IT departments are no strangers to turf wars, but the one shaping up between those overseeing computer networks and those in charge of physical security could really get ugly.
Unlike past tussles between, say, voice and data communications teams, the contest between IT security and those involved in everything from fire alarms to video surveillance to door-lock access controls tends to involve people who might never have had any reason to cross each other’s paths. The fact is there are different entities in a corporation for physical and logical security.
Merging physical and logical security is seen by advocates as a cost-saving step and a natural evolution for facilities maintenance and guard operations, where door-access equipment and video cameras are increasingly IP-enabled, and a smart card-based badge could be used by employees to access both buildings and computers. But resistance to convergence runs deep among traditional physical security managers, who are wary of IT departments taking control. And even IT security experts voice concerns that it’s risky, with some strongly opposed to the idea of physical security operations, such as video surveillance streams, riding on the same IP corporate network as the rest of the business.
“You don’t want the stuff on the same network as your business data,” says Tom Cross, X-Force advanced research manager at IBM, arguing that physical security controls for building access and video surveillance shouldn’t be mingled into networks for desktops that can become infected by malware and other types of attacks. Physical security systems can be migrated onto IP networks “but it has to be isolated from your general business network as much as possible,” he says.
Another IBMer sees the convergence of physical and logical security differently.
“Physical security has been about closed systems, but with the move to IP-based systems and connecting campuses there’s the need to have the IT and security department involved,” says Steve Russo, director of security and privacy technology at IBM’s global technology services group. He says there can be advantages in integrating physical security with logical and transactional systems to give management a better picture of what’s occurring, especially in retailing. And although network capacity is a concern, it’s possible to share an IP network for logical and physical security, he suggests.
“Is there a risk associated with combining it? Absolutely,” Russo acknowledges. But he adds: “The logical-security people are looking at threats to the environment. And where we see the interesting spark is that they can take information about physical events and turn it into operational use.”
But there’s often a cultural rift between the physical security department for facilities management, with its isolated closed networks, and the IT department, with its systems administrators and security specialists trying to keep scores of Internet-accessing computers and applications running safely.
Many looking at the convergence of physical and logical security say the protocol issue is something that has to be confronted. According to Gemalto’s Tom Flynn, contactless smart cards often use the HID protocol in the United States, while in Europe a protocol called Mifare, developed by Philips, is more often found. In U.S. government agencies, dual-use smart-card badges required to comply with FIPS 201 may use chips that support both legacy door readers and computer access with a public-key infrastructure digital credential. In Gemalto’s view, the work that Microsoft has done with Windows 7, .NET technology for the chip and Forefront Identity Manager is helping make smart-card issuance more turnkey.
IBM’s Russo says other protocol issues point to the need for standardized compression techniques and transport in physical-security equipment, as well as standard XML-based definitions so that important metadata can be shared. “Physical security is transitional right now,” Russo says, pointing to both the Physical Security Interoperability Alliance and OASIS as organizations trying to further interoperability standards that would aid convergence and make it worthwhile.
But to date, Flynn says he is only aware of a handful of large enterprises in the oil-and-gas industry, such as Chevron and Exxon, and pharmaceutical giants such as Pfizer, that have adopted converged smart cards for physical and logical security.