Getting smart: Integrating data, cyber and physical security

A year ago, a group of IT companies came together to form the Open Security Exchange (OSE). They pledged their efforts to define vendor-neutral specifications for integrating the management of physical and IT security policies. In this article, Danny Ilic, a business technologist and security consultant at Computer Associates (Africa), looks at what the OSE has achieved in this time, and where it is headed.
Johannesburg, 04 May 2004

There is a significant and growing need for organisations to address physical and information technology (IT) security issues as a whole. Physical access to buildings, for example, is not integrated into IT systems, although such integration could help prevent access by unauthorised parties with malicious intent.

In April last year (2003) the Open Security Exchange (OSE) was born with a mission to investigate ways for the IT industry to adopt security measures that not only integrate data, cyber and physical security solutions, but also do so seamlessly across a broad range of product offerings.

According to research group Frost and Sullivan, the OSE represents "an important advancement" in bringing together disparate areas that traditionally have been dealt with separately.

Analysts at the group's European Network Security Service believe that the OSE's "visionaries" understand the need to increase businesses' awareness of security issues.

These visionaries include founding OSE members the HID Corporation, a manufacturer of access control readers; Gemplus International SA, a vendor of smart cards; Tyco Fire and Security's Software House, an integrator of physical security management systems; and software specialist Computer Associates International, which has pioneered efforts to bridge the gap between physical and IT security monitoring through its eTrust 20/20 offering.

Is their goal a realistic one? Will their efforts result in a security nirvana capable of quickly detecting suspicious behaviours? Will organisations be able to effectively challenge and halt the efforts of the increasing number of hackers, code breakers, identify perpetrators and cyber criminals?

First task

The first task the OSE assigned itself was the development of specifications for the common management of IT and physical security devices such as access control cards and readers.

Their efforts were to address three specific areas:

* Common administration of users, privileges and credentials;
* Common authentication to physical facilities and computer systems;
* Centralised management and auditing of physical and IT security.

An important target for the OSE was to have its proposed interoperability specifications accepted by the industry's standards bodies as "open standards".

Another objective the OSE set for itself was to broaden the scope of its mandate by bringing more vendors of physical security and biometric systems into the process of defining common interoperability standards.

Smart card focus

Over the past twelve months, the OSE has sharpened its focus on smart card technology as the most likely method of increasing the convergence between the realms of physical and cyber security.

The group recently published a white paper entitled, "Smart Card Enabled Access Control Used in Logical and Physical Systems", which is viewed by many as the manual for companies planning to select smart cards for both logical and physical access.

Through this initiative, the OSE provides technical guidance and objective selection criteria that enable users to make educated choices among the standards available and the various products on offer.

The right route

Smart cards were an obvious choice for the OSE. Organisations can use them as credentials to control access to physical locations and IT systems, and for authentication to network tools and specific business applications on a user-by-user basis.

However, one of the key challenges highlighted by OSE is the proliferation of smart card technologies, with multiple, often conflicting standards both for physical and cyber access control.

To deal with this, the OSE has refined its objectives. It now sees its key role as one of education and it has set itself the task, in 2004, of advising business planners about the various choices available to them.

In line with its new direction, the OSE has also co-opted new members ActivCard, CoreStreet, Fargo, Siemens Building Technologies, Siemens Building Information and Communications Network and VistaScape to the group. These companies are heavily involved in the smart card arena.

New liaisons

The OSE hasn't stopped there. In February 2004 it made the breakthrough it was looking for in the form of official US government recognition for its efforts.

With the help of regulatory bodies, US federated identity standards for wireless devices will now be extended to include physical security.

The OSE's move will have far-reaching global consequences. For example, users will be able to link identity information between accounts without centrally storing personal information - meaning that users can be authenticated by one company or Web site and be recognised and delivered personalised content and services in other locations, without having to re-authenticate or sign on with a separate username and password.

Liberty Alliance

The OSE is now working with the Liberty Alliance, the premier open standards organisation for federated identity and identity-based services in the US, to develop standards and best practices to enhance authentication methods for wireless, subscriber identity module (SIM)-based access to Web services.

Ultimately, this would allow unified SIM authentication for physical access control systems as well as network access, and increase a company's ability to offer convenient single sign-on for mobile commercial payment systems.

The last word on the subject comes from respected US industry watcher and consultant Sandra Jones who says: "We are excited to see that industry leaders have put aside competitive issues and are working together to develop real-world solutions, standards and one methodology that will enable security users to blend and optimise their existing investments, while reducing total operating costs."

CA

Computer Associates International, Inc. (NYSE:CA), one of the world's largest software companies, delivers software and services that enable organizations to manage their IT environments. Focus areas include network and systems management, storage and security management, portal and business intelligence, and application life cycle management. Founded in 1976, CA is headquartered in Islandia, NY, and operates in more than 100 countries. For more information on CA, please visit http://ca.com.

Editorial contacts

Danny Ilic
Computer Associates Africa
(011) 236 9111
Danny.ilic@ca.com