An integrated approach to managing physical access to premises and logical access to IT systems is desirable, but made difficult by the processes being owned by different parts of the organisation.
There is every reason for organisations to seek an integrated approach to managing physical access to premises and logical access to IT systems. However, this laudable aim is made difficult by the processes being owned by different parts of the organisation (guards and gates versus geeks and technology). It is also impeded by the proprietary nature of many physical access control systems as well as a lack of standards.
The key business drivers that make identity and access management important are financial discipline, operational risk and compliance with legal and regulatory requirements.
Financial discipline: The competitive business environment makes financial discipline a priority for organisations. Financial discipline is not just about saving costs but also about doing things smarter. Organisations that succeed in achieving financial discipline will be those that survive and grow by providing their products and services more efficiently and more effectively than their competitors. Technologies that recognise individuals and their preferences are important because they make it easier for customers to do business with your organisation rather than with your competitors. Financial discipline also means managing operations more effectively, making employees more efficient and reducing administrative overheads.
Operational risk: Organisations survive in the face of many risks, including market risk and operational risk. Market risk includes, for example, investing in products that do not meet the needs of customers or where competitors provide better or cheaper products. Operational risk covers aspects such as processes being vulnerable to theft, fraud, disruption or mismanagement. Better management of the way in which employees, partners and customers are identified, and of how their access is controlled and audited, can mitigate some of these operational risks.
Although hacker and virus attacks are well publicised, the insider remains the greatest threat to an organisation in terms of potential to cause financial loss. One of the main reasons for this is that the insider understands the organisation’s systems and is hence able to spot and exploit any weaknesses. Another is that they have physical access to systems and this is often poorly managed.
Regulatory compliance: A further aspect concerns compliance with regulation and the law. In some sectors there is now regulation relating to the security of information and information systems.
Managing who is able to access what information (both physically as well as logically) is critical to complying with these regulations as well as reducing risk. Improving the identity management process, including the provisioning, authentication and access control processes, can reduce costs and improve efficiency. Opening up the organisation to allow partners and customers to access information and to securely purchase products can provide competitive advantages and worthwhile improvements in efficiency.
The objective of physical and logical access management is the same – to control who can have access to what resources. The processes are also the same:
Authentication – proving who you are to gain access. In logical access control this has traditionally been a username and password; in physical access control it has been recognition by guards and possession of a pass. Here we immediately see a convergence, since most physical access control systems now use a form of card to permit access and many organisations are moving towards a strong form of logical authentication such as a smartcard.
However, there are challenges: there are many physical access system vendors and not all systems are compatible, the cards used for physical access may not be suitable for logical access, and the physical access control system may be for a building that is shared between multiple tenants.
Authorisation – the access control policy. In physical access control the policy controls which area you are allowed to access at what times and the gate or door is the policy enforcement point. In logical access control the structure of platform, application and data can be immensely complex but the idea is the same, to control what data can be accessed in what way at what time, and there can be multiple policies and policy enforcement points. Once again there is no single repository for policy and no integration between logical and physical policy management or policy enforcement.
Auditing – tracing who did what, which is important for analysing what happened after an incident. Physical access control systems mostly log who passed through gates and IT systems log who accessed which logical assets, but these logs cannot easily be consolidated. Physical access control also includes video monitoring of areas, including access control points, and integrating this material poses an additional challenge.
The value of this integration is illustrated by a real life example: an organisation suffered from fraudulent transactions being performed using its IT systems. These were investigated by the police and the employee whose user-ID was implicated denied responsibility and claimed that his user-ID and password must have been stolen. However, examination of the audit log for a vending machine near the terminal used showed that the employee had used his physical access pass to obtain a beverage shortly before the fraudulent activity.
Administration – managing the identities and policies. Here the processes for administering physical access are very similar to those for administering logical access but are performed by different people using different tools. When an employee joins an organisation they need to be given physical access to the premises and logical access to the systems and data needed to perform their job. When the employee leaves the organisation these access rights need to be withdrawn. Yes, there are orphan accounts for physical access.
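The vending machine case above is one instance of a general check: a logical logon by someone whom the physical access control system does not show as on site deserves a second look. The following is an added example, not code from the article or from CA; the badge and logon records are constructed, the field layout is assumed, and remote (VPN) logons would need their own treatment.

```python
from datetime import datetime

# Constructed sample logs (not from the article): badge-reader events from the
# physical access control system and logon events from an IT system.
BADGE_LOG = """\
2024-03-04T08:02:11 badge=B1001 user=jsmith door=lobby-north result=granted
2024-03-04T08:03:40 badge=B1001 user=jsmith door=floor3 result=granted
2024-03-04T08:15:02 badge=B2044 user=avdm door=lobby-north result=granted
2024-03-04T17:31:09 badge=B1001 user=jsmith door=lobby-north result=exit
"""
IT_LOG = """\
2024-03-04T08:09:55 host=fin-app01 user=jsmith event=logon result=success
2024-03-04T12:40:17 host=fin-app01 user=avdm event=logon result=success
2024-03-04T19:05:33 host=fin-app01 user=jsmith event=logon result=success
"""

def parse(log):
    """Parse 'timestamp key=value ...' lines into dicts; 'ts' becomes a datetime."""
    events = []
    for line in log.splitlines():
        ts, *kvs = line.split()
        rec = dict(kv.split("=", 1) for kv in kvs)
        rec["ts"] = datetime.fromisoformat(ts)
        events.append(rec)
    return events

def presence_windows(badge_events):
    """Per user, (entry, exit) intervals built from granted/exit badge events."""
    windows, open_entry = {}, {}
    for ev in sorted(badge_events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["result"] == "granted" and user not in open_entry:
            open_entry[user] = ev["ts"]          # first door opens the interval
        elif ev["result"] == "exit" and user in open_entry:
            windows.setdefault(user, []).append((open_entry.pop(user), ev["ts"]))
    for user, start in open_entry.items():       # still on site at end of log
        windows.setdefault(user, []).append((start, datetime.max))
    return windows

def logons_without_presence(badge_log, it_log):
    """Successful logons by users the badge system does not show as on site."""
    windows = presence_windows(parse(badge_log))
    flagged = []
    for ev in parse(it_log):
        if ev["event"] != "logon" or ev["result"] != "success":
            continue
        if not any(start <= ev["ts"] <= end
                   for start, end in windows.get(ev["user"], [])):
            flagged.append((ev["ts"].isoformat(), ev["user"], ev["host"]))
    return flagged
```

In the sample data only the 19:05 logon is flagged: the user's pass recorded an exit at 17:31 and no re-entry.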
Convergence of physical and IT security
Organisations need to manage the digital identity across the entire organisation: authenticating to all corporate assets with a single credential, provisioning all IT systems, Web services, devices and entrance badges, and securing access to files, directories and databases while monitoring all of these activities.
Common provisioning processes and technology: these automate the creation, administration and removal of access rights across all of the different security environments, both physical and logical. The access rights given should be based on the functional role of the person being given them. There should be integration between the provisioning system and the human resources system (or other authoritative source of data on the people in the organisation).
This is important to provide separation of duties between the people who have the right to make changes, and the people who have the right to use the systems. This helps to reduce the potential for administrators (or others) to unilaterally give themselves the privileges necessary in order to improperly access the premises or the systems.
Auditing: It is essential that all activities and access rights can be audited, and the audit tools and information should fit within a recognised auditing methodology. Activities include those of administrators as well as users, and cover the platforms, applications and administration tools. It should be possible to link actions to the identity of the people performing the activity rather than anonymous system accounts. It should also be possible to see access rights belonging to each individual and to trace how those rights were acquired and under what authority.
One specific approach to ensuring that individuals’ access rights match those they need is ‘attestation’. A report of the access rights possessed by each person is sent (via e-mail) to their supervisor, who then checks whether they are correct. If they are correct, the approval provides proof of the review; if they are incorrect, the rejection triggers a process to remove them.
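The orphan-account problem from the Administration section, the HR-driven provisioning above and the attestation report can be worked from the same data. This is an added example, not code from the article or from CA: it treats HR as the authoritative source, reconciles a badge system and an IT directory against it, and groups each active person's combined physical and logical rights under their supervisor for attestation. All identifiers and data are constructed.

```python
from collections import defaultdict

# Constructed sample data (not from the article). HR is the authoritative
# source; the badge system and the IT directory hold their own account lists,
# each mapped to the employee id it was issued to (None = no known owner).
HR = {"E100": ("active", "E001"),     # employee id -> (status, supervisor)
      "E101": ("active", "E001"),
      "E102": ("left", "E002")}
BADGE_ACCOUNTS = {"B1001": "E100", "B1002": "E101", "B1003": "E102", "B1004": "E999"}
DIRECTORY_ACCOUNTS = {"jsmith": "E100", "avdm": "E101", "pmokoena": "E102",
                      "svc-backup": None}
ACCESS_RIGHTS = {"B1001": ["lobby-north", "floor3"],
                 "B1003": ["lobby-north", "server-room"],
                 "jsmith": ["fin-app01:read", "fin-app01:approve"],
                 "pmokoena": ["hr-db:admin"]}

def orphan_accounts(hr, accounts):
    """Accounts whose owner is missing, unknown to HR, or no longer active."""
    return sorted(acct for acct, emp in accounts.items()
                  if emp is None or hr.get(emp, ("unknown", None))[0] != "active")

def attestation_report(hr, rights, *account_sources):
    """Per supervisor, each active report's combined physical and logical rights."""
    report = defaultdict(dict)
    for accounts in account_sources:
        for acct, emp in accounts.items():
            if emp in hr and hr[emp][0] == "active":
                supervisor = hr[emp][1]
                report[supervisor].setdefault(emp, []).extend(rights.get(acct, []))
    return {sup: dict(people) for sup, people in report.items()}
```

The leaver's badge and directory account, the badge issued to an id HR does not know, and the ownerless service account all surface as orphans; the attestation report for supervisor E001 shows both the door and the application rights of each person in one place.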
The process for collecting information should be tamper proof. For example, administrators (or others) should not be permitted to disable logging of their activities, or to alter the log of what they did. The audit information should be transmitted across the network and stored securely. Reports on the activities for different uses should be accessible. It should be possible to raise alerts in real time when certain actions are detected (for example, repeated failed access attempts).
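Two of the requirements above can be shown concretely: a hash-chained log makes alteration of earlier records detectable (tamper-evident rather than tamper-proof; the chain head and a copy of the latest hash must be kept where the administrators being audited cannot reach them), and a sliding-window count raises an alert on repeated denials. This is an added example, not code from the article or from CA, and the events are constructed.

```python
import hashlib, json
from datetime import datetime, timedelta
GENESIS = "0" * 64   # chain head; keep a copy outside the administrators' reach

def append_record(chain, record):
    """Append a record whose hash also covers the previous entry's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = json.dumps(record, sort_keys=True)
    digest = hashlib.sha256((prev + body).encode()).hexdigest()
    chain.append({"record": record, "prev": prev, "hash": digest})

def verify_chain(chain):
    """Index of the first altered or unlinked entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = json.dumps(entry["record"], sort_keys=True)
        expected = hashlib.sha256((prev + body).encode()).hexdigest()
        if entry["prev"] != prev or entry["hash"] != expected:
            return i
        prev = entry["hash"]
    return -1

def failed_access_alerts(records, threshold=3, window=timedelta(minutes=5)):
    """Alert when one identity accumulates `threshold` denials within `window`."""
    recent, alerts = {}, []
    for rec in records:
        if rec["result"] != "denied":
            continue
        ts = datetime.fromisoformat(rec["ts"])
        q = [t for t in recent.get(rec["user"], []) if ts - t <= window] + [ts]
        recent[rec["user"]] = q
        if len(q) >= threshold:
            alerts.append((rec["user"], rec["ts"], rec["target"]))
            recent[rec["user"]] = []       # one alert per burst
    return alerts

# Constructed events (not from the article): a door and an application in one log.
EVENTS = [
    {"ts": "2024-03-04T22:01:05", "user": "jsmith", "target": "server-room", "result": "denied"},
    {"ts": "2024-03-04T22:01:40", "user": "jsmith", "target": "server-room", "result": "denied"},
    {"ts": "2024-03-04T22:02:10", "user": "avdm", "target": "fin-app01", "result": "granted"},
    {"ts": "2024-03-04T22:03:15", "user": "jsmith", "target": "server-room", "result": "denied"},
]

def build_chain(events):
    """Write every event into a fresh chain, as a central collector would."""
    chain = []
    for ev in events:
        append_record(chain, ev)
    return chain
```

Changing the result of the second record after the fact leaves the chain verifying only up to that entry, and the three server-room denials within five minutes produce one alert.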
For more information contact www.ca.com/za.
© Technews Publishing (Pty) Ltd | All Rights Reserved