Logical and physical security

September 2008 Access Control & Identity Management

Many large organisations operate broad-based departmental structures. Frequently, there is a form of federation within these organisations and this implies that budgets and decision making is managed by the various business units. In certain circumstances, we may see a central body that provides a form of strategic direction, though often-times these folks hold no budget and are therefore not recognised early within the decision making processes.

A few years ago I was tasked by one such organisation to define some high level policies that would be based on principles agreed upon by a few decision makers. The said policy was for identity and access management, which can be a big issue. When doing this for a large financial institution and a multinational to boot, the matter can only get complicated.

I very soon found myself amidst a logical access nightmare that spanned mainframes, two flavours of Unix, AS400 as well as Microsoft Windows. This com-plexity served a large number of users and a business that has invested in COTS applications, as well as many home grown applications. To add to the complexity, a web access management project was also in the mix where internal as well as hundreds of thousands of external user accesses had to be managed.

To top it off the company had offices across South Africa, some more in Sub Saharan Africa, as well as a few in the EU. Oh, and lest I forget, the physical access system was not just one system as some buildings were managed by external parties, leaving an additional few complications in the mix.

At the physical access side I had my first head butt with 'the wall'. They (PHYSICAL SECURITY) were not of the opinion that centralised ID management could benefit them. After all, they have run a database with user information, building access entitlements and some additional attributes for a long time, issuing access cards with some form of RFID for physical access.

My next challenge was with HR. They now have one HR system for all users, but then there were a few such systems, and like many other similar companies they do make use of contractors. Out-sourcing of various functions will leave you with more than one data source for your user population.

When I start talking to companies about automation of user provisioning (as well as de-provisioning) the conversation soon swings to the many different roles that they have for users as well as the various job codes and pay grades.

Now clearly with 1000 users it will be less than optimal to define 999 distinct IT systems access roles. Clearly a form of audit will be required to reconcile this into succinct user roles. As a start this may take the form of defining only a few roles that cover a number of common roles with many common access types within these few roles. An example may be that all users will have a MS AD account to authenticate to the network, plus they all have an e-mail account and access to the Internet through a proxy server. A second role could be all IT systems administrators that will have privileged access to systems plus all of the above.

Now clearly we have to deal with the issue of granting a normal user access to the IT admin role when he/she is moved into a new role, and having a high level of automation is exactly what an identity management system wants to achieve. Moreover, by integrating the IdM system into the physical access system will: deposit new user information from an authoritative source where it is required, and deactivate the user across all previously provisioned systems when he/she leaves. An additional benefit is that the user data does not have to be manually captured, reducing errors and effort for all concerned.

Some companies also make use of strong or two-factor authentication for accessing some systems or gaining access via remote access systems. In such cases an additional authentication credential needs to be provided to the user, often-times in the form of a token that generates authentication codes based on an internal cryptographic key and time. These devices now need to be tied to the user, to the user's account as well as integrated into the various business applications that can or should 'consume' these stronger forms of authentication.

Here too an IdM solution can play a significant role as a user can, on receipt of such a token, use self service via a Web-based user administrative portal to activate the token and also administrate his/her accesses and additional system privileges. Once again, the added benefit is that when his/her services are terminated, his/her reporting manager will know what assets (in this case a token) need to be reclaimed and can instruct the IdM system to remove all of his/her accesses to the various systems in one go, thereby reducing audit exceptions of orphan accounts.

My biggest lesson learned at that time was to engage with all parties early and to position business benefits as well as cost savings, risk reduction and ease of compliance reporting all of the time.

For more information contact Cathy Burns, marketing and communications manager, EMC, +27 (0)11 202 0033, [email protected]





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

The future of security: intelligent automation
Access Control & Identity Management AI & Data Analytics IoT & Automation
As the security landscape evolves, businesses are no longer looking for stand-alone solutions, they want connected, intelligent systems that automate, streamline, and protect.

Read more...
Smart automation is changing security
SA Technologies IntelliGuard Access Control & Identity Management
Security has come a long way from manual check-ins, logbooks, and standalone surveillance cameras. With the rise of intelligent automation, security is now faster, smarter, and more connected than ever.

Read more...
The future of security in South Africa
ATG Digital Access Control & Identity Management
Security technology is evolving rapidly, but is local innovation keeping pace? Some global players recognise the potential of South African products for international markets, but can our manufacturers and service providers thrive without external support?

Read more...
Integration enhances estate access control
Access Control & Identity Management
With one-third of residential burglaries starting at the front door, the continued seamless integration of Glovent’s estate management platform with Impro access control software is welcome news for estates.

Read more...
T&A in South Africa’s retail sector
ERS Biometrics Access Control & Identity Management
Using existing systems, ERSBio provides a practical and more cost-effective way for businesses to manage operations, reduce payroll mistakes, and enhance overall efficiency through innovative T&A processes.

Read more...
Navigating the complexities of privileged access management
Editor's Choice Access Control & Identity Management
Privileged Access Management and Identity Access Management are critical pillars of modern cybersecurity, designed to secure access to sensitive resources, enforce principles like least privilege, and implement just-in-time access controls.

Read more...
Paxton opens second experience centre
Paxton News & Events Access Control & Identity Management
Security technology manufacturer, Paxton, has opened a new experience centre in Cape Town on 12 February in partnership with its exclusive distributors, Reditron and Regal Security.

Read more...
DoorBell with built-in AI
Ajax Systems Access Control & Identity Management Products & Solutions Smart Home Automation
Ajax Systems has announced the release of Ajax DoorBell, which features built-in AI, an IR sensor, and app control, seamlessly integrating into the Ajax ecosystem to ensure efficiency and security confidence.

Read more...
Physical security evolving beyond security teams
ATG Digital Access Control & Identity Management
The landscape of physical security is undergoing a major shift. Traditionally, selecting access control and visitor management solutions fell squarely on the shoulders of security professionals, but today includes legal, IT, technical operations and more.

Read more...
A passwordless future?
Access Control & Identity Management
The digital landscape is evolving rapidly, and with it comes the urgent need for more secure authentication methods. Passwords, once the cornerstone of online security, are now easy targets for cybercriminals.

Read more...