Access control is an essential part of both physical security and electronic information security. As security risks and regulatory compliance requirements continue to grow, strengthening access control continues to grow in importance. This article considers several ways that Role-Based Access Control — now in widespread corporate use for electronic information systems (i.e. IT security) — can be successfully applied to physical security, either by leveraging IT security efforts or by following applicable portions of the 2004 ANSI/INCITS standard for Role-Based Access Control (RBAC, commonly pronounced “are-back”).
According to a December 2010 report titled “Economic Analysis of Role-Based Access Control” (http://1.usa.gov/HtNI9B), RBAC has saved the U.S. economy more than $6 billion during the past 16 years. More than half of all organizations that have more than 500 employees use RBAC for at least some access control.
RBAC has become the predominant model for advanced access control in the IT world because it reduces the cost of access management. In contrast, RBAC is generally not applied to physical access control system (PACS) deployments. Because physical access control systems are often networked at the enterprise level, and many interface with HR and corporate directory systems, it is very feasible to utilize RBAC for strengthening physical access and reducing the effort required to keep access privileges up to date.
At ISC West 2012 one access control company demonstrated its role-based PACS product, and in this article we include a look at how RBAC appears in the product’s user interface. However, a role-based PACS is not necessarily required to adopt Role-Based Access Control for physical access management. RBAC can be used with many existing access control systems, and this article will present some ways that can be done.
Restoring Physical Access Integrity
In most but not all medium- and large-sized organizations, the state of physical access management is far from ideal. Many risks due to weaknesses in access management have been overlooked or downplayed, particularly in situations where available security resources and tools simply did not fully match up to the access management burden. This occurs for mechanical locks and keys as well as for card-based access.
A poor state of lock and key management is often tolerated. This is usually because bringing locks and keys back to a known good state would entail a gargantuan level of effort, an unacceptable financial cost, and a painful interruption to the business that would result from the wholesale rekeying of locks.
Even when starting from a clean slate for access card management and mechanical key management, the initially accurate privilege and key assignments do not last for long. Often, due to PACS product limitations in managing card access privileges, compromises are made in access level definitions, to the point where over time the access level names no longer accurately represent the scope of access privilege being provided. Thus, access management is no longer transparent, and the integrity of privilege management is too hard to maintain.
When mechanical keys are lost or unreturned by departing personnel, locks are often not rekeyed according to desired practice. Key record-keeping easily becomes outdated, and the integrity of the mechanical key program degrades.
However, technology has advanced to the point where any organization can upgrade the caliber of its access management, and maintain its integrity going forward with considerably less effort than has been required in the past.
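The privilege drift described above can be detected by reconciling what the PACS currently grants against what each person's roles in an HR or directory feed entitle them to. The following is an added example, not part of the original article or of any vendor's product; the role names, door names and records are constructed for illustration.

```python
# Added example: reconcile PACS door assignments against role-derived
# entitlements. All roles, doors and people below are constructed sample data.

# RBAC core idea: privileges attach to roles, never directly to people.
ROLE_DOORS = {
    "employee": {"main_lobby", "parking_garage"},
    "lab_tech": {"lab_1", "lab_2"},
    "it_admin": {"server_room", "network_closet"},
}

# Constructed HR/directory feed: employment status and assigned roles.
HR_FEED = {
    "alice": {"active": True, "roles": {"employee", "lab_tech"}},
    "bob": {"active": True, "roles": {"employee"}},
    "carol": {"active": False, "roles": {"employee", "it_admin"}},  # departed
}

# Constructed snapshot of what the PACS grants today, per cardholder.
PACS_STATE = {
    "alice": {"main_lobby", "parking_garage", "lab_1"},       # lab_2 never added
    "bob": {"main_lobby", "parking_garage", "server_room"},   # left from old job
    "carol": {"main_lobby", "server_room"},                   # card never disabled
    "dave": {"main_lobby"},                                   # no HR record at all
}

def entitled_doors(person, hr_feed, role_doors):
    """Doors a person should hold: union of their roles' doors, deny by default."""
    record = hr_feed.get(person)
    if record is None or not record["active"]:
        return set()  # unknown or departed people are entitled to nothing
    doors = set()
    for role in record["roles"]:
        doors |= role_doors.get(role, set())  # undefined role grants nothing
    return doors

def reconcile(pacs_state, hr_feed, role_doors):
    """Return {person: {"revoke": [...], "grant": [...]}} for every mismatch."""
    findings = {}
    for person in sorted(set(pacs_state) | set(hr_feed)):
        want = entitled_doors(person, hr_feed, role_doors)
        have = pacs_state.get(person, set())
        if want != have:
            findings[person] = {"revoke": sorted(have - want),
                                "grant": sorted(want - have)}
    return findings

if __name__ == "__main__":
    for person, delta in reconcile(PACS_STATE, HR_FEED, ROLE_DOORS).items():
        print(person, delta)
```

Run periodically, the "revoke" list surfaces access that outlived a job change or departure, which is the part of access management that usually decays first.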
Full Spectrum Physical Access Control
Mechanical lock cores for more than 200 models of existing door locks plus many filing cabinet locks can now be replaced by battery-free electronic lock cores, which use a single electronic key type that can be programmed for any selection of locks. This brings lock and key management in line with access card management, enabling a unified approach to be taken for all of physical access management.