Imprivata CEO Omar Hussain: Getting Physical With Security

Recent high-profile data breach incidents have placed in the spotlight for many IT departments and corporate executives the importance of innovative solutions for effective identity and access management (IAM) solutions. Imprivata, which specializes in identification and access management appliance solutions, is positioning itself as the vanguard for better corporate security.

Imprivata was founded by entrepreneurs who pioneered identity management technology while working at Polaroid’s small-business division. Imprivata’s security solutions have earned the company a citation by Info Security Products Guide, a publication tracking security-related products and technologies, for its execution of products, people, performance and potential as a “Hot Companies” winner for 2007.

Imprivata’s CEO, Omar Hussain, has strong views on his company’s vision to deliver breakthrough appliance-based authentication and access management solutions. His goal is to provide out-of-the-box functionality and ease-of-use mechanisms to his customers and partners worldwide.

He knows that the odds are still against that happening easily. Forrester Research recently pegged adoption rates at no higher than 30 percent for comprehensive IAM products.

Hussain is convinced, however, that the key to bringing corporate security to its next level lies in fostering a foundation for the convergence of physical and logical security systems. Hussain shared his thoughts on convergence with the E-Commerce Times.

E-Commerce Times: What factors are driving the convergence of physical and logical security systems?

Two things are at the wheel. In the government market it is the legislation that requires both physical and logical (network) security. In the commercial market it is a need for more complete security and for economic concern. But there are no laws requiring this heightened security in this space.

ECT: How critical is the cost factor in considering convergence options?

It is very expensive for a company to change its physical security layout. But this is a necessary expenditure because there is a problem caused by the instant user close out. Procedures are usually in place at many companies to remove a worker from the physical security system when the worker is fired or quits. This involves collecting access badges and canceling keypad codes, etc. But nobody remembers to lock the former worker out of the logical system–the network.

Many companies today have two systems of security running separately. They have the physical building barriers and the logical or network boundaries. But they are not tied together. Often, depending on the industry involved, compliance and reporting rules place additional burdens on securing physical and logical systems.

ECT: What are the barriers that enterprises face in deciding to integrate converged security solutions?

Convergence of physical and logical boundaries has been talked about for years. Until now, implementation approaches were not good for commercial use. Doing a security convergence would require equipment upgrades to new security hardware that cost massive financial outlays.

When corporate executives realize that cost of converging security is not going to lead to adoption, they need a way to leverage what they have to accommodate convergence. The ideal solution would be a one-click button to match up two related identities. For instance, the network log-on is one identity. The building access is the second identity. What is needed is a mechanism to set rules and policies to cover both entities.

ECT: What is it going to take for the industry to see higher IAM adoptions?

That is a philosophical issue. There are two or three real drivers to achieving this. On the network side we need to add another form of access recognition — tokens, etc., to bolster a strong authentication. On the physical side we need a solution to the employee tailgating problem. This is a big, big problem. It occurs when a worker uses his access card or password to enter a controlled access and is followed in by others who may or may not be authorized to enter with him.

Either way, there is no record of the additional access and presence in the physical system. We also need a way to prove who is in the building using a login on the logical side, the network.

ECT: Isn’t this similar to previous security concerns when corporations ventured onto networks?

Yes, in the early days of network security, companies had to rely on firewalls to protect the network from outside intrusion. At first it was too expensive for all companies to deploy so nobody but banks had firewalls. Now firewalls are so ubiquitous that they are built into network routers.

At the start of the network security process, purchasing firewalls was impractical for many companies. The same thing is happening with the need to deploy convergence. The cost has to come down and the complexity has to go away. Then convergence will happen just as hardware and software security via firewalls and routers got accepted into mainstream business.

ECT: How do you see the market potential for accepting new measures for security?

We face a huge untapped market. The logical side is all secured at the perimeter with multi-layered solutions. On the physical side there are cameras and keypads, etc. There is no system available today to identify the user in both because no system talks to both parts of the security systems. We need more coverage of both parts of the security fields. We need to focus more on the part that involves where the user is within the physical system.

From a business standpoint, the need is there. The value to the company is evident. The ROI is justified. But until now, the solution to convergence has been lacking.

ECT: How is Imprivata addressing these issues?

Our solution does that. We run an open source platform and add proprietary software to it. It is still very early for widespread adoption. We have to integrate two different markets. The physical side is very mature and well established. We need to get both sides to cooperate. In many enterprises it is very political between these two factions of security.