Forrester issued a report earlier this year on the convergence of Physical and Logical Security. The author, Steve Hunt, felt strongly enough about the subject to leave and form 4AInternational, a consulting firm focused on securty convergence.

Security Focus, published a nice summary
of the report which I’ve been meaning to discuss for some time. Anyone following the security convergence discussions would not be surprised by Forrester’s conclusions. However, it puts numbers on the size of the security convergence market and adds the weight of third party validation to media and conference discussions about security convergence.

What does this mean for convergence? There are a few key areas that offer immediate opportunities for convergence with a moderate effort. First and foremost, card integration. Other areas are policy development, reporting structrues, monitoring software, combined incident response, and regulatory compliance. This is where we should see growth over the next 12 months. Now is the time to lay the groundwork for larger efforts in 2006.

Now, to 4AInternational. During engagements with my clients “security convergence” has a achieved buzzword penetration. Convergence issues are being taken seriously in the context of other efforts. What we are not seeing is security convergence as a stand alone project. Major vendors offer lip service but few effectively offer products and solutions.

Talking about the benefits of security convergence at the C-level is fairly easy. Getting to those benefits is a little more difficult. Traditionally the physical and logical security efforts in an enterprise have different organizational structures and career paths. Both can have great systems, but there are very few individuals with the experience to talk to both groups. What most people do not realize is that physical and logical security systems integration can start small and may not be as far off as they think. If 4AInternational can put together a team that outlines the convergence business case for both sides of security and shows the client the low hanging fruit, they could find themselves with a nice slice of that security convergence growth.

4AInternational

Security-Flaws » Blog Archive » Wedded to physical and IT security?

Across the board, the idenity space is hot. Last week French smart card manufacturer spread its wings a little bit with the acquisition of Finnish secure document company, Setec.

Apparently their cooperation on the Singapore electronic passport last year impressed some folks. The deal makes lots of sense. As our paper documents become smarter, the vertical integration of the component manufacturers provides a logical competitive advantage. Pennies matter on this scale, so making production as efficient as possible means a more competitive Gemplus.

While it won’t immediately translate into benefits for the rest of Gemplus’ customer base, maybe it will down the road. Like most smart card companies, Gemplus gets most of their revenues from the telco industry. Although Gemplus has been supplying the ID market for some time, it always held more promise than profits. They made a big play into solutions just before the dot com bust. The Setec acquisition puts Gemplus in a stronger competitive place to pursue secure ID efforts like they won in Singapore.

Smart cards are already showing up in lots of other form factors than cards, so why not throw paper into the mix?

Gemplus Press Release

Gemplus snaps up e-document firm | The Register

Here’s an extension of the last post on security convergence. It’s really just a concrete illustration of the fact that the technologies for physical and logical security credentials can live side by side, but they still require different chips.

A few years ago, HID launched a contactless smart card line, iClass. While a lot of the smart card crowd looked down their nose at iClass, HID strategy squarely focused on the card and reader sets as an easy migration for their existing channel. HID’s channel of physical security integrators and installers were less concerned about the greatest smart card technology than with the ability to plug it into their existing systems. To many of the systems it hangs on, the iClass card and reader combo looks just like a dumb old prox card and that suits the customers just fine.

Recently, HID has worked effectively to expand the ecosystem around their cards and this press release shows that off. As I wrote a short while back, they are also bringing some of that ecosystem expertise in house with the acquisition of Synecard.

I’ll lay off HID for a while but they do show how users are not waiting for the “ideal” all-in-one technology, but putting together off the shelf components for an effective convergence solution.

Raak Technologies Joins HID%u2019s Development Partner Program to Supply Strong Authentication Products and Services to HID%u2019s Reseller Channel

In another security forum a security professional asked about using smart cards for a physical/logical security convergence project.

IT security folks often assume this should happen but it’s slow to get moving on the ground. The recent FIPS 201
standard is really bringing these discussions out in the open. Here’s my response to his questions. I hope you find it as helpful as he did.

The token (smart card) is an obvious place to handle security convergence and actually can be deployed fairly cost effectively. However, there is a substantial amount of confusion about what “smart card” convergence actually is. FIPS 201 addresses some of this but there is much to learn from previous, broader roll outs in business and higher education.

Issues to be aware of:

1. The PC/SC standard for smart card computer interfaces addresses a contact chip. This provides a higher level of security by requiring active presentation of the credential.

2. Physical security applications work best with RF technologies. It really boils down to wear and tear on readers and throughput at ingress points. This means a “converged” card will be effectively looking at two technologies, contact and contactless in the same form factor. You may even need to have multiple flavors of contactless, for instance 125 khz prox and 13.56 contactless smart card. Card manufacturers can accomodate this.

