Making the Choice - Fixed costs, customized solutions and user convenience - determining factors in buying physical identity and access management

Making the Choice

Fixed costs, customized solutions and user convenience - determining factors in buying physical identity and access management

Making the ChoiceThe migration of physical security technology to a network platform has made it easier and more convenient for organizations to integrate the various modalities of physical security into a unified configuration to better safeguard their employees, visitors, premises and material/intellectual property. Open architecture further enables central control of the various security systems on a single platform, providing higher levels of operational efficiency across the enterprise as well as improved standardization of policies and procedures.

Similar operational benefits have been achieved from advanced physical identity and access management (PIAM) software solutions that allow security identities to be managed and streamlined across disparate physical security systems within an organization by creating a single identity for each individual across all physical security systems. Integrating physical with logical systems, the software can ensure synchronized and policy-based on- and off-boarding of identities and their physical access levels across multiple security systems.

With increasing frequency, enterprise-wide physical identity and access management software systems are playing key roles in organizational strategy. Physical identity and access management software is a ready-made solution for organizations looking to upgrade and enhance their physical security strategies, remain compliant with requirements mandated by various regulations or integrate and maintain alignment with security policies during and after a corporate consolidation.

To Build or Buy

Without question, PIAM software is an effective tool that can readily address multiple challenges where improving efficiencies through identity management is needed. The uncertainty arises when making the decision as to whether a PIAM software package that addresses compliance, operational and quality needs should be developed internally or purchased as a commercial, off-the-shelf (COTS) solution.

The appeal of building an in-house, custom application is often founded on the belief that company processes, business challenges and unique needs are better understood within an organization, rather than by an outside vendor. The solution can be developed more accurately and less expensively.

Conversely, many identity management issues and requirements are similar in nature, and it will save time, and potentially costs, to purchase a COTS package developed by a more specialized software developer.

Understanding the differences between these two approaches can yield significant benefits, but it’s not an easy choice to make. There are, however, three key areas that should be considered when making the choice between an in-house developed solution and a COTS package:

Cost. If considering an in-house developed solution, costs must include the time-intensive process of developing the outline/application, assigning personnel and determining charge-back costs for development, testing and support. Because of the nature and complexity of the PIAM application, the development must take into consideration workflow that integrates a variety of business system processes as well as the integration between existing hardware and/or software systems. For example, when one set of privileges changes, whether physical or logical, that alteration must trigger automatic, complementary revisions in other sets.

With regard to the development team, assignment of personnel is dependent upon the technology resource pool and their experience with this platform. The team may have to be expanded to include personnel with expertise in specific business processes.

Based on these drawbacks, recent trends indicate that organizations are no longer looking within to create and maintain the custom applications that address large scale identity management needs, but rather are turning to external, professional resources that offer application-targeted solutions built on best practices and with a proven track record.

Unlike an in-house developed software program, costs for COTS solutions can be negotiated and determined up front. Any additions or custom developments can be quantified prior to the start of the project, and a schedule for incremental upgrades or changes can be identified for budgeting purposes. In addition, COTS solutions usually provide a better ROI over the long term based on more robust features, greater reliability and the ability to scale at a lower cost than an in-house solution.

Customization. In many organizations and vertical industries, regulatory compliance is the impetus for instituting an identity management program. For example, corporations subject to the Sarbanes-Oxley Act require stringent management of user identities and access to information while ensuring system integrity. The CFATS rule governs the petrochemical industry, while the Gramm-Leach-Bliley Privacy Act protects information in the finance arena. In other areas, NERC/FERC security regulations govern the energy sector, and HIPAA privacy rules are enforced in healthcare. Banks need to comply with the Basel Committee on Banking Supervision, and pharmaceutical companies are regulated by the Drug Enforcement Agency. Government agencies perhaps face the greatest need for compliance, including FIPS 201/ HSPD-12 credentialing requirements and TSA regulations for airports.

Custom solutions that are in compliance with mandated access control requirements are more readily available from vendors who understand the requirements from both the business/regulation side and the technical side. The work is done, built into the application, and in most instances, the software program will meet the customer’s requirements out of the box.

Convenience. Operation and use of PIAM software must easily and readily include the capability to manage all types of identities including permanent and temporary employees, contractors, service providers and vendors. It should be an easy and straightforward process to manage details of a physical identity, such as biographic and biometric information, as well as results of security checks and historical usage. In addition to aggregating access level information from various systems, PIAM software should encompass details such as risk level, area owner, multiple approvers and prerequisites for access, while providing audit trails of all transactions. These features, and other proven system amenities, make implementation and use of COTS software more convenient than a homegrown solution.

The ideal COTS solution will take cost, customization and convenience into account, as Quantum Secure did when we created our policy-driven SAFE software suite. We believe a COTS solution should be designed to connect disparate physical security, IT and operational systems, automate manual security processes around contractors and reduce both costs and risks.

The host of applications provided to automate physical security system functions must include physical identity management, role-based access, self-service administration, identity/event correlation and reporting. Control should be provided through a single, Web-based interface that is easy to manage and use.

A properly designed and engineered COTS solution, for physical access and identity management, will be the more cost effective solution every time.

This article originally appeared in the February 2014 issue of Security Today.

  • Ahead of Current Events Ahead of Current Events

    In this episode, Ralph C. Jensen chats with Dana Barnes, president of global government at Dataminr. We talk about the evolution of Dataminr and how data software benefits business and personnel alike. Dataminr delivers the earliest warnings on high impact events and critical information far in advance of other sources, enabling faster response, more effective risk mitigation for both public and private sector organizations. Barnes recites Dataminr history and how their platform works. With so much emphasis on cybersecurity, Barnes goes into detail about his cybersecurity background and the measures Dataminr takes to ensure safe and secure implementation.

Digital Edition

  • Environmental Protection
  • Occupational Health & Safety
  • Spaces4Learning
  • Campus Security & Life Safety