Raising the Standards

Physical access control can benefit from adopting an
IT-centric approach

Scott Sieracki, Viscount Systems

The convergence of physical and logical access is certainly not a new phenomenon. Ever since security systems and related peripheral devices made the jump to IP, there has been a desire to combine the two functions to derive greater intelligence and value from these solutions. In addition, security systems on the corporate network closely align security and IT departments within an organization because of the growing concern about cybersecurity threats and the need to view access and identity across the enterprise more cohesively.

In today’s enterprise, an organization’s physical access control should adhere to the same standards and deployment models that any other IT application would.

This is not the world that most organizations live in, however, because most access control systems – the platforms that monitor physical access to facilities – are based on legacy architectures that operate in a standalone nature.

Increasingly, though, end users are looking for ways to eliminate these silos as part of a larger effort to build unified systems that operate with common practices. The first step in that process occurs when organizations start to view access control as an extension of identity management.

Because of the growing need for robust identity management across the enterprise, an increasing number of organizations are looking to provision the physical and logical identities of users through a common set of rules and policies. Many organizations in both the public and private sectors have invested millions of dollars into managing and protecting virtual identities because of increasing cyber threats, and now it has become necessary to apply those rules, policies and procedures from the virtual world to elevate and transform physical access control.

The U.S. government has been at the forefront when it comes to achieving unification of physical and logical security with the issuance of the Federal Identity, Credential and Access Management Roadmap and Implementation Guidance, better known as FICAM. Released in 2009 and revised in 2011, the goal of FICAM is to streamline logical and physical access among federal government agencies. Although FICAM was developed with government entities in mind, it can also serve as a guide that private sector organizations can use when building comprehensive access control policies.

Unification as a Business Tool

The cost savings and operational efficiencies that can be achieved through the unification of access control in an IT-centric security environment are numerous. In a true IT-centric access control model, the application software platform looks and responds like any other native IT application, deployed and supported by in-house IT staff. This access control model delivers myriad benefits in a wide variety of environments, including government, enterprise, education and healthcare.


The many high-profile data breaches that have occurred over the past several years have been a source of great concern for security professionals. From retail giant Target to the U.S. Office of Personnel Management, the number of people whose personal data has been compromised by hackers is astronomical. Given the increasing pace of migration to digital technology, the chances that more network-based systems will fall victim has risen.

Organizations face a multi-layer threat situation when it comes to cyber vulnerabilities, especially with the growth of the Internet of Things (IoT) and the demand for a secure, mobile enterprise. Malicious viruses can either infiltrate or disable IP-based devices, or hackers can use unsecured endpoints to gain access to corporate networks. The Carbanak cyber gang, for example, was able to steal nearly $1 billion from 100 financial institutions with such tactics. After using a spear phishing campaign to infect the IP devices of employees, the cyber thieves tapped into video surveillance systems via administrators’ computers, allowing them to view what was happening within the facility.

A report issued by the U.S. Government Accountability Office (GAO) in December 2014 found that the Interagency Security Committee, which is responsible for developing security standards for non-military federal facilities, had not addressed the risk of cyber threats to building and access control systems as part of its Design Basis Threat report. This risk needs to be addressed; from fiscal year 2011 to fiscal year 2014, the GAO found that the number of cyber incidents reported to the U.S. Department of Homeland Security involving industrial control systems increased from 140 to 243, a spike of more than 70 percent.

Cybersecurity experts also generally said that building and access control systems are vulnerable to cyber attacks. One expert, for example, plainly stated that access control systems were not designed with cybersecurity in mind, the GAO reported.

Additionally, individuals within the white hat hacker community have tried to draw attention to the cybersecurity gaps that exist in access control by detailing specific vulnerabilities. At the annual hacking convention DEF CON, security researcher Shawn Merdinger demonstrated how he was able to successfully attack a network controller manufactured by one of the most venerable brands in the industry.

Experience Freedom

An IT-centric access control platform is, by the nature of its design, an inherently more cyber secure solution.

The architecture leverages encryption bridges that are used to communicate with the application software. The entire application – decision-making, software, etc. – is located behind the firewall to ensure the highest level of cybersecurity protection.

A key advantage of this software architecture is that, when any cybersecurity or operating system-level patches need to be installed, the work can be done on the server in real time, under the same policies and practices as other IT systems. Companies can push out updates without having to worry about the security and compatibility of databases and an embedded system outside the firewall.

In addition, access logs can be exported to other network security or business intelligence systems running on an organization’s IT infrastructure, which, in essence, makes the identity management platform a part of the overall information security strategy. For instance, if a company has a business intelligence software suite and it receives an alert that an attack is underway against the system, it can make immediate changes throughout the entire security enterprise.

End users need to be asking their integrators about the types of compliance tools that have been used on access control systems to better gauge the cybersecurity safeguards in place in comparison with standards established by industry bodies, such as PCI, NIST, etc. If researchers, like the aforementioned Merdinger, are searching out the vulnerabilities in access control, then we can assume that malicious hackers are, as well. That is why it is paramount that organizations take steps to harden any network-based system.

End users need to be asking their integrators about the types of compliance tools that have been used on access control systems to better gauge the cybersecurity safeguards in place in comparison with standards established by industry bodies.

Looking Forward

It is clear that the role of IT in deploying security will only increase moving forward. CISOs, CSOs and IT security managers require solutions that operate on the standards they are used to seeing in their environments, and that offer greater efficiencies and cybersecurity safeguards. The days of closed systems and devices are coming to an end, while the dawn of IT-centric, unified solutions is just beginning to break.

Scott Sieracki (scott.sieracki@viscount.com) is the CEO of Viscount Systems (www.viscount.com).