By Michael Lawton
As Information Technology continues its victorious march through our daily lives, many functions are having to be rethought from the ground up. Take access control: once a lock was fitted to a door; now that lock may also have to be fitted into a computer network. And that means new questions have to be asked . . . and answered.
"We're in a transition between the old way of dealing with security and the new," says Mikael Wassdahl, Chief Security Officer for IT consultants WM-data in Stockholm. He's currently looking at various access control solutions for his company and experience has taught him that any system which is on a network has to be examined for its IT compatibility just as much as for its other functionalities.
"Nearly three years ago," he says, "when I was in charge of both IT and security in the company, we bought a camera surveillance system. I made the mistake of looking at it just as a video system, but then Microsoft stopped supporting Windows NT4 and we as a company decided not to buy in support. Unfortunately, the surveillance system couldn't be upgraded. I've learnt from that experience that, from now on, I'll always see security as an IT issue."
The problem in that case was solved by putting in an extra firewall, but that meant the surveillance system was no longer as accessible as it should have been.
Approval for the network
Anders Borg, R&D Manager Software Platforms at ASSA ABLOY, perfectly understands Mikael's position. "IT managers tell you, 'Nothing comes on my network which I haven't approved,' and that's quite reasonable," he says. "They want to know how it could disturb their network, and once it's installed they need to know what they have to do with it. Does it need backups? Can they run it on their database?"
That's exactly what Mikael wants to hear. "The supplier has to be able to communicate with us as to how the system is configured and updated. We should only need to see if it complies with our systems, and then deal with any differences there might be between our world view and theirs."
But Mikael is most worried about security in the IT system, and, paradoxically, he's not convinced that security companies really understand the issue. "There's some kind of a paradigm switch going on," he says. "Security companies are moving into the IT sphere, but there are not that many IT companies moving into the business of physical security." He argues that this means that security companies are only first or second generation software developers. "It takes time to develop secure processes," he says.
Increased awareness
Anders is inclined to agree, but he thinks that security companies are becoming much more aware of the problem, especially as integration increases. "Systems are becoming both more secure and more integrated. Our previous system only had very basic encryption. We just assumed it would be run on a separate network."
But for many customers, the convenience of integration is a central argument. Some feel that the fact that access control runs on an intranet makes it secure enough. Anders notes that companies want to use the access control card as a smart card to log in on the computer network, and one company wanted to use the card to record where people were in the building in order to ensure that someone who appeared to log in really was there.
Other systems have CCTV activated as soon as someone swipes a card through a reader. If the card is invalid, a video clip is immediately sent with the log to the security centre.
Such integration carries security risks. Anders says you have to balance security and convenience. But Mikael says, "Everyone is talking about integration, but integration makes you very vulnerable."
Focused attacks
Obviously much depends on the level of security which a project requires. For WM-data, the demands are high. The company writes code for security-conscious customers like banks, and Mikael has to ensure that no hostile code gets into the programmes his company supplies. "Whereas before most risks were due to mistakes or people trying things out," he points out, "now we're seeing more focussed attacks by organised crime. And one way they could get in to a bank's system, for example, is by introducing hostile code into our development process." So WM-data has extremely limited access control to those areas where the code is worked on. "You have to have a very clean developing environment," says Mikael, "and the question I as a buyer would want to ask the security company is: How do you ensure that no hostile code gets into your development process?"
For WM-data, even though access control will be on a separate physical or virtual network from the rest of the system, there will be points of contact, for example where access control and personnel details have to be matched. That means that Mikael has to be certain that the security company takes the security of the development process as seriously as he does. But even if access control were to be entirely isolated from the main network, unathorised access could mean more than just getting a cheap meal in the works canteen: "Anyone with physical access to a server can reboot, interfere with the system and wipe traces," Mikael warns.
At the same time, putting access control on a network can even have some security advantages. WM-data has 85 locations throughout Sweden, and Mikael says they go through a major overhaul of the organisation every two years, with lots of little changes in between. "There's always a discrepancy between the current reality about our organisation and what the access control system thinks it is," he says. "In order to keep the access control up to date, you need information from other parts of the system. And if, for example, someone leaves or changes role, it can take some time for all the authorisations to be revoked. This sort of thing can be done much more efficiently with an IT based system."
Integration, convenience and security
In the end there is no absolute security. You can limit contact between networks by only allowing delayed communication, you can encrypt the data you send, you can limit the number of ports open in your firewall and restrict them to a specific server. The jury is still out on quite how much integration is desirable; some users will insist on as much physical separation as possible, while others will be trying to win the advantage of convenience without sacrificing the central concern of security. Glen Greer, CTO of Shared Technologies at ASSA ABLOY adds the following contribution to the discussion: “What we have seen from several market studies is that convergence will become more important in future security solutions – many systems or services must share the same network without disturbing each other and allowing for maximum possible security. We as a security solutions provider are aware of the issues that the future development will impose on us and are working extremely hard to accommodate our customers’ high standards on security requirements.” What is clear is that you can expect to hear more about this topic in coming newsletters at ASSA ABLOY Future Lab.