Is your organization suffering from Access Chaos?
Ask yourself these three questions:
- When was the last time you checked to see if there was any outdated or inaccurate information stored within your access control system?
- Would you recognize invalid permissions if you saw them?
- Can you guarantee right now that your access control database is 100% accurate?
If you are unable to answer these questions with confidence, your access control system that was initially designed to reduce risk is now potentially creating risk.
In an ideal world, a physical access control system would accurately account for continually changing access roles, ensuring that those identities with appropriate authority are granted access and those without are not. However, in reality, many access control systems lack the capability to keep up with rapidly changing staff and contractor populations, related access rights, badging and other changes in authority, roles and responsibilities. This creates significant vulnerabilities within an organization: let’s call it Access Chaos — a threat that is often invisible to security management.
Access Chaos describes the state of an access control system where there is a significant amount of missing, outdated and/or incorrect information, including many of the roles and permissions assigned to identities.
The inappropriate access that results creates chaos within the system and puts the organization at risk of theft, physical violence and the other harmful incidents the access control system was intended to prevent.
Independent research shows that more than 90% of companies with access control systems experience Access Chaos and are either unaware or unsure how to address it. They could start from scratch and reset the entire system, but that could take years, requiring scarce labor and capital to execute.
If this situation sounds familiar to you, then you are likely experiencing Access Chaos.
What Causes Access Chaos?
Because most physical access control systems operate in isolation, every access change requires manual input. This laborious process quickly leads to outdated information, access rights accumulation, and the wrong people having access. If even 1% of access rights are incorrect, this means dozens, hundreds or even more individuals could have inappropriate access to your facilities, including high-risk areas containing secure systems and high-value assets. This constitutes an insider threat.
Access Chaos occurs and compounds over time as personnel changes happen. For example, a warehouse employee might be promoted and moved to an office location without revoking their permission to enter the warehouse they were previously stationed at. Or an employee might be transferred or relocated without their badge having been de-provisioned from the old office campus, leaving a valid badge that could be lost or misused. Access permissions and statuses frequently change, but administrative oversights, the sheer volume of requests, and a disconnect between internal systems will inevitably cause a backlog of inaccurate access information.
The evolving business environment, accelerated in recent years by the pandemic, has created a new set of vulnerabilities. In a hybrid work model, some employees come into the office regularly on a set schedule or as they please, but not every day. Security administrators charged with managing access for hybrid employees struggle to keep up with these shifting schedules and frequent access change requests. The pandemic and subsequent “Great Resignation” have caused many employees to lose or leave their jobs. With these rapid changes, companies of all sizes are struggling to identify and manage inappropriate or outdated access, resulting in Access Chaos.
The Effects of Access Chaos
Access Chaos manifests itself in many forms, each creating its own challenge for physical security teams. In most cases, it is impossible to tell whether your current access permissions are correct, because schedules, roles and employment statuses keep changing. Perhaps there are more people in the access control database than there are employees and active contractors. In that case, security personnel cannot easily identify who should and should not have access based on current roles. If this same database is used for employee mustering during an emergency, the identification of employees or visitors still at risk will be inaccurate, leading to potential harm or loss of life.
Access Chaos also poses a threat when it comes to ensuring regulatory compliance. Whether it be occupancy limits, social distancing requirements or other industry-based regulations, an organization’s inability to accurately control access to high-value or hazardous assets could have costly implications. For example, a pharmaceutical business could be fined if an employee whose certifications had lapsed was still working in a laboratory. Another organization could be subject to legal and financial liability for an incident in which a threat actor was unintentionally granted access because a terminated employee’s badge was still valid. In scenarios such as these, the symptoms of Access Chaos stay hidden until it is too late and an undesirable event has occurred.
Access Chaos Relief
While it can be devastating to recognize that an organization is suffering from Access Chaos, there is technology that can solve the problem by automating the identification of access compliance and security risks. Using data from access control systems, human resources (HR), Active Directory (AD), learning management system (LMS) and enterprise resource planning (ERP) solutions, analytical software can discover and alert users to risks such as out-of-date physical access data, unused badges, changing work schedules and potential compliance infractions. This kind of access visibility would otherwise be virtually impossible for security teams to achieve manually.
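The reconciliation the paragraph above describes, reduced to its core, is a join between the access control database and the HR roster, followed by a handful of policy checks. The script below is an added example, not code from the article or from any vendor product: the record layouts, the role-to-zone policy, the 90-day unused-badge threshold and all sample records are constructed assumptions. It flags the specific symptoms the article names: a promoted employee whose old warehouse permission was never revoked, a terminated employee whose badge is still enabled, a lab worker with a lapsed certification, a badge whose holder is not in HR at all, and badges that have not been used in a long time.

```python
"""Reconcile physical access control (PACS) records against HR data.

Added example, not the article's or any product's code. Record layouts,
the ROLE_ZONES policy and the sample data are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Constructed policy (assumption): zones each job role may enter.
ROLE_ZONES = {
    "warehouse_picker": {"warehouse"},
    "office_manager": {"office"},
    "lab_tech": {"office", "lab"},
}


@dataclass
class HrRecord:
    person_id: str
    role: str
    status: str                                  # "active" or "terminated"
    certs_valid_until: Optional[date] = None     # lab certification expiry, if any


@dataclass
class Badge:
    badge_id: str
    person_id: str
    enabled: bool
    zones: Set[str]
    last_used: Optional[date]


def reconcile(badges: List[Badge], hr_records: List[HrRecord], today: date,
              unused_after_days: int = 90) -> List[Tuple[str, str]]:
    """Return (badge_id, finding) pairs describing Access Chaos symptoms."""
    hr = {r.person_id: r for r in hr_records}
    findings: List[Tuple[str, str]] = []
    for b in badges:
        if not b.enabled:
            continue  # a disabled badge opens no doors; nothing to flag
        rec = hr.get(b.person_id)
        if rec is None:
            findings.append((b.badge_id, "holder not in HR roster"))
            continue
        if rec.status == "terminated":
            findings.append((b.badge_id, "holder terminated but badge still enabled"))
            continue
        # Permissions that exceed what the holder's current role allows.
        allowed = ROLE_ZONES.get(rec.role, set())
        for zone in sorted(b.zones - allowed):
            findings.append((b.badge_id, f"zone '{zone}' not permitted for role '{rec.role}'"))
        # Compliance check: lab access requires a current certification.
        if "lab" in b.zones and rec.certs_valid_until and rec.certs_valid_until < today:
            findings.append((b.badge_id, "lab access with lapsed certification"))
        # Dormant badges are candidates for disabling.
        if b.last_used is None or today - b.last_used > timedelta(days=unused_after_days):
            findings.append((b.badge_id, f"badge unused for more than {unused_after_days} days"))
    return findings


# Constructed sample data (assumption) mirroring the article's scenarios.
TODAY = date(2024, 3, 1)
HR = [
    HrRecord("p1", "office_manager", "active"),                       # promoted out of the warehouse
    HrRecord("p2", "lab_tech", "active", certs_valid_until=date(2023, 12, 31)),
    HrRecord("p3", "warehouse_picker", "terminated"),
]
BADGES = [
    Badge("B100", "p1", True, {"office", "warehouse"}, date(2024, 2, 28)),  # warehouse never revoked
    Badge("B101", "p2", True, {"office", "lab"}, date(2024, 2, 27)),        # certification lapsed
    Badge("B102", "p3", True, {"warehouse"}, date(2023, 10, 1)),            # terminated, still valid
    Badge("B103", "p9", True, {"office"}, None),                            # no HR record at all
    Badge("B104", "p1", False, {"warehouse"}, date(2022, 1, 1)),            # already disabled
]


def sample_findings() -> List[Tuple[str, str]]:
    return reconcile(BADGES, HR, TODAY)


if __name__ == "__main__":
    for badge_id, finding in sample_findings():
        print(f"{badge_id}: {finding}")
```

Each finding is a review item for the access administrator rather than an automatic revocation; the value of the join is that it surfaces the drift the article calls invisible, and it has to be rerun on a schedule because the roster changes daily.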
The symptoms of Access Chaos can be further reduced with the inclusion of access control wearables. These can make access permissions visible to all, providing continuous, multi-factor authentication throughout a facility. Advanced wearables even make it possible to leverage existing building access cards to create business rules such as zone access control, contact tracing, visitor group tethering and fast mustering.
Amazingly, more than 90% of current access control systems contain out-of-date data. Your database may be right today — but will it be right tomorrow? While it can seem like an overwhelming problem, it is possible to address Access Chaos with software that quickly and automatically identifies invalid permissions and inappropriate access. Recognizing that your organization is suffering from or at risk of Access Chaos is the first step to creating an improved security stance and environment of reduced risk.
But first, you need to acknowledge the problem.