The business of identity

October 2013 Access Control & Identity Management

For managers and executives charged with implementing governance, risk-management and compliance (GRC) policies, the ability to control who can do what, when and where in the workplace is absolutely essential.

However, gaining and maintaining that control can be a daunting and complex task given the diversity of vendors that claim they can assist in addressing the challenges with so-called access and identity management (IAM) or identity management (IdM) solutions. And yet there is nothing particularly complex about managing identities within the workplace, providing one understands and applies the fundamental rules.

Keep it simple. Very simple

The principles of managing access and activity within the workplace can be summarised in just three words: authenticate, authorise, audit. By working with these principles, organisations can set the criteria that will guide the ways in which they control who can do what, when and where.

From controlling who can enter their premises, through to managing electronic payments, organisations can work with identity in a rigorous and structured way. The commercial goal is to increase the security within business processes and make them simpler to administer and monitor.

Authenticate: identify the people who are being managed

Authentication is the foundation upon which any identity-related system or process is built. In order to create a strong foundation for using identity as a business tool, authentication must be consistently accurate, convenient and fast.

Compromise on any of those characteristics and you will weaken the foundation. At some point, that weakness will cause a collapse – there will be a failure in the system and losses will be incurred. And we see that happening all around us. For example, many organisations still rely on conventional access cards as a way of distinguishing one employee from another. But as we all know, anyone can use your card. The same is true of PINs and passwords, which means that we are faced with the fact that conventional credentials cannot identify people.

Here’s the crux: you cannot authenticate unless you can identify.

If you compromise on the accuracy of how you authenticate, then the whole house of cards comes tumbling down: unauthorised people access areas of your premises that are potentially high-risk; insider fraudsters make illicit EFT transfers.

Equally, speed and convenience are important factors in the business of authentication. Long-winded and complex authentication procedures slow processes down and create frustration amongst their users. A consequence is that people actively look to circumvent such procedures: they prop doors and gates open to side-step obstructive access systems, they routinely share their passwords and they don’t log out of supposedly secure IT systems when they leave their desks.

Failure to authenticate, or FTA, lies at the very heart of all the failings in identity-reliant systems that are intended to protect organisations from the consequences of risk. And yet FTA happens over and over again and constantly undermines the very systems that are supposed to mitigate risk.

Currently, competent biometric technology offers the most accurate, rapid and convenient solution to the challenges of authentication. Thousands of local organisations have accepted the validity of the business case for replacing cards, PINs and passwords with biometrics: the technology cuts the losses associated with the abuse of identity and unauthorised access and activity. For example, for some organisations, the savings made by eliminating buddy-clocking far outweigh the costs of introducing biometric-based access and Time and Attendance systems.

Authorise: controlling what people can do

Fortunately, controlling what people can do within the workplace – and when and where they can do it – does not require the same sort of mind-shift that is required to introduce rigorous authentication. Nor do organisations necessarily need to introduce new technologies, such as biometrics, in order to achieve their authorisation goals.

IT-focused identity management solutions have been in universal use for several decades. At the start of business computing in the early 1960s, access to systems and activity within them were controlled by a password or passcode. The whole purpose of these credentials was to ensure users were duly authorised. During the past 50 years, driven by breath-taking innovation, the world of IT has changed dramatically and there is now a multitude of dedicated software that is designed to manage access and activity, to authorise users.

Outside of IT, there have also been substantial advances in the past ten or so years in the way identity is managed within the world of physical access control. Today, it is standard practice for modern access control systems to be linked to HR solutions that manage payroll and ensure the implementation of health and safety policies. These developments are part of an expanding trend that uses identity as a tool to manage workforces in an increasingly centralised, integrated and co-ordinated manner.

To benefit from a co-ordinated application of identity-based information, organisations need to remove the barriers that create a siloed approach to working with identity. It’s now widely accepted that physical access control has an obvious link with payroll systems that manage attendance and hours worked. In its most basic form, the link confirms the times that someone arrives and leaves the workplace. But that fairly simplistic information is really only the tip of the identity management iceberg.

In reality, information related to a person’s identity extends much further beneath that superficial surface. Such information could include things like the validity of certifications that may range from the requirement for statutory health checks to the time-based validity of professional accreditations.

When viewed in this holistic manner, it becomes apparent that identity is not an exclusive preserve of systems that are focused on maintaining security and that identity can be used as a business tool far beyond the confines of managing physical access. This broader view of the potential applications of identity-based information highlights the fact that the information does not necessarily have to be used in an input-only, one-way street. It can, for example, be used to automatically inform an employee – perhaps as they enter the workplace or clock-on at their workstation – that they need to undergo that statutory health check or that their professional accreditation needs to be reviewed or updated before a specified date.

In terms of authorisation, there is perhaps merit in considering all of the ways that identity and the information that is routinely associated with it can be used to govern and ensure adherence to a wider set of workplace policies and regulations that really have very little to do with physical security at the front gate or main reception.

Audit: creating identity chains

The last of the three fundamental principles is concerned with recording and monitoring who is doing what and where and when they are doing it. Primarily, the audit function creates a link – an Identity Chain – between authentication and authorisation. It provides accurate identity-based information allied to an individual’s authorisations and, if necessary, their location and activity within the workplace at any given time.

As a security tool, a strong audit function can be viewed as a measure that both deters and prevents illicit or unauthorised activity. But its strength is entirely reliant upon the effectiveness of the systems that authenticate identity in the first place. Unless it can provide a definitive link between identity and activity, then the whole concept of auditing begins to fall apart.

Perhaps more than anything else, the importance of that definitive link highlights the imperative of accurate authentication as the foundation for any identity management system. A card, PIN or password only tells us that it was that particular credential that was used to perform a specific activity – such credentials do not identify the person who used them.

If, however, the initial authentication is truly accurate – such as that provided by biometric identification – then the audit function really does become a powerful deterrent. For example, making an illicit EFT payment becomes a far less attractive crime when the fraudster knows they will have to authorise the transfer by scanning their fingerprint. Simultaneously, a strongly-founded audit function is also a potent preventive measure because specified activities can only ever be performed by duly authorised people.

If you need to clarify your thinking about how best to manage identity within your organisation, you may well find it a valuable exercise to develop your identity solutions and the outcomes you require according to the three fundamentals: authenticate, authorise and audit.
