26 July 2022

Splunk in the NHS – It’s not just about online data



When we think about auditing user access, we often tend to focus on IT systems with logs providing reports on credential use, and in some cases, the geographic location of the request. However, a Full Spectrum Information Protection/Assurance approach needs to encompass more than just systems operated by a keyboard. People, Places and importantly “Paper” should be considered too.  

Physical Access Control systems have existed since the first lock and key. Modern systems that rely on proximity cards or tokens have been with us for several years. These systems invariably depend on a computerised backend to manage the users and cards that grant access to areas of the organisation.

Using an access card to open a door is not significantly different from providing a username and password to your computer at the beginning of each day. The difference is that it relies on you using the card you are issued (and noticing if you have misplaced it). There is a big push in the IT security community to enable Multifactor Authentication, which can often be thought of as:

  1. Who are you? (username) 
  2. What do you know? (password) 
  3. What do you have? (MFA token) 

But access cards deviate from this, implicitly answering questions 1 and 3 whilst skipping question 2 completely. For this reason, it is critical to have an effective monitoring program to report and manage who is opening secure doors.

This can be actioned through Splunk. Its flexible design enables it to cope with authentication events from a wide variety of data sources, including access control and physical security systems.  

One of the primary motives for reviewing this data is to fulfil DSPT requirements. These oblige NHS Trusts to understand who is accessing what, where, when and, ideally, why. It is important to recognise this as an IT challenge, as well as an HR/Security/Management/Executive problem. If your access control system generates logs (or can generate scheduled reports, for example), then adding those logs to your central security tool is advisable. It also greatly enhances the overall visibility of your Information Assurance responsibilities.

Monitoring physical access logs could highlight several scenarios. These include users logging onto computer systems without having badged in at the beginning of a shift, and access cards being used outside of normal hours or workspaces. Unusual access activity can be tracked and reported on, and importantly, can be correlated to job or business function.
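
The two scenarios above, expressed as correlation logic over constructed events. This is an added example, not code from Apto or Splunk; the field names, the 12-hour badge window and the 07:00 to 19:00 working hours are assumptions to adapt to your own access control export.

```python
from datetime import datetime, timedelta

# Constructed sample events; the fields (user, door, host, time) are assumed,
# not the schema of any particular access control product.
BADGE_EVENTS = [
    {"user": "asmith", "door": "ward-7", "time": "2022-07-25T07:52:00"},
    {"user": "bjones", "door": "pharmacy-store", "time": "2022-07-25T02:14:00"},
    {"user": "cpatel", "door": "ward-7", "time": "2022-07-24T08:01:00"},
]
LOGON_EVENTS = [
    {"user": "asmith", "host": "ws-ward7-01", "time": "2022-07-25T08:03:00"},
    {"user": "cpatel", "host": "ws-ward7-02", "time": "2022-07-25T09:30:00"},
    {"user": "dlee", "host": "ws-records-04", "time": "2022-07-25T10:15:00"},
]

def _ts(event):
    """Parse the event's ISO 8601 timestamp."""
    return datetime.fromisoformat(event["time"])

def logons_without_badge(badges, logons, window=timedelta(hours=12)):
    """Return logons with no badge-in by the same user in the preceding window."""
    badge_times = {}
    for badge in badges:
        badge_times.setdefault(badge["user"], []).append(_ts(badge))
    flagged = []
    for logon in logons:
        when = _ts(logon)
        seen = badge_times.get(logon["user"], [])
        if not any(timedelta(0) <= when - b <= window for b in seen):
            flagged.append((logon["user"], logon["host"], logon["time"]))
    return flagged

def out_of_hours_badges(badges, start_hour=7, end_hour=19):
    """Return card reads outside the assumed normal working hours."""
    return [(b["user"], b["door"], b["time"]) for b in badges
            if not start_hour <= _ts(b).hour < end_hour]

if __name__ == "__main__":
    for row in logons_without_badge(BADGE_EVENTS, LOGON_EVENTS):
        print("logon without badge-in:", row)
    for row in out_of_hours_badges(BADGE_EVENTS):
        print("out-of-hours card use:", row)
```

Remote and VPN logons will show up as logons without a badge-in, so filter to on-site workstations before alerting on the first check.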

Extending cybersecurity to connected devices used for physical security has been highlighted as an important way that organisations can maximise their operational efficiency and security. Ingesting data from access control and physical security systems is an easy way in which NHS Trusts could increase their overall security posture.

At Apto, we have worked with several NHS Trusts, helping them to utilise Splunk and manage this security risk. Learn more about securing physical access using technology by contacting us today.  
