Identity and Credentials
What credential does one need to get backstage at a rock concert? Perhaps it is a high-tech, color-coded, scannable photo ID. Or maybe you just have to be a friend of a friend of the security guy at the door. There might be a wide range of somewhat random criteria that will get you access. When addressing security, defining the necessary credential and implementing it diligently and consistently throughout the entire organization is crucial. In such a system there is nothing random, and no individual can override or undermine the security clearance system.
An Access Management System & Security Strategy
Every organization should have a security strategy that facilitates common processes for controlling the access of individuals: a strategy that ensures facilities remain secure and also enables a positive user experience when moving from one location to another. It is a functional balance. Users with proper credentials should be able to gain their appropriate level of access without feeling encumbered or restricted by the process, yet the access management system should never spark or propagate a nonchalant cultural attitude within the organization. The security strategy needs to account for control of all person types including employees, contract staff, and various types of visitors – from vendors peddling their wares to public authorities performing their civic duties. There is an abundance of moving parts to account for – far beyond the scope of a system that might be limited to just allowing professors in a university to enter their lounge. Large corporations have multitudes of people who, on a daily basis, enter and exit a variety of premises. Each individual may have different levels of clearance, and each facility area potentially has different levels of security concerns. That is why the access management system needs to have the flexibility to expand and contract for all such individual access combinations and situations.
Access Control Strategy Tools
A key part of any access control strategy is the tool a person uses to obtain access to a restricted space. This tool can be their government ID, a key, an access card, a password, or even a part of their body. It might even be a combination of some of these. Each organization has its unique elements, and they need to be identified and accounted for with the incorporation of the best available access permitting tool. The first step is to discover what your organization is doing today within its current system. Are there common credentials or technologies in use across the enterprise which can be leveraged? You need to evaluate whether enhanced security measures can be based on a solid foundation now in place, or whether the system displays so many weaknesses that it is deemed best to start again from the ground up and build the security structure you need. A simple non-technical survey may be sufficient for the current evaluation, but if the information received is inconclusive, consider using an expert to collect the data. The ‘don’t try this at home’ premise may be the best one to put into effect. Often a survey conducted by an outside source – one that has a high level of expertise in all related areas – is the difference-maker in creating a modern, manageable access system. Identifying the right type of tool, or credential, is essential – and one of the initial steps – in creating a successful security strategy.
Access control predates technology; even guards, locks and keys have the potential to be compromised or “hacked.” According to HID Global – referencing data reported by Verizon – 57% of data breaches involve physical access breaches. Vulnerable physical security tools can have catastrophic consequences, and that is why your organization needs to stay informed about the level of vulnerability each credential solution bears and match it to the level of risk associated with the area being secured. Please reference the informative article titled “How Secure is Your Security Badge” for more information about credential hacking.
Sustainability of the Chosen Security Access System
We are living in a technological age. Everyone experiences the benefits of these advancements. At the same time, new tech always means that whatever was at the top of the curve last year – or even today – will ultimately become obsolete; the only variable is the time frame within which this occurs. It may be considered acceptable to run business computer systems that are solid and functional even though they may not have all the latest bells and whistles, but in the world of security, the evaluation criteria and choices made are much more critical. As technology moves forward, a system may very likely experience new and unanticipated security breaches; the opportunities to exploit weaknesses expand. To keep on the edge of the wave, avoid obsolete technologies or credential solutions that are trending downward. Don’t let price, discounts, or sales pressure influence your decisions when considering older technology. At the same time, be selective when considering cutting-edge solutions until market leaders emerge and the solution is widely supported. Due diligence is important. Will the manufacturer stay in business? Will the product be discontinued? Is the supply chain strong? There should be internal research beyond just the service provider’s input. Generally, an evaluation and recommendation from a security consulting firm that is not ‘product pushing’ is worth its weight in gold. Your organization plans to be around for more than the short term – so choose a solution that will be sustainable for several years.
Pick One – or Two – Layers of Security Credentials
Consider the use case. The number of people who require access, the regulatory requirements, the range of weather conditions, and the balance of industrial versus office space are all factors that may narrow the security options. Additionally, any high-risk areas require a very strong credential. Two-factor authentication (a combination of different credential types) is a good practice to mitigate the risk of compromised security credentials. This makes sense: it adds a further layer so that access entails more than one step, which diminishes compromise and exploitation of the system. A professional in this field can advise as to whether any biometric solution may involve privacy issues or challenges with certain populations due to physical or religious constraints. This is always a consideration to be factored into access security decisions.
Crafting a Credential
In crafting a security credential, your organization should be well aware of the following points:
- The security of some credentials may vary based on their ingredients or configuration. Many commonly used credentials have security features that are not enabled.
- The more secure you make the credential, the more complex the engineering, costs, and supporting processes.
- Various back office support systems may be required for high security credentials including IT security provisioning tools.
- Consult with an expert when a high security credential is necessary.
Incorporating & Maintaining an Access Security System
Your security enables your organization to function efficiently – while retaining all resources, information, and corporate secrets – ensuring that only those with clearance can have access. An access security system can vary widely in how it is incorporated and maintained. Keep in mind that spending resources to manage multiple vendors, systems, contracts, and locations can be inefficient and costly. A single point of contact is preferred and always recommended by professional security consulting firms. Their assistance can extend to vendor support contracts, application support, service management, standards & procedures, and of course, overall subject expertise. On the physical side, incidents of undesirable people penetrating the premises are eliminated within the virtual fortress of your organization’s access security system. There is an old slang phrase that states, “You’re either in – or you’re out!” Make that a solid reality with a security credential system that works best for all your needs and situations.