Access Chaos: The Overlooked Security Concern Creating Dangerous Risks on Your Campus
To maintain a secure environment, many corporate, educational, and other campuses have deployed physical access control systems (PACS). These systems rely on accurate permissions to determine who can access specific areas of a campus based on pre-determined rights and roles. But what happens when the permissions, rights, and roles inside the system are not accurate or do not align with other business systems?
The wrong people often have valid credentials. Erroneous data present in an access control system results in potentially hundreds, if not thousands, of individuals with inappropriate access. Such inappropriate access puts a campus at risk for theft, insider threats, physical violence, cybercrime, and other damaging incidents. The very system designed to prevent risk is now creating it, blanketing a campus in a false sense of security with severe implications.
This scenario is referred to as access chaos and it affects nearly all PACS in use today.
Access Chaos Defined
Access chaos is the state within an organization and its access control system in which many of the identities, and the permissions assigned to those identities, are missing, incorrect, or out of date, thus creating chaos.
Access chaos is often referred to as a hidden issue because it is not always visible.
For example, incorrect permissions have a way of looking like all other permissions, just as changing employee roles are easily overlooked by system administrators. Because access chaos manifests in different forms, most organizations are unaware of its presence, or fail to openly acknowledge it. For organizations that are aware of their own access chaos, remediation may seem overwhelming. Bringing an access control system up to date manually requires time, labor, and financial resources that many organizations currently lack. And with access rights, badges, staff schedules, and disparate security layers constantly changing, maintaining accurate access can feel out of reach. This leads administrators and organizations to ignore the problem entirely, leaving gaping holes in what was originally a thoughtful physical security plan, and drastically increasing insider threat risks.
Often, access chaos is not noticed or addressed until a devastating event occurs impacting the organization. Depending on the type of incident, the deploying organization could be found liable for negligence. Imagine if a hospital failed to deprovision the ID card of an employee who was terminated for cause. The individual, who now had inappropriate access to the building, could potentially gather valuable patient information, commit U.S. Health Insurance Portability and Accountability Act (HIPAA) violations, spread infectious diseases, assault patients, or cause other damages. In all these instances, the hospital could be found financially and legally liable while simultaneously suffering from a loss of reputation and credibility.
Factors Contributing to Access Chaos
While access chaos can seem—and is—scary, it is also very natural in the lifecycle of most PACS. Access chaos does not have a single source but is rather caused by a variety of factors that compound over time.
For example, traditional access control systems require manual inputs to grant, revoke, or change access permissions and roles. When system administrators are left to make such changes, there is a large opportunity for human error. One overlooked email could result in multiple instances of inappropriate access with access chaos worsening as this practice repeats.
This issue is further compounded because access control systems traditionally operate in a silo, often separated from people systems such as Human Resources and Active Directory. They might also be separated from large Identity and Access Management (IAM) systems controlling access rights across IT and cybersecurity resources.
When isolated from other business systems, system administrators may struggle to manually keep up with the sheer number of incoming access requests. For campuses that rely on a number of HR and credentialing systems to keep various departments updated, the security team cannot afford to be left out of the loop.
Frequent personnel changes are another common source of access chaos on a campus as these environments traditionally employ a large staff. This equates to frequent employee turnover, regular onboarding, and credentialing procedures, as well as internal promotions and transfers (commonly known as leavers, movers, and joiners). Hospital and university campuses are also frequently visited by guests and contractors alike, requiring specialized processes for temporary identities. These movers, leavers, and joiners require frequent changes to their access permissions, which may result in a backlog of manual requests for administrators.
Such factors have only worsened due to recent trends. The ongoing pandemic and subsequent “Great Resignation” resulted in a more complicated workforce with hybrid and at-home working more popular than ever. There are also a record number of individuals losing or leaving their jobs, creating frequent requests for manual access changes and stretching thin the labor resources able to carry out such requests. Lastly, the introduction of biometric and mobile credentials, as well as concepts like Just in Time (JIT) credentialing, has only complicated the management of access identities within a system. Given these rapid changes, campuses of all sizes are struggling to address their own access chaos.
Solving Access Chaos on Campus
As much as campuses are struggling to curb access chaos, there are organizations working equally hard to create solutions. Campuses can now address and prevent this problem with the help of the right technology to map, measure, and monitor it.
Advanced analytics software easily connects a PACS to otherwise disparate systems, including Human Resources, Active Directory, Learning Management System, and more. Access to the information provided by these systems creates a virtual “mind map” of an identity’s access rights and permissions. In a single view, system administrators can see and receive automatic updates regarding the individual’s employment, credentialing, and campus status. If any change in status is detected, access permissions can be flagged automatically, limiting manual processes and ensuring access rights are always set correctly.
The same analytic software can also be used to conduct daily policy checks. In this way, security teams can measure risk by automating the identification of access compliance across a campus. Daily notifications alert personnel to outdated physical access data, unused badges, timetabling conflicts, potential compliance infractions, and other access chaos contributors. These tools also ensure the right level of access for temporary identities such as campus visitors and contractors is frequently maintained.
Lastly, conducting automated user access reviews is a proven—and often mandatory—way to proactively monitor access. Frequent user access reviews track and review identity permissions to ensure internal and regulatory compliance as mandated by HIPAA or U.S. Federal Information Security Modernization Act requirements. Previously, these checks were conducted using paper and pen or spreadsheets on a yearly basis. Now, user access reviews can be conducted automatically within seconds using advanced software innovations.
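The reconciliation and daily policy checks described above, sketched as an added example (not code from the article or from any vendor product): it joins a constructed HR export against a constructed PACS badge export and flags leavers, movers, expired temporary identities, orphaned badges, and unused badges. All field names, the `ALLOWED` department-to-area policy, and the 90-day unused threshold are assumptions made for illustration.

```python
from datetime import date

# Constructed sample data standing in for an HR export and a PACS badge export.
HR = {
    "e100": {"status": "active", "dept": "nursing"},
    "e101": {"status": "terminated", "dept": "pharmacy"},
    "e102": {"status": "active", "dept": "facilities"},  # moved from pharmacy
    "c200": {"status": "active", "dept": "contractor", "end": date(2024, 5, 1)},
}
BADGES = [
    {"badge": "B1", "person": "e100", "active": True, "areas": {"wards"}, "last_used": date(2024, 6, 9)},
    {"badge": "B2", "person": "e101", "active": True, "areas": {"pharmacy"}, "last_used": date(2024, 6, 8)},
    {"badge": "B3", "person": "e102", "active": True, "areas": {"plant", "pharmacy"}, "last_used": date(2024, 6, 9)},
    {"badge": "B4", "person": "c200", "active": True, "areas": {"plant"}, "last_used": date(2024, 4, 30)},
    {"badge": "B5", "person": "e999", "active": True, "areas": {"wards"}, "last_used": date(2024, 1, 2)},
    {"badge": "B6", "person": "e101", "active": False, "areas": {"pharmacy"}, "last_used": date(2023, 1, 1)},
]
# Hypothetical policy: the areas each department is allowed to hold.
ALLOWED = {"nursing": {"wards"}, "pharmacy": {"pharmacy"},
           "facilities": {"plant"}, "contractor": {"plant"}}

def daily_policy_check(hr, badges, today, unused_days=90):
    """Return sorted (badge, finding) pairs for active badges that violate policy."""
    findings = []
    for b in badges:
        if not b["active"]:
            continue  # already deprovisioned, nothing to flag
        person = hr.get(b["person"])
        if person is None:  # badge holder unknown to HR
            findings.append((b["badge"], "ORPHAN_NO_HR_RECORD"))
            continue
        if person["status"] != "active":  # leaver whose badge still works
            findings.append((b["badge"], "LEAVER_STILL_ACTIVE"))
            continue
        if "end" in person and person["end"] < today:  # contractor/visitor past end date
            findings.append((b["badge"], "TEMP_IDENTITY_EXPIRED"))
        extra = b["areas"] - ALLOWED.get(person["dept"], set())
        if extra:  # mover kept areas from a previous role
            findings.append((b["badge"], "MOVER_EXCESS_ACCESS:" + ",".join(sorted(extra))))
        if (today - b["last_used"]).days > unused_days:
            findings.append((b["badge"], "UNUSED_BADGE"))
    return sorted(findings)

if __name__ == "__main__":
    for badge, finding in daily_policy_check(HR, BADGES, date(2024, 6, 10)):
        print(badge, finding)
```

Run daily against fresh exports, the findings list doubles as the evidence set for a user access review: each entry names the badge and the rule it broke.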
Campuses of all sizes and types are, and always will be, at risk of physical security infiltrations. While physical access control systems help manage this risk, insider threats and bad actors are still there wishing to cause harm. If an access system contains even one drop of access chaos, threat actors could strike. To avoid liability and protect their assets, campus security teams and administrators must acknowledge their system’s own inherent access chaos. Only then can the proper steps be taken to create a more secure, safer, and compliant campus for all who enter.
Brian C. McIlravey is an experienced and established senior business leader with C-level experience and more than 30 years in public and private sector security with extensive experience in security and the technology that drives it. McIlravey is a frequent industry speaker and recognized SME in physical security software.