This article originally appeared in the 2020 Access Control Trends & Technology bonus publication.
The role of access control in the modern era of converged infrastructure is set to become one of the most challenging discussions in the security industry for the next decade. The new realities presented by the Covid-19 pandemic have further highlighted the requirement for frictionless and contactless entry. Security leadership now faces a greater burden of ensuring public health, and must contend with the prospect of rapid change that may force an overhaul of their current, and likely soon-to-be-extinct, access control technologies and processes.
For as long as we have challenged people at an entry, we have used access control. This will always be our first line of defense against a potential threat. However, in the last 50 years, as digital technology became a part of the entry process, we have seen access control become more relevant to business operations. Many traditional methods have been challenged by emerging solutions such as facial recognition, contactless biometrics and mobile credentials, but thus far none has emerged as the clear paradigm-shifter.
The most substantial change in access control is that it no longer applies simply to a door. Convergence of systems across every area of our world has made it both difficult and challenging to segment and secure processes from nation-state syndicates and bad actors. The consequences of events such as 9/11 and breaches of large corporations like Target have only amplified the need for more stringent converged access controls. Pre-pandemic, one of the growing concerns was privacy and how best to utilize an employee’s biometric information without the burden and potential liability of storing that information in a database or on a server. Now organizations are faced with a must-be-addressed health-related view of access control. It would be hard to argue that existing “communal-touch” methods are still viable.
New Definitions of What Is Access
This new paradigm within the already changing landscape of access control is leading to the need for a clear definition of identity-driven access management, which is being driven by greater interconnectivity of systems in the IT, OT, PS, and IoT arenas. Access control is now part of the entry into all things: IT (Information Technology), OT (Operational Technology), PS (Physical Security), IoT (Internet of Things), and CoT (Cellular of Things). This broad brush now encompasses our understanding of all the domains of security, since they are all interconnected, and with that comes the birth of the new paradigm of access control management and its technology.
Access Control IT, OT, and Physical Security
- Access management has always been a rudimentary process: controlling people through processes in order to manage security and access to critical and non-critical infrastructure.
- Access granted or denied is a very one-dimensional concept, since it relies primarily on a physical card, a password, a biometric reader, or a two- or three-part authentication process at the reader.
- Access control does not define identity; it merely grants permission based on access control management processes.
- Where does the validation of the person begin and end? And, equally important, who controls the mechanism for validation?
- What are the role and the implications of relying on a Bring-Your-Own-Device approach?
Access Control Information Technology
- Traditionally, alphanumeric passwords
- Two-part authentication: an encrypted password combined with biometric or question-based authentication
- Identity authentication methodology
Operational Technology Access Control
- Traditionally, alphanumeric passwords
- Non-intelligent systems with one-dimensional access control
- Open PLCs (programmable logic controllers) and SCADA (supervisory control and data acquisition) systems
- Unsecured communication systems
Physical Security Access Control
- Card-based access
- Two-part authentication with a biometric
- Three-part authentication with iris, retinal scan, facial recognition, or palm or finger recognition
Credentialing as access control has generated a multitude of solutions that are striving to define permission based on a securely defined identity. This path has led to establishing the six domains of identity recognition within the access control world:
1. Facial recognition in IT, OT, PS, IoT
2. Biometric authentication using retinal, fingerprint, temperature, heart, body movement, breathing, voice and palm print technology
3. Intelligent cards with biometric authentication on board
4. Intelligent entry systems using behavioral and voice technology tied to sensors
5. Visitor and access management using defined permissions with multifactor authentication tied to challenge questions and behavioral tracking systems
6. Products that recognize you: AI, deep learning and machine learning, intelligent embedded chips and biological chips, and sensor technology
New Norms for Access Control
The process of access control is changing, and with that it is critical to understand that we must now establish a new norm which incorporates the aspects of identity recognition and acceptance as part of the overall promise of entry. We can no longer define access control as part of a siloed process, but rather as part of a new organic and multi-dimensional converged ecosystem. These new norms are tied to the six domains of identity recognition listed above.
It is very clear that the process of identity-driven access control is moving to the edge, and with it the technology used to make that happen. The inevitable use of a biometric or mobile credential (ideally with the biometric enrollment managed by the enterprise and not the end user), tied to a sensor that is connected to a door strike that communicates over cellular, may be closer than you think.
