The three Ps of identity management

Access & Identity Management Handbook 2011 Access Control & Identity Management

Marius Coetzee, COO, Ideco Biometric Security Solutions says an effective identity and access management solution must involve people, possessions and processes.

Marius Coetzee, COO, Ideco Biometric Security Solutions
Marius Coetzee, COO, Ideco Biometric Security Solutions

The many access and identity management solutions implemented in organisations today incorporate different technologies, best practices and skills. Some are based on access control solutions that have been expanded into broader identity solutions; others are based on high-level identity management solutions that drill down into multiple aspects of physical and logical access control.

According to Marius Coetzee, COO of Ideco Biometric Security Solutions, any successful identity and access management (IAM) solution must be based on the three Ps of effective identity management:

1. People.

2. Possessions.

3. Processes.

Traditionally, organisations focus on possessions, using access control and surveillance technologies to protect their assets and premises. These assets are perceived as valuable and are often the easiest to protect. People and processes can be complex entities to manage, requiring time, effort and expertise to successfully control.

The reality, according to Coetzee, is that any effective IAM solution must be built on the foundation of the three Ps if it is to offer the security and reliability organisations require. If any area is neglected, the result will be vulnerabilities that can lead to security breaches.


When dealing with people, it is crucial to determine the level of risk each person entering the organisation poses, whether employee or visitor. Once determined, there needs to be a set of processes that define how the person is handled, how the engagement with the individual or group takes place, the business relationship and the final disengagement when they leave.


As far as staff are concerned, Coetzee recommends screening new hires to confirm their background, criminal and credit records to ensure you have selected the right person for the job. This can be a complex process which must be scaled up to more intense screening for those people who will have access to more sensitive resources and facilities within the organisation and require, for example, specific governance and compliance skills, as well as higher training levels.

All these issues need to be clearly defined in the engagement process before an ongoing relationship is started. If done correctly, each individual will create an identity chain as they go about their daily work, clearly showing who did what, when; this identity chain will be auditable and non-repudiable, meaning there can be no mistake as to who is responsible for every action.

At the end of the relationship, when the individual disengages from the company, there must be a process in place to completely remove his/her access rights. Far too many companies have old employees that can still access the premises and IT resources because their disengagement was not properly handled. This is obviously a serious security breach.


When it comes to allowing visitors in, screening is not possible as their stays are usually short and the information they provide about themselves sparse. Coetzee recommends that each company defines what risk level is acceptable with respect to visitors and confines these guests to the access permissions relative to that level.

This decision is not an easy one. Many companies have experienced the consequences of allowing people claiming to be Telkom technicians or air conditioner maintenance crews free access to their premises. Defining a workable relationship and a manner of identifying those that should be allowed greater unaccompanied access must be developed and strictly implemented.


South African companies are of necessity experienced in protecting their physical possessions, but are not all that well prepared when it comes to protecting their logical assets. Logical security is a relatively new concept in IAM (we exclude common issues such as malware and spam protection) and there have been a number of initiatives to address this topic. Some of these include single sign-on, password replacement technologies and policies to manage the identities of people on cor-porate systems.

As with people, the process of asset management follows a path of acquisition, maintenance and use, and finally disengagement in the form of scrapping or selling the item. Coetzee says corporations must ensure they purchase the right access solutions to provide their company with a level of risk mitigation required due to the sensitivity of the access granted. Once again an audit trail must be maintained throughout the process to accurately verify who did what, when.

When the item is disposed of, Coetzee says it needs to be wiped clean. In other words, any sensitive data or access codes need to be removed, leaving a 'blank slate' that will be of no use to anyone trying to gain unauthorised access to the firm’s logical resources or information. There have been many cases of companies giving old computers away, for example, without removing databases of customer information. Not only does this put you at risk of legal action, your brand’s reputation could also suffer.


When it comes to processes, it all boils down to the trust associated with the level of access each one requires. Coetzee says there are two categories of processes, transactional and operational.

Operational processes

Operational processes deal with who does what and the associated authorisations each individual has to do their work.

Transactional processes

Transactional processes deal with issues such as approving transactions and customer credit limits, as well as the authorisation of transactions completed by other employees. These are sensitive responsibilities and the processes need to ensure only authorised people are able to carry them out and that there is a complete identity chain linking all actions to a verified identity (in other words, a person).

Both types need to be driven by a process lifecycle which is divided into four phases:

1. The request phase in which the employee asks to gain access to a resource to perform a function.

2. The authorisation phase in which the IAM solution authenticates the user and determines if he/she has permission to perform the requested action.

3. The execution phase which allows the function to run, having determined that the user is who they claim to be and is authorised to do this type of transaction.

4. The audit phase, based on the identity chain, which provides a full history should any queries be raised about the transaction.

There is an IAM lifecycle for each of the three Ps that ensures people, possessions and processes within a company are properly secured and accessible only to authorised individuals. Moreover, IAM solutions based on these principles ensure a full identity chain is created no matter what employees or visitors are doing. However, leaving one of the Ps out of the equation results in gaps in a company’s security posture, which in effect means it is vulnerable to attacks from without and within.


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Enhanced biometric technology for mines
September 2019, ZKTeco , Mining (Industry), Access Control & Identity Management
Biometric identification and authentication are currently used at various mines in South Africa and in the SADC region.

Improving access in mines
October 2019, Astra Fasteners , Mining (Industry), Access Control & Identity Management, Products
The VP1 controller provides full access control and remote monitoring of intelligent locks without having to wire into a network or install, manage and maintain software.

Invixium and Pyro-Tech partner in South Africa
October 2019 , News, Access Control & Identity Management
Invixium, a manufacturer of IP-based biometric solutions and Pyro-Tech Security Suppliers have announced a new distribution partnership.

Suprema receives FBI PIV/FAP30 certification
October 2019, Suprema , News, Access Control & Identity Management
Suprema has announced that the company's BioMini Slim 3 has received FBI PIV (Personal Identity Verification) and Mobile ID FAP30 certification.

Frictionless access with a wave
October 2019, IDEMIA , Access Control & Identity Management, Residential Estate (Industry)
IDEMIA was the Platinum Sponsor for the Residential Estate Security Conference 2019 and set up its MorphoWave Compact frictionless fingerprint biometric scanner at the entrance to the conference.

Streamlined access and reporting
October 2019, Comb Communications , Access Control & Identity Management, Residential Estate (Industry)
The main focus of the Comb stand was its practical demonstration of the MK II Lite intercom system with third-party integrated products.

Customised and integrated solutions
October 2019, Suprema , Access Control & Identity Management, Residential Estate (Industry)
iVisit offers both high-end and low-end residential complexes a cost-effective visitor management solution that is fully integrated into Suprema's offerings.

Access solutions for every estate
October 2019, Impro Technologies , Access Control & Identity Management, Residential Estate (Industry)
Impro's flagship Access Portal solution comprises one of the most user-friendly software solutions on the market.

SALTO achieves Environmental Product Declaration (EPD)
October 2019, Salto Systems Africa , News, Access Control & Identity Management
SALTO Systems has announced that it has received the first Environmental Product Declaration (EPD) for XS4 smart locking solutions, including the XS4 Original model for the European and Scandinavian standard ...

Managing staff effectively
September 2019, dormakaba South Africa, iPulse Systems , Integrated Solutions, Access Control & Identity Management
Workforce management solutions allow organisations to track the relationship between productivity and the cost of employment, incorporating issues such as health and safety, T&A, rostering and more.