By Derek E. Brink

BUSINESS CONTEXT

Several market drivers are combining to cause significant instances of integration (or “convergence” between logical security systems and physical security systems to take root:

• In the United States, Homeland Security Presidential Directive 12 (“HSPD-12” requires US federal agencies to issue a standards-compliant Personal Identity Verification (PIV) card to all employees and contractors by October 27, 2008.  Such cards are expected to expand to additional large user communities (e.g., transportation workers and first responders) as well. 

• In addition, although not directly driven by HSPD-12 compliance, many commercial organizations worldwide are also deploying solutions that integrate logical and physical access management on a standardized, card-based credential. 

• In the back-end, emerging examples of convergence are motivated by improvements in visibility and risk management through centralized collection, normalization, and correlation of both logical and physical security information and events.  Security Information and Event Management (SIEM) solutions, and to some extent Enterprise Single Sign-On (E-SSO) solutions, are discovering new use cases in logical/ physical security convergence. 

• Convergence examples are also being driven by new classes of network-enabled physical security solutions in areas such as building access, building automation, video surveillance and video analytics, and supervisory control and data acquisition systems.

Policy, planning, process, and organizational politics all play a role in the successful integration of logical security and physical security for any of the above examples.  Recent Aberdeen research on Security Governance and Risk Management (November 2007) showed that by taking a more holistic view of risk, organizations with top performance have demonstrated their ability to improve security, sustain compliance, improve leverage from existing IT resources, make faster decisions, optimize business processes, and improve visibility across organizational and geographical “silos”.

Similarly, the current study reveals that top-performing companies are nearly two-times more likely than laggard organizations to view the convergence of logical and physical security as an integral part of their overall security governance and risk management strategy.  For the industry average, the tactical implementation and management of logical and physical security controls where specific needs exist is the most common approach.  (See Figure 1.)

Most importantly, the research indicates that initiatives in integrating logical security and physical security are already helping the “Best-in-Class” organizations (defined as the top 20% of all respondents in the study, based on selected performance criteria) to achieve superior performance in several critical areas:

• Better physical security -- Compared to one year ago, a net 83% of all Best-in-Class (top 20% based on performance) organizations reduced the number of actual physical security incidents; 40% reduced the average time to address these incidents; and 27% reduced the total cost to address them.  In contrast, the Industry Average (middle 50%) experienced more incidents than they did a year ago, took slightly less time to address them, and slightly increased their total cost to address them.  The net performance of Laggards (bottom 30%) was worse compared to that of a year ago on all three measures. 

• Better logical security -- Compared to one year ago, a net 48% of all Best-in-Class organizations reduced the number of actual logical security incidents; 31% reduced the average time to address these incidents; and 22% reduced the total cost to address them.  In contrast, the Industry Average experienced more incidents than they did a year ago, took about the same time to address them, and slightly increased their total cost to address them.  The net performance of Laggards was again worse compared to that of a year ago on all three measures. 

• Sustained compliance -- Compared to a year ago, a net 55% of all Best-in-Class organizations reduced the number of actual non-compliance incidents (e.g., failed audits); 59% reduced the average time to address these incidents; and 35% reduced the total cost to address them.  In contrast, the Industry Average experienced roughly the same number of incidents as one year ago, took roughly the same time to address them, and a net 9% increased their total cost to address them.  The performance of Laggards was worse compared to that of a year ago on all three measures. 

• Better collaboration -- Compared to a year ago, a net 57% of all Best-in-Class organizations improved communication between their respective logical security and physical security teams; 36% improved the coordination of responses to security breaches by their logical security and physical security teams.  This compares to 45% and 28%, respectively, for all respondents.  More striking, Best-in-Class organizations were 16 times more likely than all respondents to have reduced the amount of human error related to logical and physical security, and nearly five-times more likely to have reduced the number of organizational and geographical “silos” for logical and physical security.

What are the leading drivers for current investments in logical/physical security convergence initiatives?  Consistent with previous Aberdeen research on other IT security topics, compliance -- taken in all its dimensions, including compliance with government regulations, industry standards and best practices, industry regulations, and internal policies -- is at the top of the list.  Across all respondents, “protecting the organization and its brand” also continues to surface as a leading driver.  Best-in-Class organizations also identified reducing the costs of implementing and managing security controls as a driver of their current investments in logical/physical security convergence.

On the other side of the coin, the most commonly cited reasons that organizations had not invested in logical/ physical security convergence initiatives include: 49% of organizations indicated that other projects are perceived as higher priority, and 37% indicated that the costs are perceived as too high.  In light of the aforementioned business benefits, however, companies would do well to give logical/ physical security convergence opportunities a closer look.