Security requirements aside, a key factor in this transition will be the optimization of previously expended capital, avoiding the need to “rip and replace” infrastructure. Adding a camera to the mix, together with either Lidar or Optex sensors, gives you the potential to detect piggybacking and tailgating at every door. This process lends credence to the discussions surrounding the use of cloud access and identity at the edge. There is a growing sentiment among large organizations that, with intelligent identity access processes, they may be able to connect all the business domains and therefore create a new operational identity-to-entry model which does not need the burden of infrastructure; especially if they tie it to secured cellular solutions and bypass the LAN environment, segmenting the entire operational environment, including access and identity, from the IT data transaction world.
With the movement to identity-driven access control, we need clear policies and procedures, as well as governance, to ensure there are protections for both the individual and the entity. The guidance established by HIPAA (Health Insurance Portability and Accountability Act), GDPR (General Data Protection Regulation) and the California Privacy Act are a few of the many sources we must draw on to incorporate protections as we move into this world of Access, Identity, to Entry.
Now that we understand that everything is changing, we must define and understand how to manage this interconnected world driven by identity. The DHS created a process that will help our world stay on the rails and, hopefully, not get derailed by technology. The goal, simply put, was to define a process for determining entry in the Federal and now in the public domain. The goal is an understanding of the importance of multi-factor identity authorization in the process of access management.
https://www.dhs.gov/sites/default/files/publications/896_ICAM_Acquisition-Guidance_060818-508.pdf
The Future of Access Control and Identity Management in the World of IT, OT, PS, IoT
• IoT and IIoT identity-based access control
• OT identity-based access control
• PS identity-based frictionless access control
• IT identity-based agent and access control
• CoT (Cellular of Things) secured communication tied to identity and access control
The Future of Identity Tied to Access Control
• Unified identity: the convergence of identity and building the unification of privacy
• Access, Identity, to Entry in the converged technological world
• Bridging data protection with identity management in the world of IoT
• The path forward: aligning assessment, testing and integration with identity
• Identity per industry: leveraging the rules of compliance and regulation to harness entry through identity
Inevitably, however, once we establish a conclusively defined identity tied to entry, the rule of privacy must become imperative. The holder of the identity must be the individual, not the entity. The use of a defined biometric algorithm tied to the individual, locked by a process based on open consent, is the holy grail of access control in the modern era.
Our world is faced with a burden of guilt in obfuscating our rights for the sake of the “global interconnected world”. We as humans must control our right to be free of manipulation and misuse of our identity. Our world is quickly approaching awareness of this: the recent conversation about tying health to an identity card tends to drift into the realm of Big Brother, and with China in full surveillance mode, we are seeing the progenitor of what George Orwell called Oceania, the totalitarian state wherein the ruling party wields total power “for its own sake” over the inhabitants.
So, can we have identity and still retain privacy? I believe we can, but it is going to take the use of identity governance within the overall process of access management. The use of technology such as a thermal camera to determine temperature, in response to the need to control entry in the post-Covid-19 pandemic world, is another area to be defined. The workplace may be in a paradigm shift of its own due to the justifiable fears of contracting Covid-19, as we see identity-driven access control becoming more important than ever.
However, with this there must be protections put in place to ensure that employee rights are securely defined. As we come to the realization that access control is no longer a one-dimensional issue and that all things are connected, we must also define a new expectation that identity is the underlying key to the new equation, and with that will grow the need to take a firm but equal stance on how that is interwoven with our interconnected world.
Protecting Identity Rights
As we move to protecting identity as part of access, we must realize that there will be challenges. One of the greatest challenges is identity theft, along with the wider world of fraud and misappropriation.
The unification of Access, Identity, to Entry in the IT, OT, PS, and IoT world is a reality, and with the use of biometrics across many industries such as banking, transportation, retail and critical infrastructure, we are relying on systems to work as well as to be secure. While nothing is 100% foolproof, I have always stated that the 80/20 rule applies. As we strive to become more secure using identity, we also have to understand that the layers of protection will inevitably fall short, and it is our choice either to accept a world that is totally imperfect through the use of one-dimensional access management, or to know that the 80% will afford us a chance to protect ourselves, our property and our future.
About the author: Pierre Bourgeix is the CTO and founder of ESI Convergent, a management consulting firm focused on helping companies assess and define the use of people, processes, and technology within the physical and cybersecurity arena. ESI Convergent was formed to help not only end users but also manufacturers in defining the proper strategy to drive products successfully into the marketplace. As a thought leader in the security industry, Pierre Bourgeix has helped companies successfully launch and position products and solutions globally. ESI Convergent can produce market analysis, product briefs, product specifications, physical and cyber assessments, and an advisory practice surrounding cyber and physical security convergence in the security and risk management arena.