How does physical access control differ from the logical access control described in earlier chapters?

Logical Access Controls

Logical access controls tools are used for credentials, validation, authorization, and accountability in an infrastructure and the systems within. These components enforce access control measures for systems, applications, processes, and information. This type of access control can also be embedded inside an application, operating system, database, or infrastructure administrative system. Physical access control is a mechanical form and can be thought of physical access to a room with a key. The line is often unclear whether or not an element can be considered physical or logical access control. Physical access is controlled by software, the chip on an access card and an electric lock grant access through software. Thus, physical access should be considered a logical access control. A benefit of having logical access controlled centrally in a system allows for a user’s physical access permissions to be instantaneously revoked or amended. For example, when an employee is fired, his or her badge access can be disabled, as can the employee’s multiple system access accounts. Persons in possession of the proper access card, the appropriate security level, and in some cases a pin are granted entry to a room once the credentials are checked against a database.

Logical Access Controls

Logical access control tools are used for credentials, validation, authorization, and accountability in an infrastructure and the systems within. These components enforce access control measures for systems, applications, processes, and information. This type of access control can also be embedded inside an application, operating system, database, or infrastructure administrative system. Physical access control is a mechanical form and can be thought of physical access to a room with a key. The line is often unclear whether or not an element can be considered physical or logical access control. Physical access is controlled by software, the chip on an access card, and an electric lock grant access through software. Thus, physical access should be considered a logical access control. A benefit of having logical access controlled centrally in a system allows for a user's physical access permissions to be instantaneously revoked or amended. For example, when an employee is fired, his or her badge access can be disabled, as can the employee's multiple system access accounts. Persons in possession of the proper access card, the appropriate security level, and in some cases a personal identification number (PIN) are granted entry to a room once the credentials are checked against a database.

Logical access controls

Logical access controls are the features of your system that enable authorized personnel access to resources. To many folks, distinguishing between logical access control and I&A is confusing. Logical access controls are those controls that either prevent or allow access to resources once a user’s identity already has been established. Once a user is logged in, they should have access only to those resources required to perform their duties. Different user groups usually have access to different resources, which ensures a separation of duties. Describe how the separation of duties occurs. A good portion of this discussion should be about account management. User accounts are usually part of a role-based group. Describe the names of each role and what resources each role has access to. The resources that you will want to take into consideration include systems, directories, network shares, and files. You can summarize this information in a table similar to Table 16.8.

Table 16.8. Role-Based Group Accounts Mapped to Resources

Discussion of anonymous and guest accounts, whether they are allowed or not, should be described. Group accounts, whether they are allowed or not, should be described. System accounts—accounts set up for the purpose of accommodating system processes and programs—may or may not be allowed. If system accounts are allowed, you’ll need to give justification as to why they are allowed and what processes and programs use these accounts.

Logical Access Controls

Logical access controls can be one of the easiest access controls to sabotage. Such systems generally have a set limit for the number of incorrect passwords, PINs, and so on that can be entered before the system will lock out the account for some period of time. In this case, we can use something along the lines of a denial-of-service attack to render the system unusable for any accounts that we would care to target in such a manner.

In the case that we have direct access to the logical access control, which could be as simple as the login prompt on a server, we only need to enter the targeted account name and a bad password the required number of times to hit the level of an account lockout. Depending on the system in question, we may or may not see an error message indicating that the account has been locked out.

The duration of such account or system lockouts depends on the configuration of the logical access control in question. Many lockouts will resolve themselves within a specified period of time, often 10 to 20 min. Some systems require the account or system to be manually unlocked by a helpdesk support technician or system administrator. Accounts or systems that require a manual unlock will tend to take longer to regain functionality, even when reported immediately. For systems that unlock accounts automatically, the saboteur will need to either continuously work to keep the account locked, or set up an automated process to do so.

