When it comes to physical security and information security, practitioners regularly talk about convergence, yet they're not always on the same page. In fact, they are not matching up. Post-9/11, there was a heightened sense of awareness about the need to better fuse physical and information security.
We saw a lot of discussion about the need for such, and some companies even merged these two aspects. The role of the CSO emerged as a must-have for these companies. But more than six years after the tragic events, what is being touted as "convergence" is really just integration.
On the physical security side, all we saw was migration - moving physical security sensors from stand-alone communications to IP networks. The only "convergence" here is a common migration to IP networks.
What had been proprietary (data formats) over proprietary (communications) has now become proprietary over IP (PoIP). To date, the physical security sensor vendors have ignored many of the lessons learned on the information security side: the notion that proprietary equals evil, while open standards are good.
So far, there is little integration even on the physical security side. What is apparent is the elimination of stovepipes for the sake of efficiency and the migration to IP networks, resulting in better device management.
But most physical security sensor vendors have their own "standards" and do not integrate their data with other physical security sensors. A couple of vendors "get it" and are working to integrate disparate physical security sensors' data through their own normalisation engines, but this lesson is currently being ignored by many vendors and their, sometimes short-sighted, interests.
On the information security side, convergence seems to have been forgotten altogether. What has been happening, and still is, is integration that is being done in the name of eliminating YAPP (yet another point product).
We see this integration at the gateway in the form of universal threat management (UTM) appliances. We see it on the endpoint in the form of endpoint protection suites. Elimination of YAPP is being done not only to reduce the number of devices (and improve device management) but, more importantly, for better data management.
Look at what happened in recent years in information security and what you see is in fact integration within information security systems.
An obvious example here is SIEM (security incident and event management). On the physical security side, the concept of SIEM is still embryonic. There are very few physical security vendors that appear to understand the concept, and even fewer whose products demonstrate such an understanding.
Contrast that with the information security side of the market, which is mature and growing. But the SIEM growth on the information security side is not towards inclusion of physical security sensor data, but towards further integration on the logical side.
For example, "information security SIEM" is moving beyond traditional IT infrastructure security to include networking operations data, for example network behaviour analysis, and integration with data leakage prevention to provide multi-dimensional analysis (events plus other IT data sources).
What "information security SIEM" has not included so far is data from physical security sensors. And why should it? As of now, only one strong case of converged data has been articulated: confirming whether remote access is in fact remote physically.
So, what has been dubbed (and hyped) as "convergence" is really just integration within information security and, to a far lesser extent, within physical security.
What has not happened to date is integration between physical and information security. That would rightfully be called convergence. So the next time you see or hear the word "convergence" being hyped, think about what is really being presented to you.
- Tim Mather is chief security strategist for RSA Conferences.
Let's get physical
By Tim Mather on May 26, 2008 10:31AM