Katie Moussouris, a hacker for hire at Symantec, often tests the security of businesses, and that doesn't just include IT security. "We're requested by customers to do physical penetration tests," she said. In other words, she's hired to try to enter a building and get past the guards. "Those requests don't come from the physical security folks, they come from the IT department," she said.
With IT folks now involved in physical security, Moussouris expects her job to become tougher. "They will see a lot more places to harden than just the people who are in charge of physical security," she said. For example, weak spots, such as phone closets that have been turned into network hubs, will also be secured, she said.
Ultimately, the executive in charge of information security at an organization could also become responsible for the security guards, who today typically are part of a facilities group that may report to a different executive. That's because IT departments and chief information security officers are used to managing projects, Turner said.
"IT security has already made a progression from the data center glass house to desktops and mobile computing, where things have to be managed in a ubiquitous geographic context," he said. "They are better prepared to reach out and manage additional responsibility."
While technology is an enabler, it is also an obstacle to integration. Traditional security systems--the locks and cameras--are just now going digital.
"Not all physical access products are digitalized in a way that allows them to be integrated and managed through a network," Turner said. "They have to make a transition from an analog technology base to a digital base." Part of that is building secure systems, so they won't be a weak link in a security chain, he said.
Even if physical security systems have moved into the digital realm, they often aren't compatible with tools used to manage users on networks, such as those sold by Oracle.
"Interoperability is a key challenge," White said. Oracle has built connectors that allow its identity and access manager products to work with some physical security systems, but it had to custom-build those, he said. "The standards are ill-defined," he said, adding that nobody in the industry has yet stepped forward to establish any standards.
Also, controlling all aspects of security from a single system could create a single point of failure. If the one system goes down or is breached, that could create a serious problem or compromise. The easy answer to that concern is strong security and redundant systems, said Eric Maiwald, a Burton Group analyst.
"That concern may be more of a red herring than anything else," he said. "You're not going to leave that system somewhere it can be broken into." Also, there should be tight controls on who can grant access and clearances to people, he said. "You're not just talking about outsiders; you're also talking about insiders."
Convergence is very much a work in progress, experts agree. But while that work is being done, some organizations, mostly in government, are already moving to a single system and some, such as Delaware State University, already have.
Said Turner: "We're designing the shoes while we're running along wearing them."