08:45 01.11.2005
Special Report: Coordinating Access Control Systems
Most companies focus on physically protecting their facilities, including computer systems, from unauthorized access. And though most computer systems are protected with their own access controls--usually a password setup--if an intruder gains physical access to a system, the logical security surrounding the OSs and information typically won't be enough to prevent unauthorized access. Companies are recognizing the need to integrate physical controls, such as door locks, with logical access controls, such as passwords or smart cards on computer systems. The combination will yield enhanced user management, more complete logging information, increased security and reduced costs for user management and provisioning.
Both physical and IT security vendors see potential for growth in integration. Companies such as Siemens and integrator Atos Origin are responding by forming partnerships to offer one-stop shops for smart cards, card readers and the back-end systems to manage physical and logical access controls.
Managing Integration Obstacles
Even so, integrating control systems is a massive project at most companies, affecting how users access facilities and computer systems, and demanding new business processes to provision employees and remove access when employees leave the company. Often the project begins as a planned upgrade to the physical access-control system. The scope of the project then grows to include logical access. A physical-access project may require card readers at each entrance. But when logical access is factored in, card readers must be placed at each desktop and server. The stand-alone directory needed for physical access must be integrated with the company's identity-management and HR systems so information can be shared across systems.
The costs and time required for implementation should be weighed against the benefits of improved user management and perimeter security. A project of this magnitude requires both a strong business case and a high-level executive sponsor.
Avoid scoping the project too small, or the benefits to the company may not be realized (see "Managing Integration Obstacles," above, left). If smart cards are deployed for physical access to facilities, but the control system used for this access isn't linked to the organization's primary identity management systems, many of the user management benefits, such as a single point for provisioning a new employee, will be lost. Likewise, the fact that the company has given users smart cards doesn't imply an immediate benefit unless further steps are taken, such as improving the processes for new employees and integrating log and event information from the physical and logical systems. Organizations will see the greatest benefits if they approach the project holistically.
www.securitypipeline.com/
