Merging Physical and Cyber-Security

Open Security Exchange forum pushes holistic security

To better integrate physical security and cyber-security programs in enterprises, a group of companies announced the Open Security Exchange ( The forum, through best practices and interoperability specifications, proposes a more holistic view of security—whether companies are securing server back doors or the actual back door. Tackling both together, say representatives, will fix most organizations’ fragmented approach to overall security. That fragmentation makes managing security more difficult and increases the risk of undetected vulnerabilities, monitoring gaps, increased operating costs and difficulty enforcing security policies.

The forum was created by Computer Associates International (CA), smart card provider Gemplus, access control hardware vendor HID Corp., and physical security provider Tyco Fire & Security’s Software House. It will propose a range of vendor-neutral specifications for integrating security device management and security policies across the enterprise.

The first forum proposal is a set of “practical guidelines for the complex systems-integration required for truly holistic organizational security management,” says Richard Schieffelin, vice president of the National Systems Group at BAE Systems North America; the company is a “contributing member” to the forum. Smart cards would be the crucial link for enabling that holistic approach.

Today, linking physical and cyber-security is uncommon. Research from Pinkerton Consulting and Investigations puts the number of companies that have formal procedures for their physical and cyber-security departments to collaborate at just 36 percent. Collaboration, however, is still a far cry from companies actually tying physical and cyber-security information together. “I don’t know of any” companies that have done that, notes security consultant Sandra Jones, president of Sandra Jones and Co. in Chardon, Ohio, though “it may be done at a customer level through a systems integrator.” Yet such integration creates customized applications, which are hard to upgrade and maintain, especially if only a few people know those systems inside and out, and decide to leave.

Linking the two, however, is difficult. “It’s like eating an elephant—it’s one bite at a time,” says Jones. Also, many organizations are still evaluating or rolling out identity management systems, a prerequisite to linking all security together.

When physical and cyber-security converge, the benefit would be just seeing all security from one interface. “Most corporate security managers wouldn’t dream of having separate security systems for their Windows and Unix servers. Yet they often have no linkage between their building security systems and their cyber-security systems,” says Russell M. Artzt, executive vice president of CA’s eTrust security solutions.

One interface means improved security and cost savings, and better defending or tracing crimes committed by insiders. Perhaps the biggest payoff, says Jones, will be “what we call the single seat, where you can enter data once, and it can be used throughout an organization.” That allows for common administration of users, privileges, and credentials—across the physical as well as IT realm—and means less duplication of effort whenever an employee gets hired, leaves, or has a change in access permission.

The audit trail of such systems can be a boon to forensic researchers. For example, if a post-attack investigation uncovers the PC used and the username and password, does the physical security log actually show that person was accessing the system—or even in the building—at that time?

Such information can also feed real-time systems as well. If a username and password get entered in the secure mainframe room, but the owner hasn’t been logged as ever entering the building, then alarms can go off.

Of course, actually having someone present to verify that the photo on the security card matches the person using it goes a long way to ensuring that physical access logs are actually accurate.

Jones says that for most companies, “security is not their core business.” Automating all security data collection and displaying it to security managers in one interface, will just help companies better secure themselves and better correlate IT and physical records for any after-incident investigations.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.