Access Control

Access control is often the first and possibly most robust controls that can be implemented to ensure privacy and security in the healthcare environment. When you think about a typical healthcare environment and all the sensitive information present, you quickly understand the importance of limiting the access to that information to only authorized individuals who need to have access to the information in order to perform their job responsibilities and deliver healthcare services. Although similar in nature, it is important to distinguish between physical and logical access control. Since physical security is often the first line of defense we will start there. Since systems that store sensitive healthcare information are located within the physical walls of healthcare service providers, we can focus on the outside and work our way in. Considering the defense-in-depth security methodology, we are able to achieve our first layer of access control just by limiting physical access to information systems. This does not mean we do not need logical security, but rather we can gain some comfort in knowing that well-designed and properly maintained physical security access controls can deter or prevent unauthorized individuals from being able to physically access sensitive information or healthcare systems. Since we must avoid creating single points of failure and there are some threats that exist regardless of physical security controls, logical access controls are the next layer in effective security and required to support the CIA triad. Logical access controls should be developed to support the system architecture and be implemented at as many layers as possible. This typically means ensuring proper access control at both the network and system level. For example, a healthcare practitioner’s access should be controlled when he or she logs into the network and again when he or she wants to access a particular system hosted on the network. From a more practical and healthcare-focused view, organizations do not want just anyone to be able to view or access patient information. So do organizations just need to implement controls preventing only outsiders from accessing patient records? The answer is no. Just because a person is employed by a healthcare organization does not mean they should be allowed to access sensitive patient information. In fact, effective access control is based on the concept of least privilege (individuals should only be able to access the information required to perform their job – no more, no less) and we will discuss in greater detail a little later. Once a healthcare organization ultimately determines who should be able to access information, the next challenge becomes the “how.” Thinking back to our discussion on defense-in-depth, it makes sense that there is no single approach or access control to accomplish the task. In fact, the more layered the controls, the better. In order to understand how to best implement access controls, let us take a look at the three types of controls: administrative, physical, and technical.

It is best to think of these as independent but interconnected elements that work together to ensure appropriate levels of access control for healthcare organizations. Figure 4.2 shows the relationship among the control types.

Although the three categories work together and can be implemented independently, we recommend the sequence of administrative, physical, and technical and that is the order they will be discussed in this book. Administrative controls, when supported by senior leadership, set the foundation (aka “tone at the top”) for the organization’s access control objectives. These are often “soft” controls based on policies and organizational culture and regulatory requirements. Physical controls are usually the first layer of defense and often provide perimeter support for technical controls. These can range from door locks and ID badge systems to physical partitions separating employee work and patient care areas. Technical controls usually reside at the system level and are the mechanisms in place to support the organization’s privacy and security policies. A common example would be requiring a valid username and password before accessing the system.

Now that we have drawn the distinction between physical and logical access controls, we will review three common logical access control models. The three models commonly used in logical access control include discretionary access control (DAC), mandatory access control (MAC), and role-based access control (RBAC).

DAC – Is a control mechanism where the user explicitly allows access to other users or programs that the user has ownership or control over.

MAC – Is a control mechanism where the user permissions are explicitly controlled by the information system. The permissions are enforced by a collection of prebuilt access rules within the system. When the user is assigned permissions to a system object, the system restricts the activity of the user in accordance with the object’s permission level. For example, a user cannot share information with unauthorized users or system objects.

RBAC – Is a control mechanism based on business-specific functions within an organization. For example, the role of “Accountant” can view accounts payable information, but the role of “Accounting Manager” can perform accounts payable transactions.

Logical Access Controls

The final defensive measure covered in this chapter is the use of logical access controls to restrict access to services based on criteria set by administrators. The concept of logical access controls is nothing new, but the impact they can have on security if implemented properly can be profound. An easy-to-understand example of logical access controls is implementing access control lists to limit access to protocols used for remote administration.

Remote administration is a fact of life for many large organizations. Due to the geographical separation of administrators from the systems they manage, many times administrative functions occur from remote subnets, cities, or even countries. Because of the dynamic nature of networking and administration, many times administrators will implement remote administration interfaces without regard to who will actually have access to them.

