Chaos, What Chaos?
This article was originally published in Security Journal Americas (July Edition – pages 56 & 57).
Brian C. McIlravey, President & Chief Operating Officer, RightCrowd explains how access chaos affects almost all physical access control systems.
Modern workplaces are in a permanent state of change. Staff turnovers, travelling sales teams, contractors, temporary workers and visitors all contribute to the potentially hundreds of individuals that enter a workplace every day. Workplace fluctuations have only been exacerbated in recent years by the COVID-19 pandemic, introducing a hybrid workforce that sees some employees working in the office some days but perhaps not others. These movers, leavers and joiners each require their own set of unique access permissions to enter secured facilities and areas traditionally managed by physical access control systems.
Unfortunately, traditional physical access control systems have not similarly progressed to account for that evolving workforce.
The management of identities and roles within access control systems has remained largely the same since their inception. One reason for this is, most physical access control systems operate in isolation, disconnected from other business systems. This means that every access change request requires a manual input from Identity Managers or other security personnel. Given the continually changing state of access rights, maintaining an accurate physical access system is becoming difficult, if not impossible, for even the best security teams. Physical access control systems are similarly ill-equipped to accurately account for these changes, inevitably causing a backlog of inaccurate access information and creating an underlying issue known as Access Chaos.
Identifying Access Chaos
Access Chaos can be defined as the state of an access control system wherein many of the identities and the permissions assigned to those identities are missing, incorrect or out of date. Independent research shows that almost 99% of access control systems suffer from Access Chaos. Afflicted organizations are either unaware they have this issue or are so deep in Access Chaos that they are unsure how to address it.
“Given the continually changing state of access rights, maintaining an accurate physical access system is becoming difficult, if not impossible, for even the best security teams.”
Access Chaos is often referred to as a hidden issue because, unlike a broken access card reader, it is often not visible to users or administrators. Access Chaos manifests in a variety of different ways, making identification even more challenging. It could be that there are more people in the security system than there are current employees, or there are active access control credentials that are unaccounted for. It may be difficult, if not impossible, for administrators to spot these inaccuracies within the system, especially when there are thousands of identities and changing roles in place.
Access Chaos is not just a systems issue. Most organizations are aware that their physical access control systems contain inaccurate access data and face challenges in rectifying the issue. Security teams are often reluctant to admit to management that a problem exists within the access system. Clearing out invalid data would require significant manual labor, leading to potential oversights and human error. On the other hand, a complete system reset would be costly and time-consuming. Both options are laborious and potentially expensive, leading some organizations to ignore the problem entirely.
Whether you are aware of Access Chaos or not, the risks are the same. When erroneous data is present, the organization is now subject to the very threats the access control system was designed to prevent. Potentially hundreds, if not thousands, of individuals could have inappropriate access if just 1% of access rights are incorrect. Insider threats and bad actors now have a literal open door to commit theft, workplace violence, and other harmful behaviors, making non-action a non-option.
Once Access Chaos has been acknowledged, know that there is no single root cause or person to blame for its existence. Access Chaos is caused by a variety of system, human and organizational factors compounded over time. Whether it be overwhelmed security administrators doing their best to keep up with the influx of changing permissions requests, the human error these manual changes are subject to, or the disconnect between an access control system and other business systems, Access Chaos has the unique ability to go unnoticed until it is too late.
Taming Your Access Chaos
The good news for Access Chaos sufferers is that there are solutions designed to both prevent and address the issue. Smart software solutions ensure every employee, contractor, and visitor has exactly the right physical access 100% of the time. These solutions also address the industry’s need for advanced back-end developments that make mapping, measuring, and monitoring access easier than ever.
Start by gaining visibility of relevant access control related information across systems. Advanced analytics software can connect data from disparate systems, including Human Resources (HR), Active Directory (AD), Learning Management System (LMS), Enterprise Resource Planning (ERP) and Access Control Systems (PACS) solutions, and visualize them through a single interface. Think of it as a visual mind map that lays the foundation needed to accurately validate whether identities are in sync and access rights are set correctly.
Next, use the rules engine functionality of such analytics software to translate safety, security, and compliance policies into daily policy checks. Whether it is essential security controls like ensuring that no past employees still have active access, or internal safety policies that require certain certifications to access high-risk areas, you need this type of software to automate the identification of access compliance and real-time security risks across your organization.
Security and administrative teams are automatically notified once outdated physical access data, unused badges, or other Access Chaos contributors are detected, allowing for swift remediation. These tools also ensure the right level of access for temporary identities such as visitors and contractors are maintained, as permissions for these populations are easily overlooked or forgotten.
An essential piece of this process is the monitoring of access via proactive User Access Reviews. In the past, organizations have tracked and reviewed identity permissions with low frequency, usually yearly at best, using cumbersome manual spreadsheets. Now, user access reviews can be conducted automatically within seconds using advanced software solutions ensuring continuous and consistent compliance. This makes compliance tasks easy when access reviews are required by strict regulatory standards such as HIPAA or FISMAS.
Access Chaos existed before the latest workforce trends were introduced and will exist long after. Adding in the velocity of personnel changes in today’s workplace, due to both the growing number of movers, leavers, joiners and the new hybrid workforce, Access Chaos will only increase in complexity.