SJA Exclusive: Is your physical access control system having an identity crisis?


Bart Vansevenant, Chief Product Officer of RightCrowd explains why advanced physical identity and access management solutions are redefining access control.

Physical access control systems (PACS) have long been the standard for securing buildings and restricting access to high-security interior locations. However, in a world where physical identity and access management (PIAM) is the new security imperative, most PACS in use today suffer from an identity crisis: missing, incorrect or out-of-date cardholder information that poses a real threat to an organization's cyber-physical security.

A case of mistaken identity

The PACS identity crisis stems from the preconceived and often false notion that the system is doing what it is supposed to do 100% of the time: ensuring that only the right people have physical access to those areas they are authorized to enter. In reality, most PACS authorization data is not kept up to date, and access permissions remain intact for ex-employees, contracted or transient workers and past visitors. The result is a state of access chaos that is difficult, if not impossible, to resolve manually. The PACS initiatives that were implemented to reduce risk have themselves become a source of risk.

Incorrect access control data can be caused by a variety of factors compounded over time. This includes the use of manual tasks to manage access permission changes, recent workforce trends such as hybrid working that necessitate complex access rights and the sheer number of personnel changes and rash of recent layoffs that many enterprise operations are experiencing. The fact is legacy access control systems deployed at large organizations simply lack the capability to keep up with so many changes.

PIAM takes the lead

With the ability to centralize and manage access through a single platform, PIAM solutions offer a more comprehensive approach to security and risk mitigation. While PACS still play an indispensable role in securing facilities, they need the software muscle of a modern PIAM solution to manage large numbers of identities and access permissions. A PIAM solution keeps an organization's PACS synchronized with its other business systems, so that identity data and the processes that act on it stay accurate, secure and stable, which in turn improves overall security and workforce management.

Advanced PIAM solutions work by putting an intelligent automation and policy layer on top of existing PACS. The platform connects data from disparate business systems, beginning with the PACS itself and extending to human resources (HR), Active Directory (AD) and learning management system (LMS) solutions.

The software then wraps all relevant contextual data around each identity. In doing so, many of the applicable access controls become automated based on security policies, safety rules and compliance regulations, while accurate cardholder information is maintained at all times.

Advantages of automation

The identity crisis suffered by PACS is exactly why PIAM automation is needed. When the identity data stored in a PACS database does not match the information held in the organization's other critical systems, problems follow. The most glaring is an insider threat: cardholders whose credentials still work at doors they are no longer authorized to pass.

Such potential insider threats are hard to spot because, in the PACS, they look like every other identity with valid access permissions. The larger the organization grows, the more likely it is that these stale entitlements go unnoticed, and the harder it becomes to maintain physical access control policies.

Automated PIAM solutions substantially reduce the risk of this kind of insider threat by enabling attribute-based access control (ABAC). With ABAC, instead of statically defining someone's access or setting it based on a person's role, an individual's access is granted and revoked dynamically based on attributes. ABAC is a more robust alternative to traditional access control lists, in which access rights are granted directly to a user and then persist until someone removes them. For example, a traditional PACS may statically define that John has access to the data center.

If John were to move to a different role or leave the organization, any change in access would depend on someone manually revoking John's access to the data center. With ABAC, access permissions are determined by applying policies that define what access an individual should have in order to perform their specific job. In this example, you could have a policy that says 'access to the data center' is granted to persons who are part of the IT department, have an active employment status, are located in the HQ facilities and have successfully passed the ISO 27001 training.

If John were to move into a different role, the PIAM system would automatically pick that up from the integrated HR system and the above policy would automatically remove John's access to the data center. In this way, insider threats (identities with expired access, insufficient training, etc.) are stopped before any harm to the organization, its data or its people is done.
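The reconciliation the article describes, written out as an added example (this is illustrative code, not RightCrowd's product or any real PIAM API): the data-center rule above is expressed as a predicate over HR attributes, the doors each identity should hold are computed from that policy rather than stored, and the result is diffed against a constructed PACS export to produce the grants and revocations a mover, a leaver, a stale visitor record and a new joiner would require. All identities, door names and attribute values are made up for the example.

```python
"""ABAC reconciliation of a PACS entitlement export against HR attributes.

Added example, not code from the article or from any PIAM vendor. Identities,
door names and the policy predicates are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class Identity:
    id: str
    department: str
    employment_status: str          # "active" | "terminated" | "leave"
    location: str
    trainings_passed: set = field(default_factory=set)


# Policy: door name -> predicate over the identity's attributes.
Policy = dict[str, Callable[[Identity], bool]]


def data_center_rule(p: Identity) -> bool:
    # Mirrors the article's rule: IT department, active, at HQ, ISO 27001 passed.
    return (p.department == "IT"
            and p.employment_status == "active"
            and p.location == "HQ"
            and "ISO27001" in p.trainings_passed)


POLICY: Policy = {
    "data_center": data_center_rule,
    # Any active HQ-based person may use the HQ lobby (constructed second rule).
    "hq_lobby": lambda p: p.employment_status == "active" and p.location == "HQ",
}


def entitled_doors(p: Identity, policy: Policy) -> set[str]:
    """Doors this identity should hold right now, derived from attributes only."""
    return {door for door, rule in policy.items() if rule(p)}


def reconcile(hr: dict[str, Identity], pacs: dict[str, set[str]], policy: Policy):
    """Diff what the PACS currently grants against what policy says it should.

    Returns (grants, revokes) as sets of (identity_id, door) pairs. A cardholder
    the HR system does not know (leaver, stale visitor record) is entitled to
    nothing, so every door they hold is revoked: the policy fails closed.
    """
    grants: set[tuple[str, str]] = set()
    revokes: set[tuple[str, str]] = set()
    for cardholder, current in pacs.items():
        wanted = entitled_doors(hr[cardholder], policy) if cardholder in hr else set()
        grants |= {(cardholder, d) for d in wanted - current}
        revokes |= {(cardholder, d) for d in current - wanted}
    # Joiners: known to HR, not yet present in the PACS at all.
    for pid, person in hr.items():
        if pid not in pacs:
            grants |= {(pid, d) for d in entitled_doors(person, policy)}
    return grants, revokes


# Constructed HR snapshots: before and after John moves from IT to Marketing.
HR_BEFORE = {
    "john": Identity("john", "IT", "active", "HQ", {"ISO27001"}),
    "alice": Identity("alice", "IT", "active", "HQ", {"ISO27001"}),  # joiner, no badge yet
    "bob": Identity("bob", "IT", "active", "HQ", set()),              # training not passed
}
HR_AFTER = {**HR_BEFORE,
            "john": Identity("john", "Marketing", "active", "HQ", {"ISO27001"})}

# Constructed PACS export: cardholder -> doors currently granted. "v-0042" is a
# past visitor who no longer exists in HR, the kind of stale record the text describes.
PACS = {
    "john": {"data_center", "hq_lobby"},
    "bob": {"data_center", "hq_lobby"},   # granted by hand despite the missing training
    "v-0042": {"hq_lobby"},
}


def run_example(hr=HR_AFTER, pacs=PACS, policy=POLICY):
    """Reconcile the constructed PACS export against an HR snapshot."""
    return reconcile(hr, pacs, policy)


if __name__ == "__main__":
    grants, revokes = run_example()
    for who, door in sorted(grants):
        print(f"GRANT  {who:8} -> {door}")
    for who, door in sorted(revokes):
        print(f"REVOKE {who:8} -> {door}")
```

Run against the post-move snapshot, the diff revokes John's data-center access (department changed), Bob's (training never passed, so the manual grant was always out of policy) and the visitor's lobby access (unknown to HR), and grants Alice both doors. Treating the output as a reviewable dry run before pushing changes to the PACS is the safer deployment pattern; the point is that the PACS remains the enforcement point while entitlement is recomputed from attributes rather than edited by hand.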

In addition to ABAC, leading PIAM solutions automate many of the error-prone, manual processes associated with legacy PACS. As a workforce changes, new employees are on-boarded, others change roles or move to other locations and at some point staff leave the organization. PIAM solutions are designed to automatically handle these joiners, movers and leavers by streamlining the process of requesting and replacing access badges (or other credential types), while allowing for self-request access and related approval workflows.

This advanced level of automation also applies to visitor management and contractor on-boarding processes, including enforcing requirements related to NDAs, external watchlists, safety compliance and more. In other words, a PIAM solution eliminates manual, error-prone processes while greatly enhancing security and safety controls.

Re-defining PACS

New, more advanced PIAM solutions are redefining how PACS provide access control. Whereas PACS used to be the do-it-all systems for managing and controlling physical access, PIAM delivers a more holistic and intelligent solution at the enterprise level. As a result, PACS can get back to doing what they do best, physically opening doors, while the logical layer of deciding who should be able to open them is delegated to PIAM.
