This article originally appeared in Access Control Trends & Technologies 2021, a bonus publication to Security Business and Security Technology Executive magazines.
In the corporate world, COVID-19 has seriously affected the security sector, both physical and cybersecurity. Traditionally, physical building security and cybersecurity have been viewed as separate disciplines with unique solutions. However, given the changing nature of security risk, organizations need to start taking a more holistic view of security and IT risk management (ITSRM). This means combining the previously disjointed approach to security, which dispersed ownership between business, security, and IT teams, under the purview and guidance of the modern Chief Information Security Officer (CISO).
The corporate world experienced a significant uptick in physical and cybersecurity threats due to the pandemic sending millions of employees home to work. With office complexes and buildings vacated, the properties were ripe for exploitation by bad actors. Physical security breaches were up in 2020 as a result of business closures, contributing to an increase in commercial burglaries in major metropolitan areas. There was a 134% increase in Philadelphia during 2020, for example, and New York saw a 169% increase in the same year.
But the physical world wasn't the only one under fire. A July 2020 study completed by Tanium of 1,000 executives in the U.S., UK, France, and Germany found that 90% of executives surveyed said they experienced an increase in cyberattacks as the remote workforce exponentially expanded the threat surface. These statistics showcase the significant increase in risk that corporations are facing from all angles. Combating threats in a pandemic, and in a post-pandemic world, requires a broader view of security risk and security management.
While the numbers can make the situation look dire, it’s not all bad news. The technology available today makes linking the physical and cybersecurity realms easier than it ever has been before, and the changing role of today’s CISO provides a more comprehensive view of keeping all forms of security cohesive, and up to date.
But what are the barriers to bridging these two elements of security?
Identity is the core of security, both cyber and physical, but managing it is very complex
CISOs and their supporting departments struggle with providing the right people with the appropriate level of access to the right technology. A 2018 study from Okta found that companies have an average of 129 software applications, with 10% of businesses having more than 200 apps. And that number only increased during 2020, as companies required more technology solutions to support remote work.
Making the situation increasingly difficult is that within each of the 129 applications, employees can hold various levels of entitlements. Managing identity and credential provisioning at this level for all employees that join, leave, or move within the organization is already a high-volume task. Additionally, the expansion of the gig economy has forced corporations to factor in third parties and contractors who need access to corporate data, tools, content, and physical spaces, only adding to the overall risk for the organization.
Due to the level of detail that is required to ensure accurate provisioning, mistakes are bound to happen. Unfortunately, the mistake that happens most often is leaving users over-entitled because access (physical or virtual) granted for specific tasks accumulates over time and never gets removed.
Managing that amount of change requires technology to support the process. Organizations have invested heavily in identity and access management tools such as Okta, Microsoft Azure AD, G Suite and many more to create central control over access to their virtual networks, applications, and data. These solutions become the gateway to propagate identities and the correct level of control across the entire environment. These systems are also usually automatically connected to HR solutions to ensure up-to-date and authoritative information is being utilized and is connected to the rest of the organization. Having a link to employee directories allows technology to rapidly identify authorized users and de-provision users to remove facility access quickly and easily.
Unfortunately, that same approach has not necessarily been applied in the physical security world. Much of physical security still runs on legacy systems that have not necessarily kept up with the evolving nature of identity management and access controls to ensure that the user really is who they claim to be.
Forward-thinking CISOs and CSOs are now looking more broadly at security and at how they can not only mitigate risk but also make their departments more efficient. These leaders are looking at how to connect the IAM solution to other parts of the organization, such as physical access control, as a more centralized process, and at ensuring that there is a single record of truth on individual access. These CISOs expect access control solutions to integrate their IAM solutions with their physical credentialing and access control. Ultimately, by doing this, their teams save time and effort by utilizing a single source of truth for access (physical and virtual) and automatically eliminating access upon offboarding.
From a data and risk management perspective, with these systems connected, CISOs and threat analysts in the Security Operations Center (SOC) have more data and visibility as they investigate threats and understand the level of risk or exposure from a cyber and physical event.
Applying cybersecurity practices to the physical world
Centralizing employee information in the company system including credentials, level of access, and privileges ensures all points of vulnerability have been identified, and prevents “privilege creep”, where an employee accumulates more access rights than necessary to perform his or her job. The same should be done on the physical access side, to ensure employees only have access to spaces they need to do their job to protect data, privacy, assets and information from possible over-exposure and insider threats.
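An added example (not from the original article) of checking physical access against the central identity record: it compares a badge export from the physical access control system with the IAM directory and reports badges with no active identity and door groups beyond what the holder's role needs. The user names, roles, door groups and data layout are all constructed assumptions.

```python
# Added example: reconcile a physical access control (PACS) badge export
# against the IAM directory. All names and records below are constructed.

# Constructed IAM directory export, treated as the single source of truth.
IAM_USERS = {
    "alice": {"status": "active", "role": "engineer"},
    "bob": {"status": "terminated", "role": "engineer"},
    "carol": {"status": "active", "role": "front_desk"},
}

# Hypothetical policy: the door groups each role needs to do its job.
ROLE_DOOR_GROUPS = {
    "engineer": {"lobby", "office_floor"},
    "front_desk": {"lobby"},
}

# Constructed PACS export: badge holder -> door groups currently granted.
PACS_BADGES = {
    "alice": {"lobby", "office_floor"},
    "bob": {"lobby", "office_floor"},   # offboarded, badge never revoked
    "carol": {"lobby", "server_room"},  # access left over from an old task
    "dave": {"lobby"},                  # no IAM identity at all
}


def reconcile(iam_users, role_door_groups, pacs_badges):
    """Return (orphaned, over_entitled).

    orphaned: badge holders with no active IAM identity.
    over_entitled: holder -> door groups beyond what the role allows.
    """
    orphaned = []
    over_entitled = {}
    for holder, granted in sorted(pacs_badges.items()):
        user = iam_users.get(holder)
        if user is None or user["status"] != "active":
            orphaned.append(holder)
            continue
        # A role missing from the policy is allowed nothing (fail closed).
        allowed = role_door_groups.get(user["role"], set())
        excess = granted - allowed
        if excess:
            over_entitled[holder] = sorted(excess)
    return orphaned, over_entitled


if __name__ == "__main__":
    orphaned, over_entitled = reconcile(IAM_USERS, ROLE_DOOR_GROUPS, PACS_BADGES)
    print("revoke badges:", orphaned)
    print("review door groups:", over_entitled)
```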
However, many organizations haven’t managed the level of access that they provide to their physical security administrators and users with the same rigor as they do cyber access. Controls need to be put in place to manage what a physical security team can see, do, and act within the security platform itself. The ‘guards’ put in charge of security need to be provisioned in a granular way to the access control system. It is important to not over-provision users of the security system itself to have more access than is necessary in order to do their job.
For example, let’s look at insider threats. Insider threats aren’t a new phenomenon; they’ve been a high priority to detect and deter for years. However, insiders are now not only attempting to steal and disrupt operations in the cyber realm through advanced attacks, but also targeting the physical world through inappropriate access to sensitive areas.
This means that attacks are no longer either a cyber or a physical security problem; they are one and the same.
To help you ensure that you are applying the best practices from IAM to your physical access control solution, here are a few tips:
- CISOs: check that your physical security solution has enabled multi-factor authentication (MFA). There are more than 15 billion logins available for sale on the dark web, and your security admins, front desk clerks, and guards are all vulnerable to bad password management and hygiene. MFA is the easiest, quickest, and most widely supported way to protect against unauthorized access from compromised login credentials. And while the digital world has rapidly adopted this best practice, the physical world is lagging behind.
- Implement a least-privileged approach for admins, security teams and guard access to the physical security system. Why? As shared above, entitlement creep is abundant, and the more access your guards have beyond what their position requires, the greater the exposure if an insider or a compromised credential is used to grant excessive access to sensitive spaces across the corporate footprint.
What’s the impact? Imagine a bad actor who purchases a security guard’s username and password online. Without a second means of authentication, that intruder can slide right into a company’s online system. Furthermore, if that security guard has been over-provisioned, the intruder can now grant themselves physical access to whatever they would like, including data centers and server rooms with key confidential information.
Applying the systems of checks and balances that have been proven to be successful in the cyber world to the physical world will not only improve access control to a company’s building but ultimately will result in stronger security overall by preventing access to all points of entry.
The changing role of CISOs offers opportunities to make cyber and physical security management cohesive
As threats to cybersecurity are manifesting more and more as gaps in access control, whether that be of the building itself or the data and security centers, it is clear that a cohesive solution is an answer to the problem.
Fortunately, organizations are catching on to the extremely detrimental effects of a security breach and are making structural changes to support the mitigation of cyber and physical security threats. Today’s CISO is more important than ever before, with the responsibility of cultivating enterprise-wide security strategy. Having a more comprehensive view of security for the entire organization, rather than disjointed teams handling cyber and physical security needs, dovetails well with the changing need of technology and process solutions to address threats. Additionally, with the greater visibility by the CISO into all aspects of security, he or she can now ensure consistent practices are being implemented to protect the tools that are meant to protect their employees.
Viewing identity management and access control data together can identify new security risks
A June 2020 study by McKinsey & Company found that the pandemic has accelerated the digital economy by seven years. The digital adoption of applications for corporate work, in conjunction with tech solutions for physical security, is not just a temporary fix; these solutions are here to stay.
You’ve heard it said, ‘data is the new oil.’ This means that in the age of technology, data is the new commodity that businesses must manage as a rich resource. Managing users’ and administrators’ identity and access control data in virtual and physical environments with a single framework provides central visibility into individuals’ access to all systems and spaces as well as aggregate data on who is utilizing them.
Combining physical data and cyber analytics creates a powerful, unified view of users and access. Advanced analytics can then utilize the combined power of identity data in real and virtual worlds to better detect anomalous activity, surface potential threats to security leaders, and support faster, more effective incident investigations. By integrating identity management and access control, organizations gain a 360-degree view of their facilities to monitor and track access events alongside cyber incidents. Having the ability to manage users and administrators from one framework provides insight into who has access to internal applications and data, as well as which physical location and facility they are accessing it from. Furthermore, integrating video into your access control allows for verification and visual proof in investigations and remediation activities.
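An added example (not from the original article) of one such combined detection: it flags sign-ins that originate from a facility's network when the access control system shows no current badge-in for that user at that facility. The event formats, user names, site name and the 12-hour presence window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed PACS door events: (time, user, site, direction).
BADGE_EVENTS = [
    ("2021-03-01T08:55:00", "alice", "hq", "in"),
    ("2021-03-01T17:30:00", "alice", "hq", "out"),
    ("2021-03-01T09:10:00", "carol", "hq", "in"),
]

# Constructed IAM sign-in events: (time, user, site of the source network).
LOGIN_EVENTS = [
    ("2021-03-01T09:05:00", "alice", "hq"),  # badged in: expected
    ("2021-03-01T19:00:00", "alice", "hq"),  # after her badge-out
    ("2021-03-01T10:00:00", "bob", "hq"),    # never badged in
    ("2021-03-01T10:30:00", "carol", "hq"),  # badged in: expected
]

# Assumed limit on how long a badge-in without a badge-out is trusted.
MAX_PRESENCE = timedelta(hours=12)


def present_at(user, site, when, badge_events):
    """True if the user's latest badge event at `site` up to `when` is a recent 'in'."""
    latest = None
    for ts, who, where, direction in badge_events:
        t = datetime.fromisoformat(ts)
        if who == user and where == site and t <= when:
            if latest is None or t > latest[0]:
                latest = (t, direction)
    if latest is None or latest[1] != "in":
        return False
    return when - latest[0] <= MAX_PRESENCE


def onsite_logins_without_badge(login_events, badge_events):
    """Return on-site sign-ins that have no matching physical presence."""
    findings = []
    for ts, user, site in login_events:
        when = datetime.fromisoformat(ts)
        if not present_at(user, site, when, badge_events):
            findings.append((ts, user, site))
    return findings


if __name__ == "__main__":
    for finding in onsite_logins_without_badge(LOGIN_EVENTS, BADGE_EVENTS):
        print("investigate:", finding)
```

A finding is a lead for investigation rather than proof of compromise, since tailgating or a missed badge read produces the same pattern.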
This is the true value of connecting IAM with access control platforms: central visibility to control access across the physical and virtual environments. And the more integrated your systems are, the more easily you are able to manage access rights across services, provide centralized compliance reports, and, if needed, provision and de-provision users and administrators quickly.