One of the dangers associated to implementing administrative interfaces without proper controls in place is that anyone who can access the interface can attempt to authenticate and possibly gain access to administrative functions. Logical access controls can help bridge this security gap.

For example, administrators can implement logical access controls that only allow connection to administrative interfaces from IP addresses or management subnets that are predefined by the administrators. This allows legitimate administrators to connect to the management interfaces and conduct their business but denies access to those connections that are not defined as part of the logical access control rules.

Of course, there is always a caveat to what we think is a great plan. If one of the systems we defined as valid system to conduct administrative tasks with is compromised, an attacker will be able to circumvent the logical access controls altogether. This is why it is important to consider implementing controls in addition to logical access controls, such as the use of certificates for authentication.

Modem Hardening

Besides leaving modems disconnected or turned off when not specifically in use, you can harden modems by utilizing the logical access controls that are available within the modem settings themselves. Modems can be set to automatically return a call or “call back” a modem that is dialing into the network before allowing access to occur. This setting forces an attacker to provide a legitimate phone number for a modem he or she is using and provides investigators information that can be used while attempting to identify the source of an attempted or successful breach. You can also define a list of authorized phone numbers that the modem will accept calls from. Although this setting will still allow spoofing to occur, an attacker must first figure out what the legitimate phone numbers are.

Authorization and access control in the real world

We can see authorization and access control used in our personal and business lives on an almost constant basis, although the portions of these that are immediately visible to us are the access controls. Looking specifically at logical access controls, we can see them used when we log in to computers or applications, when we send traffic over the Internet, when we watch cable or satellite television, when we make a call on our mobile phones, and in thousands of other places. In some cases, such measures are visible to us and require us to enter a password or a PIN, but a large portion of them happen in the background, completely invisible to the tasks we are carrying out and taken care of by the technologies that facilitate our tasks.

In the sense of physical access controls, we see these rather frequently as well, although it may not register to us that we are seeing them. Most of us carry around a set of keys that allow us access to our homes, cars, and other devices, and these are the credentials for access to them. Many of us also carry proximity badges that allow us access to our places of employment, schools, and in case of driver’s license places like bars. We can also see the access controls that manage the movement of vehicles in everyday use in vehicle-oriented areas such as parking garages and parking areas at airports, and in the vicinity of high-security areas such as the White House in the United States.

Logical and technical controls

Logical controls, sometimes called technical controls, are those that protect the systems, networks, and environments that process, transmit, and store our data. Logical controls can include items such as passwords, encryption, logical access controls, firewalls, and intrusion detection systems.

Logical controls enable us, in a logical sense, to prevent unauthorized activities from taking place. If our logical controls are implemented properly and are successful, an attacker or unauthorized user cannot access our applications and data without subverting the controls that we have in place. This allows for multiple functions like finance, human resources, and sales to all be run on one server, but none of them to have access to each other. If one is compromised they are not all compromised.

7 Integration of Physical and Logical Security

Physical security involves numerous detection devices such as sensors and alarms, and numerous prevention devices and measures such as locks and physical barriers. It should be clear that there is much scope for automation and for the integration of various computerized and electronic devices. Clearly, physical security can be made more effective if there is a central destination for all alerts and alarms and if there is central control of all automated access control mechanisms such as smart card entry sites.

From the point of view of both effectiveness and cost, there is increasing interest not only in integrating automated physical security functions but in integrating, to the extent possible, automated physical security and logical security functions. The most promising area is that of access control. Examples of ways to integrate physical and logical access control include the following:

Use of a single ID card for physical and logical access. This can be a simple magnetic-strip card or a smart card;

Single-step user/card enrollment and termination across all identity and access control databases;

A central ID-management system instead of multiple disparate user directories and databases;

Unified event monitoring and correlation.

As an example of the utility of this integration, suppose that an alert indicates that Bob has logged on to the company’s wireless network (an event generated by the logical access control system) but did not enter the building (an event generated from the physical access control system). Combined, these two events suggest that someone is hijacking Bob's wireless account.

