Seven Superior Steps

Enterprises are challenged with having to deal with many categories of identities who need access to myriad of systems and resources that could be geographically dispersed across locations

Today’s instant economy requires that more of a company’s business processes be open to external stakeholders. Employees, contractors, vendors, partners, service providers and visitors all need access to particular assets, facilities and resources within the enterprise. But how much access is too much? And, if granted, how much risk is the company taking? To ensure that commercial transactions and internal operations remain up and running at all times, successful and secure enterprises track the individuals in each of these classes as identities.

MANAGE AN IDENTITY

Most organizations today rely on the corporate security department to manage policies on how much physical access to facilities zones and assets should be granted to each identity. Separately, the IT department manages access to the information systems. Regardless of the diligence of these departments, changes to the status of individuals is rarely correlated on a timely basis between the IT and physical security data silos. Full-time employees may leave the company, change jobs or move to new locations. Contractors may become permanent employees, complete their projects or be replaced. There is seldom an integrated and up-to-date profile on how much access has been granted and what happens when an individual’s status, class or category changes.

The added dimension of constant changes in the workforce, or the types of individuals needing short term temporary access makes it a lot harder to manage. Often times these processes are disjointed and decentralized making it impossible for business managers to know how much risk the organization is taking. Unbeknownst to managers granting access in one area of the company, they may potentially create huge risks in another part of the company.

ORGANIZATIONAL SILOS CREATE RISK

The majority of today’s key business processes are automated. IT manages the underlying applications for these processes. Security practices relating to application and database access and authorization are tracked by IT security personnel. However, this tracking is rarely coordinated with physical security staffs who are tasked with protecting the facilities and physical assets and who are responsible for managing building access. Further, there is often a lag before status changes noted in HR systems are reflected in IT and physical security systems. Here lies vulnerability. Imagine a disgruntled employee in a two-week termination notice period. The employee may access the data center outside their normal hours and systematically download more information in one night, to an external drive, than they ever had in the prior two years. This often repeated scenario can trigger potentially devastating damage to the company from loss of data, trade secrets or confidential information. Detecting such an event, much less preventing it, is very difficult without correlating the employee’s activity across the information systems, the physical access control (badge access systems) and HR management systems.

Today’s top threats in the workplace can be linked to a lack of integrated identity systems that extend across the enterprise.

THE NEED FOR A HOLISTIC IDENTITY MANAGEMENT SOLUTION - MANAGING SECURITY ACROSS MANY STAKEHOLDERS

Many enterprise functions, from HR to finance to parking, are tasked with ensuring security. However, few are enabled to do so, or feel that it is someone else’s responsibility.

Examples of user/stakeholder functions are generally impacted by security decisions. All these enterprise functions need to access a variety of systems to accomplish their tasks. Some of these systems are managed by IT, some are managed by corporate security, and others are managed by operations. The systems have been established over time to efficiently perform the tasks for which they are responsible. Obviously, someone that is a visitor to an organization is not going to get carte blanche access to all the areas inside the corporate facilities.

Similarly, we do not want to grant contractors, who are on short term assignments, permanent access to facilities. Since many organizations deal with these actions manually, the policies within the same company about who can access what types of systems or facilities often vary from site to site. Policies not applied uniformly lead to higher risk.

PHYSICAL IDENTITY AND ACCESS MANAGEMENT (PIAM)

PIAM software has evolved to resolve these issues, delivering a solution that addresses the entire extended enterprise. This Physical Identity Management software must deliver capabilities beyond just onboarding and offboarding. Modern and effective PIAM software must be comprised of four key building blocks:

Basic PIAM capabilities: Converged logical-physical on-boarding and offboarding.

  • Self-service access request handling: extending the capabilities across the enterprise.
  • Access certification and audit of access granted: Is it still relevant and still secure.
  • Identity intelligence: learning access patterns over time and identifying anomalies.

