Granting Access vs. Managing Access Data

Feb. 13, 2023
What’s the difference, why it matters and how only one delivers higher levels of security and intelligence.

Access control has been a mainstay of physical security for ages with the first known locking device originating from Egypt around 6,000 years ago. For thousands of years, ‘access control’ methods (i.e. the use of locks) remained largely unchanged until the mid-1900s.

What began as PIN-controlled access devices quickly evolved to card-based access and, recently, biometric and mobile access. Given this information, many would agree that access control has come a long way.

On the contrary, physical access control has not changed much in almost half a century. Although the technology has improved, its primary function remains the same: to control entry to and exit from one point to another.

Similarly, administrators continue to manually enter and delete identities from a physical access control system (PACS), statically controlling access permissions and roles. Identities are then verified at the door via credentials, which can be based on what the individual has (badge, fob), knows (PIN, password), or is (biometrics). This has been the way for decades.

What has changed is the context within which access control is being used. Organizations have seen tremendous changes in their workforce. They need to be able to scale up and down, the pandemic has cemented hybrid working as a lasting model, and various compliance standards require organizations to manage access for employees, contractors, and visitors in a more dynamic way.

These changes have pushed PACS to their limits. As a result, new software solutions have been created that complement PACS to address these new challenges.

One such category of solutions focuses on aggregating reams of identity and physical access data to flag out-of-date or incorrect identities or access permissions. A second category of software solutions focuses on automating access control processes and making access decisions dynamic in nature.

The combination of those solutions allows our industry to move from simply granting access to managing access.

Going Beyond Granting

Physical access control systems grant access. They enable enrolled identities to gain physical access to some or all protected areas within one or more facilities. This granting of access is typically done manually, at the time the identity is enrolled.

This is problematic for two reasons. First, this method ignores that a workforce continually changes. On average 20% of the workforce population changes each year. As such, rather than enrolling identities at one point in time, the better method is keeping your PACS in sync at all times with the authoritative identity source of the organization.

Secondly, this method implies that access is static. At the time of enrollment, you either are granted access or not. In reality, access rights should be dynamic in nature. A certain individual may be entitled to access a given area today; but a change in role, a change in location, or a change in training requirements may result in that access having to be revoked.

The solution is closing the loop between your PACS and the various information systems that hold the source data required to properly manage people’s access.

Using Data as the Base

In order to properly manage access, you need to make sure you use the right data to start with. That brings us to what IT people call the authoritative data sources, or in other words, the systems that hold the source of truth.

When it comes to identities, HR systems like Workday or Peoplesoft, or IT systems like Active Directory (AD), are the authoritative data source for employees. Contractor identities may be managed by your ERP system. When it comes to training and certifications, the Learning Management System (LMS) is the source of truth.

A great way to start your access management journey is implementing a physical identity and access governance (PIAG) solution. PIAG software pulls data from the relevant information systems and your PACS, and correlates it to show administrators exactly where PACS data differs from what the authoritative data sources state.

This could be a contractor who is no longer covered by a valid contract, or an employee who doesn’t hold the right certification to enter a high-risk area. Or, even worse, a person who was let go but whose access was never revoked, creating a high-risk insider threat.

By mining the right data, PIAG software ensures all access rights are reviewed, controlled, and monitored daily. It uses software and algorithms to alert to risks and threats, not manual processes that can leave many risks unchecked.

Achieving True Symbiosis

Software that mines the data can then provide said data to automate changes within the PACS. That is exactly what Physical Identity and Access Management (PIAM) software does.

Modern PIAM solutions use attribute-based access control (ABAC) policies. In short, ABAC is a means of granting access to a user within an access-control system based on rules and policies that relate to characteristics or properties of each identity.

ABAC replaces list-based access control, the traditional means of granting access wherein access rights are manually issued to a user on the back end. With ABAC, access is granted to identities using known attributes (data) gathered from people and business systems such as HR and competency management software.

For example, using at-hand data, an organization knows for a fact that an employee has the following attributes: is an active employee, has completed all required training, and has an approved access request from the CIO.

Because smart PIAM software has aggregated the data from these systems to confirm those facts, the PACS will automatically grant him or her access. If any one of these attributes is not met, the individual’s credentials will not work.

In this way, access is no longer static, as it is with list-based access control. Activations are limited in time because some attributes are constantly changing, requiring users to re-authenticate even if access was previously provided.
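As an added example (not code from the article or from RightCrowd), the following Python sketches both mechanisms described above: a PIAG-style reconciliation that flags PACS grants the authoritative sources no longer justify, and an ABAC decision evaluated over attributes assembled from those sources, including time-limited activations as certifications or contracts expire. The HR, contract, LMS and approval records, the policy schema and all names are constructed for illustration.

```python
from datetime import date

# Constructed stand-ins for the authoritative sources the article names
# (HR system, contractor/ERP records, LMS, approved access requests)
# and for the identities currently enrolled in the PACS.
HR = {"alice": {"status": "active"}, "bob": {"status": "terminated"}}
CONTRACTS = {"carol": {"contract_end": date(2023, 1, 31)}}
LMS = {  # certification -> expiry date
    "alice": {"lab-safety": date(2023, 12, 31)},
    "carol": {"lab-safety": date(2023, 6, 30)},
}
APPROVALS = {"alice": {"lab-101"}, "carol": {"lab-101"}}
PACS = {"alice": {"lab-101", "lobby"}, "bob": {"lobby"}, "carol": {"lab-101"}}

# ABAC policy per area (hypothetical schema): attributes an identity must hold.
POLICIES = {
    "lobby": {"required_training": set(), "approval_required": False},
    "lab-101": {"required_training": {"lab-safety"}, "approval_required": True},
}

def attributes(person, today):
    """Assemble an identity's attributes from the authoritative sources as of `today`."""
    hr, contract = HR.get(person), CONTRACTS.get(person)
    if hr:
        active = hr["status"] == "active"
    elif contract:
        active = contract["contract_end"] >= today  # contractor valid only while contract runs
    else:
        active = False  # unknown to every source of truth
    certs = {c for c, exp in LMS.get(person, {}).items() if exp >= today}
    return {"active": active, "certs": certs, "approved": APPROVALS.get(person, set())}

def permitted(person, area, today):
    """ABAC decision: access is granted only while every policy attribute holds."""
    a, pol = attributes(person, today), POLICIES[area]
    if not a["active"]:
        return False
    if not pol["required_training"] <= a["certs"]:
        return False
    if pol["approval_required"] and area not in a["approved"]:
        return False
    return True

def reconcile(today):
    """PIAG-style review: PACS grants that the source data no longer supports."""
    return sorted((p, area) for p, areas in PACS.items() for area in areas
                  if not permitted(p, area, today))
```

Running `reconcile` on different dates shows why the review must be continuous rather than a one-time enrollment check: the same grant is valid one month and unjustified the next.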

Audits and User Access Reviews

Beyond identifying and reducing risk and creating the ability to implement ABAC, PIAG and PIAM software help organizations better comply with applicable local, national, or industry-wide mandates.

Mandates such as NIST and ISO 27001 often require organizations to complete intermittent access reviews, which is the laborious task of reviewing and validating user access rights based on locations, systems, and other information.

Completing such audits or access reviews manually is time-consuming, expensive and often fraught with manual errors, which can result in costly fines or even a closure of operations.

These new software solutions help companies demonstrate that physical access management policies are enforced and auditable reporting is available on demand. This means that audits and User Access Reviews can be done at any point, not just at the end of a period.

Moving Forward

As the security industry continues to develop more creative ways to validate identities with biometrics and mobile credentials, it is time the same forward-thinking be applied to how organizations manage and grant access.

Adding data-driven, automated intelligence is the natural next step that propels the process of granting access forward to achieve active access management - the kind of management that meets today’s pressing demand for better, more efficient access control technology beyond simply hardware.

And it is the kind of management that allows enterprise-level organizations to better adapt to evolving security, workforce management, and health and safety challenges.

Brian McIlravey is the Chief Operating Officer of RightCrowd. Over the last 30 years, Brian has been a frequent speaker at security industry events and has served on many panels and group presentations. He is a former executive member of the ASIS ITSC, the Physical Security Council, and member of the original ESRM Board. He currently sits on three security industry company advisory boards, all security technology companies around the world.