A physical access control system (PACS) determines "who" is allowed to enter or exit an area, "where" they are allowed to enter or exit, and "when" they are allowed to enter or exit. Instead of standard locks and keys, a PACS uses an electronic reader and some form of credential, quite often a proximity card.
The proximity card is held near the reader, and the two communicate with each other through radio frequency fields, in a way similar to NFC and RFID. The PACS system maintains a database of users, and manages when and where those users are given access based on entitlements. In addition, an audit trail of access events is normally maintained.
For more than two decades the physical security industry has talked much about unifying logical and physical identities. In early April, the Physical Security Interoperability Association (PSIA) released a draft proposal that takes a step in that direction.
The Physical-Logical Access Interoperability (PLAI) specification proposes a standard for propagating logical identities (and their associated privileges and credentials) from an HR or IAM database to the PACS database. For example, when Wiley joins ACME as a Manager, a record for Wiley is created in the IAM system. As a result, a parallel record is automatically created in the PACS database, with an understanding that Wiley is a Manager, and therefore given physical access to areas appropriate for Managers. Additionally, when Wiley uses his credential for accessing those areas, the audit information is automatically pushed into the IAM system.
The PLAI proposal specifies a standard mapping of logical identities (identities in the HR/IAM database) to physical identities (identities in the PACS database), and a means for automatically propagating changes between the systems. The proposed standard is based on the use of LDAP and RBAC-RPE (a policy-enhanced extension to RBAC with support for dynamic attributes, such as time of day, which might need to be considered when determining user permissions). Notably absent is any reference to a standard provisioning protocol known as the System for Cross-domain Identity Management (SCIM).
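The following is an added illustration of the identity flow described above, not code from the PLAI draft or from any PSIA member product. It models the two directions the specification covers: an IAM record mapped to a PACS record whose area entitlements are derived from the user's role (with a time-of-day window standing in for the dynamic attributes RBAC-RPE adds), and the door audit trail handed back to the IAM side. The role table, card identifiers and class names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Tuple

# Constructed ACME policy (hypothetical): which areas each logical role may
# enter, and during which hours. The time window is the kind of dynamic
# attribute that RBAC-RPE layers on top of plain RBAC.
ROLE_ENTITLEMENTS: Dict[str, List[Tuple[str, time, time]]] = {
    "Manager": [("lobby", time(0, 0), time(23, 59, 59)),
                ("executive-floor", time(7, 0), time(19, 0))],
    "Engineer": [("lobby", time(0, 0), time(23, 59, 59)),
                 ("lab", time(6, 0), time(22, 0))],
}


@dataclass
class IamRecord:
    """Logical identity as held by the HR/IAM system."""
    user_id: str
    roles: List[str]
    card_id: str          # the proximity credential issued to this user
    active: bool = True


@dataclass
class PacsRecord:
    """Physical identity as held by the PACS database."""
    user_id: str
    card_id: str
    entitlements: List[Tuple[str, time, time]]
    active: bool = True


def map_identity(iam: IamRecord) -> PacsRecord:
    """Derive the physical identity from the logical one: the union of the
    areas granted by each of the user's roles, with their time windows."""
    ents: List[Tuple[str, time, time]] = []
    for role in iam.roles:
        for ent in ROLE_ENTITLEMENTS.get(role, []):
            if ent not in ents:
                ents.append(ent)
    return PacsRecord(iam.user_id, iam.card_id, ents, iam.active)


class PacsDatabase:
    def __init__(self) -> None:
        self.records: Dict[str, PacsRecord] = {}
        self.audit: List[dict] = []

    def sync_from_iam(self, iam_records: List[IamRecord]) -> None:
        """Propagate the IAM view into the PACS database. Users no longer
        present in IAM are deactivated rather than left enabled, so a
        leaver's card stops opening doors on the same sync."""
        seen = set()
        for iam in iam_records:
            self.records[iam.user_id] = map_identity(iam)
            seen.add(iam.user_id)
        for user_id, rec in self.records.items():
            if user_id not in seen:
                rec.active = False

    def check_access(self, card_id: str, area: str, at_iso: str) -> bool:
        """Decide a door request (ISO 8601 timestamp) and record it in the
        audit trail whether it was granted or denied."""
        at = datetime.fromisoformat(at_iso)
        rec = next((r for r in self.records.values() if r.card_id == card_id), None)
        granted = False
        if rec is not None and rec.active:
            for ent_area, start, end in rec.entitlements:
                if ent_area == area and start <= at.time() <= end:
                    granted = True
                    break
        self.audit.append({"ts": at_iso, "card": card_id,
                           "user": rec.user_id if rec else None,
                           "area": area, "granted": granted})
        return granted

    def drain_audit(self) -> List[dict]:
        """Hand the accumulated access events to the IAM system (the reverse
        direction of the PLAI flow) and clear the local queue."""
        events, self.audit = self.audit, []
        return events


if __name__ == "__main__":
    pacs = PacsDatabase()
    pacs.sync_from_iam([IamRecord("wiley", ["Manager"], "CARD-1001")])
    print(pacs.check_access("CARD-1001", "executive-floor", "2024-03-04T09:00:00"))
    print(pacs.drain_audit())
```

Two design points matter more than the data model. First, the sync deactivates anything IAM no longer knows about, which is what makes a joiner/mover/leaver change in HR take effect at the door without a separate PACS ticket. Second, denied requests are logged alongside granted ones, since a denied badge attempt outside the user's window is exactly the event an IAM risk engine would want to see.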
Unifying logical and physical identities holds the promise of enabling better security and more efficient administration in future IAM and PACS products.
For example, in a unified system, users in the future might be required to use their proximity card to enter the building before accessing local computers on the LAN. Or, if Wiley is in ACME headquarters using the local Finance system, then an alert might be raised if the VPN server receives a remote authentication request for Wiley's account. In addition, PACS events might be used as inputs to an IAM authentication policy engine, or a risk engine that monitors user behavior (used for Risk-Based Authentication).
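As an added example of the two policies sketched in the paragraph above (not code from the post or from Ping Identity), the function below replays PACS badge events together with LAN and VPN authentication events in time order, keeps a per-user view of who is currently badged in, and raises an alert when a LAN logon arrives with no preceding badge-in or when a VPN request arrives while the user is on site. The event records, the site and host names, and the rule names are constructed for the example; the client address is from the RFC 5737 documentation range.

```python
from collections import Counter
from datetime import datetime
from typing import Dict, List

# Constructed sample events from three sources, deliberately out of order
# (as a collector would receive them). All values are hypothetical.
EVENTS = [
    {"ts": "2024-03-04T08:05:00", "src": "pacs", "user": "wiley",  "event": "entry",        "site": "HQ"},
    {"ts": "2024-03-04T08:10:00", "src": "lan",  "user": "wiley",  "event": "logon",        "host": "fin-ws-12"},
    {"ts": "2024-03-04T08:30:00", "src": "vpn",  "user": "wiley",  "event": "auth_request", "client_ip": "203.0.113.7"},
    {"ts": "2024-03-04T07:55:00", "src": "lan",  "user": "coyote", "event": "logon",        "host": "eng-ws-3"},
    {"ts": "2024-03-04T18:00:00", "src": "pacs", "user": "wiley",  "event": "exit",         "site": "HQ"},
    {"ts": "2024-03-04T20:00:00", "src": "vpn",  "user": "wiley",  "event": "auth_request", "client_ip": "203.0.113.7"},
]


def correlate(events: List[dict]) -> List[dict]:
    """Replay events in time order, tracking where each user is physically,
    and emit an alert when a logical event contradicts that state."""
    onsite: Dict[str, str] = {}   # user -> site they last badged into
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        user = ev["user"]
        if ev["src"] == "pacs":
            if ev["event"] == "entry":
                onsite[user] = ev["site"]
            elif ev["event"] == "exit":
                onsite.pop(user, None)
        elif ev["src"] == "lan" and ev["event"] == "logon":
            # Policy 1: a LAN logon should be preceded by a badge-in somewhere.
            if user not in onsite:
                alerts.append({"rule": "LAN_LOGON_WITHOUT_BADGE_IN", "user": user,
                               "ts": ev["ts"], "detail": ev["host"]})
        elif ev["src"] == "vpn" and ev["event"] == "auth_request":
            # Policy 2: a remote VPN request while the user is badged in on site.
            if user in onsite:
                alerts.append({"rule": "VPN_REQUEST_WHILE_ONSITE", "user": user,
                               "ts": ev["ts"],
                               "detail": f"on site at {onsite[user]}, request from {ev['client_ip']}"})
    return alerts


def risk_signals(alerts: List[dict]) -> Dict[str, int]:
    """Collapse alerts into a per-user count, the shape a risk-based
    authentication engine would consume as one input among many."""
    return dict(Counter(a["user"] for a in alerts))


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
    print(risk_signals(correlate(EVENTS)))
```

The presence map is the weak point of any such rule and needs care in production: people tailgate through doors, many exits do not require a badge, and a card may be read at a site the user then leaves without a recorded exit. A real implementation would expire the badged-in state after a fixed interval and treat the result as a risk signal to be weighed by the authentication policy engine rather than as a hard block on its own.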
For the PACS admin, a unified identity relieves the burden resulting from organizational restructuring, changes to contracts, acquisition or divestment of business units, and temporary access needed for traveling employees or guests.
Even though the benefits are clear and compelling, progress in the creation of a standard has been very slow coming. There are a number of reasons for this.
With a few exceptions, core PACS technology has no standards. In the world of IT, we depend on standards to create and expand markets. Not so in the world of physical security. The business models of PACS vendors depend on using proprietary products to maintain high margins and customer lock-in.
There are organizational barriers to integrating logical and physical systems. The buyer of physical security products is typically the security department or facilities management, not IT. Only sometimes do the physical security systems fall under the management of the CIO or CTO. This has been slowly changing over the past decade with the growth of IP-based physical security hardware (such as IP cameras, and more recently IP door controllers). But in many cases, the pitch to integrate physical and logical systems requires two sets of value propositions, presented to two different departments: first to IT (an ability to enhance logical security), and second to Security (more efficient security administration).
IT may not want responsibility for management of another system, and Security might worry about losing resources and control to IT. Even if both agree that integration is a good thing, they still have to agree on who will pay for it, and the solutions are expensive. Because existing technologies are proprietary, integration normally requires custom coding and changes to standard workflows.
If the PSIA is successful, costs for integration will be reduced, and organizations will evolve. Will they be successful? A market that demands a standard is helpful, and noteworthy is the membership of Microsoft and Cisco in the PSIA. Both companies are very large buyers of physical security hardware, and can require the standard for their purchases.
Mance Harmon is the Director of Ping Identity Labs. In a previous life, Mance was founder and CEO of BlueWave Security, which developed TCP/IP-based physical security solutions. The company was acquired by JST Partners in Dec. 2011.