26 July 2023

Splunk in the NHS – It’s not just about online data

When auditing user access, we usually focus on IT systems that provide reports on credential use and geographic location of the request. However, a Full Spectrum Information Protection/Assurance approach needs to consider more than just systems operated by a keyboard. People, places, and importantly, “paper” should be included too.

Physical Access Control systems have been in existence since the first lock and key. Modern systems that rely on proximity cards or tokens have been in use for several years. These systems depend on a computerized backend to manage users and grant access to different areas of the organization.

Using an access card to open a door is not much different from entering a username and password to log in to your computer every day. The only difference is that you use the card issued to you (and notice if you have misplaced it). The IT security community is pushing for Multifactor Authentication, which can be thought of as:

1. Who are you? (username)

2. What do you know? (password)

3. What do you have? (MFA token)

However, access cards skip question 2 and infer the answers to 1 & 3. This makes it critical to have an effective monitoring program to report and manage who is opening secure doors.

Splunk can be used to monitor access events from a wide variety of data sources, including access control and physical security systems. Reviewing this data can help meet the DSPT requirements of NHS Trusts, enabling them to understand who is accessing what, where, when, and why. This is an IT challenge as well as an HR/security/management/executive problem. If your access control system generates logs, adding those logs to your central security tool is advisable. This also enhances the overall visibility of your Information Assurance responsibilities.

Monitoring physical access logs can highlight several scenarios, such as users logging onto computer systems without badging in at the beginning of a shift, or using access cards outside of normal hours or workspaces. Unusual access activity can be tracked, reported, and correlated to job or business function.
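The two scenarios above can be expressed as simple correlation logic. The following is an added example, not Apto's or Splunk's own code: the event layout, user names, door names, working hours, and the four-hour badge window are all constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real data): (timestamp, user, door / workstation).
BADGE_EVENTS = [
    ("2023-07-24T07:52:00", "asmith", "Ward 4 staff entrance"),
    ("2023-07-24T02:13:00", "bjones", "Pharmacy store"),
    ("2023-07-24T08:58:00", "bjones", "Main entrance"),
]
LOGON_EVENTS = [
    ("2023-07-24T08:05:00", "asmith", "WARD4-PC01"),
    ("2023-07-24T09:10:00", "bjones", "PHARM-PC02"),
    ("2023-07-24T08:30:00", "cpatel", "WARD4-PC03"),
]

# Assumed policy values; tune to the site's shift patterns.
WORK_START_HOUR, WORK_END_HOUR = 7, 19
BADGE_WINDOW = timedelta(hours=4)  # a logon should follow a badge read within this window


def parse_ts(value):
    """Parse an ISO 8601 timestamp string into a datetime."""
    return datetime.fromisoformat(value)


def logons_without_badge(badges, logons, window=BADGE_WINDOW):
    """Return logons with no badge read by the same user in the preceding window."""
    findings = []
    for ts, user, host in logons:
        logon_time = parse_ts(ts)
        badged = any(
            badge_user == user
            and timedelta(0) <= logon_time - parse_ts(badge_ts) <= window
            for badge_ts, badge_user, _door in badges
        )
        if not badged:
            findings.append((ts, user, host))
    return findings


def out_of_hours_badges(badges, start=WORK_START_HOUR, end=WORK_END_HOUR):
    """Return badge reads whose hour falls outside the assumed normal working hours."""
    return [
        (ts, user, door)
        for ts, user, door in badges
        if not start <= parse_ts(ts).hour < end
    ]
```

Logons made remotely (for example over a VPN) have no matching badge read, so they need to be excluded or handled separately before the first check is used for alerting.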

Extending cybersecurity to connected devices used for physical security is an important way for organizations to maximize their operational efficiency and security. NHS Trusts can increase their overall security posture by ingesting data from access control and physical security systems.

At Apto, we have assisted several NHS Trusts in utilizing Splunk to manage this security risk. You can learn more about securing physical access using technology by contacting us today.
