Friday, 29 September 2006
by Fran Howarth, Partner
Do you know everyone who is walking around your office building? Every consultant? Each new hire? Could you spot an impostor? If someone walked up to your desk, could they get access to your computer files?
Probably not, if your company has invested in identity management technology—and especially if the system requires a reasonably challenging password to gain access in addition to some sort of security token that provides an extra layer of certainty that you are who you claim to be.
But that probably doesn’t solve the problem of who is gaining access to corporate facilities. In many companies, employees and visitors are required to show a company-issued photographic access card or valid identification to gain access, sometimes equipped with a magnetic strip for opening electronic doors. But when was the last time that a security guard took an active interest in checking that pass? When was the last time that you held a security door open for someone else?
Regulators worldwide are pushing companies and other organizations to put in place tighter controls on the ways that their operations are run, making individuals accountable for their actions by logging and reporting on the network resources that they access and what they do with those resources. For example, no one without the proper authority should be able to access and alter sensitive corporate financial information or databases containing personal information related to customers. Because of this, many industry-specific and governmental regulations are starting to demand that stronger authentication methods, over and above user name and passwords, be deployed in organizations to provide an extra layer of surety that people are who they say that they are.
Yet even these efforts are not enough. Unless security tokens such as smart cards are linked to physical access controls, companies can never be sure who is on their premises. One particular problem is that people are apt to share security information, perhaps giving a user name, password and security token combination to a colleague to gain access to company resources when on a business trip abroad. Another vulnerability might be someone using a VPN to access the network when they are actually in the office—something that would probably indicate that someone else is impersonating them.
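The last signal in the paragraph above, a VPN login by someone whose badge says they are already inside the building, is straightforward to detect once door-controller and VPN logs are fed to the same correlation engine. The following is an added example, not code from the article or from any vendor it names; the two log formats, the user names and the IP addresses are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample logs (not from the article), both normalised to UTC.
# Badge log: timestamp, user, site, direction.  VPN log: timestamp, user, source IP, result.
BADGE_LOG = """\
2006-09-29T08:02:11Z,alice,HQ-lobby,in
2006-09-29T08:05:40Z,bob,HQ-lobby,in
2006-09-29T12:30:05Z,bob,HQ-lobby,out
2006-09-29T09:10:22Z,carol,HQ-lobby,in
"""
VPN_LOG = """\
2006-09-29T09:15:03Z,alice,203.0.113.7,success
2006-09-29T13:00:00Z,bob,198.51.100.9,success
2006-09-29T09:40:12Z,carol,203.0.113.7,failure
2006-09-29T18:00:00Z,dave,198.51.100.22,success
"""

def parse(log):
    """Parse CSV log lines into (datetime, user, ...) tuples sorted by time."""
    rows = []
    for line in log.strip().splitlines():
        ts, user, *rest = line.split(",")
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, *rest))
    return sorted(rows)

def presence_at(badge_rows, user, when, max_stay=timedelta(hours=14)):
    """Return the site the user is badged into at `when`, else None.
    The user's last badge event before `when` decides; an 'in' older than
    max_stay is ignored so a missed badge-out does not flag someone for days."""
    site, direction, ts = None, None, None
    for b_ts, b_user, b_site, b_dir in badge_rows:
        if b_user == user and b_ts <= when:
            site, direction, ts = b_site, b_dir, b_ts
    if direction == "in" and when - ts <= max_stay:
        return site
    return None

def vpn_while_on_premises(badge_log, vpn_log):
    """Flag successful VPN logins by users whose badge trail says they are inside."""
    badge_rows = parse(badge_log)
    alerts = []
    for ts, user, src_ip, result in parse(vpn_log):
        if result != "success":
            continue
        site = presence_at(badge_rows, user, ts)
        if site is not None:
            alerts.append((user, ts.isoformat(), src_ip, site))
    return alerts
```

On the sample data only alice is flagged: bob badged out before his VPN session, carol's login failed, and dave has no badge trail at all (a case worth a separate rule if contractors are expected to badge in).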
Many regulations that have been developed recently are beginning to demand that stronger forms of authentication be used before employees, or even customers in the banking world, gain access to company networks. But some regulations go even further. In the US, the Homeland Security Presidential Directive 12 mandates that all federal government employees and contractors be issued with security passes used for both physical access to facilities and logical access to computer networks.
Another factor driving the convergence of physical and logical access controls is the drive to improve risk management—a trend seen particularly in Europe, where recent studies indicate that many firms are starting to combine their physical and IT security functions to ensure that no part of the business is left out of the security planning process.
Many firms may feel that they are already spending enough on security. However, for companies with valuable intellectual property such as a pharmaceutical concern undergoing merger and acquisition discussions, or with sensitive secured areas in their manufacturing plant, the benefits of tying down physical access far outweigh the costs. And there are a number of options available that aren’t all that expensive. Major players with offerings in this market include Tyco Fire & Security and Lenel—both of which have announced partnerships with Imprivata to provide companies with a low-cost but effective appliance for unified access control and provisioning across the organization.
This is just the first step in tying physical security deeper into the corporate security policy, with combining physical and IT controls being the low-hanging fruit in many organizations. Hurwitz & Associates believes that unifying access controls and provisioning across the organization is an important step to take, but many companies could benefit from other converged security controls that are emerging on the market, including linking intelligent vision systems, sensors and virtual perimeters to corporate networks for guarding sensitive facilities. This market is just in its nascent stage in terms of market adoption, but the technologies are available to reduce risk—and potentially insurance bills—in a wide range of organizations today.