An urge to converge: Physical and logical identity and access management


As a company that manufactures weapons, aircraft and defense electronics for the military, Northrop Grumman certainly knows security. When it comes to protecting its own assets, the company is on the cutting edge, currently implementing a converged physical and logical identity and access management program. By this time next year, it's expected that each of the 120,000 Northrop Grumman employees will carry a smart card that supports multiple authentication methods and enforces policies throughout the enterprise. The move will provide multilayered security across company networks, systems, facilities, data, intellectual property and information assets, says Keith Ward, director of enterprise security and identity management at the company.

When arriving at work, employees will swipe their personalized identification card to enter their Northrop Grumman facility. The card will store information about the employee – name, address, photo, fingerprints, access controls, passwords, digital certificates and training information, as well as data about the company. Once inside the facilities, employees will again swipe the same card to log onto their computer at each workspace, which will be equipped with a smart card reader.

“The issue of logical and physical convergence is real,” says Larry Ponemon, chairman and founder of independent research company Ponemon Institute.
“A lot of organizations are starting to think about one holistic model.”

But security convergence has different meanings to different organizations. Some are changing their organizational structure by merging the physical and logical groups themselves and aligning policies and budgets. More commonly, organizations are rolling out converged technologies, such as access control systems and IP-based surveillance cameras.

“The federal government has been a significant driver for the development of converged technologies,” says Randy Vanderhoof, executive director of the nonprofit Smart Card Alliance. For example, in 2004, the Homeland Security Presidential Directive 12 (HSPD-12) was passed, requiring all federal government employees and agencies to use a converged physical and logical ID badge. Standards were created for how the badge is designed, what identity elements are present inside the card, and how the card is used for physical and logical access.

Northrop Grumman's identity and access management convergence effort began in May 2006. At that time, the company was hindered by numerous physical security, human relations and information technology systems it had inherited through years of acquisitions. “We had a lot of disparate systems, applications and authoritative sources for identity within the company,” Ward says. Since Northrop Grumman works largely with government organizations, it followed the federal HSPD-12 model, allowing employees to not only use their smart card internally, but also to gain physical and logical access to federal government facilities and systems.

Lessons learned

Besides access control systems that merge physical and logical security, another leading convergence security technology is IP-based surveillance cameras. These cameras are being widely deployed today. But, says Steve Collen, director of product marketing for Cisco's physical security business unit, IT teams need to work closely with physical security teams to ensure deployments do not open security holes to the corporate network.

At Cisco, this lesson was learned the hard way after the company implemented digital security cameras about 10 years ago, says Deon Chatterton, manager of workplace resources for Cisco's safety and security team. Initially, the physical security department let the IT department know what it was doing – implementing 2,000 cameras that would record digital video to 300 servers. However, that was the extent of the collaboration. “We found out this approach wasn't good. We left ourselves vulnerable on the network,” Chatterton recalls.
In 2001, a virus spread throughout 150 of Cisco's video management servers. The physical security team was forced to ask IT for help. It took about 20 IT and physical security employees working through a weekend to fix the issue, Chatterton says. Since that incident, the IT department has helped manage and secure physical security products.

“IT is a valuable partner – from the planning perspective to helping test and design architecture,” Chatterton says.

In general, IT departments are getting more involved in the purchasing decisions of IP-based physical security products, according to a recent survey conducted by global electronics research organization IMS Research. The survey of 105 North American physical security systems integrators and installers found that IT managers are included in decisions to purchase IP-based physical security products 60 percent of the time. “Now, physical security is controlled in a lot of capacities by IT,” says Karim Hijazi, founder and CTO of cybersecurity services firm Demiurge Consulting. In addition, 75 percent of respondents to the IMS survey said they deal more with IT managers now than they did a year ago. And, more than 35 percent of respondents said they expect half their physical and logical access control installations to be integrated in three years, says Niall Jenkins, market analyst at IMS Research.

Both sides now

But while IT is becoming more involved in physical purchasing decisions, some say a convergence effort and security itself is more successful when it's moved out of the IT department. “I believe it's a conflict of interest for the IT security group to be reporting solely to the CIO,” says Kent Anderson, managing director of security risk at consulting firm Encurve.

When IT security falls under the purview of the CIO, who is overseeing the applications that support the business, it's much easier for risks to be ignored or played down, Anderson says. The Smart Card Alliance's Vanderhoof agrees, noting that organizations must commit to both IT and physical security. So, rather than continuing to invest in both separately, there are products on the market today that will achieve the organization's security goals through a converged, system-wide approach. “I am a proponent of having all security fall under some group in upper management, like a CISO or CSO,” says Colby DeRodeff, enterprise strategist at security vendor ArcSight and co-author of Physical and Logical Security Convergence (Syngress, 2007). “Most of the time, it's not like that, unfortunately, but it would make things easy to be successful.”

One of the biggest challenges of aligning the two groups is that they're so fundamentally different, says Demiurge's Hijazi. The physical security group, often made up of ex-military or law enforcement personnel, has a different skill set than the more technology-savvy information security personnel. But an organization that gets these two groups working together can reap tremendous benefits, says Craig Lucca, manager of security administration and management at Bloomberg. Specifically, the physical security team can provide risk mitigation insight, help enforce policies and conduct investigations. “If you have the right people on both sides, you can put together a very strong team,” Lucca says.

Copyright 2009 SC Magazine
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright (c) Mochila, Inc.


Article Details
Author:Angela Moscaritolo
Publication:SC Magazine
Date:Oct 8, 2009
Words:1085