Physical access control technology has remained largely the same through most of its history. A user walks up to a reader, presents a valid access card, and the door opens. Administrators manually entered identities into the access control system, controlling access permissions and roles on the back end. In recent years, while many elements of access control have changed on the front end, back-end operations have, for the most part, remained unchanged.
The emergence of trends such as mobile credentials, hybrid work models, multi-factor authentication, and biometrics have changed the way users gain access to facilities. Administrative and security teams are under intense pressure to keep up – not only with evolving trends, but also with the continuously changing user roles inherent to all businesses. Natural changes within an organization, such as staff turnover, scheduling updates, and limited-term vendor contracts, (often described by identity managers as movers, leavers, joiners) can literally equate to thousands of yearly access changes and inevitably cause a backlog of inaccurate access information. Physical access control systems are ill-equipped to accurately account for these changes as they often operate in isolation from other business systems.
As a result, inaccurate access data is compounded within an access control system – creating an issue which can be called “access chaos.”
Defining Access Chaos
Access chaos can be defined as the state of an access control system wherein many of the identities and the permissions assigned to those identities are missing, incorrect or out of date. Independent research shows that almost 99% of access control systems suffer from access chaos. Afflicted organizations are either unaware they have this issue or are so deep in it that they are unsure how to address it.
Access chaos is often referred to as a hidden issue because, unlike a broken access card reader, it is often not visible to users or administrators. Access chaos manifests in a variety of different ways, making identification even more challenging. It could be that there are more people in the security system than there are current employees, or there are active access control credentials that are unaccounted for. It may be difficult, if not impossible, for administrators to spot these inaccuracies within the system, especially when there are thousands of identities and changing roles in place.
Access chaos is not just a systems issue. Most organizations are aware that their physical access control systems contain inaccurate access data and face challenges in rectifying the issue. Security teams are often reluctant to admit to management that a problem exists within the access system. Clearing out invalid data would require significant manual labor, leading to potential oversights and human error. On the other hand, a complete system reset would be costly and time consuming. Both options are laborious and potentially expensive, leading some organizations to ignore the problem entirely.
Whether you are aware of access chaos or not, the risks are the same. When erroneous data is present, the organization is now subject to the very threats the access control system was designed to prevent. Potentially hundreds, if not thousands, of individuals could have inappropriate access if just 1% of access rights are incorrect. Insider threats and bad actors now have a literal open door to commit theft, workplace violence, and other harmful behaviors, making non-action a non-option.
Overcoming Access Chaos
Once access chaos has been acknowledged, know that there is no single root cause or person to blame for its existence. Access chaos is caused by a variety of system, human and organizational factors compounded over time. Whether it be overwhelmed security administrators doing their best to keep up with the influx of changing permissions requests, the human error these manual changes are subject to, or the disconnect between an access control system and other business systems, access chaos has the unique ability to go unnoticed.
The good news for access chaos sufferers is that there are solutions designed to both prevent and address the issue. Smart software solutions ensure every employee, contractor, and visitor has exactly the right physical access 100% of the time. These solutions also address the industry’s need for advanced back-end developments that make mapping, measuring, and monitoring access easier than ever.
Start by gaining visibility of relevant access control related information across systems. Advanced analytics software can connect data from disparate systems, including human resources (HR), active directory (AD), learning management system (LMS), enterprise resource planning (ERP) and physical access control systems (PACS) solutions, and visualize them through a single interface. Think of it as a visual mind map that lays the foundation needed to accurately validate whether identities are in sync and access rights are set correctly.
Next, use the rules engine functionality of such analytics software to translate safety, security, and compliance policies into daily policy checks. Whether it is essential security controls like ensuring that no past employees still have active access, or internal safety policies that require certain certifications to access high-risk areas, you need this type of software to automate the identification of access compliance and real time security risks across your organization. Security and administrative teams are automatically notified once outdated physical access data, unused badges, or other access chaos contributors are detected, allowing for swift remediation. These tools also ensure the right level of access for temporary identities such as visitors and contractors are maintained, as permissions for these populations are easily overlooked or forgotten.
An essential piece of this process is the monitoring of access via proactive user access reviews. In the past, organizations have tracked and reviewed identity permissions with low frequency, usually yearly at best, using cumbersome manual spreadsheets. Now, user access reviews can be conducted automatically within seconds using advanced software solutions ensuring continuous and consistent compliance. This makes compliance tasks easy when access reviews are required by strict regulatory standards such as HIPAA or FISMAS.
Access chaos existed before the latest access control trends were introduced and will exist long after. Adding in the velocity of personnel changes in today’s workplace, due to both the growing number of movers, leavers, joiners and the new hybrid workforce, access chaos will only increase in complexity.
Today’s variety of access chaos solutions help back-end operations catch up with advancing front-end technologies. Through the thoughtful application of a variety of solutions, organizations can improve the safety, efficiency, and compliance of their facilities, reduce insider threats, and eliminate access chaos once and for all.
About the Author:
Brian McIlravey is the Chief Operating Officer of RightCrowd. Over the last 30 years, Brian has been a frequent speaker at security industry events and has served on many panels and group presentations. He is a former executive member of the ASIS ITSC, the Physical Security Council, and member of the original ESRM Board. He currently sits on three security industry company advisory boards, all security technology companies around the world.