A converged approach to enterprise security

November 2012 Access Control & Identity Management

There is an urgent requirement for organisations to reinforce control over access to their systems.

In terms of managing identity, Applied Identity Control (AIC) is certainly the new kid on the block. Despite the astonishing losses caused by rising incidents of ICT-based crime, organisations are still battling to manage identity throughout their business processes.

Marius Coetzee

From insider fraud and banking scams through to the cyber theft of corporate secrets and customer data, it is clear that there is an urgent requirement for organisations to reinforce control over access to their systems and the activities within them. Enter Applied Identity Control or AIC.

Hi-Tech Security Solutions spoke to Ideco MD, Marius Coetzee, and Mark Eardley of Supervision about the concept of AIC and how it positions identity authentication at the heart of a converged or unified approach to systems-based security.

Mark Eardley

The four cornerstones of AIC

The four cornerstones of AIC are authenticate, authorise, audit, automate. According to Eardley, security-conscious organisations whose operations are heavily reliant on ICT will probably already be using established technologies to create competencies in the last three of AIC’s principles. “They will have governing systems in place that are designed to authorise and audit activities. But, almost universally, the integrity of these automated functions is completely undermined by an inability to accurately authenticate users.”

Eardley stresses that the strength of any form of identity management system is based entirely on the accuracy of the authentication component. “If that is weak, the whole structure comes tumbling down. Organisations are so busy looking at the top of the security mountain – where they want to be – that they have not noticed the gaping crevasse at their feet.

“Consequently, a rising number of organisations are falling into that dangerous hole. The Postbank cyber heist of R42m at the start of 2012 is reported to have been based on a failure to authenticate users of the bank’s payment systems. As part of the theft, strong passwords and complex PINs may well have been authenticated, but these things are not people, are they? These credentials can only identify themselves. They do not identify people. In terms of AIC they most certainly do not authenticate.”

The starting point for AIC

Coetzee says, “When we use the word ‘authenticate’ in the context of AIC we are talking about the consistent ability to accurately identify people. Cards, PINs and passwords – or CPPs – do not have this ability. Because their use cannot be restricted to a specific person, they have never been able to authenticate identity.

“So, we say it is quite wrong, that it is absolutely incorrect and also completely misleading to talk about CPPs as being able to authenticate identity. They cannot and they do not.”

Coetzee supports his views by pointing out that the world of physical security recognised this fundamental security flaw many years ago, “For example, many organisations know that fingerprint-based authentication ends the losses caused by people sharing cards and clocking-on for one another. But organisations are perhaps much less aware about what happens when CPPs are exploited by insider fraudsters and cyber villains to access systems and commit their crimes.”

“Failure to authenticate, or FTA, is a fundamental flaw common to all forms of CPP,” says Eardley. “They cannot tell if the user is Jack or Jill. They cannot differentiate between the people using them, which means that they cannot authenticate.”

Eardley sees FTA as such an important concern because of the immense risks it creates in all sorts of IT-based systems and processes. People acquire other people’s CPPs and then access systems and operate within them as if they were authorised users.

“And what is to stop them?” asks Eardley. “If a particular smartcard and PIN is authorised to transfer money from your bank account, then that is exactly what the system allows. The fact that you did not make the transfer is totally irrelevant as far as the system is concerned. The system works. It might not work in the way it was intended to, but it still transfers your money.

“We should not underestimate the enormous losses that organisations are suffering as a direct consequence of FTA. After all, it is the basis for the vast majority of cybercrime.”

For Eardley, that blunt fact warrants some heavy emphasis. “If you think about all the various forms of cybercrime, from having your payment cards and bank account defrauded through to multi-million cyber-heists, almost all of it comes down to someone using someone else’s card, password or PIN. From crooked insiders making illicit EFT payments through to organised villains stealing highly sensitive corporate information, failure to authenticate is leading directly to escalating losses across all sorts of organisations and in all sorts of IT-based systems.”

Overcoming the risks and losses caused by FTA

The consequences of FTA can take many forms. For example, a container-load of goods is delivered to your warehouse. How do you know what was delivered and who took the goods into stock? Some scribbled signatures on a delivery note are not much help when half the stock goes missing before it gets added to your inventory. Or maybe it all gets entered on the inventory but only half actually ends up in the warehouse.

Coetzee says that AIC deals with the who, what, when and where of business transactions: “The ‘who’ bit is clearly really important. Who delivered the goods? Who took them into stock? Who added them to the inventory? Failure to authenticate these identities creates risks and leads directly to recurring losses. FTA leaves the doors wide open for the villains.”

Addressing the challenge of FTA is not difficult. Coetzee points out that for millions of local employees, fingerprint-based authentication systems verify their identities every day as they access the workplace and clock-on to attendance and payroll systems. The whole purpose of fingerprint technology in these systems is to authenticate – to accurately confirm the identities of these employees. Who is where on your premises? Who is authorised to be in that hazardous environment? Who is being recorded by the time and attendance system?

The importance of convergence in AIC

Coetzee says that thousands of SA organisations are using fingerprint-based systems to address each of these questions accurately and securely. He is however adamant that fingerprint authentication can deliver even more commercial benefits: “Who is certified as technically competent and duly authorised to operate that machinery? Who is altering your invoices? Who is making EFT payments, and who is reading sensitive documents and making copies?

“If any of these operational functions are controlled by CPPs, then you are fully exposed to the full spectrum of abuses that arise from FTA. And that leads directly to the escalating losses caused by all the various forms of systems-based crime.”

Beyond applications within physical workforce security, Coetzee sees the integration of fingerprint technology into all of an organisation’s identity-reliant processes as an obvious way to complete the circle in terms of using accurate user authentication as a business tool to reduce risks and prevent losses.

“Systems integration is one of Ideco’s key strengths, giving us the technical capabilities to incorporate fingerprint-based authentication into a diversity of business systems,” says Coetzee. “The business case for fingerprint technology is already well established within physical security systems because it cuts the losses caused by unauthorised access and activity. I would encourage organisations to now start thinking about how to extend that proven success into other areas of their operations.”

Authorise, audit, automate: no problem at all

In Eardley’s opinion, compared to the way we authenticate identity, we really are light-years ahead in terms of how technologies routinely authorise and audit access and activity within commercial processes. “Just consider everything that happens automatically when you use the functionality provided for your online banking. You can move money around your accounts, check transaction histories, make payments and create lists of beneficiaries. You can download proof-of-payment and receive SMS or mail messages concerning activity on your accounts.”

Within corporate IT systems, assigning authorisations and tracking activities is something we take for granted – established, proven technologies just handle it all for us. Want e-mail alerts for exception reporting? No problem. Want them pushed via SMS? Easy. Want stock-control systems that are linked to sales points? Done it. Want behavioural analysis of activity in your IT system? Got it.

The way we process identity data and what we can do with it seems to be only limited by the objectives we set for these automated functions.

But as long as FTA remains a persistent, recurrent problem within all sorts of business systems, the question Eardley poses is this: why bother with all that expenditure and effort if you cannot authenticate the identity of the people using your systems?
