Slowly, physical and logical security integration is creeping onto the radar screens of large enterprises and into vendors' heads as well. While there is the beginning of a buzz around this, not many people have actually done it. I have, twice, at large enterprises.
At one, several years ago, I replaced all the physical access control (PAC) vendors with one that was LDAP compliant. We then wrote scripts from the enterprise directory to provision and deprovision the identities in the PAC. This was expensive to do and time consuming.
At another more recent project, at Toronto Hydro, I convinced and then paid the PAC vendor to implement SPML (Service Provisioning Markup Language) into their code. This is now in test phase. However, this took nearly two years to accomplish and while good, it doesn't exactly fit my model for the future. So what is it?
There are two areas where I think physical and logical security integration is very important:
* Provisioning, role change and deprovisioning of identities
* Integrated logical and physical security ops
Provisioning
In a perfect world, all PAC vendors will code SPML, XACML and LDAP into their products. This will then integrate with the enterprise's IAM systems. However, it is a very imperfect world at the moment.
Most enterprises don't have PAC vendors with this capability. To make matters worse, they often have two, three or several different PACS in their enterprise. Finally, if they do have an IAM implementation and a provisioning system, they almost certainly don't have all the identity types who are issued security badges in their enterprise directories. People like window washers, plant waterers, air conditioning repair men, cleaners, etc., are not using IT systems.
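As an added illustration of the directory-to-PAC provisioning scripts described above (example code written for this page, not Guy's or any vendor's), the reconciliation below compares an enterprise-directory export against a PAC badge list and emits provision, update and deprovision actions; badge holders with no directory identity, the contractors and cleaners just mentioned, are only flagged for review rather than revoked. All field names and the role-to-zone mapping are assumptions, and the sample records are constructed.

```python
"""Reconcile enterprise-directory identities against a PAC badge-holder list."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample data. Field names are assumptions, not any real
# directory or PAC export format.
DIRECTORY = [
    {"uid": "asmith", "status": "active", "roles": {"staff"}},
    {"uid": "bjones", "status": "terminated", "roles": set()},
    {"uid": "cwong", "status": "active", "roles": {"staff", "datacenter"}},
]
PAC_HOLDERS = [
    {"badge_id": "B100", "uid": "asmith", "zones": {"lobby"}},
    {"badge_id": "B101", "uid": "bjones", "zones": {"lobby"}},
    # Contractor badge with no directory identity behind it.
    {"badge_id": "B200", "uid": None, "zones": {"lobby", "roof"}},
]
# Assumed mapping from directory roles to physical zones a badge may open.
ROLE_TO_ZONES = {"staff": {"lobby"}, "datacenter": {"lobby", "dc-floor"}}


@dataclass(frozen=True)
class Action:
    kind: str        # "provision", "update", "deprovision" or "review"
    subject: str     # uid for provision, badge_id otherwise
    zones: frozenset


def desired_zones(roles) -> set:
    """Union of the zones granted by each of the identity's roles."""
    return set().union(*(ROLE_TO_ZONES.get(r, set()) for r in roles))


def reconcile(directory, pac_holders) -> list[Action]:
    by_uid = {h["uid"]: h for h in pac_holders if h.get("uid")}
    actions = []
    for entry in directory:
        holder = by_uid.get(entry["uid"])
        if entry["status"] != "active":
            if holder:  # left the company but still holds a live badge
                actions.append(Action("deprovision", holder["badge_id"], frozenset()))
            continue
        want = desired_zones(entry["roles"])
        if holder is None:
            actions.append(Action("provision", entry["uid"], frozenset(want)))
        elif set(holder["zones"]) != want:  # role change: re-scope the badge
            actions.append(Action("update", holder["badge_id"], frozenset(want)))
    # Badges the directory knows nothing about are never auto-revoked;
    # they belong to a separate authoritative source and get human review.
    known = {e["uid"] for e in directory}
    for h in pac_holders:
        if not h.get("uid") or h["uid"] not in known:
            actions.append(Action("review", h["badge_id"], frozenset(h["zones"])))
    return actions
```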
Security Ops
Then there is the issue of security ops. Almost all the enterprises I know currently have physical security monitored separately from IT and enterprise perimeter defence systems. This is folly in today's age, since smart criminals and foreign enterprises will likely first penetrate the enterprise physically and then commence their attacks internally.
This requires an integrated command console and trained staff who can see physical security overlaid on logical security, on top of a map of the planet, showing them where attacks are coming from, doors ajar, network ports, etc.
Getting all the different enterprise PACS integrated together is hard enough. Creating this new interface on top of that is something that doesn't really commercially exist at the moment.
If you read my papers in the Papers section of www.authenticationworld.com, you'll find a very detailed analysis of all the things that need to be considered for implementing logical and physical security together.
Happy reading!
Regards,
Guy