For managers and executives charged with implementing governance, risk-management and compliance (GRC) policies, the ability to control who can do what, when and where in the workplace is absolutely essential.
However, gaining and maintaining that control can be a daunting and complex task given the diversity of vendors that claim they can assist in addressing the challenges with so-called identity and access management (IAM) or identity management (IdM) solutions. And yet there is nothing particularly complex about managing identities within the workplace, provided one understands and applies the fundamental rules.
Keep it simple. Very simple
The principles of managing access and activity within the workplace can be summarised in just three words: authenticate, authorise, audit. By working with these principles, organisations can set the criteria that will guide the ways in which they control who can do what, when and where.
From controlling who can enter their premises, through to managing electronic payments, organisations can work with identity in a rigorous and structured way. The commercial goal is to increase the security within business processes and make them simpler to administer and monitor.
Authenticate: identify the people who are being managed
Authentication is the foundation upon which any identity-related system or process is built. In order to create a strong foundation for using identity as a business tool, authentication must be consistently accurate, convenient and fast.
Compromise on any of those characteristics and you will weaken the foundation. At some point, that weakness will cause a collapse – there will be a failure in the system and losses will be incurred. And we see that happening all around us. For example, many organisations still rely on conventional access cards as a way of distinguishing one employee from another. But as we all know, anyone can use your card. The same is true of PINs and passwords which means that we are faced with the fact that conventional credentials cannot identify people.
Here’s the crux: you cannot authenticate unless you can identify.
If you compromise on the accuracy of how you authenticate, then the whole house of cards comes tumbling down: unauthorised people access areas of your premises that are potentially high-risk; insider fraudsters make illicit EFT transfers.
Equally, speed and convenience are important factors in the business of authentication. Long-winded and complex authentication procedures slow processes down and create frustration among their users. A consequence is that people actively look to circumvent such procedures: they prop doors and gates open to side-step obstructive access systems, they routinely share their passwords and they don’t log out of supposedly secure IT systems when they leave their desks.
Failure to authenticate, or FTA, lies at the very heart of all the failings in identity-reliant systems that are intended to protect organisations from the consequences of risk. And yet FTA happens over and over again and constantly undermines the very systems that are supposed to mitigate risk.
Currently, competent biometric technology offers the most accurate, rapid and convenient solution to the challenges of authentication. Thousands of local organisations have accepted the validity of the business case for replacing cards, PINs and passwords with biometrics: the technology cuts the losses associated with the abuse of identity and unauthorised access and activity. For example, for some organisations, the savings made by eliminating buddy-clocking far outweigh the costs of introducing biometric-based access and Time and Attendance systems.
Authorise: controlling what people can do
Fortunately, controlling what people can do within the workplace – and when and where they can do it – does not require the same sort of mind-shift that is required to introduce rigorous authentication. Nor do organisations necessarily need to introduce new technologies, such as biometrics, in order to achieve their authorisation goals.
IT-focused identity management solutions have been in universal use for several decades. At the start of business computing in the early 1960s, access to systems and activity within them were controlled by a password or passcode. The whole purpose of these credentials was to ensure users were duly authorised. During the past 50 years, driven by breath-taking innovation, the world of IT has changed dramatically and there is now a multitude of dedicated software that is designed to manage access and activity, to authorise users.
Outside of IT, there have also been substantial advances in the past ten or so years in the way identity is managed within the world of physical access control. Today, it is standard practice for modern access control systems to be linked to HR solutions that manage payroll and ensure the implementation of health and safety policies. These developments are part of an expanding trend that uses identity as a tool to manage workforces in an increasingly centralised, integrated and co-ordinated manner.
To benefit from a co-ordinated application of identity-based information, organisations need to remove the barriers that create a siloed approach to working with identity. It’s now widely accepted that physical access control has an obvious link with payroll systems that manage attendance and hours worked. In its most basic form, the link confirms the times that someone arrives and leaves the workplace. But that fairly simplistic information is really only the tip of the identity management iceberg.
In reality, information related to a person’s identity extends much further beneath that superficial surface. Such information could include things like the validity of certifications that may range from the requirement for statutory health checks to the time-based validity of professional accreditations.
When viewed in this holistic manner, it becomes apparent that identity is not the exclusive preserve of systems that are focused on maintaining security, and that identity can be used as a business tool far beyond the confines of managing physical access. This broader view of the potential applications of identity-based information highlights the fact that the information does not necessarily have to be used in an input-only, one-way street. It can, for example, be used to automatically inform an employee – perhaps as they enter the workplace or clock on at their workstation – that they need to undergo that statutory health check or that their professional accreditation needs to be reviewed or updated before a specified date.
In terms of authorisation, there is perhaps merit in considering all of the ways that identity, and the information that is routinely associated with it, can be used to govern and ensure adherence to a wider set of workplace policies and regulations that really have very little to do with physical security at the front gate or main reception.
Audit: creating identity chains
The last of the three fundamental principles is concerned with recording and monitoring who is doing what and where and when they are doing it. Primarily, the audit function creates a link – an Identity Chain – between authentication and authorisation. It provides accurate identity-based information allied to an individual’s authorisations and, if necessary, their location and activity within the workplace at any given time.
As a security tool, a strong audit function can be viewed as a measure that both deters and prevents illicit or unauthorised activity. But its strength is entirely reliant upon the effectiveness of the systems that authenticate identity in the first place. Unless it can provide a definitive link between identity and activity, the whole concept of auditing begins to fall apart.
Perhaps more than anything else, the importance of that definitive link highlights the imperative of accurate authentication as the foundation for any identity management system. A card, PIN or password only tells us that it was that particular credential that was used to perform a specific activity – such credentials do not identify the person who used them.
If, however, the initial authentication is truly accurate – such as that provided by biometric identification – then the audit function really does become a powerful deterrent. For example, making an illicit EFT payment becomes a far less attractive crime when the fraudster knows they will have to authorise the transfer by scanning their fingerprint. Simultaneously, a strongly-founded audit function is also a potent preventive measure because specified activities can only ever be performed by duly authorised people.
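The authorisation and audit principles above can be made concrete in a small model. The following is an added example, not code from the article or from any vendor it alludes to: it treats authorisation as a check against both a person's permissions and the time-bounded certifications (health check, professional accreditation) the article mentions, and it builds the Identity Chain by recording, for every attempted action, the authenticated subject, the decision and the reason. The subject is recorded as a person only when identity was actually verified; a bare card or PIN yields a record against the credential, reflecting the article's point that such credentials do not identify the person who used them. All names, the policy table and the sample people are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


# --- Constructed sample types (hypothetical, not from the article) -----------

@dataclass(frozen=True)
class Certification:
    name: str
    valid_until: date          # expiry of a statutory check or accreditation


@dataclass
class Person:
    person_id: str
    permissions: set           # actions this person is authorised to perform
    certifications: dict       # certification name -> Certification


# Which time-bounded certification each action depends on (hypothetical policy).
POLICY = {
    "enter:plant": {"health_check"},
    "approve:eft": {"payments_accreditation"},
    "enter:reception": set(),
}


@dataclass(frozen=True)
class AuditRecord:
    when: date
    subject: str      # "person:<id>" if identity verified, else "credential:<id>"
    action: str
    location: str
    allowed: bool
    reason: str


class IdentityChain:
    """Links authentication -> authorisation -> audit for each attempted action."""

    def __init__(self, people, credential_owner, today):
        self.people = people                      # person_id -> Person
        self.credential_owner = credential_owner  # card/PIN id -> person_id
        self.today = today
        self.records = []

    def authenticate(self, credential_id, identity_verified):
        """Return the audit subject. Only a verified identity names a person;
        a bare card or PIN only proves that the credential was presented."""
        owner = self.credential_owner.get(credential_id)
        if owner is not None and identity_verified:
            return "person:" + owner
        return "credential:" + credential_id

    def authorise(self, person_id, action):
        """Permission check plus validity of every certification the action needs."""
        person = self.people.get(person_id)
        if person is None or action not in person.permissions:
            return False, "action not permitted"
        for name in POLICY.get(action, set()):
            cert = person.certifications.get(name)
            if cert is None:
                return False, f"missing certification {name}"
            if cert.valid_until < self.today:
                return False, f"{name} expired on {cert.valid_until.isoformat()}"
        return True, "ok"

    def attempt(self, credential_id, identity_verified, action, location):
        """One link of the chain: authenticate, authorise, then write the audit record."""
        subject = self.authenticate(credential_id, identity_verified)
        if subject.startswith("person:"):
            allowed, reason = self.authorise(subject[len("person:"):], action)
        else:
            allowed, reason = False, "identity not verified"
        record = AuditRecord(self.today, subject, action, location, allowed, reason)
        self.records.append(record)
        return record

    def activity_of(self, person_id):
        """Audit records that are definitively linked to a verified person."""
        return [r for r in self.records if r.subject == "person:" + person_id]

    def reminders(self, person_id, horizon_days=30):
        """Certifications expiring within the horizon, for a clock-on message."""
        cutoff = self.today + timedelta(days=horizon_days)
        return sorted(
            (c.name, c.valid_until.isoformat())
            for c in self.people[person_id].certifications.values()
            if c.valid_until <= cutoff
        )


def demo():
    """Constructed scenario: one valid entry, one card-only entry, one expired accreditation."""
    today = date(2024, 3, 1)
    alice = Person("alice", {"enter:plant", "enter:reception"},
                   {"health_check": Certification("health_check", date(2024, 3, 20))})
    bob = Person("bob", {"approve:eft"},
                 {"payments_accreditation":
                  Certification("payments_accreditation", date(2023, 12, 31))})
    chain = IdentityChain({"alice": alice, "bob": bob},
                          {"card-0042": "alice", "card-0043": "bob"}, today)
    chain.attempt("card-0042", True, "enter:plant", "plant-gate")
    chain.attempt("card-0042", False, "enter:plant", "plant-gate")   # card presented, no biometric
    chain.attempt("card-0043", True, "approve:eft", "finance-ws-7")
    return chain


if __name__ == "__main__":
    chain = demo()
    for record in chain.records:
        print(record)
    print("alice reminders:", chain.reminders("alice"))
```

The second record in the demo is the important one for the audit argument: the same card is presented without identity verification, and the chain records only that the credential was used, so no activity is attributed to the person. The `reminders` method shows the outward-facing use of identity data described above, turning a stored expiry date into a prompt at clock-on rather than a silent refusal at the gate.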
If you need to clarify your thinking about how best to manage identity within your organisation, you may well find it a valuable exercise to develop your identity solutions and the outcomes you require according to the three fundamentals: authenticate, authorise and audit.
© Technews Publishing (Pty) Ltd | All Rights Reserved