The three Ps of identity management

Access & Identity Management Handbook 2011 Access Control & Identity Management

Marius Coetzee, COO, Ideco Biometric Security Solutions says an effective identity and access management solution must involve people, possessions and processes.

Marius Coetzee, COO, Ideco Biometric Security Solutions
Marius Coetzee, COO, Ideco Biometric Security Solutions

The many access and identity management solutions implemented in organisations today incorporate different technologies, best practices and skills. Some are based on access control solutions that have been expanded into broader identity solutions; others are based on high-level identity management solutions that drill down into multiple aspects of physical and logical access control.

According to Marius Coetzee, COO of Ideco Biometric Security Solutions, any successful identity and access management (IAM) solution must be based on the three Ps of effective identity management:

1. People.

2. Possessions.

3. Processes.

Traditionally, organisations focus on possessions, using access control and surveillance technologies to protect their assets and premises. These assets are perceived as valuable and are often the easiest to protect. People and processes can be complex entities to manage, requiring time, effort and expertise to successfully control.

The reality, according to Coetzee, is that any effective IAM solution must be built on the foundation of the three Ps if it is to offer the security and reliability organisations require. If any area is neglected, the result will be vulnerabilities that can lead to security breaches.

People

When dealing with people, it is crucial to determine the level of risk each person entering the organisation poses, whether employee or visitor. Once determined, there needs to be a set of processes that define how the person is handled, how the engagement with the individual or group takes place, the business relationship and the final disengagement when they leave.

Employees

As far as staff are concerned, Coetzee recommends screening new hires to confirm their background, criminal and credit records to ensure you have selected the right person for the job. This can be a complex process which must be scaled up to more intense screening for those people who will have access to more sensitive resources and facilities within the organisation and require, for example, specific governance and compliance skills, as well as higher training levels.

All these issues need to be clearly defined in the engagement process before an ongoing relationship is started. If done correctly, each individual will create an identity chain as they go about their daily work, clearly showing who did what, when; this identity chain will be auditable and non-repudiable, meaning there can be no mistake as to who is responsible for every action.

At the end of the relationship, when the individual disengages from the company, there must be a process in place to completely remove his/her access rights. Far too many companies have old employees that can still access the premises and IT resources because their disengagement was not properly handled. This is obviously a serious security breach.

Visitors

When it comes to allowing visitors in, screening is not possible as their stays are usually short and the information they provide about themselves sparse. Coetzee recommends that each company defines what risk level is acceptable with respect to visitors and confines these guests to the access permissions relative to that level.

This decision is not an easy one. Many companies have experienced the consequences of allowing people claiming to be Telkom technicians or air conditioner maintenance crews free access to their premises. Defining a workable relationship and a manner of identifying those that should be allowed greater unaccompanied access must be developed and strictly implemented.

Possessions

South African companies are of necessity experienced in protecting their physical possessions, but are not all that well prepared when it comes to protecting their logical assets. Logical security is a relatively new concept in IAM (we exclude common issues such as malware and spam protection) and there have been a number of initiatives to address this topic. Some of these include single sign-on, password replacement technologies and policies to manage the identities of people on cor-porate systems.

As with people, the process of asset management follows a path of acquisition, maintenance and use, and finally disengagement in the form of scrapping or selling the item. Coetzee says corporations must ensure they purchase the right access solutions to provide their company with a level of risk mitigation required due to the sensitivity of the access granted. Once again an audit trail must be maintained throughout the process to accurately verify who did what, when.

When the item is disposed of, Coetzee says it needs to be wiped clean. In other words, any sensitive data or access codes need to be removed, leaving a 'blank slate' that will be of no use to anyone trying to gain unauthorised access to the firm’s logical resources or information. There have been many cases of companies giving old computers away, for example, without removing databases of customer information. Not only does this put you at risk of legal action, your brand’s reputation could also suffer.

Processes

When it comes to processes, it all boils down to the trust associated with the level of access each one requires. Coetzee says there are two categories of processes, transactional and operational.

Operational processes

Operational processes deal with who does what and the associated authorisations each individual has to do their work.

