First appeared on SecurityInfoWatch.com
Physical access control technology has remained largely the same throughout most of its history: A user walks up to a reader, presents a valid credential and opens the door. Administrators manually enter identities into the electronic access control (EAC) system, controlling access permissions and roles on the back end. Although many elements of EAC have changed on the front end, back-end operations have, for the most part, remained unchanged.
The emergence of mobile credentials, hybrid work models, multifactor authentication and biometrics changed the way users gain access to facilities. Administrative and security teams are under intense pressure to keep up, not only with evolving trends, but also with the constantly changing user roles inherent to all businesses.
Natural changes within an organization, such as staff turnover, scheduling updates and limited-term vendor contracts (often described by identity managers as “movers, leavers, joiners”), can equate to thousands of yearly access changes and inevitably cause a backlog of inaccurate access information. EAC systems are ill-equipped to accurately account for these changes, because they often operate in isolation from other business systems.
As a result, inaccurate access data is compounded within an EAC system, which creates an issue that can be called “access chaos.” Although it’s primarily an issue for system administrators, it’s worthwhile for security pros to be aware of the problem to advise as necessary.
Defining Access Chaos
Access chaos can be defined as the state of an EAC system wherein many of the identities and the permissions assigned to those identities are missing, incorrect or out of date. Independent research shows that almost 99% of EAC systems suffer from access chaos. Afflicted organizations either are unaware they have this problem or are so deep in it that they’re unsure how to address it.
Access chaos often is referred to as a hidden issue, because, unlike a broken card reader, it often isn’t visible to users or administrators. Access chaos manifests in a variety of different ways, which makes identification even more challenging. It could be that more people are in the security system than there are current employees, or active EAC credentials are unaccounted for. It might be difficult, if not impossible, for administrators to spot these inaccuracies within the system, particularly when there are thousands of identities and changing roles in place.
Access chaos isn’t just a systems issue. Most organizations are aware that their EAC systems contain inaccurate access data and face challenges in rectifying the issue. Security teams often are reluctant to admit to management that a problem exists within the access system.
Clearing out invalid data manually would require significant labor, which itself invites oversights and human error. A complete system reset, on the other hand, would be costly and time-consuming. Both options are laborious and potentially expensive, which leads some organizations to ignore the problem.
Unfortunately, regardless of whether you’re aware of access chaos, the risks are the same. When erroneous data is present, the organization is exposed to exactly the threats the EAC system was designed to prevent. If just 1% of access rights are incorrect, potentially hundreds, if not thousands, of individuals could have inappropriate access. Insider threats and bad actors then have an open door to commit theft, workplace violence and other harmful behaviors, which makes non-action a non-option.
Overcoming Access Chaos
No single root cause or person is to blame for the existence of access chaos. Access chaos is caused by a variety of system, human and organizational factors compounded over time. Whether the cause is overwhelmed security administrators doing their best to keep up with the influx of permission-change requests, the human error that manual changes are prone to, or the disconnect between an EAC system and other business systems, access chaos has the unique ability to go unnoticed.
The good news is there are solutions designed to prevent and address the issue. Smart software solutions ensure every employee, contractor and visitor has exactly the correct physical access 100% of the time. These solutions also address the industry’s necessity for advanced back-end developments that make mapping, measuring and monitoring access easier than ever before.
Start by gaining visibility of relevant EAC-related information across systems. Advanced analytics software can connect data from disparate systems, including human resources, Active Directory, learning management, enterprise resource planning and EAC systems, and visualize them through a single interface. Think of it as a map that lays the foundation necessary to accurately validate whether identities are in sync and access rights are set correctly.
Next, use the rules engine functionality of such analytics software to translate safety, security and compliance policies into daily policy checks. Whether it’s essential security controls, such as ensuring that no past employees still have active access, or internal safety policies that require certain certifications to access high-risk areas, this type of software is necessary to automate the identification of access compliance and real-time security risks across an organization.
In such systems, security and administrative teams are notified automatically after outdated EAC data, unused badges or other access chaos contributors are detected, which allows for swift remediation. These tools also ensure the correct level of access for temporary identities, such as visitors and contractors, because permissions for these people are overlooked or forgotten easily.
An essential piece of this process is the monitoring of access via proactive user-access reviews. In the past, organizations tracked and reviewed identity permissions with low frequency, perhaps yearly at best, and used cumbersome manual spreadsheets. Now, user-access reviews can be conducted automatically within seconds through the use of advanced software solutions that ensure continuous and consistent compliance. This makes compliance tasks easy when access reviews are required by strict regulatory standards, such as HIPAA.
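To make the three steps above concrete (connecting HR, contractor and EAC data; expressing policies as daily checks; producing a review list for remediation), here is an added example reconciler. It is illustrative code written for this article, not RightCrowd's software or any vendor's product; the record layouts, rule names, the 90-day dormancy threshold and the "HAZMAT certification for Lab-HighRisk" policy are all assumptions, and the sample records are constructed.

```python
from collections import Counter
from datetime import date

# Constructed sample exports. Field names are assumptions, not any vendor's schema.
HR_RECORDS = [
    {"id": "E100", "status": "active",     "certs": {"HAZMAT": date(2025, 12, 31)}},
    {"id": "E101", "status": "terminated", "certs": {}},                          # leaver
    {"id": "E102", "status": "active",     "certs": {"HAZMAT": date(2023, 6, 30)}},  # expired cert
]
CONTRACTORS = [
    {"id": "C200", "end_date": date(2024, 1, 15)},  # contract already over
]
EAC_IDENTITIES = [
    {"id": "E100", "badge": "B1", "active": True,  "groups": {"Office", "Lab-HighRisk"}, "last_use": date(2024, 5, 30)},
    {"id": "E101", "badge": "B2", "active": True,  "groups": {"Office"},                 "last_use": date(2024, 2, 28)},
    {"id": "E102", "badge": "B3", "active": True,  "groups": {"Lab-HighRisk"},           "last_use": date(2024, 6, 1)},
    {"id": "C200", "badge": "B4", "active": True,  "groups": {"Office"},                 "last_use": date(2024, 1, 10)},
    {"id": "X999", "badge": "B5", "active": True,  "groups": {"Office"},                 "last_use": date(2023, 11, 2)},
    {"id": "E100", "badge": "B6", "active": False, "groups": set(),                      "last_use": None},
]

# Policy inputs (assumed): access groups that require a certification, and the
# number of days without a badge read after which a credential counts as dormant.
REQUIRED_CERTS = {"Lab-HighRisk": "HAZMAT"}
DORMANT_DAYS = 90
AS_OF = date(2024, 6, 10)  # fixed "today" so the run is reproducible


def run_policy_checks(hr, contractors, eac, today=AS_OF,
                      required_certs=REQUIRED_CERTS, dormant_days=DORMANT_DAYS):
    """Join the three data sets on identity id and evaluate each policy rule.

    Returns a list of (rule, identity_id, detail) findings in evaluation order.
    """
    hr_by_id = {r["id"]: r for r in hr}
    con_by_id = {c["id"]: c for c in contractors}
    findings = []
    for ident in eac:
        if not ident["active"]:
            continue  # only an active credential can open a door
        pid, badge = ident["id"], ident["badge"]
        person, contractor = hr_by_id.get(pid), con_by_id.get(pid)

        # Rule 1: identity exists in the EAC but in no authoritative source.
        if person is None and contractor is None:
            findings.append(("ORPHAN_IDENTITY", pid, badge))
            continue
        # Rule 2: HR says the person has left, but the badge still works.
        if person is not None and person["status"] != "active":
            findings.append(("LEAVER_STILL_ACTIVE", pid, badge))
        # Rule 3: temporary identity whose contract end date has passed.
        if contractor is not None and contractor["end_date"] < today:
            findings.append(("CONTRACT_EXPIRED", pid, badge))
        # Rule 4: high-risk area assigned without a valid certification.
        certs = person["certs"] if person else {}
        for group in sorted(ident["groups"]):
            needed = required_certs.get(group)
            if needed is None:
                continue
            expiry = certs.get(needed)
            if expiry is None or expiry < today:
                findings.append(("CERT_MISSING_OR_EXPIRED", pid, f"{group}:{needed}"))
        # Rule 5: credential never used, or unused beyond the dormancy window.
        last = ident["last_use"]
        if last is None or (today - last).days > dormant_days:
            findings.append(("DORMANT_BADGE", pid, badge))
    return findings


def summarize(findings):
    """Count findings per rule: the headline numbers for a user-access review."""
    return dict(Counter(rule for rule, _, _ in findings))


if __name__ == "__main__":
    results = run_policy_checks(HR_RECORDS, CONTRACTORS, EAC_IDENTITIES)
    for rule, pid, detail in results:
        print(f"{rule:24} {pid:6} {detail}")
    print(summarize(results))
```

Run daily against fresh exports, the findings list is the notification feed the article describes, and `summarize` gives the per-rule totals an access review would track over time. Because the checks are a pure function of the exported data, the same script doubles as an audit artifact: rerunning it after remediation should return an empty list.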
Access chaos existed before the latest EAC trends were introduced and will exist long after. Add the velocity of personnel changes in today’s workplace, driven by the growing number of “movers, leavers, joiners” and the new hybrid workforce, and access chaos will only increase in complexity.
Today’s variety of solutions can help back-end operations to catch up with advancing front-end technologies. Through the thoughtful application of a variety of solutions, organizations can improve the safety, efficiency and compliance of their facilities, reduce insider threats and eliminate access chaos once and for all.
Brian McIlravey is the chief operating officer of RightCrowd. He is a former executive member of the ASIS ITSC, the Physical Security Council and member of the original ESRM board.