Seven Superior Steps
Enterprises must manage many categories of identities that need access to a myriad of systems and resources, often dispersed across geographic locations.
Today’s instant economy requires that more of a company’s business
processes be open to external stakeholders. Employees, contractors,
vendors, partners, service providers and visitors all need access to
particular assets, facilities and resources within the enterprise. But
how much access is too much? And, if granted, how much risk is the
company taking? To ensure that commercial transactions and internal operations
remain up and running at all times, successful and secure enterprises track the
individuals in each of these classes as identities.
MANAGE AN IDENTITY
Most organizations today rely on the corporate security department to manage
policies on how much physical access to facilities zones and assets should be granted
to each identity. Separately, the IT department manages access to the information
systems. Regardless of the diligence of these departments, changes to the status
of individuals are rarely correlated on a timely basis between the IT and physical
security data silos. Full-time employees may leave the company, change jobs or
move to new locations. Contractors may become permanent employees, complete
their projects or be replaced. There is seldom an integrated and up-to-date profile
on how much access has been granted and what happens when an individual’s
status, class or category changes.
Constant change in the workforce, and the variety of individuals needing short-term
temporary access, make this much harder to manage. These processes are often
disjointed and decentralized, so business managers cannot know how much risk the
organization is taking. Managers granting access in one area of the company may,
without knowing it, create serious risks in another part of the company.
ORGANIZATIONAL SILOS CREATE RISK
The majority of today’s key business processes are automated. IT manages the underlying
applications for these processes. Security practices relating to application
and database access and authorization are tracked by IT security personnel. However,
this tracking is rarely coordinated with the physical security staff who are tasked
with protecting the facilities and physical assets and who are responsible for managing
building access. Further, there is often a lag before status changes recorded in HR
systems are reflected in IT and physical security systems. That lag is the vulnerability.
Imagine a disgruntled employee in a two-week termination notice period. The
employee may access the data center outside their normal hours and systematically
download more information in one night, to an external drive, than they ever had
in the prior two years. This often-repeated scenario can cause devastating damage
to the company through loss of data, trade secrets or confidential information.
Detecting such an event, much less preventing it, is very difficult without
correlating the employee’s activity across the information systems, the physical
access control (badge access systems) and HR management systems.
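The correlation described above can be written down as a concrete detection. The following is an added example, not AlertEnterprise code or any vendor's product logic: it joins three constructed feeds (an HR termination-notice record, PACS badge events and a DLP/endpoint export of bytes written to removable media) and flags an identity only when all three signals line up, namely a notice period on file, an after-hours entry to a data-center door, and egress that night far above that person's own daily baseline. Door ids, field layouts, the 14-day notice period, the 07:00 to 19:00 working day and the 10x threshold are all assumptions. The same baseline-and-anomaly logic is what the access-behavior monitoring in Step 6 later in the article relies on.

```python
"""Correlate HR status, badge (PACS) events and endpoint data-transfer logs to
flag the insider scenario described above. Added example, not AlertEnterprise
code; all records below are constructed sample data and the field layouts are
assumptions about what an HR feed, a PACS audit log and a DLP agent export."""
from collections import defaultdict
from datetime import datetime, timedelta

NOTICE_DAYS = 14             # length of the termination notice period (assumed)
EGRESS_MULTIPLIER = 10.0     # flag a day that moves more than 10x the daily baseline
SENSITIVE_DOORS = {"DC-01"}  # door ids guarding the data center (assumed)

# Constructed HR feed: employee id -> last working day, or None if no notice given.
HR_STATUS = {
    "e1001": {"termination_date": "2016-03-18"},
    "e1002": {"termination_date": None},
}

# Constructed PACS events: (employee id, local timestamp, door id, access granted).
BADGE_EVENTS = [
    ("e1001", "2016-03-08 09:02", "LOBBY", True),
    ("e1001", "2016-03-10 23:41", "DC-01", True),   # after hours, inside notice period
    ("e1002", "2016-03-10 22:15", "DC-01", True),   # after hours, but no notice on file
]

# Constructed DLP/endpoint export: (employee id, local timestamp, bytes to removable media).
TRANSFER_EVENTS = [
    ("e1001", "2016-03-01 10:00", 50_000_000),
    ("e1001", "2016-03-02 11:00", 40_000_000),
    ("e1001", "2016-03-03 15:00", 60_000_000),
    ("e1001", "2016-03-10 23:55", 9_000_000_000),   # 9 GB on the night in question
    ("e1002", "2016-03-10 22:30", 100_000_000),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def in_notice_period(emp, when, hr=HR_STATUS):
    """True if `when` falls inside the employee's final NOTICE_DAYS before termination."""
    term = hr.get(emp, {}).get("termination_date")
    if not term:
        return False
    last_day = datetime.strptime(term, "%Y-%m-%d")
    return last_day - timedelta(days=NOTICE_DAYS) <= when < last_day + timedelta(days=1)


def after_hours(when):
    """Outside 07:00-19:00 on a weekday, or any time on a weekend (assumed schedule)."""
    return when.weekday() >= 5 or when.hour < 7 or when.hour >= 19


def daily_egress(emp, transfers=TRANSFER_EVENTS):
    """Bytes moved to removable media per calendar day for one employee."""
    per_day = defaultdict(int)
    for e, ts, nbytes in transfers:
        if e == emp:
            per_day[parse_ts(ts).date()] += nbytes
    return per_day


def correlate(badge_events=BADGE_EVENTS, transfers=TRANSFER_EVENTS, hr=HR_STATUS):
    """Return one finding per after-hours sensitive-door entry by someone in a
    notice period whose egress that day dwarfs their own historical baseline."""
    findings = []
    for emp, ts, door, granted in badge_events:
        when = parse_ts(ts)
        if not (granted and door in SENSITIVE_DOORS and after_hours(when)):
            continue                                  # physical signal absent
        if not in_notice_period(emp, when, hr):
            continue                                  # HR signal absent
        per_day = daily_egress(emp, transfers)
        that_day = per_day.get(when.date(), 0)
        history = [b for d, b in per_day.items() if d < when.date()]
        baseline = sum(history) / len(history) if history else 0.0
        if that_day > EGRESS_MULTIPLIER * baseline:   # IT signal present
            findings.append({
                "employee": emp, "door": door, "time": ts,
                "egress_bytes": that_day, "baseline_bytes": baseline,
                "ratio": that_day / baseline if baseline else float("inf"),
            })
    return findings


if __name__ == "__main__":
    for f in correlate():
        print(f"ALERT {f['employee']} entered {f['door']} at {f['time']}: "
              f"{f['egress_bytes']:,} bytes egress, {f['ratio']:.0f}x baseline")
```

Run stand-alone it reports only e1001: e1002 also badged into the data center late, but with no termination notice in HR that entry is routine on-call work, and without the HR feed the two would be indistinguishable. In production the three feeds would come from the HR system, the PACS and the endpoint agent rather than in-line constants, and the baseline would be computed over a longer window than three days.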
Today’s top threats in the workplace can be linked to a lack of integrated identity
systems that extend across the enterprise.
THE NEED FOR A HOLISTIC IDENTITY MANAGEMENT SOLUTION -
MANAGING SECURITY ACROSS MANY STAKEHOLDERS
Many enterprise functions, from HR to finance to parking, are tasked with ensuring
security. However, few are equipped to do so, or they assume it is someone else's
responsibility.
These user and stakeholder functions are all affected by security decisions.
All of these enterprise functions need to access a variety of systems to
accomplish their tasks. Some of these systems are managed by IT, some are managed
by corporate security, and others are managed by operations. The systems
have been established over time to efficiently perform the tasks for which they are
responsible. Obviously, a visitor to an organization is not going to get carte
blanche access to all areas inside the corporate facilities.
Similarly, we do not want to grant contractors who are on short-term assignments
permanent access to facilities. Since many organizations deal with these actions
manually, the policies within the same company about who can access what
types of systems or facilities often vary from site to site. Policies not applied uniformly
lead to higher risk.
PHYSICAL IDENTITY AND ACCESS MANAGEMENT (PIAM)
PIAM software has evolved to resolve these issues, delivering a solution that addresses
the entire extended enterprise. This Physical Identity Management software
must deliver capabilities beyond just onboarding and offboarding.
Modern and effective PIAM software must comprise four key building blocks:
- Basic PIAM capabilities: converged logical-physical onboarding and offboarding.
- Self-service access request handling: extending the capabilities across the enterprise.
- Access certification and audit of access granted: is it still relevant and still secure?
- Identity intelligence: learning access patterns over time and identifying anomalies.
SEVEN STEPS TO AN EFFECTIVE PIAM STRATEGY
In addition to taking stock of all the existing applications and systems that need to
be integrated, there is the organizational challenge of bridging cultural gaps across
the various departments within the same organization. Many of these departments,
until now, did not have to consider the impact of their security decisions on other
departments.
A seven-step approach streamlines the process of deploying Physical Identity
and Access Management. Each step is a unique capability that differentiates AlertEnterprise
from all other providers in the market.
STEP 1: USE THE MOST STREAMLINED IT-PHYSICAL
ACCESS CONTROL INTEGRATION
A modern PIAM solution delivers a bundle of features that includes a comprehensive
Corporate Badging solution built on a dynamic connector framework for real-time
integration with multiple Physical Access Control Systems (PACS) such as
Lenel, Honeywell, AMAG and many others.
Additionally, full integration with IT applications from Microsoft, SAP, Oracle
and many others delivers reliable and secure data transfer with HR, Identity
Management and Directory Services (Active Directory, LDAP, etc.). OT integration
enables access assignment and monitoring across SCADA and Industrial Control
Systems, providing complete IT-OT-Physical convergence.
This capability enables full control of the target PACS, including Create
Badge, Disable Badge, Print Badge and Badge Designer functionality. The additional
capabilities of assigning role-based area access and door-by-door access authorization,
regardless of the PACS vendor, make the PIAM software a powerful tool
for operational security.
PIAM capabilities include:
- Support for all major access control vendors
- Built-in integration with directory services like AD and LDAP
- Integration with enterprise applications such as HR, IAM and others
STEP 2: EXTEND IDENTITY MANAGEMENT AND IDENTITY
GOVERNANCE BEYOND IT
A fully converged solution enables corporations to manage identities for employees,
contractors and visitors, while providing complete identity governance
capabilities, together with management of IT and OT roles, and Physical Access
Authorizations. A full identity lifecycle can be managed, along with role-based
access assignments, workflow automation, access certifications and transaction
authorizations. Unified “Area Administrator,” User Self-Service and Delegated
Administration views further enhance the feature set.
Key capabilities include:
- Common identity for logical and physical identities
- Identity lifecycle management with automated workflow
- Access certification and authorization: logical and physical
- Contractor management and visitor management capabilities
- IT roles, OT roles and physical access authorizations
STEP 3: LEVERAGE BUILT-IN COMPLIANCE AND ACTIVE
POLICY ENFORCEMENT
A built-in controls repository houses controls for compliance with multiple regulations
and company policies. Automatic verification of training and background-check
certification allows those rules to be enforced: if the requirements are not met,
physical access can be revoked automatically.
Compliance and Active Policy Enforcement features enable organizations to
meet regulatory requirements easily. In addition, organizations can enable
role-based and individual user-based access to critical assets based on user
profile attributes. Most PIAM solutions lack this capability.
Key capabilities include:
- Controls mapped to regulatory compliance requirements
- Validation against training and certification systems
- Role-based access to critical assets, dynamically updated on role change
The software automatically checks whether requested access meets regulatory
compliance or company policy requirements, and then notifies security
managers.
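What "active policy enforcement" means in practice is an attribute check that runs continuously against every grant, not only at request time. The block below is an added example written for this article, not AlertEnterprise code: each area carries a policy (required training courses, maximum age of the background check, permitted roles), each identity carries attributes as an HR or learning-management feed would supply them, and `reconcile()` re-evaluates every provisioned grant and returns the ones to revoke, with the reasons a security manager would be notified of. The area names, course codes, seven-year background-check limit, the identities and the grants are all constructed; `with_role()` simulates the HR role change that the "dynamic update upon role change" bullet refers to.

```python
"""Attribute-based policy check for physical access: an area policy lists the
training, background-check recency and roles it requires, and every current
grant is re-evaluated against the identity's attributes so expired training
or a role change produces an automatic revocation. Added example, not
AlertEnterprise code; policies, identities and grants are constructed and
the attribute names are assumptions."""
from datetime import date, timedelta

AS_OF = date(2016, 3, 15)   # evaluation date used by the usage below

# Constructed area policies. roles=None means any role; a None max age means no check required.
AREA_POLICIES = {
    "SUBSTATION-7": {"training": ["NERC-CIP-004"], "bg_check_max_age_days": 7 * 365,
                     "roles": {"field_tech", "ot_engineer"}},
    "DC-01":        {"training": ["DC-SAFETY"], "bg_check_max_age_days": 7 * 365,
                     "roles": {"dc_ops", "ot_engineer"}},
    "LOBBY":        {"training": [], "bg_check_max_age_days": None, "roles": None},
}

# Constructed identity profiles as an HR/LMS feed might supply them (training -> expiry date).
IDENTITIES = {
    "e1001": {"role": "ot_engineer",
              "training": {"NERC-CIP-004": "2016-01-15", "DC-SAFETY": "2017-02-01"},
              "background_check": "2012-06-01"},
    "c2001": {"role": "field_tech",
              "training": {"NERC-CIP-004": "2016-06-30"},
              "background_check": "2007-03-01"},
    "v3001": {"role": "visitor", "training": {}, "background_check": None},
}

# Constructed list of access currently provisioned in the PACS: (identity, area).
CURRENT_GRANTS = [
    ("e1001", "SUBSTATION-7"), ("e1001", "DC-01"),
    ("c2001", "SUBSTATION-7"),
    ("v3001", "LOBBY"), ("v3001", "DC-01"),
]


def evaluate(ident_id, area, as_of=AS_OF, identities=IDENTITIES):
    """Return (allowed, reasons); reasons is empty when every requirement is met."""
    policy, ident = AREA_POLICIES[area], identities[ident_id]
    reasons = []
    if policy["roles"] is not None and ident["role"] not in policy["roles"]:
        reasons.append(f"role '{ident['role']}' not permitted in {area}")
    for course in policy["training"]:
        expiry = ident["training"].get(course)
        if expiry is None:
            reasons.append(f"missing training {course}")
        elif date.fromisoformat(expiry) < as_of:
            reasons.append(f"training {course} expired on {expiry}")
    max_age = policy["bg_check_max_age_days"]
    if max_age is not None:
        done = ident["background_check"]
        if done is None:
            reasons.append("no background check on file")
        elif as_of - date.fromisoformat(done) > timedelta(days=max_age):
            reasons.append(f"background check from {done} older than {max_age} days")
    return (not reasons, reasons)


def reconcile(grants=CURRENT_GRANTS, as_of=AS_OF, identities=IDENTITIES):
    """Re-check every existing grant; return [(identity, area, reasons)] to revoke."""
    revocations = []
    for ident_id, area in grants:
        allowed, reasons = evaluate(ident_id, area, as_of, identities)
        if not allowed:
            revocations.append((ident_id, area, reasons))
    return revocations


def with_role(ident_id, new_role, identities=IDENTITIES):
    """Copy of the identity table with one role changed (simulates an HR role update)."""
    updated = {k: dict(v) for k, v in identities.items()}
    updated[ident_id]["role"] = new_role
    return updated


if __name__ == "__main__":
    for ident_id, area, reasons in reconcile():
        print(f"REVOKE {ident_id} @ {area}: " + "; ".join(reasons))
    print("after role change:", reconcile(identities=with_role("e1001", "finance")))
```

The point of returning the reasons alongside the revocation is that the notification to the security manager and the audit trail both need them; a bare "access removed" message is exactly the kind of event the physical and IT silos today cannot explain to each other. Moving e1001 to a finance role is enough to drop the data-center grant even though the safety training is still current, which is the behaviour the role-change bullet describes.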
STEP 4: PLAN FOR ENTERPRISE SCALABILITY AND
GLOBAL DEPLOYMENT
PIAM software needs to be designed to scale to hundreds of thousands of users
for large enterprises and government applications. A major government agency
uses our software worldwide, covering eighteen time zones and unifying security
policies across 200 countries. Our solution is fully scalable and supports
geographically dispersed deployments.
High availability, enterprise fail-over and backup capabilities rely on
a flexible technology architecture for an enterprise-class platform. Database,
operating system and other component technologies are interchangeable and
can support specific requirements that organizations may choose to mandate.
Key capabilities include:
- PACS globalization
- Aggregated reporting
- Powerful yet flexible technology platform
STEP 5: ENABLE IT-OT CONVERGENCE TO PROTECT
CRITICAL INFRASTRUCTURE
Recent incidents such as the Target Corp. data breach and the PG&E substation
physical attack have underlined the need for holistic security to close the gaps between
IT and physical security of critical assets. AlertEnterprise enables organizations
to fully integrate their IT systems with OT, not only for unified provisioning
but also for monitoring and correlation of blended threats. IT and OT administrators
should be able to easily define and enforce these policies.
IT-OT convergence delivers role-based and user-based access:
- Roles that should have corporate access and authorizations.
- Roles that should have sensitive area access and authorizations.
- Roles that have OT system access, combined with IT access.
STEP 6: BUILD RISK INTELLIGENCE RIGHT INTO YOUR PROCESS
Purpose-built Risk Analytics and Risk Management features provide capabilities
not available in traditional badging solutions. AlertEnterprise can leverage user
attributes, access patterns, and policy violations to calculate risk scores for individual
users. Our solution automatically detects anomalies and sends alerts on
exceptions. Combined with customizable reports and dashboards and a dynamic
report designer, this capability lets enterprises address hard-to-find insider
threat vectors and indicators of compromise.
Key capabilities include:
- Risk scoring attributes
- Access behavior monitoring
- Anomaly detection
- High-risk individual accessing a high-risk area
STEP 7: SELECT CYBER-AWARE PIAM SOFTWARE
As organizations focus cybersecurity measures on protecting their network
perimeters, attackers are starting to probe new and previously untapped
vulnerabilities in the corporate armor. This often includes cyberattacks on
PACS components and even video surveillance/CCTV systems. The next era of the
hybrid attack is here, and it is imperative to address the blended threats that
exist across the silos of IT, OT (Operational Technology, SCADA, ICS and IoT)
and Physical Security. Consequently, enterprises are increasingly concerned
about their PACS being vulnerable to cyberattacks.
Key capabilities include:
- Monitor PACS privileged user or administrator activity
- Alerting on unauthorized configuration changes
- Alerting when badges or identities are created in the PACS back end, bypassing
standard procedures.
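The three capabilities listed for Step 7 share one mechanism: the PACS back-end audit log is read independently of the PACS itself and reconciled against what the PIAM workflow actually approved. The following is an added example, not AlertEnterprise or any PACS vendor's code. It parses a constructed key=value audit log, treats only the PIAM connector's service account as a legitimate source of badge creation and area grants, cross-checks every created badge against a constructed table of approved requests, flags door-schedule changes outside an assumed change window, and tallies what each human administrator did. The log format, account names, action names, request ids and the 08:00 to 18:00 window are assumptions.

```python
"""Audit a PACS back-end log for activity that bypasses the PIAM workflow:
badges or area grants created directly by a human administrator rather than
the PIAM service account, badges with no approved request behind them, and
configuration changes made outside the change window. Added example, not
AlertEnterprise or vendor code; the log format, account names and request
records are constructed and the rules are assumptions about what a converged
deployment would check."""
import re
from collections import Counter
from datetime import datetime

# Constructed PACS audit log (one event per line, key=value fields).
PACS_AUDIT = """\
2016-03-10 08:15:02 user=svc_piam action=CREATE_BADGE badge=44120 holder=e1001
2016-03-10 08:15:03 user=svc_piam action=GRANT_AREA badge=44120 area=LOBBY
2016-03-10 22:47:11 user=admin_jsmith action=CREATE_BADGE badge=44999 holder=TEMP01
2016-03-10 22:48:30 user=admin_jsmith action=GRANT_AREA badge=44999 area=DC-01
2016-03-11 02:05:44 user=admin_jsmith action=SET_DOOR_SCHEDULE door=DC-01 schedule=ALWAYS_UNLOCKED
2016-03-11 09:00:10 user=admin_kwong action=SET_DOOR_SCHEDULE door=LOBBY schedule=BUSINESS_HOURS
"""

PIAM_APPROVED_BADGES = {44120: "REQ-2016-0311"}  # badge -> approved PIAM request (constructed)
PIAM_SERVICE_ACCOUNTS = {"svc_piam"}             # accounts the PIAM connector uses (assumed)
CONFIG_ACTIONS = {"SET_DOOR_SCHEDULE"}           # actions treated as configuration changes
CHANGE_WINDOW = (8, 18)                          # approved local hours for config changes

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<fields>.*)$")


def parse_line(line):
    """Turn one audit line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")}
    for field in m.group("fields").split():
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def audit_pacs(log_text=PACS_AUDIT, approved=PIAM_APPROVED_BADGES,
               service_accounts=PIAM_SERVICE_ACCOUNTS):
    """Return findings, in log order, for events that bypass the PIAM workflow."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user, action, when = rec.get("user"), rec.get("action"), rec["ts"]
        if action == "CREATE_BADGE":
            badge = int(rec["badge"])
            # Legitimate creations come from the connector AND have an approved request.
            if user not in service_accounts or badge not in approved:
                findings.append({"rule": "badge_created_out_of_band", "user": user,
                                 "time": when.isoformat(), "badge": badge})
        elif action == "GRANT_AREA" and user not in service_accounts:
            findings.append({"rule": "area_granted_out_of_band", "user": user,
                             "time": when.isoformat(), "area": rec.get("area")})
        elif action in CONFIG_ACTIONS and not (CHANGE_WINDOW[0] <= when.hour < CHANGE_WINDOW[1]):
            findings.append({"rule": "config_change_outside_window", "user": user,
                             "time": when.isoformat(),
                             "detail": f"{rec.get('door')} -> {rec.get('schedule')}"})
    return findings


def admin_activity(log_text=PACS_AUDIT, service_accounts=PIAM_SERVICE_ACCOUNTS):
    """Count of back-end actions per human (non-service) account, for privileged-user review."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("user") not in service_accounts:
            counts[rec["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in audit_pacs():
        print(f"ALERT {f['rule']} by {f['user']} at {f['time']}")
    print("admin activity:", admin_activity())
```

The `badge not in approved` clause is the important one: a compromised connector account, or a badge inserted through the PACS database rather than its console, would pass the "who" check and fail only the reconciliation against the PIAM request records, so both tests are needed. The audit log should be shipped off the PACS host before it is evaluated; a log the PACS administrator can edit is not evidence of what that administrator did.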
ADDITIONAL STEPS
Implementing a converged logical and physical security solution can be a complex
task with many moving parts. It is important to select a solution that can
address all of the seven steps outlined above. Having a solution that will scale
to the needs of the enterprise is key to future-proofing your security.
ENTERPRISE CONSOLIDATION OF PHYSICAL ACCESS CONTROL
Many large enterprises, multinational corporations and government institutions
operate multiple facilities that include owned buildings, leased properties and
plant operations that extend across cities, states and countries. Many of these
facilities operate Physical Access Control Systems that were procured over long
periods of time, are owned by landlords, or were acquired as a result of company
mergers.
Guardian Physical from AlertEnterprise is a PIAM software solution designed to
meet all the criteria outlined here. It establishes a common operating environment
and extends all the benefits of common identity management across multiple PACS,
buildings and geographies. It leverages all existing access control systems by
overcoming limits on the number of users a system can support and by converting
native systems into fully scalable enterprise systems with common provisioning
and reporting across systems and multiple vendors.
This article originally appeared in the March 2016 issue of Security Today.