During my recent analyst calls and briefings I came across a bunch of companies and products that all start to tackle an area I have been interested in for quite a while:

getting the "holistic security" approach well beyond the borders of our mindset - beyond the digital realm! Being a CISSP and full of interest for social engineering as well, "security" has always been a wider topic to my understanding. And it looks like the industry is catching up...

First of all, there are those companies that try to bridge the management gap between native systems of both worlds, such as IDpendant. Then there are coampanies such as Imrivata with their SSO appliance or Made4Biz with their "Dynamic Security" product, both of which use combined functionality of established time&attendance (physical access management) solutions together with mechanisms in the IT access management (authentication) domain.

For IDpendant, making the joint administration of access cards (time&attendance with RFID, Legic/Mifare), digital identities and certificates is the main focus - one that I find to be most attractive as lifecycle management for cards and certificates has only recently be added to the functionality of the Identity Lifecycle Manager, property of Microsoft. Microsofts solution does lack the "physical" side though, and that is where the XML oriented middleware kicks in that IDpendant uses to get things together. Getting the RFID object out of the card and writing it to a field in the AD while creating a certificate through the CA at the same time AND getting the card layout printed to the blank card (personalization) is a pretty nice piece of integration work.

Now that Imprivata and Made4Biz are able to get the "attendance" part of the physical solutions as input for their authentication process. the "real integration" of the realms seems to be getting closer! Users can only log in to their workstations if they have previously swiped their access card - nice! Even if users share their passwords, misuse is countered through the deactivation of "absent employee users".

Well, not all that shines is gold (uhh, german sayings...) - there are definitly flaws to that approach, but I see rising interest the topic...

Would love to hear from you guys - thoughts, comments?

PS: on a sidenote, Imprivatas "ProveID" concept is pretty cool - it actually provides IAM technology (authentication, that is) for applications without the need to implement that for each app. Quite the idea behind our KCP vision of layered IAM - simply an authentication layer that pops up any time you need it!