SEVEN STEPS TO AN EFFECTIVE PIAM STRATEGY

In addition to taking stock of all the existing applications and systems that need to be integrated, there is the organization challenge of bridging cultural gaps across various departmental entities within the same organization. Many of these entities, until now, did not have to consider the impact of security decisions on other departments.

A seven-step approach streamlines the process of deploying Physical Identity and Access Management. Each step is a unique capability that differentiates AlertEnterprise from all other providers in the market.

STEP 1: USE THE MOST STREAMLINED IT-PHYSICAL ACCESS CONTROL INTEGRATION

A modern PIAM solution delivers a bundle of features includes a comprehensive Corporate Badging solution to leverage a dynamic connector framework for realtime integration with multiple Physical Access Control Systems (PACS) such as Lenel, Honeywell, AMAG and many others.

Additionally, full integration with IT applications from Microsoft, SAP, Oracle and many others delivers reliable and secure data transfer with HR, Identity Management, Directory Services (Active Directory, LDAP, etc.). OT integration enables access assignment and monitoring across various SCADA/Industrial Control Systems, providing complete IT-OT-Physical convergence.

This capability enables full control of the target PACS systems including Create Badge, Disable Badge, Print Badge, and Badge Designer functionality. Additional capabilities of assigning roles-based area access and door-by-door access authorization, regardless of the PACS vendor make the PIAM software a powerful tool for operational security.

PIAM capabilities include:

  • Support for all major access control vendors
  • Built-in integration with directory services like AD and LDAP
  • Perfect integration with enterprise applications like HR, IAM and others

STEP 2: EXTEND IDENTITY MANAGEMENT AND IDENTITY GOVERNANCE BEYOND IT

A fully converged solution enables corporations to manage identities for employees, contractors and visitors, while providing complete identity governance capabilities, together with management of IT and OT roles, and Physical Access Authorizations. A full identity lifecycle can be managed, along with role-based access assignments, workflow automation, access certifications and transaction authorizations. Unified “Area Administrator,” User Self-Service and Delegated Administration views further enhance the feature set.

Key capabilities include:

  • Common identity for logical and physical identities
  • Identity lifecycle management with automated workflow
  • Access certification and authorization: logical and physical
  • Contractor management and visitor management capabilities
  • IT roles, OT roles and physical access authorizations

STEP 3: LEVERAGE BUILT-IN COMPLIANCE AND ACTIVE POLICY ENFORCEMENT

A built-in controls repository houses controls for compliance with multiple regulations and company policies. Automatic verification of training and background certification allows rules to be enforced. In the event requirements are not met, physical access can be automatically revoked.

Compliance and Active Policy Enforcement features enable organizations to meet regulatory requirements easily. In addition, organizations can now easily enable roles-based and individual user-based access to critical assets based on user profile attributes. Most PIAM solutions lack this capability.

Key capabilities include:

  • Regulatory compliance requirements
  • Validate training and certification systems
  • Roles-based access to critical assets—dynamic update upon role change

Automated notifications allows the software to ascertain if requested access meets regulatory compliance or company policy requirements, and then notify security managers.

STEP 4: PLAN FOR ENTERPRISE SCALABILITY AND GLOBAL DEPLOYMENT

PIAM software needs to be designed to scale to hundreds of thousands for users for large enterprises and government applications. A major government agency uses our software worldwide to globalize their deployment, cover eighteen time zones across the globe and unify security policies across 200 countries. Our solution is fully scalable, and supports geographically dispersed deployments.

High availability as well as enterprise fail-over and backup capabilities rely on the most flexible technology architecture for an enterprise-class platform. Database, operating system and other component technologies are interchangeable and can support specific requirements that organizations may choose mandate.

