As one reads through the Access and Identity Management Handbook, you are sure to notice some trends and issues that crop up time and again, either overtly or between the lines. Hi-Tech Security Solutions invited a collection of industry experts to a round-table to talk about identity and access management from the perspective of their daily operations and interactions with the market.
As can be seen from the attendee list, we didn’t only look for people who dealt with traditional access control, but went as far as getting some high-level insight from Deloitte. What follows below is a brief outtake from the discussion. They naturally had far more to say than we can include in an article, however, we have highlighted some of the main issues raised.
The attendees first introduced themselves and gave a brief overview of their take on the market.
Glynn Brookes, a director at Evolving Managing Solutions (EMS), a distributor of fingerprint and card-based access solutions as well as the Commend intercom range was up first. Brookes says EMS has been focusing on IP-based solutions for the last few years, starting with fingerprint biometrics but expanding to other areas as more companies introduced IP solutions. Integration is not a mainstream demand from EMS clients at this stage. Clients want a long-term solution and the interest in mobile and non-Microsoft operating systems, such as iOS from Apple is growing.
John Powell is MD of Powell Tronics, also a distributor. He says Powell Tronics has seen its business growing beyond the traditional box-dropping distributor of the past to include software platforms and integration projects. Powell has found a trend in which users are looking for IP solutions that allow them to bring technologies closer together, like bringing their vending solution onto their network. This allows functionality like cashless vending or having one source of data for the whole company to work from.
Gerhard Fourie is area sales manager for HID Global, focusing on the identity assurance side of business on the logical side. HID focuses on the commercial market and has seen a growing demand for converged solutions bringing the physical and logical side together.
Mark Paynter is from Ideco and says the company has noticed substantial changes in its client base with end users bringing skill sets across from different departments and marrying IT more closely with security. He sees more IT people trying to get into the security space and vice versa. The company has also seen many nameless, fast moving access-related products coming out of Asia.
Barry Jacobs is a solutions architect in the identity management division of Bytes Technology Group, which recently bought Brand New technologies. He’s seen the same trends as the others and sees the lines between the logical and physical spaces blurring. This requires more integration work across the boundaries to deliver added value to the customers. “I’ve been involved in everything from government to retail, hospitality and financial solutions where there’s been a strong need for logical access solutions. We’ve seen our logical space actually grow much faster than our physical space,” he explains. He adds that the mobile market, as it related to access and identity management is on the edge of something interesting, he’s not sure what that will be at the moment, but expects some interesting developments in the mobile space in the future.
Tiaan van Schalkwyk is from the risk advisory side of Deloittes, in a team that focuses on security, privacy and resiliency. And while he focuses on identity management implementation, it’s not from the technology side, he focuses on the governance and process elements that make the technology work in a business environment.
“What we found is that organisations go out and acquire the technology and pay an integrator to put it in. Two years after the massive implementation, costs of millions, they start blaming the integrator for all kind of things and they rubbish the technology,” he says. “The problem is they didn’t look at their policies properly and they didn’t do organisational change management properly and they didn’t define their processes properly. Those are the problems we’ve seen in South Africa and globally. It doesn’t matter what people are doing with technology, they seemingly always end up having a problem with access management.”
He adds that the only places Deloitte has seen a reduction in access management problems is where organisations have implemented role-based access governance. He notes it’s not role-based access control, but the broader spectrum that is built into the risk management of the organisation.
Walter Rautenbach, MD of neaMetrics, a solutions company that started distributing the Suprema range in South Africa and Africa about six years ago. He has seen a benefit to market changes like mergers and acquisitions over the past few years in that it seems to have regulated pricing, making it more competitive. He has also seen an influx of cheaper products from the East, but says people have started realising that when they purchase solutions, they need to buy products that are flexible and that can change as the company’s needs change. The flexibility of the Suprema range was what prompted neaMetrics to partner with the company. In addition, he has found that the distribution and development components of the business complement each other because he finds that 50% of customers are looking for customised (integrated) solutions.
In fact, without the customisation work neaMetrics has been involved with, such as integrating access and surveillance in a partnership with Camsecure, or Easy Roster for rostering in the guarding environment, Rautenbach says it’s unlikely the company would have maintained its level of growth.
How does your convergence grow?
When looking at convergence, whether IP integration, the blurring of the lines between physical and logical access and so forth, what is it that customers want? The ability to provide and support convergence and integration is one thing, but what delivers value to a business isn’t necessarily the same.
