The current state of the access control infrastructure at many enterprise companies might best be described as fractured. Multiple disparate physical and logical access control systems and cumbersome manual processes are all too common. While standardizing on a single system corporate-wide might address one symptom of the problem, it would require a huge capital outlay to rip and replace multiple systems.
The real long-term access control issue for the enterprise is how to manage identities. It is critically important to ensure that individuals have the correct permissions to enter only the areas for which they are authorized, both for the sake of security and to maintain compliance. With large numbers of employees, geographically distributed campuses and ever-changing authority levels, keeping permissions current is a vast job.
Identity management software can build an abstraction layer over these disparate systems so that each individual has a single identity across the organization. By integrating physical and logical security systems, it can drive synchronized, policy-based on-boarding and off-boarding of identities and their physical access levels across multiple security systems, so that a change in one source of truth (typically the HR system) is reflected in every access control system rather than in whichever one an administrator remembers to update.
Effectively managing identity in an organization addresses multiple challenges and opens up additional opportunities. Human resources systems and LDAP directories can be connected directly to physical access control systems; real-time reports can be drawn across any number of physical access control systems; badge and credentialing systems can be managed more efficiently; and visitors and third-party contractors can be tracked while being linked to a sponsoring internal identity. Other opportunities include correlating identities with alarms, events and other situations, and granting access based on a risk profile of an identity or location. Access can also be made conditional on training or other prerequisites.
All types of identities can be managed with such software, including permanent and temporary employees, contractors, service providers and vendors. Administrators can manage the details of a physical identity, such as biographic and biometric information, results of security checks and historical usage. The software provides a central place to search for an identity and assign it access levels across multiple physical access control systems, including details such as the time schedule of access (e.g. during business hours or 24/7). An urgent termination feature allows authorized personnel to revoke physical access immediately, without waiting for the next scheduled synchronization from HR. In addition to aggregating access level information from the various systems, the administrator can manage details such as risk level, area owner, multiple approvers and prerequisites for access, such as training. The system should keep an audit trail of every grant, revocation and approval, recording who performed it and when.
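The provisioning model described above, as an added illustrative example rather than any vendor's code: an HR feed is the source of truth, a role policy maps each identity to the areas it is entitled to, prerequisites such as training block individual entitlements, and a reconciliation pass pushes the resulting desired state into two physical access control systems while logging every change. The `PacsAdapter` class, the area catalogue, the policy and the HR records are all constructed stand-ins for this example; a real deployment would replace the adapter with calls to each PACS vendor's API.

```python
"""Policy-based physical identity provisioning across several PACS (illustrative)."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Area:
    name: str
    pacs: str                               # PACS that controls this door group
    schedule: str                           # e.g. "business_hours" or "24x7"
    prerequisites: frozenset = frozenset()  # training an identity must hold


# Constructed area catalogue spanning two separate PACS.
AREAS = {
    "LOBBY": Area("LOBBY", "pacs_hq", "24x7"),
    "LAB": Area("LAB", "pacs_hq", "business_hours", frozenset({"lab_safety"})),
    "DC_CAGE": Area("DC_CAGE", "pacs_dc", "24x7", frozenset({"dc_induction"})),
}
# Constructed policy: role -> areas the role may hold, subject to prerequisites.
POLICY = {"engineer": {"LOBBY", "LAB"}, "dc_ops": {"LOBBY", "DC_CAGE"}, "contractor": {"LOBBY"}}


class PacsAdapter:
    """Stand-in for one PACS API: tracks area -> schedule grants per badge."""
    def __init__(self, name):
        self.name = name
        self.grants = {}  # badge_id -> {area_name: schedule}

    def current(self, badge_id):
        return dict(self.grants.get(badge_id, {}))

    def grant(self, badge_id, area, schedule):
        self.grants.setdefault(badge_id, {})[area] = schedule

    def revoke(self, badge_id, area):
        self.grants.get(badge_id, {}).pop(area, None)


def entitlements(person):
    """Return (areas to grant, areas blocked by missing training).
    A terminated identity is entitled to nothing, whatever its role."""
    if person["status"] != "active":
        return set(), {}
    training = set(person.get("training", []))
    grant, blocked = set(), {}
    for name in POLICY.get(person["role"], set()):
        missing = AREAS[name].prerequisites - training
        if missing:
            blocked[name] = missing
        else:
            grant.add(name)
    return grant, blocked


def _log(audit, actor, action, badge, pacs, area):
    audit.append({"ts": datetime.now(timezone.utc).isoformat(), "actor": actor,
                  "action": action, "badge": badge, "pacs": pacs, "area": area})


def reconcile(hr_feed, adapters, audit, actor="hr_sync"):
    """Make every PACS match the HR-derived desired state; return (grants, revokes)."""
    granted = revoked = 0
    for person in hr_feed:
        badge = person["badge"]
        wanted, _ = entitlements(person)
        for pacs in adapters.values():
            desired = {a: AREAS[a].schedule for a in wanted if AREAS[a].pacs == pacs.name}
            current = pacs.current(badge)
            # Anything a PACS holds that policy no longer justifies is revoked,
            # including stale or manually added grants that predate this sync.
            for area in set(current) - set(desired):
                pacs.revoke(badge, area)
                _log(audit, actor, "revoke", badge, pacs.name, area)
                revoked += 1
            for area, schedule in desired.items():
                if current.get(area) != schedule:
                    pacs.grant(badge, area, schedule)
                    _log(audit, actor, "grant", badge, pacs.name, area)
                    granted += 1
    return granted, revoked


def urgent_terminate(badge, adapters, audit, actor):
    """Revoke every grant in every PACS now, without waiting for the next HR sync."""
    removed = 0
    for pacs in adapters.values():
        for area in list(pacs.current(badge)):
            pacs.revoke(badge, area)
            _log(audit, actor, "urgent_revoke", badge, pacs.name, area)
            removed += 1
    return removed


# Constructed HR feed: a trained engineer, a DC operator still missing induction,
# and a terminated contractor who still holds a stale lobby grant in one PACS.
HR_FEED = [
    {"badge": "B1001", "role": "engineer", "status": "active", "training": ["lab_safety"]},
    {"badge": "B1002", "role": "dc_ops", "status": "active", "training": []},
    {"badge": "B1003", "role": "contractor", "status": "terminated", "training": []},
]


def demo():
    adapters = {n: PacsAdapter(n) for n in ("pacs_hq", "pacs_dc")}
    adapters["pacs_hq"].grant("B1003", "LOBBY", "24x7")  # stale grant to be cleaned up
    audit = []
    counts = reconcile(HR_FEED, adapters, audit)
    removed = urgent_terminate("B1001", adapters, audit, actor="security_desk")
    return adapters, audit, counts, removed
```

Two points worth noting in the design. Reconciliation is driven from desired state rather than from change events, so a grant that was added by hand in one PACS, or left behind when an earlier off-boarding failed, is removed on the next pass instead of surviving indefinitely. And `urgent_terminate` acts directly on every PACS and is recorded under the operator's own identity, because the window between an HR status change and its scheduled propagation is exactly the window a hostile termination exploits.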
From a risk perspective, automated identity management systems help organizations reduce liability and protect assets more consistently. Such systems also promote standardization within a security organization and the implementation of best practices.
Cost is another important benefit. A unified, software-based approach to identity management replaces labor-intensive, repetitive manual processes that are also error-prone.
A proliferation of regulatory requirements provides an additional incentive to manage identities more effectively. Companies are subject to a growing number of regulations that require them to verify identities and control access to facilities and information.
For example, publicly traded companies in the United States are subject to the Sarbanes-Oxley Act, which requires controls over user identities and access to financial information and over the integrity of that information. Vertical markets have their own specific regulations, such as the CFATS anti-terrorism standards for high-risk chemical facilities, including the petrochemical industry; Gramm-Leach-Bliley, which protects consumer financial information; the HIPAA privacy and security rules for healthcare; and the NERC critical infrastructure protection standards, enforced under FERC oversight, in the energy sector. U.S. federal agencies must comply with the FIPS 201/HSPD-12 credentialing requirements, and airports are regulated by the TSA and others. Banks seek to comply with Basel II, which includes operational risk management, and pharmaceutical companies that handle controlled substances are regulated by the Drug Enforcement Administration. Managers need to be able to detect policy violations easily and to enforce security policies and rules proactively, and centralized identity management systems can help with both.
Software systems allow compliance activities to be automated in real time, creating a transparent, traceable and repeatable global process for governance and compliance. Complying with these regulations takes strict governance of security controls across both physical and IT infrastructure and management of risk at a holistic level. Identity management software addresses this by closing the gap between the systems that control access and the records that establish who a person is and what they are authorized to do.