Making the Choice - Fixed costs, customized solutions and user convenience - determining factors in buying physical identity and access management

Making the Choice

Fixed costs, customized solutions and user convenience - determining factors in buying physical identity and access management

Making the ChoiceThe migration of physical security technology to a network platform has made it easier and more convenient for organizations to integrate the various modalities of physical security into a unified configuration to better safeguard their employees, visitors, premises and material/intellectual property. Open architecture further enables central control of the various security systems on a single platform, providing higher levels of operational efficiency across the enterprise as well as improved standardization of policies and procedures.

Similar operational benefits have been achieved from advanced physical identity and access management (PIAM) software solutions that allow security identities to be managed and streamlined across disparate physical security systems within an organization by creating a single identity for each individual across all physical security systems. Integrating physical with logical systems, the software can ensure synchronized and policy-based on- and off-boarding of identities and their physical access levels across multiple security systems.

With increasing frequency, enterprise-wide physical identity and access management software systems are playing key roles in organizational strategy. Physical identity and access management software is a ready-made solution for organizations looking to upgrade and enhance their physical security strategies, remain compliant with requirements mandated by various regulations or integrate and maintain alignment with security policies during and after a corporate consolidation.

To Build or Buy

Without question, PIAM software is an effective tool that can readily address multiple challenges where improving efficiencies through identity management is needed. The uncertainty arises when making the decision as to whether a PIAM software package that addresses compliance, operational and quality needs should be developed internally or purchased as a commercial, off-the-shelf (COTS) solution.

The appeal of building an in-house, custom application is often founded on the belief that company processes, business challenges and unique needs are better understood within an organization, rather than by an outside vendor. The solution can be developed more accurately and less expensively.

Conversely, many identity management issues and requirements are similar in nature, and it will save time, and potentially costs, to purchase a COTS package developed by a more specialized software developer.

Understanding the differences between these two approaches can yield significant benefits, but it’s not an easy choice to make. There are, however, three key areas that should be considered when making the choice between an in-house developed solution and a COTS package:

Cost. If considering an in-house developed solution, costs must include the time-intensive process of developing the outline/application, assigning personnel and determining charge-back costs for development, testing and support. Because of the nature and complexity of the PIAM application, the development must take into consideration workflow that integrates a variety of business system processes as well as the integration between existing hardware and/or software systems. For example, when one set of privileges changes, whether physical or logical, that alteration must trigger automatic, complementary revisions in other sets.

With regard to the development team, assignment of personnel is dependent upon the technology resource pool and their experience with this platform. The team may have to be expanded to include personnel with expertise in specific business processes.

Based on these drawbacks, recent trends indicate that organizations are no longer looking within to create and maintain the custom applications that address large scale identity management needs, but rather are turning to external, professional resources that offer application-targeted solutions built on best practices and with a proven track record.

Unlike an in-house developed software program, costs for COTS solutions can be negotiated and determined up front. Any additions or custom developments can be quantified prior to the start of the project, and a schedule for incremental upgrades or changes can be identified for budgeting purposes. In addition, COTS solutions usually provide a better ROI over the long term based on more robust features, greater reliability and the ability to scale at a lower cost than an in-house solution.

Customization. In many organizations and vertical industries, regulatory compliance is the impetus for instituting an identity management program. For example, corporations subject to the Sarbanes-Oxley Act require stringent management of user identities and access to information while ensuring system integrity. The CFATS rule governs the petrochemical industry, while the Gramm-Leach-Bliley Privacy Act protects information in the finance arena. In other areas, NERC/FERC security regulations govern the energy sector, and HIPAA privacy rules are enforced in healthcare. Banks need to comply with the Basel Committee on Banking Supervision, and pharmaceutical companies are regulated by the Drug Enforcement Agency. Government agencies perhaps face the greatest need for compliance, including FIPS 201/ HSPD-12 credentialing requirements and TSA regulations for airports.

Custom solutions that are in compliance with mandated access control requirements are more readily available from vendors who understand the requirements from both the business/regulation side and the technical side. The work is done, built into the application, and in most instances, the software program will meet the customer’s requirements out of the box.

Convenience. Operation and use of PIAM software must easily and readily include the capability to manage all types of identities including permanent and temporary employees, contractors, service providers and vendors. It should be an easy and straightforward process to manage details of a physical identity, such as biographic and biometric information, as well as results of security checks and historical usage. In addition to aggregating access level information from various systems, PIAM software should encompass details such as risk level, area owner, multiple approvers and prerequisites for access, while providing audit trails of all transactions. These features, and other proven system amenities, make implementation and use of COTS software more convenient than a homegrown solution.

The ideal COTS solution will take cost, customization and convenience into account, as Quantum Secure did when we created our policy-driven SAFE software suite. We believe a COTS solution should be designed to connect disparate physical security, IT and operational systems, automate manual security processes around contractors and reduce both costs and risks.

The host of applications provided to automate physical security system functions must include physical identity management, role-based access, self-service administration, identity/event correlation and reporting. Control should be provided through a single, Web-based interface that is easy to manage and use.

A properly designed and engineered COTS solution, for physical access and identity management, will be the more cost effective solution every time.

This article originally appeared in the February 2014 issue of Security Today.

Featured

Featured Cybersecurity

Webinars

New Products

  • Camden CM-221 Series Switches

    Camden CM-221 Series Switches

    Camden Door Controls is pleased to announce that, in response to soaring customer demand, it has expanded its range of ValueWave™ no-touch switches to include a narrow (slimline) version with manual override. This override button is designed to provide additional assurance that the request to exit switch will open a door, even if the no-touch sensor fails to operate. This new slimline switch also features a heavy gauge stainless steel faceplate, a red/green illuminated light ring, and is IP65 rated, making it ideal for indoor or outdoor use as part of an automatic door or access control system. ValueWave™ no-touch switches are designed for easy installation and trouble-free service in high traffic applications. In addition to this narrow version, the CM-221 & CM-222 Series switches are available in a range of other models with single and double gang heavy-gauge stainless steel faceplates and include illuminated light rings. 3

  • A8V MIND

    A8V MIND

    Hexagon’s Geosystems presents a portable version of its Accur8vision detection system. A rugged all-in-one solution, the A8V MIND (Mobile Intrusion Detection) is designed to provide flexible protection of critical outdoor infrastructure and objects. Hexagon’s Accur8vision is a volumetric detection system that employs LiDAR technology to safeguard entire areas. Whenever it detects movement in a specified zone, it automatically differentiates a threat from a nonthreat, and immediately notifies security staff if necessary. Person detection is carried out within a radius of 80 meters from this device. Connected remotely via a portable computer device, it enables remote surveillance and does not depend on security staff patrolling the area. 3

  • Compact IP Video Intercom

    Viking’s X-205 Series of intercoms provide HD IP video and two-way voice communication - all wrapped up in an attractive compact chassis. 3