Van Schalkwyk says the common idea of linking access at the door and logical access is a concept that’s been around for a long time. “We’ve got clients considering it again, especially those that are also thinking about things like additional biometric authentication for sensitive transactions. The problem is it has proven very difficult to execute and people end up locking themselves out of their computers and outside the building because things go horribly wrong. Sometimes the cause is bad integration so it’s still a technology that’s being perfected. It’s definitely not easy to accomplish.”
Powell adds that his company has done a couple of proof-of-concept projects in this convergence space and it can work well with the applications the company specifies, but problems occur when they need to log into third-party applications (like SARS, for example) where issues such as Java support or something else prevents the solution from working.
“This is where it starts falling down because it’s not supported across all software platforms,” he says. “That’s been our experience.”
Jacobs adds that it’s not only about access to a system, it’s almost becoming a fraud prevention tool where large transactions or change of access or banking details have to be authorised. And this is where biometrics is starting to play a key role for Bytes.
Brookes notes that while there are requests like this from clients, the people asking for them are unique amongst customers. He says the bigger problem is that when a company designs an integrated solution, they do it with certain other systems in mind. So, while it works in a specific environment, in a few years when additional systems need to be integrated or some of the existing systems are upgraded, they don’t talk to each other and it’s a continual process of integration and development to keep everything talking to each other. “Too often, the people who will ultimately be our customers are not the people who see the benefits in integrated solutions.
“I think in two or three years time, the solutions to our current issues are going to come from outside the security industry and we’re going to have to meet and adapt to those solutions rather than the other way around. I think at the moment we’re trying to be drivers because we’re all wanting to sell stuff, but I think ultimately, the customer’s the driver.”
Another problem Fourie highlights in the whole integration/convergence saga is not necessarily related to new technology, but the legacy systems customers are currently running. They still run these systems because most of them don’t have developers on board that can actually do the integration and ripping everything out at once is not a viable option. This is a problem that’s not going away and may lead to larger companies being in a position to offer some form of professional integration services by keeping legacy skills on board.
It’s different up in Africa, however. The benefit in other countries on the continent is that there is a significant lack of legacy equipment so service providers can roll out solutions from a clean slate, which makes things much simpler when it comes to integration and convergence.
Cloudy access and identity?
When it comes to effectively managing data related to access and identity services, it’s reasonable to assume that companies would consider using hosted or cloud services as they do in other areas of business. Jacobs says Bytes does offer an identity service that is hosted. Companies can do enrolments at the HR level as well as background checks etc. and it is all an Internet-based service that feeds into a physical access control system if the person is employed. He says there is significant interest in the service and some clients have already implemented it.
He adds, however, that some larger companies are interested, but hesitant because of the question of where the data lives. With the Protection of Personal Information Act (PoPI) about to hit in 2014, this question will need to be carefully addressed.
neaMetrics also has customers interest in hosted solutions, but as with Bytes, the main concern of potential clients is where their data is and if it’s secure. Therefore, if clients want the ease of using a service that they don’t have to manage themselves, they need to measure the risk of having their data offsite and the method in which it is secured. To overcome this Rautenbach says many companies are opting to go the cloud route, but keep the data on their own cloud services to be able to better manage it.
Surprisingly, the impact of government is not to be underrated in this industry. Brookes says that many of the standards lacking at the moment could be driven by government to ensure they conform to some policy. Whether its biometrics or card standards, industry will follow government’s lead if and when it lays down a standard. The latest identity cards from Home Affairs might be the impetus needed to define this type of standard.
Fourie brings another perspective into the cloud debate, that of services that consume Opex versus Capex expenditure on the client side. As all companies, from small to large suffer under the tight global economy, vendors are adjusting their pricing from the traditional purchase and licensing models to those that are easier for companies to afford and benefit from. He notes, however, that the integrators and installers are key in this effort and need to understand the benefits of long-term revenue for continued services over quick wins.
The ultimate test
As noted in other parts of this publication, the implications of PoPI could be significant to those in the access and identify market. One’s identity is naturally something everyone wants to protect and any company holding this information will soon only be able to do so with the individual’s permission and the ability to store it securely. Is the industry ready or will there be a panic as the deadline looms?
Van Schalkwyk says he expects to first see an overreaction before people (and government) really get to understand the details of PoPI and it becomes more palatable. Questions that need to still be clearly defined include what exactly 'personally identifiable information' is and how that impacts cloud services (not to mention the way information is stored when, for example, someone allows their driver’s licence to be scanned when entering a business location).
He adds that the cloud question has a further impact if organisations use a service that stores personal data overseas. Do companies understand the other jurisdiction’s privacy legislation and can they get proper contractual agreements enforced between the two.