ENABLING TECHNOLOGIES

With respect to current investments involving integration of logical security systems and physical security systems, the research indicates three distinct use cases that differentiate the best-performing organizations from other survey respondents.  (See Figure 2)

• Cards -- The use of cards (as the common basis for both logical and physical access management) is a well-known example of logical/physical security convergence.   Driven by compliance with HSPD-12 in the U.S. Federal government, card-based convergence is also beginning to take root in many large commercial enterprises.  In the current study, the Best-in-Class are currently two-times more likely than Laggards to be investing in integration of logical security and physical security based on common access cards.  Using a single device (smart card, or other token) is an excellent starting point, a positive step towards the greater vision of IT access, building access, photo ID, and even inter-organizational trust housed within a single converged “container”.  But issuing devices is merely the tip of the iceberg.  Even though both logical credentials and physical credentials may be tied to the same physical device, logical identities and physical identities must also be correlated at the management level.  In most organizations, card lifecycle management processes and physical access control management processes remain separate -- not only technologically, but also organizationally  with duplication of business processes and increased total cost.  Given that Physical Access Control Systems (PACS) have extremely long replacement cycles (as one respondent pointed out, “there is no rip-and-replace for these systems”, the trend will be towards more cooperation and integration between card management systems, identity and access management systems, and PACS systems.  Solution providers that can most effectively bridge the gaps in these technology areas will be best-positioned to drive new logical/physical convergence opportunities.  Another priority is to begin looking beyond mere issuance of cards or other tokens (e.g., to meet deadlines mandated by HSPD-12), to focus on how these credentials can be leveraged for multiple purposes.  “Rather than just having it in the badge holder,” as one manager from a government agency noted, “it’s about the applications.” Convergence initiatives are driving digital certificates towards their long-held promise as a common basis for identity across a broad range of applications. 

• Security information and events -- By collecting and correlating information and events from both logical security and physical security infrastructures, companies can improve overall management visibility and establish an enterprise-wide view of risk.  While this capability is just now emerging, the Best-in-Class in the current study are currently 1.5 times more likely than Laggards to be investing in this approach.  Correlating information and events across both logical and physical domains, with common auditing and reporting, is an immediate opportunity for convergence identified in the research.  SIEM solution providers, and to some extent E-SSO solution providers, have recently started to orient their solutions around these logical/physical security convergence opportunities. 

• IP-based physical security -- As new classes of IP-enabled physical security solutions are rolled out  in areas such as building access, building automation, video surveillance and video analytics, and supervisory control and data acquisition systems -- additional logical/physical security convergence opportunities are beginning to emerge.  Best-in-Class organizations in the current study are currently nearly 2.5 times more likely than Laggards to be investing in this approach by upgrading to physical security solutions based on standard IP-based networks.  As noted, Best-in-Class organizations are employing strategies to develop an enterprise-wide view of risk, and to establish consistent security policies.  Although made possible by the ongoing evolution of technologies and standards, the real impetus for moving logical/physical security convergence projects to a higher priority should be the demonstrable business benefits identified in this study: better protection of digital assets, physical assets, and people; sustained compliance; faster response times; lower costs; and improved collaboration between teams. 

IT TAKES MORE THAN TECHNOLOGY ALONE!

Survey results show that the firms enjoying top performance shared several common characteristics, including:

• 73% have conducted formal risk assessments.
• 81% have prioritized logical security control objectives as a function of risk, audit, and compliance requirements.
• 65% have prioritized physical security control objectives as a function of risk, audit, and compliance requirements.
• 45% have implemented consistent security and compliance policies across both logical and physical security.
• 55% have a clear mapping of risks and security controls to the various regulations, standards, policies, and best practices to which they relate.
• 64% have implemented controls to monitor and verify that requirements of internal policies and external regulations are being satisfied.

Leaders with experience in successful logical/physical security convergence implementations say that the single most important thing a company can do is to appoint a strong internal project manager.  Assuming that the logical/ physical security convergence initiative has a clear executive sponsor, key characteristics for this leadership position include:

• Experienced -- knows the discipline of project management.
• An employee of the company (not a consultant or vendor-appointed project manager)
• Respected throughout the organization
• Strong communication skills -- able to bridge the gap between logical and physical teams
• Fair and impartial -- ensures that all functions represented on the project team have equal input and authority.

Aberdeen research shows that through their emerging capabilities in the area of security governance and risk management, Best-in-Class companies are taking proactive steps to ensure that their investments in security and compliance controls directly support their objectives for the business.  A consistent, enterprise-wide view of security risk  -- integrating both physical security and IT security -- is a sensible element of this strategy.  By combining superior security governance and risk management with an integrated approach to logical and physical security, Best-in-Class organizations set themselves up to compete in the global economy with a distinct advantage: not only with an optimized IT infrastructure, but also with better protection for their digital, physical, and human assets.

Logical/physical security convergence opportunities are made possible by key enabling technologies (e.g., common access cards, security information and event management systems, enterprise single sign-on systems, and new classes of IP-based physical security systems), but policy, planning, process, and organizational politics each play a prominent role in successful implementations.  Aberdeen’s research indicates that inattention and inertia, rather than technology issues, may be the two biggest obstacles to the acceleration of logical/physical security integration in the near term.  Is logical/physical security convergence in the cards?  Yes -- literally in some cases, but more generally as a natural extension of taking a strategic, holistic view of security risk.  Convergence projects will be fueled by the demonstrable business benefits of better security, sustained compliance, faster response times, lower costs, and improved collaboration.

Derek E. Brink is Vice President & Research Director of IT Security for Aberdeen Group (www.aberdeen.com).