For the integration of physical and logical access control to be practical, a wide range of vendors must conform to standards that cover smart card protocols, authentication and access control formats and protocols, database entries, message formats, and so on. An important step in this direction is Federal Information Processing Standard (FIPS) 201-2 [Personal Identity Verification (PIV) of Federal Employees and Contractors], issued in 2013. The standard defines a reliable, government-wide PIV system for use in applications such as access to federally controlled facilities and ISs. The standard specifies a PIV system within which common identification credentials can be created and later used to verify a claimed identity. The standard also identifies federal government-wide requirements for security levels that depend on risks to the facility or information being protected.

Fig. 69.4 illustrates the major components of FIPS 201-2–compliant systems. The PIV front end defines the physical interface to a user who is requesting access to a facility, which could be either physical access to a protected physical area or logical access to an IS. The PIV front end subsystem supports up to three-factor authentication; the number of factors used depends on the level of security required. The front end uses a smart card, known as a PIV card, which is a dual-interface contact and contactless card. The card holds a cardholder photograph, X.509 certificates, cryptographic keys, biometric data, and the cardholder unique identifier (CHUID). Certain cardholder information may be read-protected and require a personal identification number (PIN) for read access by the card reader. In the current version of the standard, the biometric reader is a fingerprint reader or an iris scanner.

The standard defines three assurance levels for verification of the card and the encoded data stored on the card, which in turn lead to verifying the authenticity of the person holding the credential. A level of some confidence corresponds to use of the card reader and PIN. A level of high confidence adds a biometric comparison of a fingerprint captured and encoded on the card during the card-issuing process and a fingerprint scanned at the physical access point. A very high confidence level requires the process just described to be completed at a control point attended by an official observer.

The other major component of the PIV system is the PIV card issuance and management subsystem. This subsystem includes the components responsible for identity proofing and registration, card and key issuance and management, and the various repositories and services (public key infrastructure directory and certificate status servers) required as part of the verification infrastructure.

The PIV system interacts with an access control subsystem, which includes components responsible for determining a particular PIV cardholder’s access to a physical or logical resource. FIPS 201-1 standardizes data formats and protocols for interaction between the PIV system and the access control system.

Unlike the typical card number/facility code encoded on most access control cards, the FIPS 201 CHUID takes authentication to a new level through the use of an expiration date (a required CHUID data field) and an optional CHUID digital signature. A digital signature can be checked to ensure that the CHUID recorded on the card was digitally signed by a trusted source and that the CHUID data have not been altered since the card was signed. The CHUID expiration date can be checked to verify that the card has not expired. This is independent from whatever expiration date is associated with cardholder privileges. Reading and verifying the CHUID alone provide only some assurance of identity because they authenticate the card data, not the cardholder. The PIN and biometric factors provide identity verification of the individual.

Fig. 69.5, adapted from Ref. [3], illustrates the convergence of physical and logical access control using FIPS 201-2. The core of the system includes the PIV and access control system as well as a certificate authority for signing CHUIDs. The other elements of the figure provide examples of the use of the system core for integrating physical and logical access control.

If the integration of physical and logical access control extends beyond a unified front end to an integration of system elements, a number of benefits accrue, including the following [3]:

Employees gain a single, unified access control authentication device; this cuts down on misplaced tokens, reduces training and overhead, and allows seamless access.

A single logical location for employee ID management reduces duplicate data entry operations and allows for immediate and real-time authorization revocation of all enterprise resources.

Auditing and forensic groups have a central repository for access control investigations.

Hardware unification can reduce the number of vendor purchase-and-support contracts.

Certificate-based access control systems can leverage user ID certificates for other security applications, such as document electronic signing and data encryption.

Finally, let us briefly look at a physical security checklist. The effectiveness of the recommendations in the physical security checklist is most useful when initiated as part of a larger plan to develop and implement security policy throughout an organization.