Jacobs echoes the cross-border data storage concern. Bytes has retail operations in multiple African countries, but stores the data in a central server in South Africa. How will companies handle that type of service, both from a service provider as well as from the customer perspective?
Paynter adds that the question of how this will impact on storing fingerprint records internally as well as across borders since, we assume, your fingerprint will definitely qualify as personal information. He adds that any biometric equipment should have an internationally accepted minimal standard, such as FBI accreditation, to ensure that personal information is not subjected to manipulation or identity inaccuracies.
Van Schalkwyk throws another spanner in the spokes by mentioning the ECT Act, where something as simple as communications with clients was on an opt-out basis – i.e. anyone can send you a marketing e-mail as long as they give you the option to opt-out of future communications. PoPI changes that to an opt-in approach where the receiver must first give permission to receive the communication. And as Powell mentions, imprisonment of directors is part of PoPI, making it more important than ever to comply.
Another issue is that of access. When you collect information on someone, the data subject must be allowed to have access to the information you’ve collected about him or her, so this will probably drive the central collection of information to allow companies to avoid having permanent staff operating information desks.
“It’s wonderful to host everything centrally to manage it, but now we fall under the PoPI Act and you are now the owner of that data,” adds Jacobs. “You have to manage it and take the risks related to that, along with the penalties that go with non-compliance.”
The biggest risk in this scenario is for smaller companies, says Rautenbach, because it’s no longer a matter of having someone sign a contract saying you can store their data. You now have to have the processes in place that determine how long you store it for, what you can and can’t do with it and what happens to it after a certain event (such as an employee resigning) or after a certain time limit. Moreover, when implementing security systems, an integrator may get the required permission, but can it then transfer this to the customer once the system is running? Can the integrator keep the information, even if it’s as a backup?
Powell says the best option at this stage would be to go to the end of the line, the user or guest and get explicit permission rather than risking transferring information between business partners. Of course, the actual nitty gritty of PoPI still needs to be defined and tested in court.
Bringing mobile into access
Everything and everyone today seems to be focused on doing stuff for mobile devices, whether its news reporting, financial apps or supposedly simplified access control. However, as with all areas of technology, the capability is often far ahead of the need or willingness to use new systems.
Companies such as HID have developed near-field communications (NFC) systems that allow users to use their smartphones to badge into the office or open a hotel door (among other things), but the uptake is still more the exception than the rule. One of the reasons for this is the proprietary nature of this technology at the moment.
As an example, Brookes says Apple and Samsung, among others, have simple ways to transfer contact information between phones, but the ability to interact on the same level with other brands isn’t there. There is no standard that all brands or access manufacturers use, which makes buying decisions for the end user all the more difficult.
Van Schalkwyk believes these issues will sort themselves out over time, but it will take a while before the market sees a uniform manner in which applications can address these requirements.
The attendees also agree that all too often, the push for converged physical and logical access is derived from their service providers wanting to sell a technology that the user actually doesn’t see a need for. If you can’t show customers the real benefits they can achieve from their solution, you are simply flogging a dead horse. Even worse, when you convince them to buy it and it doesn’t deliver as promised, you may find your future business with them is somewhat limited.
It’s always a complex task to bring out one or two primary topics from a round-table where people with years of experience in market-leading companies contribute. That said, from this round-table we have learned that while the quest for integrated solutions continues, there are still many, if not the majority of customers out there that want best-of-breed solutions for the various elements of their access and identity implementations and are not considering integration. Integrators pressing for converged or integrated solutions need to be able to specify the value these systems will provide, and then deliver that value.
And while the primary impact of PoPI will be on the customers and businesses that collect personal data, the security industry needs to be aware of the new law to ensure their operations and installations comply and to effectively advise their clients. This will be even more important for the growing number of service providers in the security industry that provide hosted services, such as Identity as a Service. It’s not merely a case of what data you can or can’t store, it’s the process of gathering and
storing it securely, as well as destroying it at the appropriate time.
Barry Jacobs, firstname.lastname@example.org
Gerhard Fourie, email@example.com
Glynn Brookes, firstname.lastname@example.org
John Powell, email@example.com
Mark Paynter, firstname.lastname@example.org
Tiaan Van Schalkwyk, email@example.com
Walter Rautenbach, firstname.lastname@example.org
|Tel:||+27 11 543 5800|
|Fax:||+27 11 787 8052|
|Articles:||More information and articles about Technews Publishing|
© Technews Publishing (Pty) Ltd | All Rights Reserved