CSA CCM LOG-12
Access Control Logs

Monitoring and logging physical access to secure areas using an auditable access control system is a critical security control. By tracking who enters sensitive spaces, when, and for what purpose, organizations can detect and respond to unauthorized access attempts. Proper physical access logging is a key component of a defense-in-depth security strategy.

Where did this come from?

This security control comes from the CSA Cloud Controls Matrix v4.0.10 - 2023-09-26, which can be downloaded at https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4. The CCM is a cybersecurity control framework for cloud computing environments, mapping to industry-accepted standards, regulations, and best practices. For more background on physical security controls, see the AWS whitepaper on physical and environmental security: https://docs.aws.amazon.com/whitepapers/latest/aws-security-whitepaper-overview/physical-and-environmental-security.html

Who should care?

This control is relevant for:

  • Datacenter operations managers responsible for securing on-premises IT infrastructure
  • Physical security teams charged with protecting sensitive facilities and assets
  • Compliance officers who must ensure and demonstrate adherence to regulatory requirements around physical security logging
  • IT security engineers integrating physical access control systems with cybersecurity monitoring tools

What is the risk?

Failure to properly log physical access to secure areas could allow attackers to gain unauthorized entry to sensitive IT systems and data. Malicious intruders could steal confidential information, install malware, disrupt operations, or cause other harm. Even accidental or unintentional physical access by personnel without proper authorization poses an insider threat. Comprehensive access logging helps mitigate these risks by providing real-time situational awareness and forensic evidence to investigate incidents.

What's the care factor?

The priority of this control depends on the sensitivity of the assets being physically secured. For core datacenter facilities housing mission-critical systems and regulated data, it is essential to implement robust access logging. The consequences of a physical breach could be severe in terms of data loss, system downtime, reputational harm, and regulatory penalties. For lower-risk environments like general office spaces, a more basic level of physical access tracking may suffice.

When is it relevant?

Physical access logging makes sense for any area containing IT systems, confidential records, valuable equipment, or other sensitive assets. It is especially important for datacenter raised floor spaces, network closets, media storage vaults, and other high-security zones. Logging may be less relevant for spaces that don't house key assets, but could still be helpful for overall situational awareness. Access logs are a common requirement for demonstrating compliance with standards like PCI DSS, HIPAA, and ISO 27001.

What are the trade-offs?

Implementing granular physical access logging requires an investment in specialized security systems like smart card readers, biometric scanners, turnstiles, and video surveillance. There are ongoing costs to securely store and review access logs. Enforcing strict entry/exit procedures can impact the productivity and mobility of personnel. Over-surveillance could be seen as invasive by employees and raise privacy concerns. Organizations must balance the security benefits against financial costs, operational friction, and cultural impact.

How to make it happen?

To implement this control:

  1. Identify sensitive areas requiring access control and monitoring. Establish secure perimeters.
  2. Deploy an electronic access control system (EACS), integrated with the employee directory, at all entry/exit points. Credential options include smart cards, mobile credentials, PINs, and biometrics.
  3. Configure the EACS to log every access attempt with timestamp, location, credential used, and result (allowed/denied). Feed these events into a central security information and event management (SIEM) platform.
  4. Implement a video surveillance system covering entry/exit points, doors, hallways, and key assets. Retain footage for at least 90 days.
  5. Establish access provisioning and deprovisioning procedures integrated with the HR system. Assign access based on job role and least privilege. Revoke access upon termination or transfer.
  6. Require multi-factor authentication for high-security zones. Enforce anti-passback to prevent credential sharing.
  7. Train personnel on access policies and incident reporting. Post signage about monitoring.
  8. Use a visitor management system to issue temporary badges, enforce escorting, and track entries.
  9. Perform periodic user access reviews to verify permissions are still appropriate. Remove stale access.
  10. Regularly audit EACS and video logs for anomalies. Investigate and respond to suspicious events.
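As an added example (not part of the CCM text or any vendor's EACS product), the following Python sketches the step 10 audit over step 3 style events: it parses constructed badge-reader records and flags anti-passback violations (step 6) and bursts of denied attempts. The CSV layout, location and badge identifiers, and thresholds are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample EACS events in a "timestamp,location,direction,badge,result"
# layout modelled on the fields step 3 asks for; not a real vendor schema.
SAMPLE_EVENTS = """\
2024-03-01T08:00:05Z,DC-HALL-A,entry,B1001,allowed
2024-03-01T08:00:09Z,DC-HALL-A,entry,B1001,allowed
2024-03-01T08:01:10Z,DC-HALL-A,entry,B2002,denied
2024-03-01T08:01:40Z,DC-HALL-A,entry,B2002,denied
2024-03-01T08:02:05Z,DC-HALL-A,entry,B2002,denied
2024-03-01T08:30:00Z,DC-HALL-A,exit,B1001,allowed
2024-03-01T12:00:00Z,DC-HALL-A,entry,B1001,allowed
"""

def parse_events(text):
    """Turn CSV lines into dicts with a real datetime so windowed checks work."""
    events = []
    for line in text.strip().splitlines():
        ts, location, direction, badge, result = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "location": location, "direction": direction,
                       "badge": badge, "result": result})
    return sorted(events, key=lambda e: e["ts"])

def detect_anomalies(events, denied_threshold=3, window=timedelta(minutes=5)):
    """Return alert strings for two EACS anomalies:
    - anti-passback: a second allowed entry to a location with no exit in between
      (a credential-sharing or tailgating indicator)
    - repeated denials: denied_threshold denials for one badge inside `window`
      (fires once, when the threshold is reached)."""
    alerts = []
    inside = set()                  # (badge, location) pairs currently inside
    denials = defaultdict(deque)    # badge -> timestamps of recent denials
    for e in events:
        key = (e["badge"], e["location"])
        if e["result"] == "allowed":
            if e["direction"] == "entry":
                if key in inside:
                    alerts.append(f"anti-passback {e['badge']} at {e['location']} {e['ts']:%H:%M:%S}")
                inside.add(key)
            else:
                inside.discard(key)
        else:
            q = denials[e["badge"]]
            q.append(e["ts"])
            while q and e["ts"] - q[0] > window:   # drop denials outside the window
                q.popleft()
            if len(q) == denied_threshold:
                alerts.append(f"repeated-denials {e['badge']} at {e['location']} {e['ts']:%H:%M:%S}")
    return alerts
```

In a SIEM the same two rules would be expressed as a stateful correlation over the badge and location fields; the entry/exit pairing is what makes the anti-passback check possible, so readers on both sides of a door matter.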

What are some gotchas?

Some common challenges when deploying physical access logging:

  • Legacy access control systems may not support granular logging or SIEM integration. An upgrade may be needed.
  • Logging solutions must comply with employee privacy regulations like GDPR. Get legal signoff.
  • EACS and surveillance systems require ongoing maintenance, patching, and testing to stay operational. Budget accordingly.
  • The EACS admin role is highly privileged and should use a separate account (e.g. a break-glass account) with MFA and logging. See AWS IAM best practices: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
  • Access logs and video footage take up a lot of storage. Use compression and cold tiering to optimize costs.
  • Physical security systems have become popular targets for hackers. Lock down configurations, segment networks, keep software updated, and monitor for IoT threats.

What are the alternatives?

  • Unstaffed entry points can use mechanical locks and keys instead of EACS, but this provides minimal logging and is harder to manage at scale.
  • A basic EACS without integration to identity systems is better than nothing, but less secure and efficient than a modernized setup.
  • Mobile app-based access credentials are more convenient and affordable than physical badges/fobs, but introduce new attack surfaces.
  • A SIEM is ideal for aggregating and correlating access logs, but manual log review can suffice for small deployments.
