Convergence of Physical and Logical Security

In my very first blog entry back in February, I wrote briefly about the convergence of physical and logical security. I didn't know much about the topic at the time, but I had a feeling that it was important. The entry is unfortunately a fairly uninteresting and un-informative piece of writing, but it seems to continuously generate a significant amount of activity to my blog. And it's not just me - I'm starting to see articles pop up everywhere that the security discussion is taking place. It's a hot topic.

Throughout 2006, it has become more and more obvious that this convergence is a vital part of securing the enterprise. Since joining RSA on the first of this month, the number of convergence conversations I've been a part of has definitely increased. RSA offers smart cards and card management software that enable organizations to deploy a single authenticator that stores multiple credential sets for use across both physical and logical security. So, that's probably why I'm hearing more about it.

If you're interested in learning more about RSA's offering, take a look at this webinar: The Future of Authentication

I unfortunately don't have any new insights to offer on this topic, but I thought it was simply worth saying that if you're responsible for securing an organization, you ought to be thinking about this. And to put together some info on the topic since people seem to be coming here for info.

A few related articles:

• CSO Fundamentals: ABCs of Physical and IT Security Convergence, CSO Online
• The Convergence of Physical and IT Security, by Fran Howarth (Sept. 11, 2006)
• Security Convergence, by Thomas Hoffman (Feb. 13, 2006)
• The Convergence of Logical and Physical Security Solutions, by Brian T. Contos
• Ten Steps for Assisting Malicious Insiders, by Brian T. Contos

Happy converging...

First Week at RSA

I had an interesting and busy first week at RSA. It's no surprise that I met some extremely bright people. I spent my first few days in Phoenix working with an internal team and managed to speak with a few customers as the week progressed. Some of the very cool ideas I've already heard include:

• Providing Network Access Control using machine certificates. The idea here is that you can't plug in a machine without a proper cert and gain access to the network. RSA has certificate management software that makes this solution a reality. The cert can be based on a specific hardware profile so getting your hands on the cert won't help. It's simple and effective.
• Risk-Based access control or what RSA calls Adaptive Authentication. This is about adding an additional dimension to the authentication process. Not just what you have and what you know, but where are you right now? Or from which device are you attempting to gain access?
• The business value of implementing Federation as a way to reduce bandwidth on the LAN. It never even occurred to me until one of my new colleagues pointed it out. Why tie up your global WAN with unnecessary packets (and spend your budget on increasing infrastructure) when you can leverage the web to pass access rights to overseas applications using a simple Federation solution?
• RSA also has a nice key management utility for organizations that need to build encryption into software solutions but don't want to assume the burden of: 1) designing a secure encryption solution. 2) securing the encryption keys for use by the solution. Or worse yet 3) managing the on-going key life cycle. Keys can be shared amongst applications and re-generated on a schedule to reduce the risk of the keys being compromised.

Needless to say, I'm already getting very busy. I have a lot to do and I have to say I'm invigorated by the new challenges. ...until next time.