Key capabilities include:

  • PACS globalization
  • Aggregated reporting
  • Powerful yet flexible technology platform

STEP 5: ENABLE IT-OT CONVERGENCE TO PROTECT CRITICAL INFRASTRUCTURE

Recent incidents such as the Target Corp. data breach and the PG&E substation physical attack have underlined the need for holistic security to close the gaps between IT and physical security of critical assets. AlertEnterprise enables organizations to fully integrate their IT systems with OT, not only for unified provisioning but also for monitoring and correlation of blended threats. IT and OT administrators should be able to easily define and enforce these policies.

IT-OT convergence delivers role-based and user-based access:

  • Roles that should have corporate access and authorizations.
  • Roles that should have sensitive area access and authorizations.
  • Roles that have OT system access, combined with IT Access..

STEP 6: BUILD RISK INTELLIGENCE RIGHT INTO YOUR PROCESS

Purpose-built Risk Analytics and Risk Management features provide capabilities not available in traditional badging solutions. AlertEnterprise can leverage user attributes, access patterns, and policy violations to calculate risk scores for individual users. Our solution automatically detects anomalies and sends alerts on exceptions. Combined with customizable reports and dashboards, and a dynamic reports designer, enterprises can leverage this capability to address hard-to-find insider threat vectors and indicators of compromise.

Key capabilities include:

  • Risk scoring attributes
  • Access behavior monitoring
  • Anomaly detection
  • High-risk individual accessing high risk area

STEP 7: SELECT CYBER-AWARE PIAM SOFTWARE

As organizations focus cybersecurity measures on protecting their network perimeters, attackers are starting to test new and previously untapped vulnerabilities in corporate armor. This often includes cyberattacks on PAC system components, and even video surveillance/CCTV systems. The next era of the hybrid attack is here and it is imperative to address the blended threats that exist across the silos of IT, OT (Operational Technology, SCADA, ICS and IoT) and Physical Security. Consequently, enterprises are increasingly concerned about their PACS being vulnerable to cyberattacks.

Key capabilities include:

  • Monitor PACS privileged user or administrator activity
  • Alerting on unauthorized configuration changes
  • Alerting when badges or identities are created in the PACS back end bypassing standard procedures.

ADDITIONAL STEPS

Implementing a converged logical and physical security solution can be a complex task with many moving parts. It is important to select a solution that can address all of the seven steps outlined above. Having a solution that will scale to the needs of the enterprise is key to future proofing your security.

ENTERPRISE CONSOLIDATION OF PHYSICAL ACCESS CONTROL

Many large enterprises, multinational corporations and government institutions operate multiple facilities that include owned buildings, leased properties and plant operations that extend across cities, states and countries. Many of these facilities operate Physical Access Control Systems that were procured over long periods of time, owned by landlords, or acquired as a result of company mergers.

Guardian Physical from Alert Enterprise is a PIAM software solution designed to meet all the criteria outlined here. It establishes a common operating environment and extends all the benefits of common identity management across multiple PACS, buildings and geographies. It uniquely leverages all existing access control systems by overcoming limits on the number of users a system can support and by converting native systems to completely scalable enterprise systems with common provisioning and reporting across systems and multiple vendors.

This article originally appeared in the March 2016 issue of Security Today.

Featured

Featured Cybersecurity

Webinars

New Products

  • 4K Video Decoder

    3xLOGIC’s VH-DECODER-4K is perfect for use in organizations of all sizes in diverse vertical sectors such as retail, leisure and hospitality, education and commercial premises. 3

  • FEP GameChanger

    FEP GameChanger

    Paige Datacom Solutions Introduces Important and Innovative Cabling Products GameChanger Cable, a proven and patented solution that significantly exceeds the reach of traditional category cable will now have a FEP/FEP construction. 3

  • EasyGate SPT and SPD

    EasyGate SPT SPD

    Security solutions do not have to be ordinary, let alone unattractive. Having renewed their best-selling speed gates, Cominfo has once again demonstrated their Art of Security philosophy in practice — and confirmed their position as an industry-leading manufacturers of premium speed gates and turnstiles. 3