Four Risks in Manual Identity Enrollment
Manual processes are the weakest link in an automated system. As corporations strive to be more lean and efficient, employees are often tasked with extra duties and stresses that can aggravate the problem. A greater workload and the faster pace at which many companies work, and with which employees struggle to keep up, can undermine even the most devoted employee's accuracy when manually entering information using a keyboard.
For physical identity management and identity enrollment, manual processes are particularly problematic. Inaccuracy is one issue; another is neglect. The multiple tasks competing for an employee's time and attention might also lead even a good employee to neglect or delay a manual task related to identity management. In either case, the result is an unacceptable level of risk to the organization.
The following potential risks demonstrate why enrollment in an identity management system is a process that is too important to be put at the mercy of human error.
- An identity is not properly on-boarded. Misspelling a person's name is more than a typographical error when it comes to an identity management system – it's a security risk. Entering a visitor's information incompletely or incorrectly is another possibility, and either scenario could lead to someone who is not accurately accounted for in the system being on the premises. Such errors can also lead to the creation of multiple ghost/orphan entries that clog up the system, slow down processes and increase operational costs.
- An identity cannot be properly vetted. For maximum security, an identity management system should cross-check an enrollee against third-party background checks, security checks, watchlists, etc. However, automated systems that perform such cross-checks are intolerant of misspelled names and incomplete information. Doing a background check on a misspelled name is the equivalent of not doing the check at all. A result could be approval of someone who is on a prohibited list (but whose name was misspelled and therefore did not match), an occurrence that would totally undermine the vetting process and provide access to an individual who represents a risk to the organization.
- An identity is not properly off-boarded. A consequence of a heavy workload is that tasks that are perceived as less urgent can sometimes be postponed. In the case of a visitor management system, for example, it might seem more urgent to enter a visitor in the system because they are already on the premises for a specific meeting. Off-boarding, by contrast, might seem less urgent and even be overlooked entirely in the rush of other duties. This can have huge consequences. When an identity is not properly off-boarded for any reason, the effect is to extend that enrollee's access and privileges within the organization. In effect, an unauthorized person is allowed continued access. Organizations should also beware of establishing manual processes that involve on/off-boarding an identity at a certain time, such as once a week. This manual practice leaves a large window of time in which identities are not properly controlled, and the practice may be even more risky if it is predictable or widely known.
- Manual processes create a separate data silo. Manual processes are much less likely to be integrated into the enterprise identity management system and, therefore, are more likely to create a separate silo of data. This silo doesn't interface with any other system within the organization and does not benefit from the enterprise's abundance of identity information since it is not part of a unified system of identity management. Working separately from, and less securely than, the rest of the identity management system, manual processes also often require regular intervention from physical and IT security staff to remediate problems and exceptions, consuming time and resources that could be better used elsewhere.
Manual approaches to data control are rife with flaws that can negatively impact the integrity of any organization's processes. For identity management systems, the risks can be enormous, extending far beyond the consequences of simple typographical errors. By their nature, manual processes tend to be separate, less efficient and more error-prone. Wherever and as much as possible, manual processes should be replaced by automated systems that are less subject to such variables. What's needed is a unified security platform that works with the existing physical security infrastructure, integrates with corporate and IT systems, and provides global compliance and card access management. Such a unified system can solve critical pain points associated with manual processes.