Digital security has not eliminated the need for physical measures and there's a range of convergent products out there.
Although IT security is taking a more central role in many boardrooms, due in part to highly-publicised data breaches, physical security is still perceived as a different world, populated by security guards, metal fencing and wheel clamps. However, while digital security aims to defend data itself from external attackers and internal threats, if physical security is neglected then firewalls and IPS/IDS will not be sufficient to stop an intruder walking away with your company crown jewels. In addition, as IT departments face increased security responsibilities and decreased budgets, many aspects of physical security are becoming part and parcel of the job description.
Physical security is commonly thought of in terms of environmental security measures, such as barbed wire, fencing, site lighting as well as concrete bollards and metal barriers, but there is a huge variety of technologies on the market.
Managing legitimate entry to the business through access-management measures and monitoring unauthorised intrusions are increasingly digitised. The convergence of technology is eroding the barriers between digital and non-digital security, lowering costs by utilising existing enterprise IP infrastructure, as well as maximising efficiency and raising overall performance levels. SC identifies the greatest areas of convergence and some of the latest products.
Just as IT security in the enterprise begins with a user name and password, physical security begins with an ID card.
This is the key area where digital integration offers rewards, as traditional magnetic-stripe ID cards are easily copied, spoofed or stolen. Additionally, without a practical system to issue and repudiate cards when employees leave or contractor employment periods end, the system's reliability fails very rapidly.
A centralised HR database is a common solution to this problem. It allows the issuing of a card or token that users can employ to access specific physical areas for set periods of time, and it can also give them access to computer resources.
Many smartcards and tokens offer the ability to include an RSA token or biometric that authenticates the correct person. Many support non-reputable digital signatures, especially useful in regulated environments to verify that a person did approve or take the action.
Some cards, such as the Mifare range deployed in London Transport's Oyster card system, also enable wireless authentication via RFID. Other vendors, such as Clover, offer magnetic-stripe cards, proximity and hands-free cards and tokens as well as smartcards.
Of course, in addition to the administration of the cards themselves, a network of card-readers is required. Smartcard-readers such as Vasco's Digipass 855 offer multiple authentication functions including EMV-CAP (chip authentication program) and PIN entry, which can be used for PKI-based authentication, digital signatures, and to enable access to corporate networks.
In many cases, small and medium businesses are opting to outsource much of the admin and technical expertise required to set up and administer a card or token service. Managed authentication services allow an end user customer to set the system up, allocate and deploy tokens, manage the process of adds, moves and changes and produce activity reports via a secure portal.
In high-security areas, the use of biometrics to authenticate the holder of a pass has been common for some years. However, falling costs of biometric technology and increasing maturity of various technologies have made them viable options for a growing range of companies.
A recent Unisys survey found that the UK is particularly keen on biometric verification, with 75 per cent of UK residents willing to allow banks, government agencies and other organisations to take fingerprints in order to verify their identity, compared with 59 per cent in France, 62 per cent in Germany or 63 per cent in Italy. UK police forces will be issued with mobile fingerprint scanners as part of a scheme called Project Midas (‘mobile identification at scene'), due to roll out nationally within the next 18 months.
Early systems relied purely on fingerprint biometrics, but later systems can use a variety of identifiers, including the iris of the eye, blood vessels and measurements of facial characteristics. Some, such as AdmitOne Security's keystroke dynamics technology, rely on detecting behavioural characteristics, such as typing style. By measuring the unique rhythm of how a person types, it can provide an extra layer of authentication.
The PalmSecure from Fujitsu detects the pattern of an individual's veins in the palm of their hand. The sensor emits an infrared beam towards the palm, which is absorbed by the blood flowing through the veins on its way to the heart. The pattern of the veins is then encrypted and stored in a database or a smartcard.
Every person has a unique structure and positioning of veins and this does not change throughout the lifespan of the individual. Additionally, the individual needs to be alive and well to be authenticated, a condition that fingerprint recognition doesn't necessarily require. The technology has even been embedded in a mouse, allowing users to be transparently authenticated.
Although biometric-based authentication technologies are increasingly common, there are several barriers to enterprise deployment. Depending on the environment, systems are susceptible to false acceptance and/or rejection errors. And the collection and storage of biometrics can be a sensitive issue, if not correctly handled.
The UK boasts 20 per cent of the world's CCTV units, with more than four million security cameras. Worldwide, the market for IP and networked video surveillance grew nearly 50 per cent in 2007, to approach $500m, according to researchers at MultiMedia Intelligence.
Perhaps not surprisingly then, digital CCTV is a hot topic, offering the promise of video capture, playback and storage over existing enterprise networks, as well as the enhanced performance offered by HD products.
For example, Axis Communications is marketing the Q1755 network camera that claims to offer true HD TV performance as well as quality images, even for fast-moving objects – and in all lighting conditions. The importance of HD's increased resolution becomes clear when used to monitor complex environments where greater detail on demand can be vital.
The latest CCTV implementations are frequently based on IP CCTV, due to its flexibility and potential quality. A recent rollout at Bolton Wanderers' Reebok Stadium consisted of 40 IP CCTV cameras, allowing health and safety officials to achieve visibility in parts of the ground that had previously been unreachable. This has enhanced levels of security and safety for fans and employees during match days, according to stadium officials. The Cisco IP infrastructure also carries an IP telephony service.
As consumer technology has migrated towards digital storage, so has CCTV, with many hybrid solutions on the market designed to bridge the gap between legacy systems and IP technology. For example, digital recorders designed to work with both analogue and digital cameras can remove the need for complete re-cabling.
IPTV technology has matured significantly, replacing the confusing multitude of compression standard choices with common, multi-mode formats that enable footage to be delivered over the internet to any video-capable device, from a laptop to a smartphone.
IPTV can also be used in conjunction with an intrusion detection system to filter out false alerts. Most police forces require an alarm to be verified before they will respond, and video evidence of intruders is a vital tool in proving this.