So what role does security technology play in site selection and management today, and what do site selectors need to know? For starters, while facility security will almost always include good locks and roving security officers, the facility security industry has added advanced information technology with a futuristic flair, specifically through biometrics. The science of studying the physical characteristics of someone's finger or hand print, eye structure, or voice pattern, biometrics is usually implemented at higher levels of security, according to Tim Callan, group product marketing manager for VeriSign. For instance, VeriSign, which provides security against identity theft, phishing, and online fraud, uses biometrics to access some departments within its own organization. "We require a biometric screening to get into our Tier 3 level," says Callan. "Everyone [entering the area] has to go through a door, through a hand scan, and through another door. That is something our practices folks have determined is necessary for our level of security need."
But, according to Mark Peterson, director of iTD (intelligent technology design) resources for HID Corporation, "It takes special knowledge to operate a biometric. Fingerprints can be difficult to enroll and people can have physical characteristics that make use of some biometrics difficult." Callan agrees. "The trouble with biometrics," he says, "is they are expensive and difficult to implement, and they are not as reliable." Thus, many companies either forgo biometrics completely or use them in multifactored authentication alongside two of the biggest trends in IT security today - digital certificates and smart cards.
"While technology that reads retinas or a thumbprint sounds cool, it requires physical hardware and people to read the outputs, so it can be expensive," says Jerald Murphy, vice president and service director for the Robert Frances Group. "A digital certificate is much more flexible, more reliable, and less expensive." A digital certificate is an attachment to an electronic message that verifies the sender is who he or she claims to be. The recipient is able to decode the digital certificate attached to an electronic message, verify the sender's authenticity, and send an encrypted reply. In other words, digital certificate technology verifies that both sender and receiver are who they say they are, and more and more companies are employing the technology. To illustrate the importance of this security technology, and the fear that companies feel toward cyberterrorism, consider this: the MSBlaster computer virus caused $2 billion in damage in just eight days, and the MyDoom computer virus caused $4 billion in damages.
Smart cards are another line of security defense. Most of us are familiar with the smart card, the plastic card issued by a company to give us access to buildings and departments by swiping the card through a reader. What makes today's smart cards so powerful is the advanced technology in applications and flexibility. "We were limited by space in the old technology," says HID's Peterson. "Today, they actually exchange passwords back and forth, so the data is more secure in a smart card environment."
Now more solutions are available, such as access into a facility, access to copy machines, cashless vending, time and attendance counts, and production control to regulate machinery. "So now the card you use for access control, which is a security component, also becomes valuable in the operation of the organization," says Peterson. "It could be a source of revenue, making things more streamlined and easier to track." What's more, according to Peterson, the cost to implement smart cards throughout an organization has dropped. Companies using smart cards now have the same deployment, but with higher security and higher flexibility of formats, for virtually the same price.
This multifactored authentication, whether it is a combination of biometrics, digital certificates, smart cards, or other security measures, seems to be the best security practice. A multifactored authentication might include swiping a smart card, punching in a number on a pin pad, and then having a machine read a hand or thumbprint - "so I have to have something I carry, something I know, and something I am," says Peterson.
All of which brings us to convergence. With multiple security access points and multiple technologies in play, electronic and physical security operators are finding their environments merging. "People who have IT networks are asking, 'Why can't we just incorporate all of our security into the same company-wide network?'" says Jennifer Hart Ackermann, director of marketing for the Security Industry Association. "But it takes some doing because they are disparate systems."
As might be expected, convergence has created logistical and security issues for security personnel, facility managers, relocation specialists, and IT executives. "When telephone networks and data networks are separate, and either one is compromised, rarely would it cause the compromise of the other," says Murphy. "But when we converge things and they go across the same network, and that network gets compromised, everything is exposed."
Convergence is now requiring a balance between the security personnel who want to shut down access and other company executives who want to provide seamless access to business processes. "Companies want to open more interfaces to give [employees and customers] places to interact, conduct business, and potentially make money - which is, of course, a security manager's nightmare," says Murphy. He suggests that companies ask, What is the business benefit to opening this point of exposure compared to the risk? And how much is it going to cost to mitigate that risk? "Frankly, a lot of companies have said the risk is too great," he says.
Cost is also playing a role in today's converging security environment. "If everything can be on one network, and one is half of two, it ought to be cheaper to put things on one network as opposed to two," says Murphy. "But if you already have two, it costs you money to make two into one. Just because I can technically do something doesn't mean it makes business sense to do so."