Transactional processes

Transactional processes deal with issues such as approving transactions and customer credit limits, as well as the authorisation of transactions completed by other employees. These are sensitive responsibilities and the processes need to ensure only authorised people are able to carry them out and that there is a complete identity chain linking all actions to a verified identity (in other words, a person).

Both types need to be driven by a process lifecycle which is divided into four phases:

1. The request phase in which the employee asks to gain access to a resource to perform a function.

2. The authorisation phase in which the IAM solution authenticates the user and determines if he/she has permission to perform the requested action.

3. The execution phase which allows the function to run, having determined that the user is who they claim to be and is authorised to do this type of transaction.

4. The audit phase, based on the identity chain, which provides a full history should any queries be raised about the transaction.

There is an IAM lifecycle for each of the three Ps that ensures people, possessions and processes within a company are properly secured and accessible only to authorised individuals. Moreover, IAM solutions based on these principles ensure a full identity chain is created no matter what employees or visitors are doing. However, leaving one of the Ps out of the equation results in gaps in a company’s security posture, which in effect means it is vulnerable to attacks from without and within.



Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Disconnect between confidence in identity security and operational reality
Access Control & Identity Management News & Events
New FIDO Alliance and HID study reveals gap between identity security confidence and reality; 94% of enterprises claim they can revoke employee access within 24 hours, yet 35% experienced delays or failures in the past two years.

Read more...
Paxton Solo training available to security installers
Paxton Access Control & Identity Management News & Events
Following the launch of Solo, Paxton’s brand-new access control system, the security manufacturer is rolling out dedicated Solo training sessions across South Africa to support security installers working with the system.

Read more...
Controlling access for people and vehicles
IDEMIA STid Security Technews Publishing Editor's Choice Access Control & Identity Management Asset Management Industrial (Industry) Mining (Industry)
When it comes to access control, the security requirements of mines and the industrial sector are similar, requiring a layered approach that combines physical barriers, digital authentication, and continuous monitoring to protect personnel, assets, and operational continuity.

Read more...
Paxton launches new phone-based security system: Solo
Paxton News & Events Access Control & Identity Management
Paxton has officially unveiled Solo, a phone-based, cloud-hosted access control system. As part of the launch, installers can claim a free Solo starter kit from Paxton, allowing them to trial the system and see how it can work for their business.

Read more...
Taking control of IAM in the AI era
Access Control & Identity Management AI & Data Analytics
AI and Shadow AI are proliferating, creating a series of new risks for organisations. To gain control over who and what has access to corporate data, organisations need unified control over their entire environment.

Read more...
Impro announces Primo update
News & Events Access Control & Identity Management Integrated Solutions
Impro Technologies recently held a launch event in which it introduced a series of new products, from new readers through to its updated Primo access management software.

Read more...
If you cannot prove identity, you cannot claim security
Access Control & Identity Management Information Security
Cybersecurity planning for 2026 is a structural change in how attacks are executed and how trust is exploited, demanding that companies stop layering tools on top of infrastructure and instead prioritise intelligence and identity.

Read more...
Paxton set to launch game-changing new system
Paxton Access Control & Identity Management News & Events
Access control is evolving fast. Installers and end users are looking for systems that are simple to install, easy to manage remotely, and flexible enough to scale. In response, Paxton is exploring how emerging technologies can reshape access control.

Read more...
NEC XON secures mobile provider’s hybrid identities
NEC XON Access Control & Identity Management Information Security Commercial (Industry)
For a leading South African telecommunications operator, identity protection has become a strategic priority as identity-centric attacks proliferate across the industry. The company faced mounting pressure to secure both human and non-human identities across complex hybrid environments.

Read more...
Cloud security in visitor management and access control
SA Technologies Access Control & Identity Management Infrastructure Residential Estate (Industry) Commercial (Industry)
Cloud has become the default platform for modern security operations, from visitor management portals and remote access control to incident logging, reporting, analytics, and integrations. But “in the cloud” does not mean “someone else is securing it for us”.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.