Real Words or Buzzwords?: Micro-Automation

June 25, 2024
Micro means “very small.” Micro-automation is the automation of small parts of an overall process, and it is extremely valuable when applied at large scales. It makes possible the otherwise impossible and can provide macro-scale results.

(Editor’s Note: This is the 77th article in the “Real Words or Buzzwords?” series about how real words become empty words and stifle technology progress.)

In this article, we will examine the concept of micro-automation as it applies to physical access control. This article, while it can stand alone, builds on the previous “Real Words or Buzzwords?” article Data Literacy. It shines a spotlight on a technology product that enables the effective utilization of data, in this case access-privilege data, where this has only been possible at small scales.

Physical Access Controls’ Dark Secret

The 50-year “dark secret” of facility access control is that electronic access control never truly solved the shortcomings of physical lock-and-key systems. Whether locks and keys are mechanically or electronically operated, access control privileges are still less and less manageable as two things grow in size: the number of controlled doors or gates, and the number of credential holders in the system.

Consider the following real-world example of one company’s story. They have 25,000 employees. Every year 2,000 individuals exit the company, 2,500 are hired to back-fill empty positions or fill new ones, 800 change roles or working locations, 1,000 are added due to acquisitions, and another 500 leave due to subsidiary sell-offs. On average, 25% of all people records change every year. That’s 6,250 personnel changes.

Over 1,000 access credential holders are contractors, for whom the status of their company’s insurance policies is a make-or-break access privilege requirement. Some of the contractors work for multiple primary contractors, and the scopes of the primary contractors’ work determine what areas of the facility the subcontractor may have access to.

Additionally, several thousand employee and non-employee credential holders have safety training requirements that must be up to date for them to access specific areas or operate certain machinery.

This company believed it likely that at any point in time at least several hundred of their credential holders have inappropriate access privileges resulting from a variety of human mistakes. It has proven impossible – through manual processes – for them to keep all access privileges accurate across the entire company.

Furthermore, some percentage of the access privilege errors are cumulative, meaning that they are not solved by people leaving the company. For example, several access groups contain too many privileges, and now span protected areas they were not originally intended to span. Thus, the incorrect access privilege liability grows each year, and the organization is increasingly subject to the very threats the access control system was designed to prevent.

Many of their greatest risk exposures stem from highly complex privilege requirement situations that they just can’t get a handle on. For example, if a serious injury accident were to happen involving a contractor whose training has expired and whose employer’s insurance has lapsed, the company would have a multi-million-dollar liability.

On top of the financial costs, there would be negative emotional impacts on other employees, contractors and investors as well as a diminishing of the company’s reputation.

Addressing Access Privilege Complexity, Chaos

Previously, addressing large-company access management problems required ripping and replacing physical access control systems globally, integrating them with a central IT-managed identity management system (IDMS), and completely re-working how physical access control privileges are managed. A small team would be assigned the task of redoing all the access privileges, which is a gargantuan manual effort.

During such widespread rip-and-replace disruptions, access privilege accuracy typically worsens before it finally gets better on a site-by-site basis. However, at the point of project completion access privilege accuracy then begins a new downward slide, because such an upgrade project doesn’t address the root problem: data management regarding access privilege requirements.

It’s a Data Problem

Much of the data on who should have what privileges resides in multiple physical and electronic locations, with some of it existing only in the minds of various access privilege decision makers. Key data that relates to access privileges is held and managed outside of the access control system.

Because 75% or more of the access privileges are not problematic, customers just “live with” the situation by accepting some amount of excess privilege assignment. Although “least privilege” is the desired principle to apply to access management, it has not been possible to effectively manage the complex privilege factors at large scales.

To their credit, Lenel Systems tried to tackle the problem with its Policy feature, but the database technology available for Lenel to use wasn’t up to managing access privilege data in the way that’s needed.

Lenel was the first physical access control company to make good use of what we now think of as traditional database technology, which is based on the concept of fixed data records. Every record in the database has the same structure (such as first name, middle name, last name, email address, telephone number, etc.).

However, that kind of database doesn’t fit the data management needs of physical access control privileges, which can vary significantly from site to site, and even from building to building on a large corporate campus.

Graph Databases and Knowledge Graphs

The type of database technology needed has evolved over the past 10 years, driven by the needs of companies like Google, Netflix, LinkedIn, Facebook and so on. The database is called a “graph database.”

Unlike the fixed data records of traditional databases, a graph database stores information differently, because its purpose is to capture data about objects and map the relationships between the objects. The visualizations of that data are called knowledge graphs, and you can see examples on the Knowledge Graphs page of the Data Language website. Google has a 3-minute video titled “Introducing the Knowledge Graph” that I highly recommend you watch.

Using graph database technology, a truly workable solution to the large-scale physical access privilege problem would be one that could:

  • Be implemented gradually on a risk-prioritized facility-by-facility basis
  • Utilize any or all of the existing access control manual processes and person decision points
  • Work with any brand of physical access control system currently in place or planned
  • Utilize a standards-based approach to obtaining privilege management data from the full spectrum of systems in use, potentially utilizing but not requiring an SDK or API interface
  • Keep pace with organizational changes in roles and responsibilities
  • Instantly adapt to changes in the types of access privilege data coming from interfaced systems
  • Keep all physical access control privileges up to date daily

Such a graph database solution for access privilege management does exist, and you can use it with any number of access control systems by an approach that is the exact opposite of the rip-and-replace massive upgrade scenario.

The solution can automatically gather the data from whatever systems have the data, whether those systems are managed by Security, HR, IT, Accounting, Training/Learning Management, and so on. It then uses AI-based analysis to determine who should have access to what, and then notifies the individuals with access management roles so that they can update privilege assignments accordingly.
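As an added illustration, not Gathid’s code or any product’s actual data model: a toy property graph that models the contractor, employer-insurance, protected-area and safety-training relationships described earlier, plus a daily-style check that walks the edges and reports which access privileges should be revoked and which requirements are nearing expiry. The node and relation names, the dates and the two-level “revoke/warn” outcome are all constructed assumptions.

```python
from datetime import date

class Graph:
    # Minimal property graph: node id -> attribute dict; edges are (src, relation, dst) triples.
    def __init__(self):
        self.nodes, self.edges = {}, []
    def link(self, src, rel, dst):
        self.edges.append((src, rel, dst))
    def out(self, src, rel):
        return [d for s, r, d in self.edges if s == src and r == rel]

def build_sample_graph():
    g = Graph()  # constructed sample data, not taken from any real system
    g.nodes["acme"] = dict(type="employer", insurance_expires=date(2024, 5, 31))  # already lapsed
    g.nodes["beta"] = dict(type="employer", insurance_expires=date(2024, 7, 10))  # ends within 30 days
    g.nodes["area:shop"] = dict(type="area", requires_training="forklift")
    g.nodes["area:lobby"] = dict(type="area", requires_training=None)
    g.nodes["alice"] = dict(type="contractor", training={"forklift": date(2024, 1, 15)})  # expired
    g.nodes["bob"] = dict(type="contractor", training={"forklift": date(2024, 12, 1)})
    for src, rel, dst in [("alice", "employed_by", "acme"), ("alice", "has_access", "area:shop"),
                          ("bob", "employed_by", "beta"), ("bob", "has_access", "area:shop"),
                          ("bob", "has_access", "area:lobby")]:
        g.link(src, rel, dst)
    return g

def status(expires, today, warn_days):
    """'revoke' if the requirement is missing or past its date, 'warn' if it ends within warn_days."""
    if expires is None or expires < today:
        return "revoke"
    return "warn" if (expires - today).days <= warn_days else None

def find_findings(g, today=date(2024, 6, 25), warn_days=30):  # default: the article's date
    """Walk contractor -> employer and contractor -> area edges; return (person, area, level, what)."""
    findings = []
    for pid, p in g.nodes.items():
        if p["type"] != "contractor":
            continue
        # Covered only while every employer on record is insured; no employer at all counts as lapsed.
        ins = min((g.nodes[e]["insurance_expires"] for e in g.out(pid, "employed_by")), default=None)
        for area in g.out(pid, "has_access"):
            checks = [("employer insurance", ins)]
            course = g.nodes[area]["requires_training"]
            if course:  # area-specific safety training requirement
                checks.append((f"{course} training", p["training"].get(course)))
            for label, expires in checks:
                if level := status(expires, today, warn_days):
                    findings.append((pid, area, level, label))
    return findings
```

Run against the sample with the article’s date as “today”, it flags alice’s shop access twice (lapsed employer insurance and expired forklift training) and warns that bob’s employer insurance ends within 30 days for both of his areas; these are the notifications a human admin would act on.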

Defining Micro-Automation

Micro-automation is the term I coined to refer to automating small but complex parts of manual workflows, like those involved in large-scale physical access management.

The human data gathering and “figure it out” steps currently required cannot keep pace with the needs of the large-scale access control systems now being managed. As a result, humans cope on a “best-efforts, best-guess” basis – as has been the case so far with large-scale physical access control management.

The graph database solution is also capable of updating the physical access control systems directly via the access control system’s available integration capabilities. However, that is not necessarily the best way to deploy the solution.

The simplest approach is to use the system to support the current access control system administrators by automating the humanly hard parts – the data gathering and data analysis actions – and simply providing the system admins with exact information about what access changes are needed. This gives the likely highly tasked personnel some relief, while at the same time tightening up physical access management.

The Graph Database Solution

The breakthrough graph database solution is the digital identity and access modeling software called Gathid, whose name came from “gathered identities,” spelled the way an Aussie says “gathered.”

The solution was designed to perform identity and access management (IAM) for IT and OT logical access control systems as well as physical access control systems.

Gathid can collect data from the multiple workforce data sources typically found in most organizations, as described above.

Micro Automation Keeps Humans in the Loop

Gathid can accept data in automated/scripted CSV file exports from legacy systems, including physical access control systems, as well as the built-in API connectors of more modern products. It is not dependent upon physical security system integration.

It automates privilege data collection and privilege analysis, and presents a viewable picture that is updated daily. It informs the individuals who manually perform access management tasks of privilege changes that need manual follow-up action, such as reminders to take required training or to provide evidence of renewed insurance coverage.

The patented Gathid Identity Graph establishes a baseline of reality through its daily modeling, which keeps system admins current with a daily analysis. Gathid keeps access management stakeholders in the loop by notifying them of access changes requiring approval, access policy violations, or privileges nearing expiration – such as for deadlines related to training or insurance requirements.

One-Way Data Flows Provide a Safe Automation Path

It is important to note that Gathid’s data flows are one-way: out from the various systems providing data and into Gathid. Gathid then performs the data analysis and notifies the access control system admins about the changes needed.

There are no system integration errors to worry about. Micro-automation keeps humans in the loop doing what they have always done, but now being supported by automated data collection and analysis. There is no situation where a facility must live with broken access control privileges until an access control systems integration gets fixed.

For full automation, the initial data flows into Gathid remain the same. The only potential change at any site is whether to use integration to achieve a new data flow out of Gathid and into the access control system. Whether to automate that data flow depends on whether doing so will free up enough staff time to make the change worthwhile. That can be evaluated on a site-by-site basis.

Empowering Humans with Instant Accurate Data

The people who currently define or approve access privilege assignments now perform the same roles, but in a fraction of the time previously required, and with the benefit of having ALL the access data instantly viewable in the Gathid Identity Graph – regardless of the number of credential holders and the complexity of the access privilege requirements.

Gathid can also visually answer questions about who has access to what protected assets and when privileges will expire, and it can identify separation-of-duty violations across any number of protected areas, assets and user population segments. There is no need for system admins to look up a bunch of data and “figure things out” to provide an answer, because Gathid provides it instantly.

The Role of Micro-Automation

Any aspect of physical security system management that is too large to manage with manual efforts, or too complex for an individual person to deal with, is a candidate for micro-automation, whether or not the automation is AI-based.

Future articles will continue to explore the automation landscape for physical security.

About the Author

Ray Bernard, PSP, CHS-III

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (www.go-rbcs.com), a firm that provides security consulting services for public and private facilities. He has been a frequent contributor to Security Business, SecurityInfoWatch and STE magazine for decades. He is the author of the Elsevier book Security Technology Convergence Insights, available on Amazon. Mr. Bernard is an active member of the ASIS member councils for Physical Security and IT Security, and is a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).

Follow him on LinkedIn: www.linkedin.com/in/raybernard

Follow him on Twitter: @RayBernardRBCS.