Convergence engineering of IT and traditional access control is no longer a “what if?” but more of an “almost done,” offering security practitioners a new array of innovations that are increasing the effectiveness of access control at their organizations. These revolutionary developments can add business value through cost savings and other returns for those who know how to move their companies’ security operations forward. Here’s a look at some of the progress being made in access control and its potential for the future.
Role-Based Access Control
Role-based access control is coming to the fore because of the increasingly convergent nature of physical and logical technology. The need for solutions that easily create and maintain role-based access control is driving large corporations like Microsoft to call for interoperability specifications while promising to craft future purchasing decisions around vendors who adhere to them. One group working toward such standards is the Physical Security Interoperability Alliance (PSIA), which includes representatives from both vendors and user companies. The alliance’s goal is to see the kind of plug-and-play interoperability common to other technologies, such as laptops, smartphones, televisions, and stereos, become common in physical and logical security systems.
Last September, at the ASIS International 59th Annual Seminar and Exhibits in Chicago, the PSIA announced that it had begun crafting a specification that incorporates Lightweight Directory Access Protocol (LDAP), a published and widely adopted directory standard, to help map out and unify logical and physical identities via role-based access control (RBAC). A final specification was submitted in May 2014 by a working group of PSIA members and other interested parties.
The conceptual model that the working group pondered is one in which the organizational hierarchy defines roles and policies; job responsibilities and policies determine each role’s access privileges; real-time policies adjust the privilege sets that the logical security domain grants to, and revokes from, the physical security domain; and the logical and physical security domains provide each other with status information for enhanced overall security.
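The following is an added illustration of that conceptual model, not code from the PSIA specification or any vendor product: directory group membership stands in for the organizational hierarchy, a role table stands in for job responsibilities, an account status stands in for a real-time policy, and the logical side computes the grants and revokes to push to the physical side. All user names, group DNs and door identifiers are constructed.

```python
# Constructed sample directory: LDAP-style group memberships standing in for
# the organizational hierarchy. Every name, group and status here is made up.
DIRECTORY = {
    "alice": {"groups": ["cn=engineering", "cn=employees"], "status": "active"},
    "bob":   {"groups": ["cn=facilities", "cn=employees"], "status": "active"},
    "carol": {"groups": ["cn=engineering", "cn=employees"], "status": "suspended"},
}

# Organizational hierarchy -> roles (directory group -> role name).
GROUP_TO_ROLE = {
    "cn=employees": "employee",
    "cn=engineering": "engineer",
    "cn=facilities": "facilities",
}

# Job responsibilities -> the door privileges each role holds in the physical domain.
ROLE_PRIVILEGES = {
    "employee": {"lobby"},
    "engineer": {"lab-1"},
    "facilities": {"lab-1", "mech-room"},
}


def roles_for(user, directory=DIRECTORY):
    """Derive a user's roles from directory group membership (unknown groups ignored)."""
    groups = directory[user]["groups"]
    return {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}


def effective_privileges(user, directory=DIRECTORY):
    """Union of role privileges, then apply the real-time policy:
    any account that is not active keeps no door privileges at all."""
    if directory[user]["status"] != "active":
        return set()
    privileges = set()
    for role in roles_for(user, directory):
        privileges |= ROLE_PRIVILEGES.get(role, set())
    return privileges


def sync_actions(user, physical_state, directory=DIRECTORY):
    """Diff the logical domain's desired privileges against what the physical
    domain (the access panel) currently allows, yielding what to push to it.
    physical_state: set of door identifiers the panel currently grants this user."""
    desired = effective_privileges(user, directory)
    return {
        "grant": sorted(desired - physical_state),
        "revoke": sorted(physical_state - desired),
    }
```

In a deployment the panel's acknowledgement of each grant or revoke would be fed back as the status information the model describes, so the two domains stay in agreement.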
PSIA’s approach has already succeeded in the case of an area control specification for physical security that allows a variety of physical security technologies to interoperate. The specification has been adopted by several of the major access control manufacturers. For example, Kastle Systems recently displayed a Mercury Security access panel—common to access control systems—that had been built to the PSIA’s area control specification and that was controlled and configured by cloud software Kastle had developed. Manufacturers like Kastle already see the customer need for specification-based access control products and are expected to continue development of them once the final specification is widely adopted.
The amount of information that business systems now capture is perhaps inadequately described by the current term “big data.” Access control logs, as voluminous as they are, are an infinitesimal sliver of big data. At an organization such as Microsoft, for example, the security and access control systems log about 350 million transactions per year, generated across approximately 700 sites in more than 100 countries for about 20,000 connected doors and a total of 50,000 security devices. These numbers will grow significantly as Microsoft integrates its newly acquired business, Nokia’s Devices and Services. This enterprisewide collection of data can be used to gain greater business value. One example of this is using travel records to streamline the process of temporary access for employees at other company facilities.