Security convergence -- integrating building- and IT-access systems -- is supposed to make life easier for everyone: IT, building security staff and employees coming into the office each day.
But two big questions loom:
- Will security convergence force employees to change their routines and learn entirely new ways to work, thereby lessening productivity before it can be improved?
- Can security convergence be used by organizations to enforce policies that have been unenforceable previously and therefore not truly effective?
If the answer to the first question is yes, that's a death knell, because people's resistance to change has already rendered many security advances irrelevant. So it is incumbent on vendors to deliver systems that are not just functionally useful but also behaviorally digestible. Processes have to be very similar to what employees are doing already.
Subtle behavioral changes will be forced by the shift to a converged system, but the changes should build on familiar technologies and processes rather than require a complete re-education. Done correctly, convergence takes advantage of existing physical and IT infrastructure and technologies.
For instance, if employees flash badges at door sensors when they enter a building, requiring them to do something similar to get into applications will be better received than would be forcing them to punch in a new number at the gate every day and then remember a password that changes daily to gain access to the resources they need.
To accomplish this change in the least disruptive way, physical and IT security systems are best integrated at the system level, merging them with minimal disruption. Using existing security infrastructure minimizes reinvestment requirements and extends the ROI of that infrastructure.
Employees may still need to learn some new procedures. However, extending physical-security technologies, such as ID badges, for use with IT security to protect logical assets, such as data, applications and networks, can result in stronger overall security that's established via nonintrusive means.
Regarding the second big question about whether security convergence can help organizations enforce policies that have been unenforceable -- in short, the answer is yes.
Many technology chiefs have put organizationwide security policies in place to try to eliminate bad behavior, only to find these policies difficult to enforce.
Converged security systems can help. Take tailgating, for instance: one employee follows another into the building without signing in or badging in. Unless the organization has deployed burdensome (and expensive) turnstile or man-trap systems, which are disruptive to the entry and exit of employees, there is little that can be done to enforce an antitailgating policy.
In the absence of turnstiles, it may be socially awkward for an employee not to hold the door open for the next person. If building access were tied to employee access to network resources, on the other hand, staff would be more inclined to badge in each day, strengthening physical security while also better protecting access to information assets.
In addition, converging physical and IT security systems can lead to one access and authentication policy per employee. That's particularly handy in the case of termination, forced or voluntary. Handing in an ID badge addresses both building and IT access.
There will be no worries about former employees retaining logons or passwords they can use to access company files. That again improves security as it enforces existing policies.
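The two enforcement cases above (network logon gated on a same-day badge-in, and a handed-in badge revoking both building and IT access) as a small policy evaluator. This is an added example, not code from the article or from any Imprivata product; the employee records, the 12-hour window and the timestamps are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Employee:
    employee_id: str
    badge_active: bool = True                       # False once the badge is handed in
    badge_ins: list = field(default_factory=list)  # door badge-in timestamps


class ConvergedPolicy:
    """Network logon requires an active badge plus a badge-in within `window`."""

    def __init__(self, window=timedelta(hours=12)):   # window is an assumed value
        self.window = window
        self.employees = {}

    def add_employee(self, employee_id):
        self.employees[employee_id] = Employee(employee_id)

    def record_badge_in(self, employee_id, at):
        emp = self.employees.get(employee_id)
        if emp is None or not emp.badge_active:
            return False                            # unknown/deactivated badge: door denies
        emp.badge_ins.append(at)
        return True

    def terminate(self, employee_id):
        # Handing in the badge revokes building and IT access in one step.
        self.employees[employee_id].badge_active = False

    def check_logon(self, employee_id, at):
        emp = self.employees.get(employee_id)
        if emp is None or not emp.badge_active:
            return False, "badge inactive or unknown"
        if not any(timedelta(0) <= at - t <= self.window for t in emp.badge_ins):
            return False, "no badge-in within window (possible tailgating)"
        return True, "ok"


def run_scenario():
    """Constructed scenario: e1 badges in, e2 tailgates, then e1 is terminated."""
    policy = ConvergedPolicy()
    policy.add_employee("e1")
    policy.add_employee("e2")
    t0 = datetime(2024, 1, 8, 8, 30)                # constructed timestamp
    policy.record_badge_in("e1", t0)
    results = {
        "e1_logon": policy.check_logon("e1", t0 + timedelta(minutes=5)),
        "e2_logon": policy.check_logon("e2", t0 + timedelta(minutes=5)),
    }
    policy.terminate("e1")
    results["e1_door_after_term"] = policy.record_badge_in("e1", t0 + timedelta(days=1))
    results["e1_logon_after_term"] = policy.check_logon("e1", t0 + timedelta(minutes=10))
    return results
```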
With enabling technologies now catching up with the theoretical concept of converged security, more organizations are discussing the effects on employee behavior -- how it will, could and should change -- and the trade-offs involved. It's commonly believed that you must change behavior drastically to improve security, but that's no longer true. In many cases, subtly changing employee behavior in relation to converged security can transform into widespread acceptance and a commitment to tighter security overall.
David Ting is founder and CTO of Imprivata. He can be reached at firstname.lastname@example.org.