Linking Physical and Logical Security

There is more and more rumblings within the industry of late about the convergence of physical and logical security within the enterprise. Nishant mentions it here, pointing to a piece by one of his colleagues, Anshu Sharma, here.

As yet, I haven’t seem a good definition of exactly what people refer to when they talk about physical to logical security. In my mind there are a number of different potential meanings.

1) A Single Authenticator with a Single Authentication Method
With this method, the most simple method of convergence is shown. Here, the user is given a single ‘token’ to use for authentication. This may be in the form of a  proxy authentication (see Phil Beckers article here on proxy authenticators) e.g. smartcard, RFID token or magnetic strip card etc. However, it might also be in the form of a actual identifier such as a biometric, e.g. fingerprint, retina etc.

Using this method, the user would use their authenticator to access the building using the physical access control (swipe card reader, HID reader etc) and then they would also use the same authenticator to sign-on to their PC. There is no connection between the two systems other than the fact that they use the same authenticator.

2) A Single Authenticator with Multiple Authentication Methods
This method is similar in concept to the first idea above. However, in this scenario the user may have a single authenticator but use different methods of authenticating with it. For example, with a proxy authenticator, the user may have a single card which has a smartchip on it but also HID built into it. They may use the HID to access the building but then put the card into a smartcard reader on their PC and use the information on the smartchip to log into the network.

3) Multiple Linked Authentication Methods
This method extends the above two methods by linking together the two instances of authentication instead of treating them as two separate entities. Using this approach, the user would use their physical authenticator access the building and pass the physical security. The user would then use a second authenticator to log onto the network. However, the software on the PC would check to see if the user had passed physical authentication before allowing them onto the network. If the user hasn’t ‘swiped’ through the door, they will not be allowed to log on. Similarly, if a user has ‘swiped’ through the door, they might not be allowed to authenticate a remote VPN connection to the network. The software can be tuned to ensure that you have not only ‘swiped’ into the building but that you have also ‘swiped’ into the correct part of a building (think about shared office buildings).

4) Single Linked Authentication Methods
This variation on the previous method uses a single authenticator
for both the physical and logical controls instead of separate
authenticators. Therefore, the user would authenticate to the physical
security using an authenticator such as the chip on a smartcard. The
user would then use the same chip on the smartcard to access their PC
and log onto the network.

To me, when we are talking about converging physical and logical the only real benefit to security comes when you are using methods 3 or 4 above. Depending on your scenario you may want to try and move towards a single method of authentication. Alternatively, you may (and probably will) want to look at using multiple levels of authentication. Think about a typical office environment. You will probably have different parts of the building that are more sensitive than others. Therefore, does it make sense that a user should use different, more trusted levels of authentication to access the sensitive parts of the building. What about the PCs in those sensitive areas? If you require biometric to access the sensitive area at the point of entry, doesn’t it make sense that you might also expect a higher level of trust when accessing computers within that sensitive area.

There are some very interesting alliances emerging between companies trying to bridge the gap between physical and logical security. I think that this area will gain popularity quickly as people start to realise the true benefits you can receive from the combined approach.


Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.