In a recent article we talked about access control principles and how they apply to any system of access control, whether physical, technical or human. In this follow-on article we are going to talk about an access control framework that we can use to apply those principles and achieve the objectives of an access control system.
A hybrid approach
The model we use is called D5EA. It’s a hybrid model based on the well-known 5D’s of defence in depth, with some additional elements that we use to make the framework part of an overall iterative system.
The 5D’s of defence in depth access control are deter, detect, deny, delay and defend. They can be applied to physical access to a place or electronic access control to information. They formed a well-used and effective response to a singular attack.
We have developed our system slightly further when designing access control systems. We found that while the 5D model was effective for an initial system, it stopped once it got to defend, and there was no basis within the system for continual improvement or for learning from attempts to breach access. It also made no mention of generating any evidence of its effectiveness as a system.
D5EA Access Control Framework
Our D5EA model has the following steps. Bear in mind that each area has a range of available tools to choose from to reach the desired effect, and the tools chosen for each will depend on the objectives of the system from the previous article.
As a primary risk reduction measure, deterrence works on the psychology of the threat actor, looking to influence decision making regarding the targeted area’s suitability for an access breach attempt. Elements of target hardening come in here to influence the decision-making process. When setting up an access control system I try to consider how far away from the risk area I can begin to influence a person’s decision making. Areas such as targeted signage, publicised policies and communications can increase deterrence.
Where deterrence is not effective and the threat actor makes an attempt to breach the controlled area, the secondary response is detection. Planning both technical and human detection methods into the access control system, so that they provide layered opportunities to detect potential threat activity and then actual threat attempts, is key. Detection systems can include CCTV, sensors or trained personnel. Detection methods can be linked to later deny and delay systems to warn of actual threat, or can be standalone advanced threat detection methods in anticipation of an attempt to breach the controlled area.
The first hard access control layer is deny, usually through hardware: the application of doors, walls, solid gates, shutters etc. as a physical barrier to access. Up to this point the access controls had been soft, in that the threat could bypass deterrence and detection without noting their presence, but this layer is hard. The reality is that no access control measure can supply complete denial, and with enough intent any control will simply provide delay. But taken in the context of the risks faced at a controlled area, we can separate controls into denial methods and delay methods.
Delay measures accept that a threat actor will get through eventually but seek to buy time for the organisation to respond. Coupled with effective detection measures, they provide the time-to-response gap that is required to protect the controlled area.
For delays to be effective they must be tested or researched to discover exactly how much time the delay will generate for response (that’s another article).
No access control system is effective without an adequate response to attempted breaches to defend the controlled space. Great CCTV and doors may seem like a good ‘system’ but if the threat actor knows that nobody is coming then CCTV and doors mean very little.
Effective response may be company controlled (security provider) or public service (police) or a combination of both.
Going back to our principles from last week, every access control system needs to produce evidence of its effectiveness and its vulnerabilities. We can choose to accept or ignore these, or we can exploit the evidence generated for continuous improvement. CCTV reviews, audit logs, penetration testing, incident reports and interviews with threat actors who have failed are all examples of data capable of being exploited and transformed into intelligence. All of the evidence generated should be reviewed in its totality on a periodic basis, and also after any incident or near miss regardless of its effectiveness. Certainly any time we have to implement the ‘defend measures’ we should be looking at all of the evidence produced by other layers and undertaking a root cause analysis of why they have not been effective.
The final step is to adapt the system. Based on the data we have reviewed, how can we adapt, improve and make the overall system more resilient? Not just after an incident but on an ongoing basis. Any system left stagnant will fail over time, so continuous improvement is essential. Any adaptation should seek to move the control measure further outwards than the area in which the threat occurred.
The cycle is iterative, so it begins again. After we adapt the system, how does this affect our deterrence and detection? The process starts over.
This is a very basic overview of the model we use successfully when designing access control systems. While we spoke generally about perimeter access control in the example, this system has been applied to areas such as retail stores for items being removed, search areas at major events, and information security systems to prevent removal or alteration. The 5D system is not ours. It has been used for a long time in security. We have simply adapted it to our needs and our clients’ services over time.
In a follow-on article we will look at a formula to apply to the effectiveness and testing of an access control system.