Analysis: Physical/Logical Security Convergence

So Who Should Take The Plunge?

Some enterprises are better suited to convergence initiatives than others (see "Should you Follow the Feds?" below). Large organizations with high overhead related to maintaining user data and identities will get the most value, and convergence makes the most sense in highly regulated organizations, where access-control rules and requirements are well-defined.

"An organization must understand what data needs to be protected, otherwise access-control initiatives are just for show," says Benjamin Jun of Cryptography Research.

The biggest indicator of success? How wide the technology chasm is between currently deployed technologies and ideal convergence. Take a common technological baseline of convergence: dual-interface contact and contactless smartcards containing signed identification data, and a user certificate protected by a PIN and/or biometrics. Facility doors should use a contactless reader, while desktop PCs may use either contact or contactless.

A card-management system is necessary to maintain the fleet of smartcards, and you need a certificate authority to handle certificate signing and revocation. By the time you deploy those two elements, you've nearly committed to a full public key infrastructure--adding the remaining PKI elements lets existing apps leverage the new user ID credentials. Finally, an ID-management system may be required to integrate, or "front end," disparate user databases scattered around the organization.