Subscriber Discussion

Converged Physical And Logical Access Control - Is Anybody Implementing It?

BS
Bryan Shalke
Mar 07, 2014

As someone with a strong network security background, the idea of combining physical and network-based access control is as natural to me as putting cameras on the network.

The benefits are fairly obvious:

  • A single system to handle both leads to less overhead for managing credentials.
  • Having logical and physical datapoints lends to a 4th factor of authentication - where you are.
  • Using the same card and pin for physical access and logical access leads to less forgotten passwords - and less insecure behaviors (sticky notes under the keyboard, anyone?).
  • Reduces cross-section exposure for external attacks; if an employee is in tbe office, their VPN access should be disabled.
  • Increases effectiveness of network-based IDP; the more information a system has about the environment, the easier it is to detect anomalous behavior.
  • Effectively eliminates tailgating for anyone who needs computer access; if you're not recognized as inside the building, you can't access the network.

Needing to deal with both facilities and networking teams is an issue for integrators, but certainly not an intractable one.

So, tell me: Is anyone doing this now? If not, why? Do any integrators specialize in both network and physical security? Do any manufacturers sell this kind of integrated solution?

Avatar
Brian Rhodes
Mar 07, 2014
IPVMU Certified

The cross-functional discipline makes a load of sense to me.

It makes sense to HID Global (a stalwart phys sec brand) as well, who recently released a rack mount appliance designed to support enterprise multi-factor authentication. It's more than just LDAP:

No wild claims of cross-integration with logic rules in the access control system (ie: Disable VPN access if in the office), but I'm sure they'd salivate at the chance to do it if you brought it to them, for the right price.

If you're interested, be ready to drop ~$8500. And sorry dealers: there's no RMR in it for you.

Which carries the second point: Finding an integrator that is skilled in both physical security and logical security policy is really rare. I mean, most don't even change the default password of the cameras they hang. Is that really the crowd you want consulting you on logical security policy and operation?

BS
Bryan Shalke
Mar 07, 2014

I've seen the HID solution before - it's very similar to what Imprivata and RSA do. From a "using the same card" standpoint, it's very convenient, but I've never seen someone use the same system for physical access control and NAC. I think that's where the next big jump in the market has to be.

Maybe we'll see more of that with the Axis solution, since writing a program to, say, manage both Imprivata and Axis would be as easy as leveraging their API calls.

RW
Rukmini Wilson
Mar 07, 2014

As someone with a strong network security background, the idea of combining physical and network-based access control is as natural to me as putting cameras on the network.

I'm shocked to hear that its not a common occurence... Maybe its because the places where the economies of scale start to make it attractive, i.e. multi buiding campuses, are typically firms which already have seperated IT from security (or facility mgmt, risk mgnt, asset protection etc.) and therefore not keen on working together.

Effectively eliminates tailgating for anyone who needs computer access; if you're not recognized as inside the building, you can't access the network.

Sure does, 99% of the time, but then again 99% of tailgating is not malicious. But IMO intruders usually don't have network access to begin with, (if they do they usually like to 'work from home' and avoid the commute) and so are not deterred by such measures. Perhaps your point is that the if you reduce the tailgating dramatically then you can identify the true exceptions easier, but keep in mind there are always those people running back in just for their (coat, ipad, phone etc.) so its unlikely to get the point where employees are notifying security when it occurs. Moreover it requires credentialed egress be implemented which is even harder to enforce and more inconvenient and more likely to get push-back from other stakeholders.

New discussion

Ask questions and get answers to your physical security questions from IPVM team members and fellow subscribers.

Newest discussions