All On Board
Least privileged access delivers most secure onboarding
- By Kim Rahfaldt
- Apr 01, 2018
Traditionally, security directors deployed physical access
control systems to secure doors and IT managers controlled
their networks. Physical security and IT security
were managed independently and operated in silos. Today,
this model is no longer successful.
The security landscape has evolved and new threats have emerged.
Security teams need to do more with their systems. Security directors
must transition from controlling access to doors and buildings
to managing the identities that walk through those doors. Using a
policy based identity management platform, organizations can manage
access via the different categories of identities (people) that enter
a building. Identity access management ties systems together to manage
the different identities (employees, contractors, vendors, visitors),
rather than manage systems.
The larger the organization, the more policies and procedures
it has in place. A large employee population generates a complex
identity environment to manage. Employees change jobs, move from
part to full time, contractor to employee or from one department to
another, creating a complicated and ever changing environment for
Physical security is difficult to manage. Most companies use cumbersome
manual processes that involve numerous emails and phone
calls to onboard a new employee. Approvals are needed from multiple
departments before granting the appropriate access, which can
add days to the process. The process is inefficient, wastes money and
New employees, contractors and vendors need access to buildings,
floors or doors, and for access to be removed when they no longer
need it. Access is often not removed for terminated employees until
manually caught or even worse, when there is a security breach. Large
organizations often cannot keep up with manual access requests and
audits due to lack of resources and poor processes. If a company
cannot keep up, they fall out of compliance and risk heavy fines or
sanctions against their business.
How should organizations best manage identities?
Limited Access Approach
The limited access approach grants front door and office floor access.
A new employee must separately request access to all other areas he
or she needs, even the access required to perform their new job. A secure
option, but it requires approvals and processes immediately after
the employee is hired. This option may hinder the employee because
they do not have access to all areas required to do their job.
Full Access Approach
The full access approach requires that every person hired receives
access to many areas throughout a company, either during normal
working hours or around the clock. This approach may be effective
for small businesses, such as a law firm where very few rooms need
additional security, but this is the least secure option for most companies.
A new customer service representative should not need access to
the server room. Large organizations with facilities around the world
do not need to grant a new warehouse employee in Florida access to
the company’s headquarter operations in Seattle.
Least Privileged Access
The least privileged access (LPA) approach provides role-based permissions
to new employees to obtain access to the front door and
all areas needed to perform their job. Once the employee starts, they
must request access to additional areas needed to perform their job.
Access is then granted for a predetermined amount of time and automatically
deactivates access when the time limit expires. LPA provides
an electronic log of all requests and an audit trail to prove compliance.
LPA is the most secure and easily managed onboarding process.
LPA works well in heavily regulated industries, and is sometimes
required. Organizations can match up timeframes with regulations to
meet compliance. For example, background checks may last one year.
Organizations can time access card expirations to match background
check expiration to help a company remain in compliance. NERC
CIP regulated industries require special training to obtain access. If
an employee doesn’t have the training, they fall out of compliance. By
syncing up LPA with NERC training, compliance is maintained and
the company will not have to pay expensive fines.
Organizations can assign access levels per role within the company.
A vice president of IT will have different access levels than a book
keeper. Establishing roles in advance will create a more efficient and
safe environment. Companies will save time and money, and eliminate
loopholes in access.
Once set up, managing LPA is effortless. The data parameters entered
into the identity management system determines who should
have access and for how long. Organizations audit the parameters
set up in the system to make sure they continue to meet company requirements,
but that is determined by each organization. Essentially,
once it is set up, it runs itself.
LPA is recommended as a best practice. It provides
the most secure onboarding process, reduces
risk, helps companies maintain compliance and
This article originally appeared in the April 2018 issue of Security Today.