
Effective Access Control nearly completes Security

Earlier blogs presented an overview of the ‘Risk Chain’, the ‘Methodology to break’ the chain, and the ‘Five layers’ of Security. Various Security processes contribute to meeting the de-risking need. If we put a score on each component of the Security need, we can prioritize implementation requirements vis-à-vis risk. “Threat” exposure is not possible without movement of men, material, or information. Therefore, controlling, regulating, and monitoring movement to and fro between Secured and Non-Secured areas is important.



Crime is not possible without an access breach; therefore, establishing reasoned ‘Access control’ nearly completes Security. Access control is “The practice of regulating entrance to a property, a building, or a room to authorised person”; access could be physical or digital. Unauthorised access could target property or information (damaging or stealing). Unauthorised outward movement of material (property) and information is also an access breach. Generally, Security Managers consider Gate Security to be the whole of Access Control, but complete access control consists of several other aspects, such as securing access from the perimeter, material movement management, etc.

The foundation of “gate access control” is effectively distinguishing between authorised and unauthorised. Several processes exist within this distinction. Recognising the authorised (flow) is easy compared with recognising the unauthorised; hence gate access control is mainly designed or engineered around regulating the unauthorised. Once authorised users are handled well (with comfort and convenience), what remains is the unauthorised. This sometimes creates concerns and inconvenience for authorised users, as they are regulated and need to follow the process that filters out the unauthorised.

The differentiation between authorised and unauthorised starts with “effective recognition at registration”, i.e. creating the ability to identify who is right for registration. Often the registration process is ignored and therefore weak, which may lead to registration of the wrong person. Generally, a process is implemented around issuing the ID-card under the ‘Registration process’, but to whom the ID-card is to be issued is not considered and thought through well. Compare this with the issuance of a system password: what is important to know is to whom it is issued. Point to remember: “the right person accessing without an ID-card is not a threat compared with the wrong person accessing with an ID-card”. Hence merely having a registration process to issue ID-cards is not what is important; the person is important.

While managing routine Gate Security, the team forgets this basic check and looks only at ID-card issuance; to whom the ID-card or entry pass is being issued is not taken into consideration. The registration process is the first, and an important, chance to filter. Tools are available to ensure that only the actual ID-card holder enters, i.e. biometrics-based access control. Therefore, the filter at the beginning is important – Security should have an answer to “Whom are we registering? Is he the right person?”.

“Background checks” are one of the tools to identify ‘go’ or ‘no go’. But such checks are generally limited to HR concerns only, i.e. education or previous employment verification etc. I recently faced a question, “What is the biggest Security concern?”, and my answer was “surprises”: an event for which the Security System and Manager are not prepared. The worst, not even perceived. “Insider threat” is one of those surprises. The main reason for not being able to prevent insider threat is not being able to filter. HR considers on-boarding filtration differently; there are trainings on “interviewing techniques”, as the aim is the right hire for the desired skills. Is there training for “Security registration techniques”? Customised trainings are available and imparted but, due to Security concerns and other reasons, never advertised. Remember the “Risk chain”: an adversary can create maximum impact when he has capabilities. Entering as an authorised, registered person gives him more capability to be near the asset or target; therefore insider threat is a great risk, and generally the Security arrangement is not prepared for it. The Security Manager must have a robust registration system to filter, and must avoid mistakes like:

  1. Outsourcing the registration process without adequate checks, DoA mapping, a lapse-tracking mechanism, process control and governance. In practice this gives away the authority to let unknown persons penetrate the system.
  2. No integration between Security and HR systems, or a loose end at the HR or Security side.
  3. Poor data management, especially at a large site and/or in a multi-location organization; missing unique identification.
  4. No data management for watch-list checks, and lack of coordination with law enforcement agencies and neighboring agencies for sharing watch-list criminal data.
  5. No authorization management, i.e. who can approve registration. Generally no link is established; most of the time a process exists for the “authorized signatory” but implementation is poor.
  6. On the technology side, several mistakes such as poor card management: the majority of organizations use smart cards for access control but rely only on the CSN, which is easy to clone.
  7. No process for lost-card management, and no provision to report / auto-deactivate.

The Security Manager must be one step ahead; more important is to focus on minute details, especially when the Security need is high. In addition, “access control of the right person is a daily activity”, which means that for highly sensitive locations, all key personnel should be under clandestine watch.

The following practices help in maintaining effective access control:

  1. Correct registration process
    • Foolproof enrolment
    • Correctness of data – remember and avoid GiGo.
    • Background checks, especially for people working in critical areas
    • No dependency on the Security Operator for registration – strong governance, better proactive than auditive.
    • Encrypted ID-cards for sensitive areas. Key control for the ID-cards being encoded.
  2. Gate Access control
    • Well-designed gate (remember the CPTED concept) – no space for bypassing the access control. Enough space for screening, an exception handling area, a response & containment area, and denial lanes – avoid chaos.
  3. Integrated access control system
    • As far as possible, implement an access control system where data travels from the HR system rather than through manual entry. This avoids giving the operator the authority to create an ID-card for anyone.
    • Ensure the access control system is integrated with the HR system for auto-deactivation of the ID-card during separation.
    • Alarm panel and effective monitoring process – ensure access control system alarms are acted upon; the fewest possible false alarms from the system enable the operator to focus.
    • Analysis of in/out data to find loopholes, e.g. pairing in and out events to check the correctness of people flow and system performance.
  4. Vigilance – keeping people working in sensitive areas under watch – the big brother watching concept.
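
The in/out pairing and HR cross-check from practice 3, sketched as an added example that is not part of the original post. The card IDs, the event layout and the HR feed are constructed assumptions, not a real access control system's format.

```python
from datetime import datetime

# Constructed HR feed: card id -> separation time (None = still employed).
HR_SEPARATIONS = {
    "C100": None,
    "C200": None,
    "C300": datetime(2024, 3, 1, 18, 0),
}

# Constructed reader log in time order: (timestamp, card id, direction).
EVENTS = [
    ("2024-03-04 08:00", "C100", "IN"),
    ("2024-03-04 08:05", "C200", "IN"),
    ("2024-03-04 12:00", "C200", "IN"),   # second IN with no OUT in between
    ("2024-03-04 17:00", "C100", "OUT"),
    ("2024-03-04 17:30", "C400", "OUT"),  # card unknown to HR, never badged in
    ("2024-03-05 09:00", "C300", "IN"),   # card used after separation
]

def audit_events(events, hr):
    """Return (timestamp, card, finding) tuples for events that need review."""
    inside = {}    # card -> timestamp of its unmatched IN
    findings = []
    for ts_text, card, direction in events:
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M")
        # Cross-check against the HR master before looking at direction.
        if card not in hr:
            findings.append((ts_text, card, "card not in HR master"))
        elif hr[card] is not None and ts > hr[card]:
            findings.append((ts_text, card, "used after separation"))
        # Pair IN and OUT events per card.
        if direction == "IN":
            if card in inside:
                findings.append((ts_text, card, "IN without prior OUT"))
            inside[card] = ts_text
        elif direction == "OUT":
            if card not in inside:
                findings.append((ts_text, card, "OUT without prior IN"))
            inside.pop(card, None)
    # Cards still marked inside when the log ends have no matching OUT;
    # these may be people still on site or exits the system never saw.
    for card, ts_text in inside.items():
        findings.append((ts_text, card, "no OUT recorded"))
    return findings

if __name__ == "__main__":
    for finding in audit_events(EVENTS, HR_SEPARATIONS):
        print(*finding, sep="  ")
```

Unpaired events point either to a loophole in people flow (a bypassed reader, a shared card) or to a reader that is missing events, which is why the post lists both correctness of flow and system performance as outcomes of this analysis.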

There are many more measures for Security access control covering the perimeter, gate protection, material movement management etc. Security managers can derive their own practices and code to match the ground requirement. As per study, access control contributes 55% to 60% of overall Security operations. This is applicable to almost all types of industries. Therefore, if Security managers take care of Access Control effectively and design the system (5 layers) for managing access control well, the Security need is nearly completed.



Comments

  1. Indeed valuable for Security professionals. Sir, Thank you for writing blogs for Security fraternity..
    Great learnings..

  2. The snippet summary is well articulated. The basic fundamental concept of Security. Kudos to Author.

  3. Very insightful.... Thanks for sharing sir

  4. Excellent illustration of gained knowledge...

  5. Thanks for sharing sir... Lot of learnings in it

  6. Again, good article, Smit... knowledge in depth for new learners and refreshing for others

