Logical and physical security

September 2008 Access Control & Identity Management

Many large organisations operate broad-based departmental structures. Frequently there is a form of federation within these organisations, which implies that budgets and decision making are managed by the various business units. In certain circumstances we may see a central body that provides a form of strategic direction, though oftentimes these bodies hold no budget and are therefore not recognised early in the decision making process.

A few years ago I was tasked by one such organisation to define some high level policies that would be based on principles agreed upon by a few decision makers. The said policy was for identity and access management, which can be a big issue. When doing this for a large financial institution and a multinational to boot, the matter can only get complicated.

I very soon found myself amidst a logical access nightmare that spanned mainframes, two flavours of Unix, AS400 as well as Microsoft Windows. This complexity served a large number of users and a business that has invested in COTS applications, as well as many home grown applications. To add to the complexity, a web access management project was also in the mix, where internal as well as hundreds of thousands of external user accesses had to be managed.

To top it off the company had offices across South Africa, some more in Sub Saharan Africa, as well as a few in the EU. Oh, and lest I forget, the physical access system was not just one system as some buildings were managed by external parties, leaving an additional few complications in the mix.

On the physical access side I had my first head-butt with 'the wall'. They (PHYSICAL SECURITY) were not of the opinion that centralised ID management could benefit them. After all, they had run a database with user information, building access entitlements and some additional attributes for a long time, issuing access cards with some form of RFID for physical access.

My next challenge was with HR. They now have one HR system for all users, but at the time there were a few such systems, and like many other similar companies they make use of contractors. Outsourcing of various functions will leave you with more than one data source for your user population.

When I start talking to companies about automation of user provisioning (as well as de-provisioning) the conversation soon swings to the many different roles that they have for users as well as the various job codes and pay grades.

Now clearly, with 1000 users it will be less than optimal to define 999 distinct IT systems access roles. A form of audit will be required to reconcile these into a succinct set of user roles. As a start this may take the form of defining only a few roles, each covering a number of common job functions that share many common access types. An example may be that all users have an MS AD account to authenticate to the network, plus an e-mail account and access to the Internet through a proxy server. A second role could be all IT systems administrators, who have privileged access to systems in addition to all of the above.

Now clearly we have to deal with the issue of granting a normal user access to the IT admin role when he/she is moved into a new position, and a high level of automation is exactly what an identity management system wants to achieve. Moreover, integrating the IdM system with the physical access system will deposit new user information from an authoritative source where it is required, and deactivate the user across all previously provisioned systems when he/she leaves. An additional benefit is that the user data does not have to be manually captured, reducing errors and effort for all concerned.

Some companies also make use of strong or two-factor authentication for accessing some systems or for gaining entry via remote access systems. In such cases an additional authentication credential needs to be provided to the user, oftentimes in the form of a token that generates authentication codes based on an internal cryptographic key and the current time. These devices now need to be tied to the user and to the user's account, as well as integrated into the various business applications that can or should 'consume' these stronger forms of authentication.

Here too an IdM solution can play a significant role: a user can, on receipt of such a token, use self service via a Web-based user administration portal to activate the token and also administer his/her accesses and additional system privileges. Once again, the added benefit is that when his/her services are terminated, his/her reporting manager will know what assets (in this case a token) need to be reclaimed and can instruct the IdM system to remove all of his/her accesses to the various systems in one go, thereby reducing audit exceptions for orphan accounts.
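The role model, joiner/mover/leaver automation and asset reclamation described in the last few paragraphs can be sketched as a small reconciliation routine. This is an added example and not code from the article or from any IdM product; the role names, entitlement names, the HR records and the snapshot of provisioned accounts are all constructed for illustration.

```python
# Added example: role-based provisioning with reconciliation against an
# authoritative (HR) source. All names and data below are constructed.

# Roles bundle common access types; it_admin inherits everything in base_user.
ROLES = {
    "base_user": {"ad_account", "email", "internet_proxy", "building_badge"},
    "it_admin": {"privileged_access", "otp_token"},
}
ROLE_PARENTS = {"it_admin": ("base_user",)}
# Entitlements that are physical assets a manager must reclaim on leaving.
PHYSICAL_ASSETS = {"building_badge", "otp_token"}


def entitlements_for(roles):
    """Expand a set of roles (and their parent roles) into concrete entitlements."""
    result, stack = set(), list(roles)
    while stack:
        role = stack.pop()
        result |= ROLES[role]
        stack.extend(ROLE_PARENTS.get(role, ()))
    return result


def reconcile(hr, provisioned):
    """Compare what HR says (status, roles) with what target systems hold.
    Returns per-user grant/revoke lists and flags orphan accounts, i.e.
    accounts for users HR lists as terminated or does not know at all."""
    actions = {}
    for user, current in provisioned.items():
        status, roles = hr.get(user, ("unknown", set()))
        target = entitlements_for(roles) if status == "active" else set()
        actions[user] = {"grant": sorted(target - current),
                         "revoke": sorted(current - target),
                         "orphan": status != "active"}
    for user, (status, roles) in hr.items():     # joiners not yet in any system
        if status == "active" and user not in provisioned:
            actions[user] = {"grant": sorted(entitlements_for(roles)),
                             "revoke": [], "orphan": False}
    return actions


def assets_to_reclaim(actions):
    """Physical assets (badge, token) that appear in a user's revoke list."""
    return {u: sorted(set(a["revoke"]) & PHYSICAL_ASSETS)
            for u, a in actions.items() if set(a["revoke"]) & PHYSICAL_ASSETS}


# Constructed sample: HR is authoritative; bob was just moved into IT admin,
# carol has left, and dave is unknown to HR (a contractor nobody recorded).
HR = {"alice": ("active", {"base_user"}), "bob": ("active", {"it_admin"}),
      "carol": ("terminated", set())}
PROVISIONED = {"alice": ROLES["base_user"], "bob": set(ROLES["base_user"]),
               "carol": {"ad_account", "building_badge"}, "dave": {"ad_account"}}
```

Running `reconcile(HR, PROVISIONED)` shows bob gaining the admin entitlements, carol and dave flagged as orphan accounts with everything revoked, and `assets_to_reclaim` listing carol's badge for her manager.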

My biggest lesson learned at that time was to engage with all parties early and to position business benefits as well as cost savings, risk reduction and ease of compliance reporting all of the time.

For more information contact Cathy Burns, marketing and communications manager, EMC, +27 (0)11 202 0033, [email protected]

