Industry View: Checklist for Converged Access Control
Practical steps from Honeywell's Beth Thomas on how to gain efficiency and value from integrated physical and IT access control
By Beth Thomas, Honeywell
June 03, 2008 — In the past few years, perhaps no security industry buzzword has been defined in articles and promotional materials as many times as convergence.
These definitions have most commonly referred to the integration of physical security and IT systems, with occasional elements of building control. These definitions, while helpful to end users, raise the ultimate question: How do I make it work?
Convergence uses data generated by both physical security and IT systems to drive both business process efficiency and security, and its framework defines a migration path for organizational growth. Here are some basic elements required to ensure a solution is truly converged.
Common Security Policy Management and Control
The IT infrastructure is the backbone of a converged solution, sharing knowledge of key business data across systems. The physical security system does not inherently know critical business data such as employee status, staffer security clearances and training certifications. A computerized HR system, though, often has this knowledge. IP-enabled security systems therefore allow users to take advantage of fixed investments and improve return on investment (ROI).
Developing common protocols for managing access to company assets and data enables more efficient provisioning and management. An organization develops role-based policies that can manage badge issuance, enrollment and revocation processes by leveraging XML/SOAP interfaces for integration with identity management solutions. The key benefit is that building security personnel continue to use tools best suited to their jobs and HR personnel continue using HR tools.
Organizations should identify:
1. Authoritative sources (the system that has the ultimate say) for each person who has a building badge or an IT account.
2. Sources (IT systems or people) of key data used to determine whether a person has permissions to use a resource or access an area.
3. Compliance or audit needs where the data exists on multiple systems.
4. Any business or security concerns that are unique or are especially important to an organization.
5. Key business processes (onboarding, offboarding, change of position) and the responsibilities of the different systems in each.
6. A policy platform that supports customizable workflow creation tools to easily model processes and approvals.
Common User Provisioning
Convergence drives the business to consider how physical security affects IT security, and vice versa.
How many organizations can definitively claim that terminated employees or contractors are immediately removed from their building access control systems? How many are confident that a former employee who tailgates into the building does not have active IT accounts? How many are confident current employees would recognize former employees and know the person has been terminated?
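One way to answer these questions with data, as an added example that is not part of the original article: a reconciliation that treats the HR system as the authoritative source and flags every enabled badge or IT account whose owner is terminated or has no HR record. The CSV exports, column names and IDs below are constructed assumptions.

```python
import csv
import io

# Constructed sample exports; column names and values are assumptions.
HR_EXPORT = """person_id,status
1001,active
1002,terminated
1003,active
1004,terminated
"""
BADGE_EXPORT = """badge_id,person_id,enabled
B-17,1001,true
B-18,1002,true
B-19,1004,false
B-20,1999,true
"""
IT_EXPORT = """account,person_id,enabled
arivera,1001,true
bchen,1002,false
cokafor,1003,true
dnovak,1004,true
"""

def load(text):
    """Parse a CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(hr_rows, badge_rows, it_rows):
    """Return enabled credentials whose owner is not active in HR."""
    status = {r["person_id"]: r["status"] for r in hr_rows}
    findings = []
    for system, rows, key in (("badge", badge_rows, "badge_id"),
                              ("it", it_rows, "account")):
        for r in rows:
            if r["enabled"].strip().lower() != "true":
                continue  # already revoked in this system
            hr_status = status.get(r["person_id"])
            if hr_status is None:
                reason = "no_hr_record"  # orphan: no authoritative owner
            elif hr_status != "active":
                reason = "owner_" + hr_status
            else:
                continue
            findings.append((system, r[key], r["person_id"], reason))
    return sorted(findings)

if __name__ == "__main__":
    for f in reconcile(load(HR_EXPORT), load(BADGE_EXPORT), load(IT_EXPORT)):
        print(*f, sep="\t")
```

In the sample data, person 1002 lost the IT account but kept a working badge, and person 1004 the reverse, which is the partial-revocation gap the questions above describe.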



