Access Control is one of the cornerstones of security. It implies identifying people (or systems), authenticating them, and granting or denying access to a given asset. That asset can be a building, a room, a network, a computer system or certain functionality within an application. As such, it applies to both physical and logical assets. The end goal is plain and simple – protect those assets that matter to the business.
Despite access control being a universal concept, we see very big differences between physical access control and logical access control. While physical and logical access control are both concerned with regulating who or what can access certain assets, logical access control refers to restricting virtual access to data, digital resources and computer networks, whereas physical access control restricts people’s access to physical spaces. The people dealing with them are different, the technologies are different, and the policies and processes are different. To understand why that is, we need to go back in time.
A Walk Down Memory Lane
The protection of physical assets has always been a matter of putting up barriers and controlling how people can pass those barriers. In the early days, this meant fences, walls, doors, guards, locks and keys. Physical access then later evolved to include turnstiles, access badges and cameras. Physical Access Control Systems and Video Management Systems were introduced to manage these physical access controls. No coincidence that the responsibility for physical security was often given to people with a law enforcement or military background.
Conversely, the protection of logical assets really took off once data and applications moved from mainframes to decentralized servers and personal computers, and later, to the cloud. While cyber security initially was focused on protecting the network, it gradually shifted to protecting the data. This is when Identity and Access Management (IAM) technologies came into the picture.
Rather than handling users and access rights within each application, IAM solutions introduced a centralized and more robust way of managing identities and assigning and revoking access rights based on policies. First, policies centered around an individual’s role (Role Based Access Control), wherein roles are assigned to users and access rights are granted to those pre-defined roles. More recently, policies began taking into account other relevant attributes, such as employment status, certification status, etc., to decide on a person’s access rights (Attribute Based Access Control).
Convergence: Why and How?
So where does the idea of convergence between physical and logical access control come from? Simply put, it all starts with identities. You need to know – at all times – who is part of your workforce. Managing these identities and their related attributes, like a unique identifier, a role, a location, and more, is of fundamental importance. Any access control system needs to remain in sync with the authoritative source for ‘people’, which in most organizations today is either the HR system or Active Directory.
Next, you need clearly defined policies and procedures that determine who gets what access, how it is being assigned or requested and how it is being revoked. In the past, those policies existed on paper and were implemented and enforced by humans who manually updated access rights. Today, those policies can be put into a PIAM system, which is based on rules and workflows to ensure those policies get enforced in an automated way.
So that brings us to convergence. Why would you try to manage identities for physical and logical access control in two different systems? Why would you define access policies and procedures in two different systems? This clearly does not make sense from a risk management perspective.
Does that mean that we should simply merge these two domains to create a single team of people and a single system handling both? Not necessarily. Physical access control comes with quite a bit of specialized knowledge related to access control hardware such as door controllers, door readers, video cameras and smart cards. It also requires strong links with building management and automation. Logical access control comes with different specialized knowledge considerations related to keeping user credentials both secure (Multifactor Authentication) and easy to use (Single Sign-On); and fine-grained entitlements for different IT systems scattered around both internal servers and cloud providers. Logical access also has strong links with both IT and cyber security.
The Pragmatic Path Forward
Moving forward, a pragmatic form of convergence is recommended. First, managers in charge of physical and logical access control should sit down with each other regularly to align their access control policies and procedures. Secondly, every company should define what their single authoritative source for people and their data is. Note that there could be different authoritative sources for employees and contractors, but any system or application that handles access control should integrate with, or at least sync up with, those source(s) daily.
From a solution perspective, we expect that Identity and Access Management (IAM) systems and Physical Identity and Access Management (PIAM) systems will start to interface with each other. A logical next step would be to merge the capabilities of those systems into a single solution. One central system that interfaces with the authoritative people source, that manages all access control rules and workflows, and uses different types of drivers and interfaces to enforce those policies across logical and physical systems, infrastructure and applications.
The end result would be a major step forward in keeping organizations both more secure and safer. When a new person starts, the start date in the HR system will automatically trigger a set of rules and workflows to create login credentials and an access badge, and set the appropriate access to systems, applications and buildings across the organization. Security or safety requirements, like mandatory trainings and certifications that impact access to systems or facilities, are automatically validated and enforced. So next time you run into your colleague dealing with ‘the other side’ of access control, invite him or her for a coffee, and start your organization’s own convergence journey.