Few technology words are as clearly defined and/or understood as the word security. But that's actually an oxymoron. Security is a concept readily understood as something an enterprise should have, or at least an ideological initiative it should strive for. More accurately, it is commonly misunderstood, which yields organizations that are still insecure even after heavy spending. So establishing the context for this article is challenging.
Like most other technical topics, security has its own caveats and subcategories, and for that reason we'll focus only on the access part of security. When you think about what the word access entails, firewalls and directories, be it Active Directory or eDirectory, probably come to mind. You might even think about an identity management system, which could then steer our conversation toward the hardening of an LDAP directory or even compliance.
Simply put, if you say security as opposed to innovation, Web 2.0 or unified communications, whether you're a CxO or an IT guy, you'll have your own bias toward the topic.
As you might have guessed, I'm going to write about security. Specifically, physical and logical access, and moreover their convergence. I'm not one to follow the herd (a lemming, if you will), but this trend has made a number of top-ten lists directed at decision makers and CxOs, and I agree with the analysts on this one. So let's dive in.
Starting with the basics, Physical and IT, or Physical and Logical, security was a methodology on the fringes before 2001. The events of 9/11 placed both physical and cyber security at the forefront. The US Department of Homeland Security took the reins and has driven this initiative with the creation of Directive 12. Its proper name is HSPD-12, or Homeland Security Presidential Directive 12. It mandates, in spirit, a secure and reliable form of identification for federal employees that controls physical and logical access to all federal systems and facilities. The purpose of the directive was to eliminate the wide variations in the quality and security of forms of identification, as per President George Bush.
As I don't speak government, I was unclear what 'in spirit' meant. Long story short, this technical initiative lacked associated standards, so NIST (the National Institute of Standards and Technology) was charged with supplying them.
Within the framework of HSPD-12, the standard ratified was the Federal Information Processing Standard 201, or FIPS-201. It outlines the processes surrounding issuance, maintenance and identity proofing, and it provides the framework for PIV (Personal Identification Verification). PIV is the technical component of the specification, commonly referred to as PIV-I or PIV-II. This separation of the business process from the technology is a pervasive theme throughout IT. An example of this is within storage management, namely the relationship between Information Lifecycle Management (ILM) and Data Lifecycle Management (DLM). (For more information, see my July 2007 article on Data Management in Novell Connection.)
Security starts with the identity from the onset. Who are you? What are you trying to access? When? With which machine? From where? Pervasive through that line of questioning is identity and its management, or identity management. The authority on the subject, Liberty Alliance, defines identity management as a set of processes, tools and social contracts governing the life cycle of a digital identity for people, systems and services, enabling secure access to systems and applications. Simply, identity is the cornerstone of security, now more so than at any other time in computing history. Elements encompassing an identity management system are:
- policy control
- data storage
According to Joseph Pato, an industry authority, these components work in concert to provide functionalities such as SSO (Single Sign-on), Personalization and Access Management. SSO, as the name implies, lets the user authenticate once to gain access to systems or applications that are known to the identity management system. These applications and systems can be as simple as data repositories and e-mail, or a combination of the previous with a CRM or ERP solution included. The short of it is, SSO is deeper than a simple synchronization of passwords between LDAP directories; it is the orchestration of authentication credentials between disparate systems and applications from a common source. Personalization relates to Policy Control, as it speaks to the association of an application with the appropriate identity. Lastly, Access Management allows applications to make authorization and other policy decisions based on privilege and policy information.
The components missing from this conversation, and traditionally kept separate, are those of the facilities. Most often these include physical access systems, power systems, centrally controlled locking devices, fire suppression systems and closed-circuit monitoring systems. Of late, under HSPD-12 via FIPS-201, management of these traditionally separate environments is being centralized.
The two enabling bridge-building protocols are:
- Open Building Information Exchange or oBIX, and
- Physical Security Bridge to IT Security or PHYSBITS.
The oBIX protocol, based on XML and Web Services, is designed to facilitate the secure exchange of information between facilities components, including HVAC and building automation systems, to name a few. Think of this standard's responsibility as providing the language of interoperability between smart building components.
The Physical Security Bridge to IT Security (PHYSBITS) is simply that: a link between the physical facilities world and the logical information technology world. It does this by articulating and maintaining, through policies, the relationships between assets, which include readers, people, locations, credentials, roles, rights and events.
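To make concrete the relationships the PHYSBITS paragraph names (readers, people, locations, credentials, roles, rights and events) and the Access Management function described earlier, here is a small added Python example. It is not code from the article, from Novell, or from the PHYSBITS or oBIX specifications; the data model, the `ROLE_RIGHTS` table and the "badge-in before logon" rule are my own assumptions for illustration, and the names and timestamps are constructed. The point it demonstrates is that one identity record, with its roles and credentials, can drive both the door reader and the logon, so that revoking a badge disables both, and a logon from a room nobody badged into becomes a visible policy failure rather than a silent success.

```python
"""Constructed illustration of a converged physical/logical access decision.
Added example, not the article's or any vendor's code; the model and rules
are assumptions made for illustration only."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple


@dataclass
class Person:
    person_id: str
    roles: Set[str]


@dataclass
class Credential:           # a badge or PIV-style card bound to one person
    credential_id: str
    person_id: str
    revoked: bool = False


@dataclass(frozen=True)
class Reader:               # a door reader at a named location
    reader_id: str
    location: str


@dataclass(frozen=True)
class Event:                # one reader decision, as the facilities side would log it
    reader_id: str
    credential_id: str
    time: datetime
    granted: bool


# Rights are expressed per role as (asset kind, asset name) pairs, so a single
# table answers both "may this role enter this room" and "may it use this system".
# Hypothetical roles and assets.
ROLE_RIGHTS: Dict[str, Set[Tuple[str, str]]] = {
    "dba":   {("location", "datacenter"), ("system", "erp-db")},
    "staff": {("location", "lobby"), ("system", "email")},
}


class ConvergedPolicy:
    """Policy decision point shared by the physical and logical sides."""

    def __init__(self, people, credentials, readers, presence_window=timedelta(hours=10)):
        self.people = {p.person_id: p for p in people}
        self.credentials = {c.credential_id: c for c in credentials}
        self.readers = {r.reader_id: r for r in readers}
        self.presence_window = presence_window   # how long a badge-in counts as "present"
        self.events: List[Event] = []

    def _rights(self, person_id: str) -> Set[Tuple[str, str]]:
        person = self.people.get(person_id)
        if person is None:
            return set()
        return set().union(*(ROLE_RIGHTS.get(r, set()) for r in person.roles))

    def physical_decision(self, credential_id: str, reader_id: str, now: datetime) -> Tuple[bool, str]:
        cred = self.credentials.get(credential_id)
        reader = self.readers.get(reader_id)
        if cred is None or reader is None:
            granted, reason = False, "unknown credential or reader"
        elif cred.revoked:
            granted, reason = False, "credential revoked"
        elif ("location", reader.location) not in self._rights(cred.person_id):
            granted, reason = False, f"no right to {reader.location}"
        else:
            granted, reason = True, "ok"
        # Every decision, granted or denied, becomes an event the logical side can see.
        self.events.append(Event(reader_id, credential_id, now, granted))
        return granted, reason

    def _present_at(self, person_id: str, location: str, now: datetime) -> bool:
        """True if this person badged into `location` within the presence window."""
        for ev in self.events:
            cred = self.credentials.get(ev.credential_id)
            reader = self.readers.get(ev.reader_id)
            if (ev.granted and cred is not None and reader is not None
                    and cred.person_id == person_id and reader.location == location
                    and timedelta(0) <= now - ev.time <= self.presence_window):
                return True
        return False

    def logical_decision(self, person_id: str, system: str, location: str, now: datetime) -> Tuple[bool, str]:
        # Identity lifecycle: a person with no active credential cannot log on either.
        if not any(c.person_id == person_id and not c.revoked for c in self.credentials.values()):
            return False, "no active credential"
        if ("system", system) not in self._rights(person_id):
            return False, f"no right to {system}"
        if not self._present_at(person_id, location, now):
            # A logon from a room nobody badged into is the signal worth reviewing:
            # tailgating, a shared badge, or a stale account.
            return False, f"no badge-in at {location}"
        return True, "ok"

    def revoke(self, credential_id: str) -> None:
        self.credentials[credential_id].revoked = True


def run_demo() -> Dict[str, Tuple[bool, str]]:
    """Walk two constructed people through doors and logons; returns each decision."""
    t0 = datetime(2008, 1, 15, 8, 0)                       # constructed timestamp
    policy = ConvergedPolicy(
        people=[Person("alice", {"dba", "staff"}), Person("bob", {"staff"})],
        credentials=[Credential("badge-1", "alice"), Credential("badge-2", "bob")],
        readers=[Reader("door-dc", "datacenter"), Reader("door-lobby", "lobby")],
    )
    r = {}
    r["bob_door"] = policy.physical_decision("badge-2", "door-dc", t0)
    r["alice_door"] = policy.physical_decision("badge-1", "door-dc", t0)
    r["alice_logon"] = policy.logical_decision("alice", "erp-db", "datacenter", t0 + timedelta(minutes=5))
    r["bob_logon"] = policy.logical_decision("bob", "email", "datacenter", t0 + timedelta(minutes=5))
    r["alice_stale"] = policy.logical_decision("alice", "erp-db", "datacenter", t0 + timedelta(hours=11))
    policy.revoke("badge-1")                                # one revocation, both sides closed
    r["alice_door_revoked"] = policy.physical_decision("badge-1", "door-dc", t0 + timedelta(hours=1))
    r["alice_logon_revoked"] = policy.logical_decision("alice", "erp-db", "datacenter", t0 + timedelta(hours=1))
    return r


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:22s} {decision}")
```

The rights table is deliberately the same object for rooms and systems: that is the convergence the article describes, one policy source instead of a badge database that drifts away from the directory. The denied reader event is kept as well as the granted ones, because the logical side (and the SOC) learns as much from a badge refused at the data-center door as from one accepted.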
The inherent gain of this interoperability is compliance, which yields increased trust. This, in turn, culminates in measurable financial gains. We're all aware of the quandary IT Directors, CIOs and CFOs have: do more with less! Standardization of the protocols that govern this convergence will push the initiative closer to the mainstream. Companies such as Novell, coupled with niche players such as Imprivata, are focused on this trend. Bumps will inevitably appear along the way, as this is a fairly immature market; however, it's one that is sure to reach maturity, and quickly. The mantras of "do more with less", "consolidate" and "interoperate" are pervasive throughout most IT trends. Why should security be any different?
Go, fight, WIN!