The New Heart of Security
Security Convergence and Identity become the foundation of digital transformation while COVID-19 transforms access governance
The physical security industry has
before it an incredible opportunity:
to lead business digital transformation
(DX) through security
convergence. Make no mistake about it, this
is our latest inflection point. The emergence
of the cloud and as-a-service platform economy
has created a sense of urgency all the
way up into the corporate boardroom. DX
helps enterprises become increasingly customer
focused and outward facing.
A Multitude of Industries
Organizations from all walks of life
across a multitude of industries (banking,
financial services, manufacturing, energy
and utilities, transportation, life sciences and
many more) have realized the importance of
bringing information from the operational
aspects of the company to the front of the house.
Security experts now agree that the most
important aspects of security start with the
identity of the people accessing applications
and information related to the enterprise.
Are they authorized? Do their privileges
extend to transactional data? How
long should access be granted? Who else
can see the data? Are their connections secure
from attack? And how can their access
be turned off when they leave the organization?
What about IoT devices?
At the center of converged security are
people, identity and trust. And in these unprecedented
times, we need to know exactly
where employees were, at what time and
who they were with. The changing threat
landscape, now with a contagion a constant,
requires a new approach relying on health
and safety access intelligence—all of which
comes from a common identity platform.
Extending a single digital identity that
can be authenticated across logical and
physical environments at the enterprise has
ramifications far beyond physical security.
For users, it means unified cyber-physical
security, greater productivity and the ability
to focus on and leverage high-value tasks
rather than time-consuming manual processing
traditionally associated with identity
Instead of separate siloed departments
simply coexisting and not interacting, security
convergence brings together technologies
from security, HR, IT and Operational
Technology (OT), capturing and correlating
threats and risk and addressing compliance
and policy automatically. It creates a common
identity across people and things, which
also makes it easier and faster to engage customers
and the workforce, create amazing
experiences and offerings and level-up operations.
It co-mingles with cyber controls, facilities
technologies and even behavior analytics
and risk profiles to mitigate risk holistically.
Data Says Users
Security convergence and digital transformation
aren’t some pie-in-the-sky concepts
anymore. C-Suite and facility executives
who have been moving in this direction
now know it’s imperative to embrace it as
we respond and recover from COVID-19.
According to The State of Security
Convergence in the United States, Europe
and India, an ASIS Foundation Convergence
Report published in fall 2019, some
35 percent of respondents said that convergence
has smoothed the way to create
a shared set of practices and goals across
physical security, cybersecurity and business
continuity teams. In 39 percent of
cases, convergence has “clearly enhanced
communication and cooperation.”
Prior to COVID-19 we also saw the following
data points from the ASIS study: almost
80 percent of non-converged organizations
acknowledge that convergence would
strengthen their overall security function
and 40 percent cited the desire to better align
security strategy with corporate goals as
the main catalyst for convergence. It’s likely
those numbers are even higher today. Those
who were already converging functions and
digitally transforming probably find themselves much more prepared to respond to the pandemic and all the
new facets now part of identity management and compliance.
Businesses already down the path of digital transformation
have been able to pivot, survive, thrive and serve customers and
protect their workforce during these disruptive times.
Enterprise security leaders now understand that the effects of
a cyber breach, physical attack, manufacturing loss, or contagion
on site far outweigh the costs of a holistic and converged system.
Those who embrace the digital transformation will enable cohesiveness
of systems and data, with the end result delivering proactive
threat detection and prevention—a unified threat response to
mitigate risk and greater situational awareness.
Identity Management With Muscles
Identity management software platforms integrate with HR
programs and processes to bring together the human side of security,
working in tandem to create a better and safer enterprise.
Identity management with Identity Intelligence technology that
incorporates artificial intelligence and machine learning can set
risk scores, adding filters and exceptions to flag, escalate and detect
anomalies in access and even production processes. Active
policy enforcement rules-based engines automatically identify
policy violations and unauthorized access as well as operational
and procedural issues. In addition, identification credentials automatically
expire and are taken offline when access is no longer
granted, reducing risk from a disgruntled employee in-house.
The power of security convergence is most evident when it
automates and detects seamlessly across more than one domain,
like IT and physical security. Consider this real-world scenario: a
utilities company employee enters the company through the main
lobby, takes the elevator to his floor and badges in to gain access
through that level’s main door. He proceeds to his desk and signs
into the company network to access his email. At the same time
someone is using the identical access credentials remotely via the
VPN. Obviously he can’t be physically present locally and remotely.
A converged platform detects the external intrusion by automatically
identifying the access anomaly and allows security to
immediately disable access, preventing a potential threat.
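
The cross-domain check in the scenario above, as an added example that is not from the original article or any vendor product: it correlates badge events with VPN logins and flags a remote login made while the same identity is physically onsite. The event layouts, user names, addresses and the 12-hour presence cap are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from any real system).
BADGE_EVENTS = [
    # (user, reader, direction, timestamp)
    ("jdoe", "lobby-main", "in", "2020-09-01T08:02:00"),
    ("jdoe", "floor4-main", "in", "2020-09-01T08:05:00"),
    ("asmith", "lobby-main", "in", "2020-09-01T08:10:00"),
    ("asmith", "lobby-main", "out", "2020-09-01T12:00:00"),
]
VPN_LOGINS = [
    # (user, source_ip, timestamp)
    ("jdoe", "203.0.113.45", "2020-09-01T08:20:00"),    # while onsite
    ("asmith", "198.51.100.7", "2020-09-01T13:30:00"),  # after badging out
    ("bwong", "192.0.2.10", "2020-09-01T09:00:00"),     # never badged in
]

# Assumption: a badge-in with no badge-out counts as presence for this long.
MAX_PRESENCE = timedelta(hours=12)


def presence_intervals(badge_events):
    """Build per-user (start, end) onsite intervals from badge events."""
    intervals, open_since = {}, {}
    for user, _reader, direction, ts in sorted(badge_events, key=lambda e: e[3]):
        t = datetime.fromisoformat(ts)
        if direction == "in":
            open_since.setdefault(user, t)  # first badge-in opens the interval
        elif direction == "out" and user in open_since:
            intervals.setdefault(user, []).append((open_since.pop(user), t))
    for user, start in open_since.items():  # no badge-out seen: cap the interval
        intervals.setdefault(user, []).append((start, start + MAX_PRESENCE))
    return intervals


def find_conflicts(badge_events, vpn_logins):
    """Return VPN logins that occur while the same user is physically onsite."""
    onsite = presence_intervals(badge_events)
    alerts = []
    for user, src_ip, ts in vpn_logins:
        t = datetime.fromisoformat(ts)
        if any(start <= t <= end for start, end in onsite.get(user, [])):
            alerts.append({"user": user, "source_ip": src_ip, "time": ts})
    return alerts


if __name__ == "__main__":
    for alert in find_conflicts(BADGE_EVENTS, VPN_LOGINS):
        print("ALERT: onsite user has concurrent remote VPN login:", alert)
```

Sites without exit readers produce no badge-out events, so the presence window is an approximation and an alert is a lead for review before access is disabled.
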
Now, let’s put this in a COVID-19 context. With the pandemic
and the return to work, modification to identity management is
required for safety, company policy and compliance reporting.
Health and Safety access governance software solutions help
organizations open safely in a frictionless, controlled and secure
way by automating and enforcing COVID-19 related policies and
procedures. Automated batch email/text notifications with self-service
links send requests to the remote workforce for self-attestation
and self-reporting offsite and enable access by the worker to the facility
based on health, travel and other company policies. Physical
security can help enforce health and safety policies through technology,
including reminders, prompts, automation, self-attestation
Here’s an example: An employee completes the self-reporting
health and travel questionnaire, which triggers workflow based
on answers. These health questionnaires collect data and document
employee activity during lockdown, including infection,
symptoms or exposure. The request routes to the manager for action
and the workflow can be configured to specific needs.
Once the manager reviews the request, it is determined that
based on the answers the employee is high risk and per policy his
access will be revoked for 14 days while in quarantine. Enterprises
administer the self-service process to view, edit and approve health
exposure risks of the workforce and disable access based on policy.
When the quarantine period is over, the employee receives an automated
notification to request reinstatement and the self-attestation
questionnaire. The employee is cleared and requests to be reinstated,
following workflows to provide supporting documentation,
such as a medical discharge or physician’s letter. Access is reenabled
and the employee is notified with instructions to come to work.
Health and Safety access governance and intelligence provides
support for prescreening of the workforce during site entry with
automated policy enforcements. Pre-registered and onsite visitors/
contractors check-in/check-out with prescreening, watch list
and other checks prior to access. In the production or distribution
facility, Health and Safety analytics track confirmed or potentially
exposed COVID-19 workers, identify exposed areas for
lockdown and/or sanitization, social distancing violation, location
heat map and other actionable health and safety analytics.
Identity management also allows you to automate your communications
and deliver clear expectations and procedures to
your workforce, visitors and contractors pre-visit and onsite—
adding to a seamless experience.
Real-time Active Enforcement
Technology like Identity Intelligence and the active policy enforcement
rules-based engine automatically identify policy violations
and unauthorized access. This allows security managers to
proactively monitor and respond to security violations as well as
operational and procedural issues. During the COVID-19 outbreak,
this could include travel history to restricted countries or
regions. Integration with travel and HR applications can detect
when and where a person booked travel and has badged in, providing
the enterprise the ability to build a solid risk profile of
activity. If someone in the workforce recently visited a restricted
location, security and HR teams can be automatically notified
to disable badge access to help avoid exposure and potential
transmission. In the scenario where someone in the workforce
becomes sick they would be considered a high risk. Any requests
for physical access to a facility would require special approval according
to company and local or federal health authority policies.
With an outbreak, modification to the visitor experience is
also required. It is the first point of contact and along with lobby
and security staff is part of the front lines for safety. Enterprises
can configure their Visitor Identity Management (VIM) system
to provide clear communication of current policies during the
outbreak, reinforcing WHO best practices. VIM can easily be
configured to prompt guests to answer specific screening questions
related to recent travel and sign off on legal documents.
Security is no longer simply about keeping bad guys out. Security
has become the business enabler during the digital transformation.
It’s now the fundamental component
of protecting people and workspaces and identity
stands at the center.
This article originally appeared in the September 2020 issue of Security Today.