Managing access control – combining physical and logical security



“The theory of converging physical and logical access security has actually been around for some time, but historically implementation has been virtually impossible. Access control systems in the IT and physical world have had little in common technologically, so integrating them was a costly and complex proposition. The lack of interaction between the physical security experts and information technology providers has also hindered this process. However, demand for converged security systems is growing, and the situation at present means that these kinds of solutions can now generate real value.

“Putting a converged security system in place requires a holistic approach across the physical and IT security frameworks. Understanding the requirements of both areas is key to delivering a system that meets the organisation’s needs. One of the major factors allowing this to happen is that over the past decade, Internet Protocol (IP) has become the de facto standard for physical access system devices. Having this common protocol in place reduces wiring requirements, deployment time, expenses, and makes management and administration via a Web browser possible. It also enhances the conversation between IT and those in charge of physical security. These advantages have led more physical security device providers to make their products IP-compatible. Today, the list of access devices that are IP-capable has expanded considerably including cameras, card readers, and access controllers.

“Vendors on both the physical and logical sides are responding to customer demand and seeing the value in supporting convergence. Many of them are now promoting standardized APIs so that their products can be integrated, or revealing interfaces that can be accessed by IT-based solutions.

“Auditing for regulatory compliance is becoming necessary for more organisations. As this requirement grows, auditors are seeing the gaps in corporate security and alerting their clients to take action. Monitoring and reporting capabilities are becoming more important in order to demonstrate compliance with industry-relevant legislation. Regulations such as the Payment Card Industry Data Security Standard and Sarbanes-Oxley (SOX) require proof that security policies have been defined and adhered to.

Proving compliance

“Meeting compliance demands has to be the first part of the story - actually proving that they have been met is the second, but not less important. Consequently, the biggest area of interest from both the physical and logical sides of security is ensuring that workers are actually adhering to the organisation’s security policies. Making these policies stick can be a challenge, especially if they affect the ways that members of staff have been working for some time. By converging these two disparate security disciplines, policy enforcement is now possible across both.

“From a physical perspective, policies can take many forms: for organisations with door access security, entering the building should be accompanied by signing into the physical access system. While this can be a mandatory requirement for all staff, proving that everyone who is within the building has a badge in can be problematic; a member of staff could avoid signing in by simply walking in at the same time as another person who has authenticated him or herself. This process is called “tailgating”, and it means that there is no record of an individual coming into the building. This breaks the organisation’s security policy over physical access, but also means that it is more difficult to build up a complete list of who is in the building in the event of a fire or other security threat.

“Linking the physical access system to the IT infrastructure means that behaviour can be enforced more strictly. In the tailgating example, someone who does not badge in to the building can be denied access to their IT assets. When a user attempts to log in, the IT network can automatically query the building access system to check that the person has signed into the premises. If they have not, access will be denied until that person’s card is swiped. This approach reinforces adherence to the company’s policy while ensuring greater security for internal systems at the same time.

“How can this work in reverse? A building access card can be used as a factor for gaining access to the IT system as well. Linking a user’s password to the building access card means that an organisation can roll out strong authentication for its staff without having to invest in additional tokens, cards or biometric readers. As most building access cards are short-range RFID devices, a USB reader connected to the PC can also act as a method for secure authentication to the network. This additional factor can work alongside the standard password for access and ensures that security is tighter overall.

“A less sophisticated approach to convergence, merely re-using building access cards, does not integrate the two systems together. Instead of allowing the IT access system to query the building access server, driven by one security policy, a user within an organisation basically signs into two completely separate, ‘siloed’ systems that happen to use the same smart card. This solution does not allow a truly converged approach of integrating building and IT security at a system level which better allows security policies to be managed and enforced across both the physical and network layers.
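The login-time query of the building access system, the badge-as-second-factor idea and the contrast with merely re-using the card in two siloed systems, worked through as one added Python example. This is not Imprivata's code or anything the page describes in detail: it is a single policy function that verifies the password and the enrolled card serial, then asks a building access system (PACS) query function for the card's badge events and allows the session only if the most recent event within a time window is an entry at the same site as the workstation. The PACS query interface, the in-memory badge log, the users, sites, card serials and the 14-hour window are all constructed for the example. The policy fails closed when the PACS cannot be reached, treats a badge-out as ending presence, does not let the previous day's badge-in carry over, and exempts enrolled remote workers logging in from outside the building, where there is no badge event to check. The card serial is used as an identifier for the possession factor, not as a secret, which is why the password check stays in place.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Callable, List, Optional
import hashlib, hmac, os

class Decision(Enum):
    ALLOW = "allow"
    DENY_BAD_PASSWORD = "deny: password mismatch"
    DENY_CARD_MISMATCH = "deny: presented card is not the one enrolled for this user"
    DENY_NO_BADGE_IN = "deny: no recent badge-in on record (tailgating, stale entry or off site)"
    DENY_BADGED_OUT = "deny: most recent badge event is an exit"
    DENY_WRONG_SITE = "deny: badged into a different site than the workstation"
    DENY_PACS_UNAVAILABLE = "deny: building access system unreachable (fail closed)"

@dataclass(frozen=True)
class BadgeEvent:
    card_serial: str
    site: str
    direction: str          # "in" or "out"
    at: datetime

@dataclass(frozen=True)
class User:
    card_serial: str        # serial of the building access card enrolled for this user
    salt: bytes
    password_hash: bytes
    remote_worker: bool     # may log in from outside the building, where no badge event exists

class PacsUnavailable(Exception):
    pass                    # the building access server could not be queried

def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)  # modest count for a demo

def make_user(password: str, card_serial: str, remote_worker: bool = False) -> User:
    salt = os.urandom(16)
    return User(card_serial, salt, _hash_password(password, salt), remote_worker)

def decide_login(user: User, password: str, presented_card: str, workstation_site: Optional[str],
                 now: datetime, pacs_query: Callable[[str, datetime], List[BadgeEvent]],
                 max_badge_age: timedelta = timedelta(hours=14)) -> Decision:
    """pacs_query(card_serial, since) is a hypothetical interface to the building access server;
    the session is allowed only if the card's latest event in the window is an entry at this site."""
    # Something you know: constant-time compare of the password hash.
    if not hmac.compare_digest(_hash_password(password, user.salt), user.password_hash):
        return Decision.DENY_BAD_PASSWORD
    # Something you have: the serial read by the USB reader must match the enrolled card
    # (a serial is an identifier, not a secret, so the password check above stays).
    if not hmac.compare_digest(presented_card.encode(), user.card_serial.encode()):
        return Decision.DENY_CARD_MISMATCH
    # No workstation site means a login from outside the building (e.g. VPN), which only
    # enrolled remote workers may do; everyone else must be on site with a badge-in.
    if workstation_site is None:
        return Decision.ALLOW if user.remote_worker else Decision.DENY_NO_BADGE_IN
    try:                                      # physical presence: ask the PACS, fail closed
        events = pacs_query(user.card_serial, now - max_badge_age)
    except PacsUnavailable:
        return Decision.DENY_PACS_UNAVAILABLE
    events = sorted((e for e in events if now - max_badge_age <= e.at <= now), key=lambda e: e.at)
    if not events:
        return Decision.DENY_NO_BADGE_IN      # walked in behind a colleague, or yesterday's entry
    if events[-1].direction != "in":
        return Decision.DENY_BADGED_OUT       # left the building and came back without badging in
    if events[-1].site != workstation_site:
        return Decision.DENY_WRONG_SITE       # badged into another site than this workstation's
    return Decision.ALLOW

def in_memory_pacs(log: List[BadgeEvent], available: bool = True):
    """Constructed stand-in for the building access server's query interface."""
    def query(card_serial: str, since: datetime) -> List[BadgeEvent]:
        if not available:
            raise PacsUnavailable()
        return [e for e in log if e.card_serial == card_serial and e.at >= since]
    return query

# Constructed data: 13:00 on a workday, that day's badge log, and five enrolled users.
NOW = datetime(2007, 3, 14, 13, 0)
BADGE_LOG = [
    BadgeEvent("A1B2C3", "HQ", "in", NOW.replace(hour=8, minute=30)),   # alice badged into HQ
    BadgeEvent("C0FFEE", "HQ", "in", NOW.replace(hour=8)),              # carol in at 08:00 ...
    BadgeEvent("C0FFEE", "HQ", "out", NOW.replace(hour=12)),            # ... and out at noon
    BadgeEvent("D4D4D4", "DC1", "in", NOW.replace(hour=9)),             # dave badged into site DC1
]                                                                        # bob: no event, he tailgated
USERS = {"alice": make_user("correct horse", "A1B2C3"), "bob": make_user("battery staple", "B0B0B0"),
         "carol": make_user("hunter2", "C0FFEE"), "dave": make_user("s3cret", "D4D4D4"),
         "erin": make_user("roadwarrior", "E5E5E5", remote_worker=True)}

def demo() -> dict:
    """Run the policy over the constructed cases; returns case name -> Decision."""
    live, down = in_memory_pacs(BADGE_LOG), in_memory_pacs(BADGE_LOG, available=False)
    def d(name, pw, card, site, now=NOW, pacs=live):
        return decide_login(USERS[name], pw, card, site, now, pacs)
    return {
        "alice_ok": d("alice", "correct horse", "A1B2C3", "HQ"),
        "bob_tailgated": d("bob", "battery staple", "B0B0B0", "HQ"),
        "carol_badged_out": d("carol", "hunter2", "C0FFEE", "HQ"),
        "dave_wrong_site": d("dave", "s3cret", "D4D4D4", "HQ"),
        "erin_vpn": d("erin", "roadwarrior", "E5E5E5", None),
        "alice_wrong_card": d("alice", "correct horse", "B0B0B0", "HQ"),
        "alice_next_day": d("alice", "correct horse", "A1B2C3", "HQ", now=NOW + timedelta(days=1)),
        "alice_pacs_down": d("alice", "correct horse", "A1B2C3", "HQ", pacs=down),
    }
```

Calling demo() returns one decision per constructed case: only alice (badged into HQ that morning) and erin (an enrolled remote worker with no site) are allowed; bob, who tailgated, is denied even though his password and card are correct, and carol is denied because her last event is an exit. What makes this converged rather than siloed is that the IT side never decides on its own: the same policy function owns both factors and the presence check, and it asks the building system before granting the session.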

Converged access control

“Businesses may have to look at their approaches to managing these areas as well. Traditionally the facilities management department would cover the physical side of things, while IT would be handled by the IT manager and his or her team. As these two divisions would normally have completely separate budgets and targets to meet, there would be no reason for them to co-operate on projects.

...continued on p10

Chip Talk: Where leaders of the smart card revolution air their views

Managing access control – combining physical and logical security

Access has traditionally meant different things to different people. For the facilities management department, it involves securing physical access points and teaching staff to lock all doors and windows before leaving for the night. For the IT department, it has been a mixture of keeping up to date with the latest patches, dealing with any remote or mobile workers and ensuring that users can only access the applications and data that they are allowed to. However, this situation is changing: organisations are looking at how they can combine physical and logical security to redefine how they manage identities and control access. David Ting, CTO, Imprivata, tells CTT that consolidating user credentials from these two separate systems, converging physical and logical security, gives a better picture of access control and tighter security overall.

Card Technology Today • March 2007, page 9



...continued from p9

“However, this situation is also changing: as more physical security systems are becoming IP-enabled, IT will ultimately be called in to participate in managing the physical security system. A converged approach lets both departments get the information they require, and at a lower cost than would be possible through using disparate systems. It also allows reuse and eliminates overlap of management of security resources, for example card issuance and management.

“At the same time, this convergence of physical and logical access is being linked to other IT security measures. A good example here is single sign-on. Organisations are deploying single sign-on to allow users to login to all their authorised applications, via a single, complex password or strong authentication mechanism. This reduces password management headaches which can account for up to 40 percent of all helpdesk costs, while increasing employee productivity. The ability to integrate a physical security system into single sign-on meets the demand for additional strong user authentication while also creating a certain return on investment from the overall project.

“The term ‘convergence’ has started to crop up across many areas of the IT and physical security landscape. In this case, using building access systems and IT security together can create an infrastructure that is more secure overall, while offering cost benefits compared to traditionally separate solutions. Auditing and reporting within this converged access environment is simpler: having a single overview of security, whether it is to buildings or IT assets, considerably eases the burden of proving that employees are meeting company policy. A converged security system covering both physical access and IT creates an infrastructure where the whole is greater than the sum of its parts.”

Contact: David Ting, CTO, Imprivata, Web: www2.imprivata.com. Imprivata will be demonstrating its products and services at InfoSecurity Europe at the Grand Hall, Olympia, London from 24-26 April 2007.

Global demand for cards continues

The global plastic card industry continues to experience robust growth, with 2005 seeing more than an 11% increase over the previous year in cards manufactured worldwide. Al Vrancart, ICMA co-founder and industry advisor, examines what is driving this growth and highlights which markets are providing the most potential.

Demand for cards is growing across the board. From magnetic stripe cards to smart cards and contactless cards, substantial levels of growth are being experienced. In the retail sector – which is slowly moving from paper-based products to plastic cards such as smart cards – merchants and issuers are continuing to entice customers by introducing new cards in the form of loyalty, gift and financial cards. Furthermore, the pre-paid card market is growing – particularly in the US – and this continues to be a driving force in the plastic card market.

Global marketing survey

ICMA’s annual card manufacturing global marketing survey measures numbers of cards manufactured as well as geographic and market segment volumes in units and dollars. This year’s survey revealed that globally, in 2005, approximately 14.7 billion cards were manufactured, representing an 11.4% growth rate from 13.2 billion cards in 2004. The global card market increased by 11.5% from US$8.2 billion to US$9.1 billion, a result of continued microprocessor chip card growth.

According to the global market survey, North America and Europe continue to lead the way in the amount of units produced and revenue generated. North America is the leader in units manufactured, but is only ranked number four in revenue because of lagging chip card growth. However, this revenue should see an upside residual effect as chip card technology accelerates in North America. Contributing to the growth of units in the US is the continued increase in US citizens’ preference to use plastic for their purchases. In fact, cards now account for more than half of all transactions, up from 29% a decade ago, according to a Nilson Report. More than 1.5 billion credit cards are in US citizens’ wallets, and the average household now has more than ten cards that they can use.

Europe is number one in terms of dollar revenue and number two in units, driven by microprocessor chip cards in the financial and telecoms sectors. The Asia/Pacific card market is number two in dollars and number three in units, driven by China’s increasing demand for cards and chip card growth. Latin America is number three in dollars with continued robust growth, especially in Brazil. Overall, worldwide production capacity has significantly increased. This is in part being driven by National ID programmes being implemented throughout the world. But it is also being helped by the growth in contactless card schemes including contactless credit cards such as MasterCard PayPass and Visa Wave, as well as contactless transportation cards for trains, buses and subways, such as the Oyster card in London.

Card manufacturing statistics

The statistics make interesting reading. According to ICMA’s global survey, traditional cards represented approximately 82% of the units produced and almost 18% of the dollar revenue in 2005. The growing importance of chip cards to plastic card manufacturers is also highlighted in 2005’s statistics, which reveal that 2.6 billion chip cards were produced during the year, almost 18% of the 14.7 billion cards produced. This compares reasonably favourably with 2004’s statistics, which saw 2.3 billion chip cards produced.

There were no great surprises in the regional markets for cards. The North American market, with approximately 7.6 billion cards, remained number one in 2005 with 51.4% global market share. This market share is marginally down on 2004, when it took a 52.1% share of the global market. This should not be of any great concern, however, because the reduction in market share is because of impressive growth in the Asia/Pacific card market rather than a fall in the North American market. Europe also saw its market share fall slightly. In 2005, it retained its position as the second largest market for plastic cards with 3.2 billion cards, which represents 21.8% of global unit market share, down from 21.9% in 2004.

Asia/Pacific is the third biggest region with 2.8 billion cards, which represents 19.2% of the unit market share. This is an improvement on its unit market share of 18.7% in 2004.

Financial card growth is increasing rapidly as companies find innovative ways to use cards to increase loyalty and expand their business. The United States has seen a significant

Card Technology Today • March 2007, page 10