Access Control’s Future Is Now

Security by Industry
Access Control’s Future Is Now

Convergence engineering of IT and traditional access control is no longer a “what if?” but more of an “almost done,” offering security practitioners a new array of innovations that are increasing the effectiveness of access control at their organizations. These revolutionary developments can add business value through cost savings and other returns for those who know how to move their companies’ security operations forward. Here’s a look at some of the progress being made in access control and its potential for the future.

Role-Based Access Control

Role-based access control is coming to the fore because of the increasingly convergent nature of physical and logical technology. The need for solutions that easily create and maintain role-based access control is driving large corporations like Microsoft to call for interoperability specifications while promising to craft future purchasing decisions around vendors who adhere to them. One group working toward such standards is the Physical Security Interoperability Alliance (PSIA), which includes representatives from both vendors and user companies. The alliance’s goal is to see the kind of plug-and-play interoperability common to other technologies, such as laptops, smartphones, televisions, and stereos, become common in physical and logical security systems.

Last September, at the ASIS International 59th Annual Seminar and Exhibits in Chicago, the PSIA announced that it had begun crafting a specification that incorporates Lightweight Directory Access Protocol (LDAP), a published and widely-adopted directory standard, to help map out and unify logical and physical identities via role-based access control (RBAC). A final specification was submitted in May 2014 by a working group of PSIA members and other interested parties.

The conceptual model that the working group pondered is one in which the organizational hierarchy defines roles and policies; job responsibilities and policies determine a role’s access privileges; real-time policies impact privilege sets that are sent and revoked from the logical security domain to the physical security domain; and the logical and physical security domains provide each other with status information for enhanced overall security. 

PSIA’s approach has already succeeded in the case of an area control specification for physical security that allows a variety of physical security technologies to interoperate. The specification has been adopted by several of the major access control manufacturers. For example, Kastle Systems recently displayed a Mercury Security access panel—common to access control systems—that had been built to the PSIA’s area control specification and that was controlled and configured by cloud software Kastle had developed. Manufacturers like Kastle already see the customer need for specification-based access control products and are expected to continue development of them once the final specification is widely adopted.

Big Data

The amount of information that business systems now capture is perhaps inadequately described by the current term “big data.” Access control logs, as voluminous as they are, are an infinitesimal sliver of big data. At an organization such as Microsoft, for example, the security and access control systems log about 350 million transactions per year, generated across approximately 700 sites in more than 100 countries for about 20,000 connected doors and a total of 50,000 security devices. These numbers will grow significantly as Microsoft integrates its newly acquired business, Nokia’s Devices and Services. This enterprisewide collection of data can be used to gain greater business value. One example of this is using travel records to streamline the process of temporary access for employees at other company facilities.

At most organizations today, when a visiting employee arrives at a site, he or she presents credentials at a lobby reception post. The designated security person logs the employee’s arrival and creates a temporary access control card. There are other ways to handle this, of course, but they all involve administrative time and cost, and can inconvenience the out-of-town or out-of-country employees who are, after all, there to work. Microsoft has more than 200,000 employees and contingent staff, of which nearly half are contingent contractors. At any given time, more than 5,000 of these are on travel assignments to one of about 850 locations in more than 100 countries. The temporary access control procedures described above already incur huge expenses for a company of this size.

“At Microsoft, our area access administrators invest 20 percent of their time managing temporary access privileges for the thousands of Microsoft employees and contractors who travel among our facilities on any given day,” says Mike Faddis, director at Microsoft Global Security. “We envision the PSIA specification enabling us to automate privilege management and significantly minimize these administrative costs, which will have a notable impact on the bottom line and allow us to focus our security resources in other areas that assist the business.”

An automated RBAC-based access system populated with employee travel records could determine the appropriate level of access control for any company building that an employee will visit. Because the approval process for travel already in place by the business determines the validity of access, when he or she arrives, there would be no need to create a temporary access control card. The employee could present his or her credential at a reader, and the access control system, which would be populated with updated privileges by the automated system, would already know it is okay to let this employee come into the facility during the trip. The result of this use of big data would be a significant reduction in costs and administrative time, an increase to employee convenience, and better security.

In Microsoft’s case, security can also pull travel record data into a geospatial map that shows the location of every employee. In April 2013, on the day of the Boston Marathon bombing, the company used this to quickly identify how many employees were on travel in the Boston area and whether their destination locations were near the explosions. The company then sent an emergency mobile phone communication to those employees identified as being in the area, asking if they needed help.

Clouds. When most organizations think of security clouds, they assume that they are all run by third-party services and are prone to security issues like those detailed by the Cloud Security Alliance in its The Notorious Nine: Top Threats of 2013 white paper released last February, which included data breaches and loss, account hijacking, denial of service, insufficient due diligence, malicious insiders, and more. However, there are four different cloud types, including public, private, and community. The fourth type, a hybrid cloud, can be used to minimize risks while allowing the beneficial aspects of cloud computing technology to be reaped, including scalability and cost-effectiveness.