3. Physical access control systems rarely take advantage of the “smarts” in a card, most often using RF capabilities to broadcast a unique system identifier, rather than any challenge/response authentication. Don’t let the logical security guys make this assumption. Also, switching physical security tokens can represent substantial costs switching the readers at every door. Don’t cram a card down physical securitys throat or you may be stuck with the bill.

4. Address physical and logical security concerns seperately when looking at card technologies and the ROI. The only thing combined cards save on is plastic. In most instances you’re still paying for the seperate costs of physical and logical security chips. Your savings will come from reduced administrative overhead. Security is raised by reducing the number of provisioning and revocation points for an identity. This really needs to be a policy and operations identity initiative, not a card project.

5. You will have to maintain seperate provisioning systems for physical and logical security. I have yet to see a security vendor from one side that meaningfully crosses the gap to the other, so mature single system solutions are still pending. As a practical matter this can be addressed with the appropriate processes and data flows between systems. Not easy, but absolutely practical. The important thing to remember is that you have a single physical point of registration and issuance from an operational and policy standpoint.

6. Consider logical security applications for your smart card other than PKI. The card based private key is the holy grail of security, but deployments often falter under the cost of deploying and managing certificates for everyone. In most organizations, the vast majority if users could be adequately served with something along the lines of RSA’s SecurID, while deploying PKI to a subset of users. As the system matures, PKI can be expanded to include more users. If you play your cards right, literally, you can deploy PKI to users without having to exchange their cards down the road.

7. Make the card a payment vehicle. Someone will surrender their password for a candy bar, but you’ll have to pry their cards from their dead hands if that is the key to Mountain Dew. If the card means “lunch” it doesn’t get left in the desk. Don’t reinvent the wheel for this. A magstripe adds about 3 cents to the cost of the card and all the payment infrastructure is already in place.

8. Work to have both physical and logical security events reported in the same interface. Let both physical and logical security groups use this. Nothing paints the broader security picture like having it on the same screen. Both your physical and logical access control systems should have the ability to import/export events. If they don’t, upgrade. Do not make this a battle for control.

9. Get HR & public relations invovled. Internal branding is important, too. The “one card” can be a point of access for a variety of service points, not just security. It seems silly, but they can be an unexpected help at getting uninterested C level folks on board. Let the magstripe be an employee health insurance card, or the key to a sweepstakes. Giving away a free iPod to the xxxxth user in foodservice gets people a lot more excited, cheaply, than your latest security effort.

10. Be open minded about the card, but guard the security like a hawk. For instance, smart card based print & copy control can save real $$$, but their “required” card technology may not be adequate for security purposes.

Finally, don’t be fooled by the costs of cards and readers as the ROI. You’re already paying for a physical access card. You’re paying through the nose for lost passwords and bad identity management. USB smart card readers can be had as cheaply as $10 US in bulk. Build a comprehensive ROI for the project. Cards and readers should be a modest portion of that. This is where the “intangibles” from public relations, HR, food service, can providing a tipping momentum.

Personal Identity Verification (PIV) Project

Last week was the National Association of Campus Card User’s (NACCU) annual conference. Other obligations kept me from attending for the first time since 1997. That and the beginning of the events log got me thinking aobut what are the “Don’t Miss Events” as it relates to Identity & Transaction Management.

For those looking to draw additional value from your identity management initiatives, college campuses are a great place to look. Unlike most corporate organizations, higher education often leverages their identity for value added services while neglecting security. Add that solution set to a corporate or government security stance and you have a recipe for a broad identity.

NACCU just passed and Card Tech/Secure Tech is just around the corner. IDWorld is emerging as a strong fall conference for identity. ISCWest is the premier spring physical security event. ASIS takes the physical security lead for the fall. I’ve always enjoyed the RSA conferecne, especially with my PKI experience. Moving to the straight transaction side, NAMA (vending) and FSTech (food service), NACUFS (more food), and IPI (parking) are all good shows. NACAS, NACUBO and ACUHO all offer oppotunities to learn about how higher ed draws additional value from what they traditionally call “card programs.” Educause in the fall offers another really good chance to look at hgher ed identity, this time from the IT perspective.

Wow, I know that seems like a lot, but I barely touched on the information security opportunities and left out the government conferences entirely. Please drop us a comment or email, to let us know which events you get the most out of. Check our events calendar and feel free to submit any we missed.

CTST, ISCWest and NAMA almost overlap in the coming weeks in Vegas. I however, will be attending an Infosec conference in Orlando and then heading down to Ft. Lauderdale for the International Parking Institute conference. Don’t laugh, there’s a lot of money in parking and we always want security around our cars.