Combine and standardise physical and IT security measures to minimise risk

November 2007 Access Control & Identity Management

Organisations incur significant overheads, as well as generate increased security risks, when employees misuse or abuse network resources.

Serious losses – of financial and competitive edge in particular – are incurred when intellectual property or sensitive information leaves the confines of the organisation or when computer fraud occurs.

“Users on the inside have access to business critical system resources, making the network susceptible to attacks and exploitation through the use of their privileged status,” says Karel Rode, solutions strategist at CA.

Up to and including the early nineties, an insider was defined as someone who had physical access to a computing facility – typically an employee or the system administrator. Physical security was deemed to be sufficient, as a security guard was able to identify individuals – a precaution that was enhanced by the ‘second factor’ authentication of a swipe card.

“This principle is no longer applicable and an insider is no longer referred to as an employee of the company, as this would give a contractor or temp similar privileges. Additionally, the user may connect via a remote access connection, removing physical access considerations,” Rode says.

“Someone who has achieved insider privileges, by gaining access to a computer, could pose a potential threat. This means that significant technical controls to protect against privilege abuse are needed. Without the proper security policies and governance, it is hard to accurately identify the level of threat and even harder to appropriately implement preventative controls,” he adds.

Reducing the risk

So what can companies do to reduce the risk of information loss, whilst providing staff with the required access to network facilities?

One possible solution would be to merge physical and IT security, says Rode.

Rode suggests that the most practical point of departure would be for companies to look closely at their user populations and determine where the most accurate store of active users exists within the company. This might be the current HR system for permanent staff and some other data store for contractors and temps.

He adds that companies must reconsider their current process for issuing corporate badges to employees. As companies expand in large campus environments, employees might need access to multiple buildings where each location has a different physical access control system. This is a situation that may not be under a company’s control if the company is a tenant and does not have input into the building access systems.

Rode suggests standardising staff security measures. This would make it possible for the company to limit staff access to areas and resources that pertain to their role. Companies could even limit access to certain times of the day. This approach would benefit companies that want to limit shift workers who only need to access selected zones at specified times. Taking things a step further, companies that run IP video surveillance, would be able to track, monitor and record any instances where a violation or failed repeated access has taken place.

“This leaves us with the logical access to systems, resources, applications, files and folders. The logical access scenario will succeed if companies have a data classification standard in place, which they can use within the rule definition process. This will ensure that only designated users with specific group membership or directory attributes can gain access to read, modify or delete files, or access application resources within their designated realm,” Rode concludes.

For more information contact Karel Rode, Computer Associates, +27 (0)11 236 9152,,

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Enhanced biometric technology for mines
September 2019, ZKTeco , Mining (Industry), Access Control & Identity Management
Biometric identification and authentication are currently used at various mines in South Africa and in the SADC region.

Improving access in mines
October 2019, Astra Fasteners , Mining (Industry), Access Control & Identity Management, Products
The VP1 controller provides full access control and remote monitoring of intelligent locks without having to wire into a network or install, manage and maintain software.

Invixium and Pyro-Tech partner in South Africa
October 2019 , News, Access Control & Identity Management
Invixium, a manufacturer of IP-based biometric solutions and Pyro-Tech Security Suppliers have announced a new distribution partnership.

Suprema receives FBI PIV/FAP30 certification
October 2019, Suprema , News, Access Control & Identity Management
Suprema has announced that the company's BioMini Slim 3 has received FBI PIV (Personal Identity Verification) and Mobile ID FAP30 certification.

Frictionless access with a wave
October 2019, IDEMIA , Access Control & Identity Management, Residential Estate (Industry)
IDEMIA was the Platinum Sponsor for the Residential Estate Security Conference 2019 and set up its MorphoWave Compact frictionless fingerprint biometric scanner at the entrance to the conference.

Streamlined access and reporting
October 2019, Comb Communications , Access Control & Identity Management, Residential Estate (Industry)
The main focus of the Comb stand was its practical demonstration of the MK II Lite intercom system with third-party integrated products.

Customised and integrated solutions
October 2019, Suprema , Access Control & Identity Management, Residential Estate (Industry)
iVisit offers both high-end and low-end residential complexes a cost-effective visitor management solution that is fully integrated into Suprema's offerings.

Access solutions for every estate
October 2019, Impro Technologies , Access Control & Identity Management, Residential Estate (Industry)
Impro's flagship Access Portal solution comprises one of the most user-friendly software solutions on the market.

Managing staff effectively
September 2019, dormakaba South Africa, iPulse Systems , Integrated Solutions, Access Control & Identity Management
Workforce management solutions allow organisations to track the relationship between productivity and the cost of employment, incorporating issues such as health and safety, T&A, rostering and more.

Hennie Lategan joins Centurion as head of exports
September 2019, Centurion Systems , News, Access Control & Identity Management
Centurion Systems has announced the appointment of Hennie Lategan as the head of the company’s exports department.