A hybrid cloud can include a private cloud component, which, as the name suggests, ensures that some resources and security assets remain private, rather than shared. In the case of access control data, this can be desirable, and in some cases legally mandated.

Managing other resources, such as a global communications infrastructure for reaching users, can be handled by a public cloud, representing another part of the hybrid system. In this way, mission-critical applications and data can be protected while data from outside sources can be pulled in as needed. For example, some company security operations centers are now using the U.S. Geological Survey’s earthquake data from its cloud system to be able to prepare a more immediate response at company facilities whose safety and access control may be damaged by seismic activity.

Device Ubiquity

The world is moving into an era of interconnected devices. The new ways that we can interact with them and through them are already beginning to have an impact on access control. Take, for example, an application that has been developed by a Canadian company, Viscount Systems. The app takes advantage of a smartphone’s ability to act as a Quick Response (QR) code scanner. QR codes are a type of optically machine-readable matrix bar code that is attached to an item and that records information related to that item.

Imagine that you have a QR code attached to a door. You point your cell phone camera at it and the app looks at the QR code and sends the identity credentials contained in that smartphone to the access control server. If you are authorized based on your credentials, the door opens. This is an example of how security can leverage device ubiquity with a camera and application. Other options being explored are near field communications (NFC) and fingerprint readers to control access using smartphones.             

Another project that Viscount is working on would allow the same smartphone app to be used to scan a QR code that is attached to special glass walls made of a type of glass that contains heat-blocking nanocrystals embedded in niobium oxide glass and fused with tin-doped indium oxide. When the phone sends the user credentials and QR code to the access control system, it triggers an electric charge that runs through the glass and causes it to darken into opacity. In this way, the access control system can trigger visual security—for example, a room where proprietary or classified operations, technology, or information is being temporarily handled or displayed. A global security operations center building that was recently toured by coauthor Bates contained a meeting room with electric sensitive glass on its wall. With a scan by the smartphone of the QR code, or tap of the NFC tag by an authorized user, the wall immediately became transparent or darkened.

Proof of Concept

Microsoft is also involved in a proof-of-concept project with Viscount Systems that illustrates how RBAC-based access control, big data, cloud computing, and device ubiquity can all come together to security’s benefit. The exercise was part of Microsoft Global Security’s Good Samaritan Project, designed to create social networks to provide aid more quickly in the event of emergencies by using two technologies. One of the projects submitted as part of the exercise was Microsoft’s Kinect motion-sensing device, which uses a natural user interface (NUI) that can recognize and track the movements of a human body in front of a camera. Kinect is well known as a component of electronic games, where NUI allows the users to make gestures to control play. The system is also used in gesture-based computing. The second technology was Viscount’s Freedom security platform, which integrated Kinect software with Windows phones through an Azure Cloud access control application.

The project was designed to address a situation where someone needs help quickly but is not able to call for it. The technological part of the system had Kinect devices placed on the ceiling similarly to CCTV cameras. Software written for the NUI allowed someone who needed help to make a gesture to signal the device. (Kinect also understands voice commands, so calling out would also trigger it.) The device would then replicate the functionality of the emergency callbox and notify the security operations center, which could then observe the situation via Kinect and CCTV and summon emergency responders to the scene.

Because in a situation such as a heart attack every second counts, a parallel path incorporated a role-based access control system. Included in the RBAC user profiles was information on who was nearby at any given time, and that could be extended to include any medical skills possessed by people verified to be in the building because they had badged in—for example, employees with CPR and first-aid certification. An emergency message was sent to the smartphones of these individuals, alerting them that someone needed immediate assistance and their location—a combination of access control and crowd-sourcing.

The proof of concept was entered into a competition titled “Be What’s Next” in the Microsoft Science Fair, a global competition with hundreds of entries, and it was one of the 16 winners. Although the Good Samaritan project has not yet been developed for market, it has spawned an interesting spin-off in use by Microsoft. In the company’s facilities around the world, operational load sharing is now in place using the same technology.

A visitor to a Microsoft facility in Redmond, Washington, for example, steps up to a screen and is prompted to speak or use gestures that trigger interaction with security staff who may be in the United Kingdom, India, or other countries around the world. The security staff can notify the person the visitor has come to see that the guest has arrived. For those already enrolled in the security ecosystem, credentials can be verified by simply presenting their smartphone to an NFC reader to gain access.

In 1970, Alvin Toffler famously wrote, “Future shock is the shattering stress and disorientation that we induce in individuals by subjecting them to too much change in too short a time.” It might be argued that in 2014, mankind is more likely to thrive on change than be crushed by it. That certainly appears to be the case in access control, where technology is spawning new ways to increase the effectiveness of security’s mission.

Shayne P. Bates, CPP, is director, security cloud strategy, at LMC Consulting Group, through which he works with several global clients, including Microsoft Global Security. He has served as chair of the ASIS International Commission on Information Security, and as chair of the ASIS Information Technology Security Council. He was formerly vice president of strategic partnerships for Brivo Systems, LLC, and principal, security consulting, at Koffel Associates. Ann Longmore-Etheridge is contributing editor at Security Management and editor of ASIS Dynamics.