To achieve this holistic view of enterprise security, physical and logical security systems and their business units need to converge and work together. At the end of the day, security is security. It may be much easier to convince an unwitting employee in the payment processing division that you have forgotten your badge, and so gain physical access to a sensitive area, than it would be to write a complex buffer overflow exploit, traverse the many layers of network security and go undetected.
Enabling Strategies

When effectively bringing together cyber and physical capabilities, identity management can enable an organization to establish a unique corresponding credential for each authorized user, and then use that credential to control access to both physical and logical assets, say two security professionals.
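The "one credential for both physical and logical assets" idea above, written out as an added example rather than anything from the article or the companies it names: a single identity store and a single policy table serve both door readers and application logins, so disabling a credential once closes doors and systems together. Every name, badge number, role, resource and site below is constructed. The correlation check at the end goes a step beyond the text by using the merged audit trail to flag an application login at a site the user has not badged into, which is the kind of check only a converged program can run.

```python
"""Added example (not from the article): one credential per user drives both
physical (door) and logical (application) access decisions.
All identities, roles, resources and sites are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

@dataclass
class Credential:
    user_id: str
    badge_id: str                         # presented at door readers and at logins alike
    roles: Set[str] = field(default_factory=set)
    active: bool = True

# Single identity store shared by the physical access control system and IT.
IDENTITY_STORE: Dict[str, Credential] = {}

# One audit trail for both kinds of access: (user, kind, resource, site, granted).
AUDIT_TRAIL: List[Tuple[str, str, str, str, bool]] = []

# One policy table: each resource, physical or logical, names the role it requires.
POLICY: Dict[Tuple[str, str], str] = {
    ("door", "main-lobby"): "employee",
    ("door", "payment-processing-floor"): "payments",
    ("app", "email"): "employee",
    ("app", "payment-gateway-admin"): "payments",
}

def enroll(user_id: str, badge_id: str, roles) -> Credential:
    """Issue the single credential that both door readers and applications will check."""
    cred = Credential(user_id, badge_id, set(roles))
    IDENTITY_STORE[badge_id] = cred
    return cred

def revoke(badge_id: str) -> None:
    """Disabling the credential once cuts off doors and systems at the same moment."""
    IDENTITY_STORE[badge_id].active = False

def authorize(badge_id: str, kind: str, resource: str, site: str) -> bool:
    """Common decision for a door reader ("door") or an application ("app")."""
    cred = IDENTITY_STORE.get(badge_id)
    user = cred.user_id if cred is not None else "unknown"
    granted = False
    if cred is not None and cred.active:
        needed = POLICY.get((kind, resource))
        granted = needed is not None and needed in cred.roles
    AUDIT_TRAIL.append((user, kind, resource, site, granted))
    return granted

def logins_without_badge_in(trail) -> List[Tuple[str, str, str]]:
    """Correlation check the merged trail makes possible: a successful application
    login at a site where that user has no earlier successful door entry."""
    badged_in: Set[Tuple[str, str]] = set()
    findings: List[Tuple[str, str, str]] = []
    for user, kind, resource, site, granted in trail:
        if not granted:
            continue
        if kind == "door":
            badged_in.add((user, site))
        elif kind == "app" and (user, site) not in badged_in:
            findings.append((user, resource, site))
    return findings

if __name__ == "__main__":
    enroll("alice", "B-1001", ["employee", "payments"])
    enroll("bob", "B-1002", ["employee"])
    authorize("B-1001", "door", "main-lobby", "HQ")
    authorize("B-1001", "app", "payment-gateway-admin", "HQ")
    authorize("B-1002", "app", "email", "HQ")      # bob never badged in at HQ
    revoke("B-1001")
    print("alice after revoke:", authorize("B-1001", "app", "email", "HQ"))
    print("logins without badge-in:", logins_without_badge_in(AUDIT_TRAIL))
```

The point of keeping one store, one policy table and one trail is that offboarding and policy changes happen in one place, and that a door record and a login record for the same person can be compared without reconciling two unrelated identity systems first.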
“I think it is very important to merge cyber and physical security programs together,” James D. Keyes, manager of security operations for North America for Alcatel-Lucent, tells Security. “This is a concept that I believe is recognized by most security professionals in the industry. The notion of merging the two programs makes sense but is easier said than done. There are still many organizations out there where cybersecurity is a totally separate entity from the physical security side, and thus the two don’t even communicate, let alone merge concepts and policies. That would be the starting point; being on the same page with policies such as access control would be a catalyst for merged programs.”
Compliance and Identity

In one example of physical and cyber ID management converging, Molina Healthcare is using software in more than 100 training, development and testing environments to identify and mask the personal health information of Molina Healthcare’s members and providers, protecting sensitive data and enabling the managed care organization to meet HIPAA compliance requirements.
Molina Healthcare is a multi-state managed care organization that arranges for the delivery of healthcare services to persons eligible for Medicaid, Medicare and other government-sponsored programs for low-income families and individuals. Altogether, Molina Healthcare’s licensed health plan subsidiaries in California, Florida, Michigan, Missouri, New Mexico, Ohio, Texas, Utah and Washington currently serve approximately 1.3 million members.
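The identify-and-mask step described above, as an added example written for this page and not Molina Healthcare's tooling: each record is scanned for PHI both by field name and by pattern (so an SSN or phone number buried in a free-text note is caught too), and each PHI field is replaced with a keyed, deterministic substitute so that identifiers still join across tables inside a test environment. The key, field names, patterns and record contents are all constructed.

```python
"""Added example (not the article's or Molina Healthcare's code): find PHI in a
record and replace it with keyed, deterministic substitutes for test environments.
Field names, patterns, the key and all record contents are constructed."""
import hashlib
import hmac
import re
from typing import Any, Dict, Set

# Constructed demo key. In practice it stays with the masking job only, so the
# masked copies handed to test environments cannot be reversed there.
MASK_KEY = b"constructed-demo-key-not-for-real-use"

# Fields known to hold PHI by name, plus patterns that catch PHI hiding in free text.
PHI_FIELD_NAMES: Set[str] = {"member_id", "member_name", "dob", "ssn", "phone"}
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
}

def _hmac_digits(value: str, n: int) -> str:
    """Deterministic digit string derived from value: same input, same output."""
    digest = hmac.new(MASK_KEY, value.encode("utf-8"), hashlib.sha256).digest()
    return "".join(str(b % 10) for b in digest[:n])

def discover_phi(record: Dict[str, Any]) -> Set[str]:
    """Identify PHI-bearing fields by name and by pattern match on string values."""
    found = {k for k in record if k in PHI_FIELD_NAMES}
    for k, v in record.items():
        if isinstance(v, str) and any(p.search(v) for p in PHI_PATTERNS.values()):
            found.add(k)
    return found

def mask_value(field: str, value: Any) -> Any:
    """Replace one PHI value with a substitute that keeps the shape tests expect."""
    if field == "member_id":
        return "M" + _hmac_digits(str(value), 8)          # stable pseudonym keeps joins working
    if field == "member_name":
        return "Member " + _hmac_digits(str(value), 6)
    if field == "ssn":
        d = _hmac_digits(str(value), 9)
        return f"{d[:3]}-{d[3:5]}-{d[5:]}"                  # still looks like an SSN
    if field == "phone":
        d = _hmac_digits(str(value), 10)
        return f"{d[:3]}-{d[3:6]}-{d[6:]}"
    if field == "dob":
        return str(value)[:4] + "-01-01"                   # keep the year, drop the exact date
    # Free text: redact the embedded identifiers rather than dropping the whole note.
    text = str(value)
    for pattern in PHI_PATTERNS.values():
        text = pattern.sub("[REDACTED]", text)
    return text

def mask_record(record: Dict[str, Any]) -> Dict[str, Any]:
    """Return a masked copy; non-PHI fields pass through untouched."""
    masked = dict(record)
    for field in discover_phi(record):
        masked[field] = mask_value(field, record[field])
    return masked

if __name__ == "__main__":
    member = {"member_id": 4471, "member_name": "Jane Doe", "dob": "1979-05-14",
              "ssn": "123-45-6789", "phone": "555-123-4567", "plan": "Medicaid",
              "notes": "Call 555-987-6543 re: claim"}
    claim = {"member_id": 4471, "amount": 120.0}
    print(mask_record(member))
    print(mask_record(claim))   # same masked member_id as above, so the join survives
```

The deterministic HMAC is the design choice worth noting: a random replacement would protect the data just as well but would break every foreign key between the member and claims tables, which is exactly why teams end up copying real PHI into test systems in the first place.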
How to Converge and Merge in a Corporate Environment

Implementing an identification management program at your company is a mixed blessing. It will almost certainly increase the security of your facilities, staff and intellectual property. But there will likely be some false starts, office diplomacy and maybe some arm twisting before ID management yields a return on investment. Here’s how to make the process smoother.
1. Do your homework, as too much information will be your problem. Do basic homework on access control and smart cards and form your own definitions and common terms so as not to get tripped up in terminology.
2. Ask questions. Find out if there was an incident or other catalyst that raised ID management to the C-level. Communicate with leadership until you can create tangible metrics of success. “Tightening up IT security” or “better employee safety” are not specific enough to spend the company’s blood and treasure.
3. Climb through the corporate silos. Odds are that someone else in your company is thinking about/struggling with ID management. You can find allies to join the fight and possibly multiple budgets to be shared.
4. Part Science, Part Art. It may all look good on paper or in the potential vendor’s PowerPoint, but implementation will involve some trial and error. Fail small and fast first. If possible, first deploy the program at a single work site or location that would have minimal business impact.
5. Seek a consensus and grow the program. Perhaps PCI compliance required an ID management system for a subset of your employees. After implementation, look to expand ID management across the enterprise with only incremental costs and easier corporate acceptance.
6. Great is the enemy of good. Two-factor biometric authentication through mantrap turnstiles with RSA-style tokens linked to RFID-tracked badges looks great in the movies. Resist the shiny technologies, and confine your implementation to practical business requirements.
7. Cook the books on the ROI. When the cost of ID management sits within one cost center it can look prohibitively expensive. Itemize the benefits, tangible and intangible, across the enterprise. An ID management system that provides visibility into the time and motion of employees on a manufacturing floor can yield real productivity results. Better physical access controls linked to video surveillance can possibly eliminate several manned security positions.
Information provided by W. Michael Susong of iSIGHT Partners