Making the Choice - Fixed costs, customized solutions and user convenience - determining factors in buying physical identity and access management

Making the Choice

Fixed costs, customized solutions and user convenience - determining factors in buying physical identity and access management

Making the ChoiceThe migration of physical security technology to a network platform has made it easier and more convenient for organizations to integrate the various modalities of physical security into a unified configuration to better safeguard their employees, visitors, premises and material/intellectual property. Open architecture further enables central control of the various security systems on a single platform, providing higher levels of operational efficiency across the enterprise as well as improved standardization of policies and procedures.

Similar operational benefits have been achieved from advanced physical identity and access management (PIAM) software solutions that allow security identities to be managed and streamlined across disparate physical security systems within an organization by creating a single identity for each individual across all physical security systems. Integrating physical with logical systems, the software can ensure synchronized and policy-based on- and off-boarding of identities and their physical access levels across multiple security systems.

With increasing frequency, enterprise-wide physical identity and access management software systems are playing key roles in organizational strategy. Physical identity and access management software is a ready-made solution for organizations looking to upgrade and enhance their physical security strategies, remain compliant with requirements mandated by various regulations or integrate and maintain alignment with security policies during and after a corporate consolidation.

To Build or Buy

Without question, PIAM software is an effective tool that can readily address multiple challenges where improving efficiencies through identity management is needed. The uncertainty arises when making the decision as to whether a PIAM software package that addresses compliance, operational and quality needs should be developed internally or purchased as a commercial, off-the-shelf (COTS) solution.

The appeal of building an in-house, custom application is often founded on the belief that company processes, business challenges and unique needs are better understood within an organization, rather than by an outside vendor. The solution can be developed more accurately and less expensively.

Conversely, many identity management issues and requirements are similar in nature, and it will save time, and potentially costs, to purchase a COTS package developed by a more specialized software developer.

Understanding the differences between these two approaches can yield significant benefits, but it’s not an easy choice to make. There are, however, three key areas that should be considered when making the choice between an in-house developed solution and a COTS package:

Cost. If considering an in-house developed solution, costs must include the time-intensive process of developing the outline/application, assigning personnel and determining charge-back costs for development, testing and support. Because of the nature and complexity of the PIAM application, the development must take into consideration workflow that integrates a variety of business system processes as well as the integration between existing hardware and/or software systems. For example, when one set of privileges changes, whether physical or logical, that alteration must trigger automatic, complementary revisions in other sets.

With regard to the development team, assignment of personnel is dependent upon the technology resource pool and their experience with this platform. The team may have to be expanded to include personnel with expertise in specific business processes.

Based on these drawbacks, recent trends indicate that organizations are no longer looking within to create and maintain the custom applications that address large scale identity management needs, but rather are turning to external, professional resources that offer application-targeted solutions built on best practices and with a proven track record.

Unlike an in-house developed software program, costs for COTS solutions can be negotiated and determined up front. Any additions or custom developments can be quantified prior to the start of the project, and a schedule for incremental upgrades or changes can be identified for budgeting purposes. In addition, COTS solutions usually provide a better ROI over the long term based on more robust features, greater reliability and the ability to scale at a lower cost than an in-house solution.

Customization. In many organizations and vertical industries, regulatory compliance is the impetus for instituting an identity management program. For example, corporations subject to the Sarbanes-Oxley Act require stringent management of user identities and access to information while ensuring system integrity. The CFATS rule governs the petrochemical industry, while the Gramm-Leach-Bliley Privacy Act protects information in the finance arena. In other areas, NERC/FERC security regulations govern the energy sector, and HIPAA privacy rules are enforced in healthcare. Banks need to comply with the Basel Committee on Banking Supervision, and pharmaceutical companies are regulated by the Drug Enforcement Agency. Government agencies perhaps face the greatest need for compliance, including FIPS 201/ HSPD-12 credentialing requirements and TSA regulations for airports.

Custom solutions that are in compliance with mandated access control requirements are more readily available from vendors who understand the requirements from both the business/regulation side and the technical side. The work is done, built into the application, and in most instances, the software program will meet the customer’s requirements out of the box.

Convenience. Operation and use of PIAM software must easily and readily include the capability to manage all types of identities including permanent and temporary employees, contractors, service providers and vendors. It should be an easy and straightforward process to manage details of a physical identity, such as biographic and biometric information, as well as results of security checks and historical usage. In addition to aggregating access level information from various systems, PIAM software should encompass details such as risk level, area owner, multiple approvers and prerequisites for access, while providing audit trails of all transactions. These features, and other proven system amenities, make implementation and use of COTS software more convenient than a homegrown solution.

The ideal COTS solution will take cost, customization and convenience into account, as Quantum Secure did when we created our policy-driven SAFE software suite. We believe a COTS solution should be designed to connect disparate physical security, IT and operational systems, automate manual security processes around contractors and reduce both costs and risks.

The host of applications provided to automate physical security system functions must include physical identity management, role-based access, self-service administration, identity/event correlation and reporting. Control should be provided through a single, Web-based interface that is easy to manage and use.

A properly designed and engineered COTS solution, for physical access and identity management, will be the more cost effective solution every time.

This article originally appeared in the February 2014 issue of Security Today.

Featured

  • Progressing in Capabilities

    Progressing in Capabilities

    Hazardous areas within industries like oil and gas, manufacturing, agriculture and the like, have long-sought reliable video surveillance cameras and equipment that can operate safely in these harsh and unpredictable environments. Read Now

  • A Comprehensive Nationwide Solution

    A Comprehensive Nationwide Solution

    Across the United States, manufacturing facilities, distribution centers, truck yards, parking lots and car dealerships all have a common concern. They are targets for catalytic converters. In nearly every region, cases of catalytic converter thefts have skyrocketed. Read Now

  • Planning for Your Perimeter

    Planning for Your Perimeter

    The perimeter is an organization’s first line of defense and a critical element of any security and surveillance program. Even if a building’s interior or exterior security is strong, without a solid perimeter surveillance approach any company or business is vulnerable. Read Now

  • The Key Issue

    The Key Issue

    It is February 2014. A woman is getting ready in her room on a cruise ship when she hears a knock on the door; it is a crewmember delivering breakfast. She is not presentable so she tells him to leave it by the door. Read Now

Featured Cybersecurity

New Products

  • VideoEdge 2U High Capacity Network Video Recorder

    VideoEdge 2U High Capacity Network Video Recorder

    Johnson Controls announces a powerful recording solution to meet demanding requirements with its VideoEdge 2U High Capacity Network Video Recorder. This solution combines the powerful capabilities of victor with the intelligence of VideoEdge NVRs, fueled by Tyco Artificial Intelligence, for video management that provides actionable insights to save time, money and lives. 3

  • CyberAudit Introduced to Manage Systems, Intuitive Interface

    CyberAudit Web

    CyberLock, Inc. announces the release of CyberAudit Web 9.4! CyberAudit-Web (CAW), the software suite for managing CyberLock systems, provides an intuitive interface to assign keys, set expirations, monitor staff and configure access schedules. 3

  • HID Signo Readers

    HID Signo Readers

    HID Global has announced its HID® Signo™ Biometric Reader 25B that is designed to capture and read fingerprints in real-world applications and conditions. 3