Defogging Identity-Based Access Control

A simple explanation of a complex new concept that’s changing physical access control.


Professionals in every industry have a specialized and acronym-laden jargon deftly wielded to communicate insider concepts and stymie casual observers. The security industry, historically no stranger to obtuse buzzwords, is currently in even worse linguistic shape than most. The problem is convergence.

Security is attempting to bring together identity management, video surveillance, access control and IT. These meetings are earnest and clumsy, promising and frustrating, and, perhaps most of all, confusing. Experts from five different industries are now slinging incompatible jargon at each other, and a lot of pretty straightforward ideas are being obscured in the crossfire.

For the next thousand or so words, let's get back to basics and look at the four big questions in the merger between identity management and access control: What? Why? When? and How?

What Is It?

The world is becoming identity based. Today, access to physical and logical resources tends to be managed by ad-hoc, single-purpose systems. A card gets you into a building, and a password logs you onto a computer. The card and password aren't linked to each other, and neither is strongly tied to your identity. Counting physical keys, prox cards, PINs, alarm codes and computer passwords, an average person has about a dozen identity representations. I have 8,398. The disadvantages are obvious.

An identity-based access control system tries to improve the situation by separating your identity from your privileges. Your identity is then linked to a credential (a smart card or passport or entry in a database), which is secured against physical or electronic forgery attempts. Once there's a good way to determine your identity, an identity-based system lets privilege providers specify what you are, or aren't, allowed to do. Your identity is then managed by a central authority (such as your employer, industry consortia, or government), while local privileges and access rights are managed by your building facilities supervisor, IT department, HR staff, or drill sergeant.
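The separation described above can be made concrete with a small model. The following Python is an added example, not code from the article: a central authority issues a credential that binds identity claims to an HMAC tag (standing in for whatever forgery protection a real smart card or passport uses), and two separate privilege providers (facilities and IT) each verify that credential and then consult their own local access list. All keys, identifiers and resource names are constructed placeholders.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Central identity authority (constructed example). The key is a placeholder;
# a real authority would keep it in an HSM or a managed key service.
AUTHORITY_KEY = b"example-authority-key-not-for-production"


def issue_credential(identity: dict, key: bytes = AUTHORITY_KEY) -> str:
    """Bind identity claims to a tag only the authority can produce."""
    payload = json.dumps(identity, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + tag


def verify_credential(credential: str, key: bytes = AUTHORITY_KEY) -> Optional[dict]:
    """Return the identity claims if the tag is genuine, otherwise None."""
    try:
        encoded, tag = credential.rsplit(".", 1)
        payload = base64.urlsafe_b64decode(encoded.encode())
    except (ValueError, binascii.Error):
        return None  # malformed credential
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # tag does not match the claims: forged or tampered
    return json.loads(payload)


# Local privilege providers (constructed). Identity is NOT stored here, only
# what a verified identity may do inside each provider's own domain.
FACILITIES_ACL = {"emp-1042": {"lobby", "lab-3"}}
IT_ACL = {"emp-1042": {"vpn", "source-repo"}}


def is_allowed(credential: str, acl: dict, resource: str) -> bool:
    """Verify identity centrally, then decide privilege locally."""
    claims = verify_credential(credential)
    if claims is None:
        return False  # no trusted identity means no privileges at all
    return resource in acl.get(claims.get("id"), set())


def grant(acl: dict, identity_id: str, resource: str) -> None:
    """A local supervisor adds a privilege without touching the identity."""
    acl.setdefault(identity_id, set()).add(resource)


def revoke_all(acl: dict, identity_id: str) -> None:
    """Remove every privilege this provider granted; the identity itself stays valid."""
    acl.pop(identity_id, None)


if __name__ == "__main__":
    cred = issue_credential({"id": "emp-1042", "name": "A. Example"})
    print("lab-3 door:", is_allowed(cred, FACILITIES_ACL, "lab-3"))
    print("vpn via facilities ACL:", is_allowed(cred, FACILITIES_ACL, "vpn"))
    print("vpn via IT ACL:", is_allowed(cred, IT_ACL, "vpn"))
```

The point of the split is visible in the two ACLs: the facilities supervisor and the IT department never see each other's tables and never issue identities, while the authority never decides who may open which door. Revoking a person's building access does not invalidate their credential, and rotating the authority's key invalidates every credential at once without any provider editing its lists.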

Why Do We Need It?

There's a ribald old joke that everyone seems to know; it asks why a dog licks a certain part of its own anatomy. The familiar punch line: “Because it can.” You don't need to look for more subtle reasons access control and identity management should come together. Their merger improves security and convenience and lowers total cost of ownership by eliminating the redundancies and loopholes inherent in running separate and parallel systems. If it can be done, it should.

Physical and information security were already fully converged hundreds of years ago. Think of the man riding “shotgun” on a Wells Fargo stagecoach. It's only in the past few decades that the two practices have separated. Instead of “Why should convergence happen?” the question should be, “Why has it taken so long for modern-day convergence to really get under way?”

The answer is one part technical and two parts political. Until recently, technology just hasn't been flexible enough to accomplish the most obvious integrations. Physical and IT security systems may have started out as the same organism, but they have since evolved in response to pretty different environmental pressures. Traditional physical security and access control have always stressed reliability and predictability—think CCTV and Wiegand. IT and identity management systems have stressed innovation and interoperability—think TCP/IP and .NET.

The result is that access control became too primitive and identity management too unreliable. The ugliness of the user interface screens of most head-end security systems would make a modern IT developer cringe, and the intermittent failure rate of all but the best WiFi installations is far too high to be trusted with as simple a task as throwing a door strike. The good news is that technology usually improves quickly under the right market motivation, and that motivation is now arriving in spades.
