Workforce Access Management – Campaign
How do PACS (Physical Access Control Systems) create risk?
Physical access control systems have one main job: to read credentials and flip a circuit to enable entry if they are valid and if the person is allowed. Access is managed using Access Control Lists that define which access a given person has.
However, there is much more complexity to whether or not a person carrying valid credentials should be allowed to pass through any individual entrance. In reality, PACS do come with the risk of insider threat for three distinct reasons:
1. Access chaos within the system
The wrong people often have valid credentials. One reason for this is that the information in your PACS changes constantly – employees leave, permissions expire, trainings lapse. As a result, an estimated 90% of companies with access control have incorrect information in their systems.
This can result in thousands of valid credentials circulating among individuals who should not have permission to be on site.
2. Hybrid workplaces create changing schedules
An employee may not have permission to be in the building that day. Remote work has existed for a long time, but has become widespread in the wake of the COVID-19 pandemic. Now many organizations have a mixture of remote and in-office work, with flexible and changing schedules, taking place in a mixture of owned, leased and co-working spaces.
It is a significant burden on security management to manually update the access control system to reflect all of these shifts, and often it is not kept up to date.
3. Required attributes are missing
Permission to enter is based on more than a person’s identity. They may be required to be employed within a specific group, hold valid certifications, have passed a health check or be an approved contractor. Every organization has its own set of rules and policies that determine whether any individual should have access to any given entrance.
Physical access control systems typically do not have their own rules engines and also lack the ability to manage workflows. Without those capabilities you are left to manual updates, which are virtually impossible to maintain.
With traditional PACS, it is very difficult to trust credentials even when the system says they are valid.
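The drift described under reason 1 can be measured by reconciling a PACS credential export against the system of record. The following is an added example, not code from any PACS or vendor product; the field names, badge numbers and records are constructed for illustration.

```python
from datetime import date

# Constructed sample data: a PACS credential export and HR records.
# All field names are assumptions for this example.
PACS_CREDENTIALS = [
    {"badge": "B-1001", "person_id": "E01", "status": "valid", "expires": date(2025, 12, 31)},
    {"badge": "B-1002", "person_id": "E02", "status": "valid", "expires": date(2025, 12, 31)},
    {"badge": "B-1003", "person_id": "E03", "status": "valid", "expires": date(2024, 1, 31)},
    {"badge": "B-1004", "person_id": "C09", "status": "valid", "expires": date(2025, 12, 31)},
    {"badge": "B-1005", "person_id": "E05", "status": "revoked", "expires": date(2025, 12, 31)},
    {"badge": "B-1006", "person_id": "E06", "status": "valid", "expires": date(2025, 12, 31)},
]
HR_RECORDS = {
    "E01": {"employed": True, "training_valid_until": date(2025, 3, 1)},
    "E02": {"employed": False, "training_valid_until": date(2025, 3, 1)},  # left the company
    "E03": {"employed": True, "training_valid_until": date(2025, 3, 1)},
    "E05": {"employed": False, "training_valid_until": date(2023, 1, 1)},
    "E06": {"employed": True, "training_valid_until": date(2024, 2, 1)},   # training lapsed
}

def find_stale_credentials(credentials, hr_records, today):
    """Return {badge: reason} for credentials the PACS still treats as valid but should not."""
    findings = {}
    for cred in credentials:
        if cred["status"] != "valid":
            continue  # already revoked in the PACS, nothing to correct
        person = hr_records.get(cred["person_id"])
        if person is None:
            findings[cred["badge"]] = "no matching HR record"
        elif not person["employed"]:
            findings[cred["badge"]] = "holder no longer employed"
        elif cred["expires"] < today:
            findings[cred["badge"]] = "permission expired"
        elif person["training_valid_until"] < today:
            findings[cred["badge"]] = "training lapsed"
    return findings

if __name__ == "__main__":
    for badge, reason in find_stale_credentials(PACS_CREDENTIALS, HR_RECORDS, date(2024, 6, 1)).items():
        print(badge, reason)
```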
To solve this problem, security professionals can now deploy a layer of technology above the PACS to deliver additional intelligence and manage workforce access across the enterprise. The first step is to recognize that the traditional list-based PACS falls short and can create new insider threat risks for the organization.
The best type of access control
There are three primary types of access control. To compare them, consider an IT Sys Admin named Alpha Beta, working at ACME Corporation, who is using their credentials to enter the data center.
1. List-based access control
Alpha Beta is on the Access Control List (ACL) implemented through discretionary access control. They are granted an ID badge or other credentials that permit access to the data center based on their identity alone.
2. Role-based access control (RBAC)
Instead of a name, the system grants permission based on Alpha Beta’s role within the organization. The rule within the PACS would be, “IT Sys Admins have access to the ACME Data Center.”
3. Attribute-based access control (ABAC)
Permission to enter any space within the facility is granted through the use of policies which combine attributes and conditions. In order to enter the data center with their credentials, Alpha Beta must have the following attributes:
a. They are an active employee
b. They are part of the IT group
c. They have successfully passed the ISO 27001 training
d. They have an approved access request by the CIO
When Alpha Beta scans their badge at the entrance to the data center, the workforce management technology instantly evaluates the status of the identity and determines if all four conditions are met. If so, it informs the PACS that this individual has permission to enter, and allows entry.
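The badge-scan decision described above, as an added example that is not part of the original page or any vendor's product. The attribute names, the training expiry date and the sample identities are assumptions; a missing attribute counts as a failed condition, so the decision fails closed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Identity:
    # Attribute names are assumptions for this example, not a vendor schema.
    name: str
    active_employee: Optional[bool] = None
    group: Optional[str] = None
    iso27001_valid_until: Optional[date] = None   # assumed: training carries an expiry
    approved_requests: frozenset = frozenset()    # (location, approver role) pairs

# Conditions a-d from the text. Each passes only on positive evidence.
DATA_CENTER_POLICY = {
    "active employee": lambda i, today: i.active_employee is True,
    "member of IT group": lambda i, today: i.group == "IT",
    "ISO 27001 training passed": lambda i, today: (
        i.iso27001_valid_until is not None and i.iso27001_valid_until >= today),
    "access request approved by CIO": lambda i, today: (
        ("ACME Data Center", "CIO") in i.approved_requests),
}

def evaluate(identity, policy, today):
    """Return (allow, failed_conditions); entry is allowed only if nothing failed."""
    failed = [name for name, check in policy.items() if not check(identity, today)]
    return (not failed, failed)

# Constructed sample identities.
TODAY = date(2024, 6, 1)
ALPHA = Identity("Alpha Beta", True, "IT", date(2025, 1, 1),
                 frozenset({("ACME Data Center", "CIO")}))
LAPSED = Identity("Alpha Beta", True, "IT", date(2024, 5, 31),
                  frozenset({("ACME Data Center", "CIO")}))
UNKNOWN = Identity("Unprovisioned Badge")  # valid card, no attributes on record

if __name__ == "__main__":
    for person in (ALPHA, LAPSED, UNKNOWN):
        print(person.name, evaluate(person, DATA_CENTER_POLICY, TODAY))
```

Returning the failed conditions alongside the decision gives the operator an audit trail for every denied swipe.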
Why you need attribute-based access control (ABAC) for physical security
Also sometimes referred to as policy-based access control, ABAC eliminates the insider threat and other risks caused by PACS. This is a fundamental element of workforce access management, which allows you to:
1. Automatically enable zero-trust policies door by door
Putting zero-trust principles into place for physical access control greatly increases overall security. They ensure no one enters a facility, an office, a server room or any other location without being fully authenticated according to a specific set of conditions.
2. Use person and location-related attributes and environment conditions to determine whether access is granted or denied
Each time a set of credentials is presented, the PACS automatically checks against real-time attributes to confirm that each of the conditions is met. These can include:
| Location-related attributes | Risk Level (high-risk area) |
| Environmental Conditions | Date and Time |
3. Reduce the reliance on manual input to update PACS, along with the constant need for maintenance
When every individual access permission, personnel change and new certification status must be manually entered into the PACS, it’s virtually impossible to be certain that all the information in the system is correct. Attribute-based access control, powered by workforce access management technology, ensures that all PACS data is up to date.
RightCrowd Workforce Access: the best path to attribute-based access control
Shifting to ABAC can be a major change for an organization. RightCrowd Workforce Access is the software solution that offers a steady, gradual path instead of an expensive disruption to operations and your budget.
Don’t wait to begin making this change. RightCrowd Workforce Access provides a dynamic, context-aware and risk-intelligent improvement to standard access control that you can begin implementing immediately.
RightCrowd Workforce Access adds intelligence before the card swipe.