Convergence engineering of IT and traditional access control is no longer a “what if?” but more of an “almost done,” offering security practitioners a new array of innovations that are increasing the effectiveness of access control at their organizations. These revolutionary developments can add business value through cost savings and other returns for those who know how to move their companies’ security operations forward. Here’s a look at some of the progress being made in access control and its potential for the future.
Role-Based Access Control
Role-based access control is coming to the fore because of the increasingly convergent nature of physical and logical technology. The need for solutions that easily create and maintain role-based access control is driving large corporations like Microsoft to call for interoperability specifications while promising to craft future purchasing decisions around vendors who adhere to them. One group working toward such standards is the Physical Security Interoperability Alliance (PSIA), which includes representatives from both vendors and user companies. The alliance’s goal is to see the kind of plug-and-play interoperability common to other technologies, such as laptops, smartphones, televisions, and stereos, become common in physical and logical security systems.
Last September, at the ASIS International 59th Annual Seminar and Exhibits in Chicago, the PSIA announced that it had begun crafting a specification that incorporates Lightweight Directory Access Protocol (LDAP), a published and widely adopted directory standard, to help map out and unify logical and physical identities via role-based access control (RBAC). A final specification was submitted in May 2014 by a working group of PSIA members and other interested parties.
The conceptual model that the working group pondered is one in which the organizational hierarchy defines roles and policies; job responsibilities and policies determine a role’s access privileges; real-time policies impact privilege sets that are sent and revoked from the logical security domain to the physical security domain; and the logical and physical security domains provide each other with status information for enhanced overall security.
PSIA’s approach has already succeeded in the case of an area control specification for physical security that allows a variety of physical security technologies to interoperate. The specification has been adopted by several of the major access control manufacturers. For example, Kastle Systems recently displayed a Mercury Security access panel—common to access control systems—that had been built to the PSIA’s area control specification and that was controlled and configured by cloud software Kastle had developed. Manufacturers like Kastle already see the customer need for specification-based access control products and are expected to continue development of them once the final specification is widely adopted.
The amount of information that business systems now capture is perhaps inadequately described by the current term “big data.” Access control logs, as voluminous as they are, are an infinitesimal sliver of big data. At an organization such as Microsoft, for example, the security and access control systems log about 350 million transactions per year, generated across approximately 700 sites in more than 100 countries for about 20,000 connected doors and a total of 50,000 security devices. These numbers will grow significantly as Microsoft integrates its newly acquired business, Nokia’s Devices and Services. This enterprisewide collection of data can be used to gain greater business value. One example of this is using travel records to streamline the process of temporary access for employees at other company facilities.
At most organizations today, when a visiting employee arrives at a site, he or she presents credentials at a lobby reception post. The designated security person logs the employee’s arrival and creates a temporary access control card. There are other ways to handle this, of course, but they all involve administrative time and cost, and can inconvenience the out-of-town or out-of-country employees who are, after all, there to work. Microsoft has more than 200,000 employees and contingent staff, of which nearly half are contingent contractors. At any given time, more than 5,000 of these are on travel assignments to one of about 850 locations in more than 100 countries. The temporary access control procedures described above already incur huge expenses for a company of this size.
“At Microsoft, our area access administrators invest 20 percent of their time managing temporary access privileges for the thousands of Microsoft employees and contractors who travel among our facilities on any given day,” says Mike Faddis, director at Microsoft Global Security. “We envision the PSIA specification enabling us to automate privilege management and significantly minimize these administrative costs, which will have a notable impact on the bottom line and allow us to focus our security resources in other areas that assist the business.”
An automated RBAC-based access system populated with employee travel records could determine the appropriate level of access control for any company building that an employee will visit. Because the business’s existing travel approval process already determines the validity of access, there would be no need to create a temporary access control card when he or she arrives. The employee could present his or her credential at a reader, and the access control system, which would be populated with updated privileges by the automated system, would already know it is okay to let this employee into the facility for the duration of the trip. The result of this use of big data would be a significant reduction in costs and administrative time, an increase in employee convenience, and better security.
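The conceptual model described earlier (roles set by the organization, privileges set by policy, privilege sets pushed to and revoked from the physical domain) and the travel-record scenario above, worked through as an added example that is not part of the article and is not Microsoft or PSIA code. Role names, sites, badge ids, dates and the rule that travelling staff receive only lobby and office door groups at a destination site are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample policy (not Microsoft's): door groups each role may open at its
# home site, and the subset a traveller may also use at a destination site.
# Travelling staff never receive "plant" access under this assumed policy.
ROLE_PRIVILEGES = {"engineer": {"lobby", "office"}, "facilities": {"lobby", "office", "plant"}}
VISITOR_ALLOWED = {"lobby", "office"}

@dataclass(frozen=True)
class Employee:
    badge_id: str
    role: str
    home_site: str

@dataclass
class TravelRecord:
    badge_id: str
    destination: str
    start: datetime
    end: datetime
    approved: bool = True  # flipped to False when the business cancels the trip

def privileges_at(emp, site, when, travel_records):
    """Privilege set the logical domain pushes to the readers at `site` for `emp`."""
    base = set(ROLE_PRIVILEGES.get(emp.role, ()))
    if site == emp.home_site:
        return base  # home-site access comes from the role alone
    for rec in travel_records:
        if (rec.badge_id == emp.badge_id and rec.destination == site
                and rec.approved and rec.start <= when <= rec.end):
            return base & VISITOR_ALLOWED  # approved trip covers this site and time
    return set()  # no trip on file: the reader sees no privileges at all

def reader_decision(emp, site, door_group, when, travel_records):
    """The decision a door reader makes when `emp` presents a credential."""
    return door_group in privileges_at(emp, site, door_group and when, travel_records)

def demo():
    """Walk-through on constructed data; returns the three reader decisions."""
    alice = Employee("B-1001", "engineer", "redmond")
    trip = TravelRecord("B-1001", "dublin", datetime(2014, 5, 5), datetime(2014, 5, 9))
    during = datetime(2014, 5, 6, 9, 30)
    granted = reader_decision(alice, "dublin", "office", during, [trip])
    after_trip = reader_decision(alice, "dublin", "office", datetime(2014, 5, 12), [trip])
    trip.approved = False  # cancelled upstream: privilege disappears with no manual step
    revoked = reader_decision(alice, "dublin", "office", during, [trip])
    return granted, after_trip, revoked  # (True, False, False)
```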
In Microsoft’s case, security can also pull travel record data into a geospatial map that shows the location of every employee. In April 2013, on the day of the Boston Marathon bombing, the company used this to quickly identify how many employees were on travel in the Boston area and whether their destination locations were near the explosions. The company then sent an emergency mobile phone communication to those employees identified as being in the area, asking if they needed help.
Clouds. When most organizations think of security clouds, they assume that they are all run by third-party services and are prone to security issues like those detailed by the Cloud Security Alliance in its white paper The Notorious Nine: Top Threats of 2013, released last February, which included data breaches and loss, account hijacking, denial of service, insufficient due diligence, malicious insiders, and more. However, there are four different cloud types, including public, private, and community. The fourth type, a hybrid cloud, can be used to minimize risks while allowing the beneficial aspects of cloud computing technology to be reaped, including scalability and cost-effectiveness.
A hybrid cloud can include a private cloud component, which, as the name suggests, ensures that some resources and security assets remain private, rather than shared. In the case of access control data, this can be desirable, and in some cases legally mandated.
Managing other resources, such as a global communications infrastructure for reaching users, can be handled by a public cloud, representing another part of the hybrid system. In this way, mission-critical applications and data can be protected while data from outside sources can be pulled in as needed. For example, some company security operations centers are now using the U.S. Geological Survey’s earthquake data from its cloud system to be able to prepare a more immediate response at company facilities whose safety and access control may be damaged by seismic activity.
The world is moving into an era of interconnected devices. The new ways that we can interact with them and through them are already beginning to have an impact on access control. Take, for example, an application that has been developed by a Canadian company, Viscount Systems. The app takes advantage of a smartphone’s ability to act as a Quick Response (QR) code scanner. QR codes are a type of optically machine-readable matrix bar code that is attached to an item and that records information related to that item.
Imagine that you have a QR code attached to a door. You point your cell phone camera at it and the app looks at the QR code and sends the identity credentials contained in that smartphone to the access control server. If you are authorized based on your credentials, the door opens. This is an example of how security can leverage device ubiquity with a camera and application. Other options being explored are near field communications (NFC) and fingerprint readers to control access using
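The scan-and-send exchange just described, as an added example that is not part of the article and is not Viscount's product code. The article does not say how the phone's credential is protected on its way to the server, so this example assumes a per-phone key provisioned at enrolment and an HMAC over the door id, a timestamp and a nonce; the QR code on the door is readable by anyone, so it carries only the door id and no secret. Badge ids, door ids, keys and the 30-second freshness window are constructed.

```python
import hashlib, hmac, json, secrets, time

# Constructed sample data: a per-phone secret issued at enrolment, and the doors
# each badge may open. Nothing in the QR payload is secret; it only names the door.
DEVICE_KEYS = {"B-1001": b"constructed-enrolment-secret-for-B-1001"}
AUTHORIZED_DOORS = {"B-1001": {"BLD7-2F-EAST"}}
FRESHNESS_SECONDS = 30
_seen_nonces = set()  # server-side replay cache; a real one expires entries with the window

def phone_request(badge_id, qr_payload, now=None):
    """What the app sends after scanning a door's QR code such as 'door:BLD7-2F-EAST'.

    The door id from the QR payload is bound into the signed message with a timestamp
    and nonce, so the request cannot be reused at another door or replayed later.
    """
    door_id = qr_payload.partition(":")[2]
    body = {"badge": badge_id, "door": door_id,
            "ts": int(now if now is not None else time.time()),
            "nonce": secrets.token_hex(8)}
    msg = json.dumps(body, sort_keys=True).encode()
    mac = hmac.new(DEVICE_KEYS[badge_id], msg, hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}

def server_decision(request, now=None):
    """Returns (allowed, reason) for a request arriving at the access control server."""
    body = request["body"]
    now = now if now is not None else time.time()
    key = DEVICE_KEYS.get(body.get("badge"))
    if key is None:
        return False, "unknown credential"
    msg = json.dumps(body, sort_keys=True).encode()
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, request["mac"]):
        return False, "bad signature"  # body altered, e.g. door id swapped
    if abs(now - body["ts"]) > FRESHNESS_SECONDS:
        return False, "stale request"
    if body["nonce"] in _seen_nonces:
        return False, "replay"
    _seen_nonces.add(body["nonce"])
    if body["door"] not in AUTHORIZED_DOORS.get(body["badge"], ()):
        return False, "not authorized for this door"
    return True, "open"
```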
Another project that Viscount is working on would allow the same smartphone app to be used to scan a QR code that is attached to special glass walls that contain heat-blocking nanocrystals embedded in niobium oxide glass and fused with tin-doped indium oxide. When the phone sends the user credentials and QR code to the access control system, it triggers an electric charge that runs through the glass and causes it to darken into opacity. In this way, the access control system can trigger visual security—for example, for a room where proprietary or classified operations, technology, or information is being temporarily handled or displayed. A global security operations center building that was recently toured by coauthor Bates contained a meeting room with electrically sensitive glass on its wall. With a scan of the QR code by the smartphone, or a tap of the NFC tag by an authorized user, the wall immediately became transparent or darkened.
Proof of Concept
Microsoft is also involved in a proof-of-concept project with Viscount Systems that illustrates how RBAC-based access control, big data, cloud computing, and device ubiquity can all come together to security’s benefit. The exercise was part of Microsoft Global Security’s Good Samaritan Project, designed to create social networks to provide aid more quickly in the event of emergencies by using two technologies. The first of these was Microsoft’s Kinect motion-sensing device, which uses a natural user interface (NUI) that can recognize and track the movements of a human body in front of a camera. Kinect is well known as a component of electronic games, where NUI allows the users to make gestures to control play. The system is also used in gesture-based computing. The second technology was Viscount’s Freedom security platform, which integrated Kinect software with Windows phones through an Azure Cloud access control application.
The project was designed to address a situation where someone needs help quickly but is not able to call for it. The technological part of the system had Kinect devices mounted on the ceiling, much like CCTV cameras. Software written for the NUI allowed someone who needed help to make a gesture to signal the device. (Kinect also understands voice commands, so calling out would also trigger it.) The device would then replicate the functionality of the emergency callbox and notify the security operations center, which could then observe the situation via Kinect and CCTV and summon emergency responders to the scene.
Because in a situation such as a heart attack every second counts, a parallel path incorporated a role-based access control system. Included in the RBAC user profiles was information on who was nearby at any given time, and that could be extended to include any medical skills possessed by people verified to be in the building because they had badged in—for example, employees with CPR and first-aid certification. An emergency message was sent to the smartphones of these individuals, alerting them that someone needed immediate assistance and their location—a combination of access control and crowd-sourcing.
The proof of concept was entered into a competition titled “Be What’s Next” in the Microsoft Science Fair, a global competition with hundreds of entries, and it was one of the 16 winners. Although the Good Samaritan project has not yet been developed for market, it has spawned an interesting spin-off in use by Microsoft. In the company’s facilities around the world, operational load sharing is now in place using the
A visitor to a Microsoft facility in Redmond, Washington, for example, steps up to a screen and is prompted to speak or use gestures that trigger interaction with security staff who may be in the United Kingdom, India, or other countries around the world. The security staff can notify the person the visitor has come to see that the guest has arrived. For those already enrolled in the security ecosystem, credentials can be verified by simply presenting their smartphone to an NFC reader to gain access.
In 1970, Alvin Toffler famously wrote, “Future shock is the shattering stress and disorientation that we induce in individuals by subjecting them to too much change in too short a time.” It might be argued that in 2014, mankind is more likely to thrive on change than be crushed by it. That certainly appears to be the case in access control, where technology is spawning new ways to increase the effectiveness of
Shayne P. Bates, CPP, is director, security cloud strategy, at LMC Consulting Group, through which he works with several global clients, including Microsoft Global Security. He has served as chair of the ASIS International Commission on Information Security, and as chair of the ASIS Information Technology Security Council. He was formerly vice president of strategic partnerships for Brivo Systems, LLC, and principal, security consulting, at Koffel Associates. Ann Longmore-Etheridge is contributing editor at Security Management and editor of ASIS Dynamics.