|For many companies, the current state of their access control infrastructure is best described as being fractured|
For many companies, the current state of their access control infrastructure is best described as being fractured. Multiple disparate physical and logical access control systems and cumbersome manual processes are all too common. Standardizing one system throughout a company might address part of the problem, but replacing multiple systems may require large amounts of capital.
A long-term access control issue for any company how to manage its identities. It is important to ensure that individuals only have permission to enter authorized areas, both for the sake of security and compliance. With large numbers of employees, geographically distributed campuses and ever-changing authority levels, keeping permissions current is an important issue to address. Sophisticated identity management software can enable a single identity to be created for each individual across any organization. Integrating physical security systems with logical security systems creates software which can ensure synchronized and policy-based on-/off-boarding of identities.
Identity management challenges and opportunities
Although effectively managing identity can be a challenge, it also provides many opportunities for any organization. These include enabling human resource and LDAP-format databases to connect instantly with physical access control systems and to receive real-time reports across any number of physical access control systems. It is also possible to manage badge/credentialing systems more efficiently and to track visitors and third-party contractors and link them to an internal identity. Other new opportunities include the ability to correlate identities with alarms and events and to grant access based on a risk profile of an identity or location. Access can also be granted based on training or other special requirements.
...effectively managing identity can be a challenge, but it also provides many opportunities for any organization
All types of identities can be managed with advanced software, including permanent and temporary employees, contractors, service providers and vendors. Users can manage details of a physical identity, such as biographic and biometric information, the results of security checks and historical usage. Software also enables various access levels to be assigned to an identity across multiple physical access control systems and can specify details such as time of scheduled access.
An urgent termination feature can allow authorized personnel to immediately deny physical access. In addition to aggregating access level information from various systems, the administrator can manage details such as risk level, area owner, multiple approvers and prerequisites for access, such as training. The system can also provide audit trails of all transactions.
From a risk perspective, automated identity management systems enable organizations to lower liability and maximize protection of assets. Furthermore, systems promote standardization within a security organization and implementation of best practices.
Cost is another important benefit. A unified, software-based approach to identity management reduces the need for labor-intensive and repetitive processes.
Regulatory compliance needs incentivize effective identity management
|Keeping permissions current is an important issue to address|
A proliferation of regulatory requirements provides an additional incentive to manage identities more effectively. End-user companies are subject to a growing number of regulations that require verification of identities and access to facilities and information. For example, all corporate entities are subject to Sarbanes-Oxley compliance, which requires management of user identities and access to information while ensuring its integrity. Vertical markets have their own specific regulations, such as the CFATS, anti-terrorism requirements of the petrochemical industry, Gramm-Leach-Bliley which protects information in the finance arena, HIPAA privacy rules for healthcare and NERC/FERC security regulations in the energy sector. Governments face compliance with FIPS 201/HSPD-12 credentialing requirements and airports are regulated by TSA. Banking companies seek to comply with Basel II requirements that include risk management and pharmaceutical companies are regulated by the Drug Enforcement Administration. Centralized identity management systems allow managers to easily monitor regulatory infractions and proactively enforce security policies and rules.
Software systems enable compliance initiatives to be automated in real time to create a transparent, traceable and repeatable global process to manage governance and compliance. To comply with regulations takes strict governance of security controls across both physical and IT infrastructures and management of risk on a holistic level.