“Who Are You?” – Some Thoughts About Identity and Physical Access Control
Physical Security Technology: The IT Perspective #2
By Chris Fine
This article is the second in a series of columns highlighting some of the relationships and parallels between Information Technology (IT) and the world of physical security technology (access control, surveillance, and other physical security systems). All views expressed are those of the author unless indicated otherwise. We try not to be boring.
Based on this column’s title, you might expect a tutorial on the complex topic of Identity and Access Management (IAM). This column is more of a thought exercise about the role that identity (ID), and its verification, play in the world of physical access control systems (PACS), and how that relates to the broader and evolving role of identity and access management in the enterprise.
Questions about the quality and use of ID have become more critical than ever, given the response to the COVID-19 pandemic. COVID-19 is driving fundamental changes in remote-versus-local work patterns and a corresponding requirement to collect data for safety and health purposes. Return-to-office (RTO) applications often incorporate badge-swipes and other physical security data into their analytics, contact tracing, etc. Thus, there is a strong need for ID to be accurate and trustworthy – i.e., maintained properly and verified by strong credentials.
As we will see, there are differences today between ID and credentials in the IT and physical access environments. Changing requirements indicate that a re-thinking may be in order.
The IT Environment and Logical Access
In the IT world, ID is usually tied to "login credentials." Login credentials – username, password, or equivalent – are used far and wide in cyberspace for everything from system access rights to ownership of files and data, group membership, etc. In most enterprise IT systems, IDs and login credentials are stored in a secure central database: Active Directory, Kerberos, or equivalent. Each person normally has one primary ID, stored in one place, with one set of credentials. There are exceptions, of course, but it's reasonable to think of "one ID, one place" as the norm. The growth of cloud computing places additional emphasis on the importance of a single ID, shared among different systems and environments.
Login ID and credentials are often referred to as "logical access" information because they're used in cyberspace and control access to resources and information in that domain.
IT credentials today are often based on two pieces of information: username and password. Security controls may require the user to specify a password that is not easy to crack and to change the password every so often. More robust credentials can include an additional "factor," like a changing PIN code generated by an app that is uniquely tied to you and a device in your possession. PIN-based "step-up authorization" is used where additional security is necessary, but it's somewhat more cumbersome to use than a regular login. Step-up authorization is common for remote logins, such as work-from-home, but it's also becoming the norm for all logins as the apps get easier to use.
Centrally managed ID ties into the HR cycle workflow. New hires are added, name changes are accommodated, and leavers are locked out of the system. If a person gets transferred or takes a new role, the ID and its associated authorizations reflect that. These may be manual or automatic processes. Control monitoring systems can check and enforce other requirements for accuracy and integrity while protecting information and looking for anomalies.
The IT environment in a given organization might or might not be fully unified across systems and platforms, even if there is a single repository. However, if an organization follows good practices, the logical environment can at least reach the "trust but verify" level of security – i.e., reasonably trustworthy given constant monitoring.
PACS (Physical Access) and IT (Logical Access) ID and Credentials: Parallel Worlds
It surprised me when I originally got into the PACS world that the IDs and credentials in PACS work differently from the IT environment. They are often kept centrally, but in a different database from the rest of enterprise IT. Various manual or automatic processes may work to keep the two databases in sync, but the identities and credentials for people in the system exist in parallel. The "factors" for PACS credentials are also different from IT. Often, each person has a badge with a photo, held near a reader device to access a space. One part of the credential is the number read off the badge by the reader. The second part of the credential is the picture, verified by a manual process of inspection.
These systems are separate because of their differing infrastructures and requirements and for historical reasons. The closed architecture of most PACS makes them quite challenging to unify. There are a few forms of unified ID today, like the US Government's FIPS credentials. However, these are expensive and complex to maintain, putting them beyond the reach and priorities of most organizations.
How Effective Are PACS Credentials Today?
In a PACS where ID is associated with two pieces of information on a badge – number and photo – the credential is not strong. The badge number is just a number, often unencrypted, and can be read off the badge electronically. One seldom sees each person's photo examined, except at high-security locations like data centers, which usually require another form of photo ID and supervised sign-in. The badge number can, therefore, be cloned, and the photo faked or concealed from minimal inspection.
The problem of weak PACS credentials is exacerbated by the fact that the relationship between the badge and the actual person is also weak. In this case, the only "identity" involved is, "this is the person holding this badge right now." That doesn't mean that it's the actual person assigned the badge, nor does it prove they're the right person by making them provide some additional info. If somebody looks at a badge photo, that just means, "this is someone who may be, or at least looks like, the person in this photo." Some locations may require a memorized PIN to be entered at the badge reader (i.e., another factor), but that PIN rarely changes and may not even be unique per individual. Any additional measures can impact the smooth flow of traffic. Think of the TSA line at the airport and imagine if each person had to remember a PIN.
Arguably, PACS has been "good enough," at least until now, but it has real flaws in practice and design and needs to get better. Envision the typical office building. PACS IDs aren't thoroughly checked. Visitors and service people go in and out. Tailgating (holding the door open for a person behind you) occurs. Most people pose minimal security risk going in and out, so security teams check for "Do Not Admit" cases and other types of suspicious behavior, looking for exceptions. All this has become more complicated in recent years with the growth of flex space, co-working, work-at-home, and other factors that have removed the perimeter of the protected physical area. The fact that PACS and logical ID are separate means that the HR process can get out of sync (for example, a former employee with an active badge). How secure is this picture?
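The out-of-sync case above is something a security team can check for mechanically. The following is an added example (not from the column or any vendor's product) that reconciles a constructed HR feed against a constructed PACS badge table and a few badge-swipe records, flagging leavers with active badges, badges with no HR record, stale names, and swipes after a person's last day; all record layouts, field names and sample values are assumptions.

```python
from datetime import date

# Constructed sample data: a simplified HR feed, the PACS badge table kept in
# its own (parallel) database, and a few badge-swipe events. All hypothetical.
HR = {  # person_id -> (display name, employment status, last day or None)
    "e100": ("Ana Ruiz", "active", None),
    "e101": ("Ben Okafor", "terminated", date(2021, 3, 31)),
    "e102": ("Cara Li-Jones", "active", None),  # name changed in HR
}
PACS_BADGES = [  # (badge_number, person_id, name printed on badge, active?)
    (4401, "e100", "Ana Ruiz", True),
    (4402, "e101", "Ben Okafor", True),      # leaver whose badge was never disabled
    (4403, "e102", "Cara Li", True),         # name change not propagated to PACS
    (4404, "e199", "Unknown Temp", True),    # no matching HR record at all
]
SWIPES = [  # (date, badge_number, door)
    (date(2021, 4, 6), 4402, "lobby-turnstile-2"),
    (date(2021, 4, 6), 4401, "lobby-turnstile-1"),
]


def reconcile(hr, badges, swipes):
    """Return (finding, badge_number, person_id) tuples where the PACS view
    of identity disagrees with the HR system of record."""
    findings = []
    active_badge_owner = {}
    for number, pid, name, active in badges:
        if not active:
            continue  # disabled badges cannot open doors; nothing to flag
        active_badge_owner[number] = pid
        rec = hr.get(pid)
        if rec is None:
            findings.append(("orphan_badge", number, pid))
        elif rec[1] != "active":
            findings.append(("leaver_with_active_badge", number, pid))
        elif rec[0] != name:
            findings.append(("name_mismatch", number, pid))
    # Badge-swipe data is only trustworthy if the badge still maps to a
    # current person: flag swipes dated after the holder's last day.
    for day, number, door in swipes:
        pid = active_badge_owner.get(number)
        rec = hr.get(pid) if pid else None
        if rec and rec[2] is not None and day > rec[2]:
            findings.append(("swipe_after_last_day", number, pid))
    return findings


if __name__ == "__main__":
    for finding in reconcile(HR, PACS_BADGES, SWIPES):
        print(finding)
```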
Some newer systems use smartphone apps in addition to, or instead of, physical badges. Apps can incorporate multiple factors and other advanced functionality. However, this approach requires careful implementation, especially when many people are involved, due to the impact on crowd flow. Most people don't want (or remember) to stop to enter a PIN or password, or otherwise identify themselves beyond "this is the person holding this phone." Each person first has to dig out a phone that is powered on, with a charged battery and the app running, before he or she can authenticate. People may object to having corporate control of an app on their devices – and managing corporate apps on personal devices can be a nightmare for IT.
Another approach incorporates biometrics, which is quite promising. In particular, computer vision is advancing so rapidly that we will undoubtedly see its integration into PACS soon. Biometric factors add the critical dimension of "something you are," which can be tough to fake. However, these systems are complicated and expensive (although the cost is declining), and they don’t always work quickly or reliably enough. Administration of biometric credentials requires extra steps as well, while collecting and storing very personal information which has to be protected and controlled.
There’s no one answer to "How accurate should PACS be?" The answer depends on how powerful and cost-effective the technology is at a given point (the art of the possible); how much investment is available; and how secure the facility or asset must be at a particular location.
Unified ID Must Accommodate PACS's Unique Operational Requirements
Unified logical and physical ID solutions promise to address some of the challenges of weak PACS credentials and parallel databases, but the technology is relatively new, and all the stakeholders need to consider the approach carefully.
The security teams responsible for PACS and its operation are reluctant to introduce any unnecessary complexity; they have to “live with it” every day. The system has to make the "yes/no" decision, globally, potentially millions of times a day, with minimal elapsed time per transaction and close to zero downtime. Each decision has to propagate through multiple layers of hardware and software, over distance, to open a door or a turnstile. Whatever their weaknesses, PACS systems and their ID verification operations are fast and reliable, thanks to mature technology; any new system needs to be as good or better.
In addition to speed and reliability, a unified system must accommodate PACS's specific use cases and exception conditions. For example, a person’s ID may have logical access, but not physical – or the reverse. A remote consultant is an example of logical, not physical, access. An electrical contractor is an example of physical, but not logical, access. A well-designed unified ID system accommodates these exceptions and requirements via flexible attributes and a defined access management architecture. Another example is visitor credentials – rarely seen on IT systems but required for PACS.
A tactical attempt to glue PACS and logical ID together using today's separate systems is a challenging approach of questionable effectiveness. What's needed is true unification over time, aligned closely with the enterprise's security and risk strategy, and incorporating new technologies that are designed to support universal, unified ID.
Needed: Unified ID and Stronger Credentials
My view is that most organizations and vendors should improve the quality of PACS ID and credentials to the degree feasible. Physical and logical ID should move toward unification. Higher risk levels and advancing technology are the drivers of this view.
Threats are growing; health, safety, and regulatory requirements are increasing; and workplace borders have become fluid. For example, what combination of physical and logical ID accommodates the challenges of temporary spaces and remote work? This changing risk picture demands improved functionality, flexibility, scalability, and accuracy.
Technology is improving. For example, the addition of AI to PACS, coupled with cheaper, better biometrics, can help solve the weak association between ID and an actual person, while allowing for traffic flow. Open systems and standards promise to lower the cost and complexity of new systems to create a unified ID. New investment in physical security and other "PropTech" startups is increasing, which will produce further innovation and help to loosen the hold of entrenched vendors in the market.
Organizations should work with vendors to mitigate the weaknesses of PACS credentials while accommodating performance and UX requirements. The approach in each case, and the level of investment, should be closely aligned to the enterprise's risk, security, functionality, and control requirements. The design and implementation should incorporate as much off-the-shelf technology as possible, emphasizing open standards and platforms.
The following are four areas of focus where an organization can look to invest as part of a roadmap to enhance the security and performance of PACS ID and credentials, as well as ID security overall:
- A robust, flexible, unified, and centralized ID system for physical and logical access that works with cloud and on-premises technology, incorporates multiple factors, and can be integrated with PACS.
- Biometrics and other advanced "factors" incorporated into credentials, without slowing down or inconveniencing the end-users. This is rapidly becoming available with video-based solutions especially.
- Integration of PACS with IoT and other sensing systems as these become more common. Sensing systems can help increase the accuracy and reliability of ID and credentials by providing additional elements of data that can be correlated with behavior. IoT systems are becoming more open and standardized, which is promising.
- Better data analytics, control monitoring, and anomaly detection, using big data techniques, AI, and proactive reporting. Technology is rapidly advancing in this area.
The longer-term return on prudent investment in the areas above can be significant. Each improvement can generate multiple benefits and capabilities. All of them can be part of a corporate-level strategic initiative for risk management, security, safety, and data integrity. An integrated approach can be a win for the people who have the unified credentials, too – easier to use, more straightforward, and less prone to error or attack.
What do you think?
Chris Fine, founder of the consulting firm Integrated Technologies LLC (www.integrativetech.io), is an experienced independent advisor and consultant, specializing in strategy, technology, innovation, and business/market development. Chris's background includes over 30 years of engineering, IT, management, and financial work. Some of his areas of technology and market expertise include enterprise technology, AI, cyber and physical security systems, communication and collaboration products and networks, workplace technology, and the Internet of Things (IoT). Chris's recent focus, working with vendors, Real Estate professionals, IT groups, and end-users, has been the future of work and the workplace, including technologies, user and operator experience, office layout, remote work, and security, before, during and after COVID-19. Chris's extensive speaking background includes industry conferences, corporate events, podcasts, and webinars. He is the author or co-author of multiple industry studies, White Papers, and other publications.