CA Pushes New Physical And IT Security Interoperability StandardCA Pushes New Physical And IT Security Interoperability Standard

Computer Associates is spearheading an initiative to create a standard that will allow physical security devices, such as building access cards, to interoperate better with traditional IT security applications, such as provisioning and access management apps and smart cards used to access IT resources.

At the RSA Security Conference in San Francisco, CA unveiled the Open Security Exchange, which it defined in a statement as "a collaborative group that is defining best practices and promoting vendor-neutral specifications for integrating the management of security devices and policies across the enterprise."

So far, the Open Security Exchange consists of only a handful of founding member companies: Computer Associates, which sells its eTrust line of security software; smart-card maker Gemplus; HID, which makes building access devices; and Tyco Fire & Security's Software House, which provides integrated physical security management applications.

Some attendees questioned whether CA's announcement was truly about creating an open standard to exchange physical and IT security information, or a veiled partnership announcement around CA's pending eTrust 20/20 application, which is designed to collect information from various security applications, including building access. CA says eTrust 20/20 will adhere to the exchange's standards. CA unveiled eTrust 20/20 early last year and the application is in testing.

When asked if the exchange's specifications, available for download at http://opensecurityexchange.com, would be submitted to an existing standards organization, Russell Artzt, VP of CA's eTrust security brand, said the company would work with groups such as Oasis to formalize the new standard. No timeline for submission of the specification was offered.

The government has been working on methods to combine building access cards and IT access cards for some time, but analysts say progress has been slow. People at the Defense Department are still walking around with two access cards around their neck, one for building access and one for IT access, says John Pescatore, VP and research director at Gartner.

But, analysts say, there are benefits to making the disparate technologies interoperable. To this day, there are still big integration challenges between building access and IT access devices. And, because physical access logs and IT security logs aren't standardized, it's difficult to conduct forensics analysis, which combines both physical location and IT access, in a way that would stand up in court should an investigation lead to prosecution.

However, while dozens of companies sell provisioning and ID-management applications, Computer Associates is the only one that sells access-management software and is currently a member of the Open Security Exchange. "There's definitely a long way to go as far as getting IT industry support for this," says Eric Ogren, a senior analyst at the Yankee Group.

When asked about the lack of other major IT companies, CA's Artzt said other software and hardware companies would play a role in the ongoing development of the exchange. He even said IBM, a major provider of access-management software and a competitor to CA, had an "open invitation" to join.

Regardless of whether Open Security Exchange turns out to be a true independent forum for open standards, the need for physical and IT security interoperability is real, experts say. "Anything that can be done to improve interoperability is a good thing for the industry," says Spire Security analyst Pete Lindstrom. Gartner's Pescatore agrees, saying CA's announcement pushes it "further than anyone else has done to address this problem."