
Managing physical access with HelloID?
It has now been some 15-odd years since the Stuxnet worm was spread within the Natanz nuclear complex in Iran via a compromised USB device. The perpetrators used that trick because the complex was completely disconnected from other digital networks for security reasons. An online hack was simply not possible.
Stuxnet is undoubtedly the most famous example, but it was far from the last hybrid attack combining both physical and digital elements. This approach is not surprising, because it is often much more difficult to penetrate a well-secured corporate network online than to enter the premises and plug a manipulated device into the network somewhere. Similarly, unguarded paper containers are often a prime starting point for social engineering hacks, and a physical break-in often starts with disabling the camera network. In short, the boundaries between physical and digital attacks are becoming increasingly blurry.
Security convergence
Security specialists recognise this risk, which is why there is now much more focus on the integration of physical and digital security measures. This is often referred to as security convergence and its basic premise is that nowadays you have to organise security as a unified element. This sounds obvious, but the reality is that physical and IT security have traditionally been treated as entirely separate domains, often managed by different departments.
Now, there are many areas where we can help to improve the cooperation between digital systems and physical security measures. But of course, at Tools4ever, we are particularly interested in what you might call ‘access security convergence’. Despite the increasing sophistication of both digital and physical access systems, they are still typically managed in isolation. With our HelloID platform, we would like to help bridge that gap.
Current approach: Divided access management
Today, many organisations have advanced access security measures in place for both their IT applications and physical locations. In IT environments, passwords are often complemented by Multi-Factor Authentication (MFA) and biometric methods to secure access. In the physical domain, a personalised access badge is now considered the bare minimum for organisations. Increasingly, access is granted via an iris scan or via your smartphone.
But the real challenge is in managing individual access rights. How do you manage access to your properties when your organisation has thousands of employees, uses dozens of applications and operates across multiple locations?
- User accounts and access rights to IT systems are in that case typically managed via an IAM platform, which usually assigns accounts and permissions based on an individual’s role and department. This ensures that each employee only gets access to applications and data that they need for the job. For instance, a finance employee would have access to the financial systems based on their role but an IT administrator typically would not.
- Physical access security is usually managed through a central system that, for example, assigns access badges to users and also activates the appropriate access rights for each badge. This determines who can access specific buildings and areas, and on which days and at what times. It also ensures different departments can have their own physical rooms that are not accessible to staff from other departments.
Both systems use a centralised management platform but they are usually not integrated. What happens when an employee changes roles and moves from the finance department to the IT team? An IAM platform like HelloID will automatically ensure that the digital permissions are changed instantly. But how does that work for their physical access? In many cases, this still involves a manual process where you have to submit a ticket to request the administrator of the badge system to adjust the rights. The risk is that this disconnect creates mismatches and people unknowingly accumulate more and more physical rights.
HelloID to improve your security convergence?
Can’t we professionalise this further by synchronising both systems? Could we use a centralised IAM platform to manage both digital and physical access rights? With HelloID, this is already possible, and we offer it on two levels:
- Basic: In this setup, the physical security system continues to manage the detailed access rights for each individual. However, our IAM platform does ensure that new employee accounts are automatically added and activated in the system. It also ensures that when an employment contract ends, the user is deactivated and removed from the system. This keeps the user database in the physical security system always synchronised with the current employee database.
- Advanced: Here, the issuance of physical access rights is centrally managed through the IAM platform. The attribution is primarily based on an individual’s role and other attributes that are provided to the IAM platform by the HR system. This means someone working in the IT department will automatically get access to the IT applications as well as the IT department rooms. A finance employee, on the other hand, will automatically get access to the finance software and the facilities relevant to their department.
In this way, a single IAM environment allows us to manage all access rights – physical and logical – in a coherent way. By doing so, we not only prevent unnecessary accumulation of access rights, but also mismatches between physical and digital access rights. As a result, your organisation becomes more efficient, secure, and demonstrably compliant.
How does this work in HelloID?
Let’s break this down into a more concrete example. HelloID offers a comprehensive set of connectors to integrate different systems. We can connect HR systems as source systems for example. An HR system registers details about each employee, such as their role and department. Based on this information, HelloID can then create the required accounts and assign permissions in various target systems – ranging from the Active Directory to the CRM system.
Our connector catalogue is organised into different categories and by filtering on ‘IT Management and Security,’ you will find applications such as . These are examples of business applications that focus on building management and physical security. For example, Salto Space is an integrated, intelligent access control platform for the various areas within a building. The Salto system manages users’ authorisations, and organisations can choose between access methods such as smartphones, PIN codes, or key cards.
With the Salto Space connector, HelloID can ensure that access settings in Salto Space are synchronised with the information in the source system. This ensures that employees get access to the company buildings and areas that are aligned to their role and responsibilities. For different groups of employees, you can also configure access groups with a predefined set of physical access rights. This management approach is very similar to managing rights for your business applications. For a new employee, HelloID automatically creates an account in the system so that they can get started immediately. And if an employee’s role is changed in the HR system, HelloID ensures that the corresponding physical access rights are also adjusted automatically. This creates fully integrated physical and digital access management.
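The reconciliation described above, as an added sketch that is not HelloID or Salto Space code: it compares HR records with the current badge assignments and lists the rights to create, grant, revoke or deactivate. The record layout, group names and the `reconcile` function are assumptions, and all data is constructed.

```python
# Constructed sample data; department, group and field names are hypothetical.
BUSINESS_RULES = {  # department -> physical access groups granted by policy
    "Finance": {"HQ-Main-Entrance", "Finance-Floor"},
    "IT": {"HQ-Main-Entrance", "IT-Floor", "Server-Room"},
}

HR_RECORDS = [  # source system: who is employed and in which department
    {"id": "E100", "department": "IT", "active": True},        # moved Finance -> IT
    {"id": "E101", "department": "Finance", "active": True},
    {"id": "E102", "department": "Finance", "active": False},  # contract ended
    {"id": "E104", "department": "IT", "active": True},        # new hire, no badge yet
]

BADGE_SYSTEM = {  # target system: badge holder -> groups currently assigned
    "E100": {"HQ-Main-Entrance", "Finance-Floor", "IT-Floor"},  # accumulated rights
    "E101": {"HQ-Main-Entrance", "Finance-Floor"},
    "E102": {"HQ-Main-Entrance", "Finance-Floor"},
    "E103": {"HQ-Main-Entrance"},  # badge with no HR record at all
}


def reconcile(hr_records, badge_state, rules):
    """Return the changes needed to make badge rights match HR-derived policy."""
    plan = {"create": {}, "grant": {}, "revoke": {}, "deactivate": []}
    active = {r["id"]: r for r in hr_records if r["active"]}
    for emp_id, rec in active.items():
        # A department without a rule gets no physical access (deny by default).
        wanted = rules.get(rec["department"], set())
        if emp_id not in badge_state:
            plan["create"][emp_id] = set(wanted)
            continue
        current = badge_state[emp_id]
        if wanted - current:
            plan["grant"][emp_id] = wanted - current
        if current - wanted:
            plan["revoke"][emp_id] = current - wanted
    # Badge holders whose contract ended or who are unknown to HR.
    plan["deactivate"] = sorted(set(badge_state) - set(active))
    return plan


if __name__ == "__main__":
    for action, items in reconcile(HR_RECORDS, BADGE_SYSTEM, BUSINESS_RULES).items():
        print(action, items)
```

Run periodically against an export of the badge system, the `revoke` and `deactivate` entries are the accumulated or orphaned physical rights that a manual ticket process tends to miss.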
Want to know more about HelloID for your physical access security?
It’s obvious that successfully integrating physical and digital access management requires careful preparation. Part of this is drawing up a physical access policy based on the different roles and their activities. You should then incorporate this access policy into the business rules of the HelloID platform. Would you like to learn more about the integration possibilities for managing both digital and physical access security with HelloID? We’re happy to provide all the information you need.