Integrating identity management and access control is a fact of business life today; however, its implementation is fraught with difficulties, including who is responsible for the project and how to make vendors give customers what they want. Hi-Tech Security Solutions held a round table discussion with a few players in the field.
Just how prevalent is integrating access control and identity management in business today? While the obvious answer would be to say everyone is doing it or wants to do it, we need to consider the tough economic times we are in and the expectation of worsening conditions through the year. Is this something businesses are going to do regardless?
As can be expected, while companies are tightening their belts, they are also keenly focused on improving all aspects of the security areas they have control over – a common South African trait. This means finding ways to prevent buddy clocking, using whatever ethical means at their disposal to limit theft and fraud, and, when they can have an impact, protecting their customers.
Of course there are few companies that will embark on company-wide changes in this economy. Most are satisfied with incremental changes on the path to a big-picture overhaul. The critical factor they face is integrating their current access control and identity management functionality into one centrally managed system – security vendors are not renowned for their adoption of open standards.
Nonetheless, they are making progress, opting for reliable advice from integrators and installers who can either deliver the goods, or build the teams necessary for delivery. Gareth Yeo, business process owner (marketing and HR) at Pick ’n Pay Information Services confirms this is an area his company is working on.
“My focus is ... HR specifically at the access point and it is one of the initiatives we are looking at, at this point,” Yeo says.
He adds that currently he is predominantly focused on time and attendance integration and has had no major issues with technology and its ability to interoperate. Looking forward, however, the concern for Pick ’n Pay is in the next phases when it starts integrating into turnstiles and point of sale devices, “because it then becomes mission critical, you cannot have a cashier unable to access the point of sale for any reason.”
Yeo also notes the need to implement effective reporting of integrated systems, making better use of the data collected to further optimise the company’s operations. It is not only about integrating biometric access control to the tills. In the long run he foresees the integrated solution encompassing everything, including who can access the server room or who did access it when a server went down, for example.
As Yeo notes, the impact of integration is more than simply a question of making different technologies work together. As has been seen in the IP CCTV space, IT and security people are not the best of friends when it comes to working together and allowing each other in. An integration project also requires someone to manage the integration and cooperation of people.
Who owns who
It is not only a matter of IT and security working together to create an integrated solution, it is about control. If you use IT’s network, does IT own the project in its entirety? Does the security manager now report to IT? Or, since all the equipment and know-how belongs to security, does IT report to security? How about a cooperative effort, is it even possible? And since we are talking about identification here, why is HR (human resources) not in control since it is supposedly the custodian of data on the company’s employees?
Mike Smiles, MD of Masc Solutions, notes there is a reluctance on the part of each of these parties to relinquish control. “There is nothing preventing you having the level of integration that you are looking for, but there is most certainly a barrier being raised by many IT professionals because they are not supporters of moving the security platform onto their network.”
He raises the point, however, that IT and security are necessary functions in a business and need to support the business. Should the users not be controlling information they use to do business?
Yeo adds that Pick ’n Pay keeps its information centrally “within our current IT department, managed by and supported by our IT department. We would be reluctant not to have it that way; in other words, having a separate service residing with the security department because integration then becomes a nightmare.”
Glynn Brookes, director at Evolving Management Solutions, adds, “IT may be the people controlling the system, but HR must be the people who are distributing the data. I think at the end of the day, if the data is not available to the people like managers then you are going to have serious problems and be in the situation where you have disparate systems, desperately trying to communicate, with HR controlling parts of it and security guys trying to control the other side, both with limited success.”
Dereck Sigamoney of Bytes Systems Integration, Pick ’n Pay’s system integrator, disagrees saying it is “a bit of a misnomer to think that HR has a repository with all this information. I think in large organisations, HR really does not have all this information – where employees should be, what they should be doing, when they should be there and so forth.”
That information is quite well dispersed across the company and sometimes resides in people’s heads. It is the job of the integrator to find the data and integrate it into the solution provided, using IT as the support or conduit for secure access and identity processes.
“I think standards need to be put into place regarding where are you housing this information and what type of information is it,” Sigamoney adds. “I advise the approach of looking at IT as the conduit to delivery, not the custodian of discretion because they are not security personnel and they should not be bogged down with security personnel activities and duties.”
Standards and governance
When talking about integration, it always comes down to a matter of standards. If every vendor develops its own intellectual capital and tries to force customers to stick to its product range, integration will always be a sticky issue. In the security world this not only applies to technology, but people as well. Brookes points out that even when hiring guards to protect premises and/or equipment, the customer accepts that guards conform to some standard in terms of training and experience, but has no idea if the guards’ standards meet the company’s criteria.
There are no broad standards in South Africa that tie security and business operations together under a common governance platform. A set of governance standards would ideally offer businesses a best practice methodology in running their companies effectively, naturally incorporating security into the best practices.
This local lack is not stopping larger organisations from applying standards, however. Smiles says the USA’s Sarbanes-Oxley (SOX) Act is being applied in South Africa by those looking for a reliable process with which to govern their organisations, including the logical and physical access compliance aspect – even though it is not law here.
SOX itself is usually associated with corporate governance rather than optimised and secure business processes. It is therefore necessary to help customers take their governance standards to the next level.
“The game has changed completely,” says Smiles, “and I think the customers are looking to us to help them through the corporate governance process, down to how they actually provision a person from the start all the way through until they leave the company. And this applies to contractors that arrive on a daily basis as well as to those who work there for years.”
Brookes adds that governance processes need to be implemented in such a way that they occur at every level of the company, implemented in a standardised manner. And this is often where issues arise.
Corporate governance is the component that says 'you shall not steal in our store', says Sigamoney. It is the compliance processes making this governance principle a reality that cause problems and which need a standardised implementation approach. Mike Ellison from Bytes Systems Integration supports this, noting that governance rules span environments; installers and integrators need to take those broad guidelines and incorporate them with the work rules specific to the business the client is in.
Ubusha Technologies’ Julie Wagstaff looks at the issue from a different angle. “We touch on identity with all our clients so most of our interactions are based on moves into the physical access space from the logical area.”
Ubusha has two clients that have integrated their identity and access controls to various degrees. The motivation, especially in one case, is to reduce fraud. Ensuring a person is who he/she claims to be is critical in reducing fraud and other forms of criminality. Crucial to this capability is tying all forms of access and identification into one central (and trusted) database. The next step is to associate the relevant roles according to who you are and what you want, including for visitors. “It is a process of integrating information identities with biometric identities to know who is who in the organisation, what they have access to according to their assigned roles.”
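The two ideas above, a single trusted identity record that drives both logical and physical access according to assigned roles, and Smiles’ point that provisioning must run from the day a person (or contractor) arrives until the day they leave, can be illustrated in code. The following is an added example written for this article; it is not code from Ubusha, Bytes, Pick ’n Pay or any other participant. The role names, resource names, person identifiers and dates are all constructed for illustration. It computes the access each identity should hold from its roles and contract status, then reconciles that against what the individual systems (a point-of-sale application, a VPN, a turnstile, a server-room door) actually grant, flagging access that should have been revoked, access that was never provisioned, and identities unknown to the central store.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Constructed role model (assumption, not from the article): each role grants
# entitlements in two domains, "logical" (network/application) and "physical"
# (doors/turnstiles), so one identity record drives both kinds of access.
ROLE_ENTITLEMENTS: Dict[str, Dict[str, Set[str]]] = {
    "cashier":       {"logical": {"pos-app"},                 "physical": {"staff-turnstile"}},
    "store-manager": {"logical": {"pos-app", "hr-reports"},   "physical": {"staff-turnstile", "cash-office"}},
    "it-engineer":   {"logical": {"vpn", "admin-console"},    "physical": {"staff-turnstile", "server-room"}},
    "visitor":       {"logical": set(),                       "physical": {"visitor-gate"}},
}


@dataclass(frozen=True)
class Identity:
    """One record in the central, trusted identity store."""
    person_id: str
    roles: FrozenSet[str]
    contract_end: Optional[date]  # None for permanent staff; a date for contractors


def is_active(identity: Identity, today: date) -> bool:
    """A person is active until their contract end date has passed (or indefinitely if permanent)."""
    return identity.contract_end is None or identity.contract_end >= today


def desired_access(identity: Identity, today: date) -> Dict[str, Set[str]]:
    """Union of the entitlements of all the person's roles; nothing at all once they have left."""
    desired: Dict[str, Set[str]] = {"logical": set(), "physical": set()}
    if not is_active(identity, today):
        return desired  # leaver: every entitlement in every domain must be gone
    for role in identity.roles:
        for domain, resources in ROLE_ENTITLEMENTS[role].items():
            desired[domain] |= resources
    return desired


Finding = Tuple[str, str, str, str]  # (person_id, domain, resource, kind)


def reconcile(identities: List[Identity],
              actual: Dict[str, Dict[str, Set[str]]],
              today: date) -> List[Finding]:
    """Compare what each system currently grants ('actual') with what the identity store says it should.

    Kinds of finding:
      orphaned         - granted by a system but no longer justified by role/contract
      missing          - justified by role but not provisioned in the system
      unknown-identity - a system holds an id that the central store does not know
    """
    findings: List[Finding] = []
    known = {ident.person_id for ident in identities}
    for ident in identities:
        desired = desired_access(ident, today)
        for domain in ("logical", "physical"):
            # Check every resource the system knows plus every resource the role model wants,
            # so a resource the system has never heard of still shows up as "missing".
            resources = set(actual[domain]) | desired[domain]
            for resource in sorted(resources):
                holders = actual[domain].get(resource, set())
                has, should = ident.person_id in holders, resource in desired[domain]
                if has and not should:
                    findings.append((ident.person_id, domain, resource, "orphaned"))
                elif should and not has:
                    findings.append((ident.person_id, domain, resource, "missing"))
    for domain in ("logical", "physical"):
        for resource, holders in actual[domain].items():
            for pid in holders - known:
                findings.append((pid, domain, resource, "unknown-identity"))
    return sorted(findings)


def sample_reconciliation() -> List[Finding]:
    """Constructed sample data: one permanent cashier, one contractor whose contract ended yesterday,
    one store manager, plus a turnstile entry for someone the identity store has never registered."""
    today = date(2024, 6, 1)
    identities = [
        Identity("alice", frozenset({"cashier"}), None),
        Identity("bob", frozenset({"it-engineer"}), date(2024, 5, 31)),  # contract expired
        Identity("carol", frozenset({"store-manager"}), None),
    ]
    # What each downstream system currently grants (constructed snapshot).
    actual = {
        "logical":  {"pos-app": {"alice", "carol"}, "hr-reports": {"carol"},
                     "vpn": {"bob"}, "admin-console": set()},
        "physical": {"staff-turnstile": {"alice", "bob", "carol", "dave"},
                     "server-room": {"bob"}, "cash-office": set(), "visitor-gate": set()},
    }
    return reconcile(identities, actual, today)


if __name__ == "__main__":
    for person, domain, resource, kind in sample_reconciliation():
        print(f"{kind:17} {person:6} {domain:8} {resource}")
```

Run as a script, it lists the contractor’s three leftover grants (VPN, turnstile, server room), the manager’s unprovisioned cash-office door, and the unregistered turnstile credential. The same reconciliation, run on a schedule against real exports from each system, is what turns the “provision from start to leave” principle into something that can be checked rather than assumed.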
Wagstaff suggests the American HSPD-12 (see box) standard is a good example of where integration exercises should go – although it is unlikely we will see this type of standard in South Africa.
Know the rules
No matter how one looks at the governance/standards debate and which particular set is chosen for a particular company, the key issue in every company and every project is getting the high-level stipulations that look good on paper down to the working world. Keeping your shop locked so that customers cannot get in is a good way to stop shoplifting, but it does not really support the business. Effective security processes need to incorporate the needs and processes of the business in their design.
“Most corporates fail because they do not know their work rules before they try to implement their security systems,” explains Ellison. “Unless you understand how you want to manage your business it is very difficult for you or any other party to expect a service provider to do a good job. They can and will guide you with advice, but without the right information they cannot guarantee they will be able to give you sufficient information or meet your nebulous requirements.”
There are generally two scenarios installers and integrators come across. In the one the client asks advice and the service provider or a consultant can construct a working solution in cooperation with the client – assuming the information required is available or can be determined through investigations. The other is the tender process where a level playing field is seldom the case as preferred vendors are asked to contribute and sometimes write the tender document.
Brookes adds that these processes are fraught with risk as some clients make the right sounds, but end up opting for the cheapest solutions available, even playing service providers off against each other.
Julian Thorrold, director of IDtek Solutions has experienced a different take on the turf wars. He says the usual situation is that a large facility is looking for an integrated security and fire solution, for example, and opts for a platform that does it all. The person deciding on the platform of choice will then tender for additional kit based on the platform and his/her preferences. The project then starts with a limited rollout, such as card or biometric readers, depending on the situation. The IT department is in a hands-off 'just keep it off my network' mode.
The ideal would be that the vendors make the effort to deliver the optimal product in their sphere of expertise and allow other vendors access to their systems via open interfaces or software development kits. In that way, when the project expands and is logically integrated into other security and operational components of the business, there is no need to reinstall hardware. IT will easily be able to integrate what needs to be integrated without reinventing the wheel.
Of course, these instances do exist, primarily when choosing everything from one vendor. However, a move to open standards and integration is happening in some vendors that realise they will be part of a diverse solution and not the exclusive owner – sadly many industry leaders will still try to own customers by nefarious means for some time. IT and system integrators can generally get around proprietary systems, as many of the round table participants testify, but the hassle and cost involved in integrating proprietary systems is unnecessary – and ongoing.
Naturally, in this scenario, as soon as integration needs to happen and data needs to travel, IT is brought into the situation and throws another spanner in the works because IT has its own way of working and dealing with suppliers and partners. This takes the company back to the task of integrating disparate people and processes, all terrified of becoming obsolete.
Ellison admits that the actual access control devices used will be proprietary and the vendors may not want to make it too easy to mix and match these systems any time soon. However, he adds, “once you move away from your core access control hardware, that is the hardware that controls those card readers, everything beyond that should in essence be open and non-proprietary.”
This is where IT people can assist as they have been through the open/proprietary fight.
He admits this does not always happen and the lack of openness often causes problems for companies when they cannot integrate their chosen solutions into their access control – which means they need to start buying new hardware or pay integrators to make the systems play ball. “Truly open systems will integrate with a much wider range of products from a much wider range of suppliers, giving the end user a much bigger choice when selecting point of sale, identity management, video products and so forth,” he adds. “The critical question for the client is to identify its core system and then understand what it integrates with.”
Although there are good reasons to opt for best-of-breed solutions for each part of your security infrastructure, Wagstaff notes that, from an architecture perspective, it is ideal for companies to standardise on one specific access control system. If you have disparate systems scattered across your organisation, as government has, it is going to cost money and the client may be forced to look at upgrading or buying totally new technology in some cases.
Brookes notes it is important to understand that integration is all about data, not about getting into and out of a building. Integration is about data being moved to and fro, and ultimately used to optimise processes and operations. However, if the physical system is not of good quality and is not maintained and operating correctly, you have no data. That means you have no control and your business is vulnerable.
Little things count
Agreeing with this, 4C Technology’s Mark Kane believes that most of the access control products available on the market are pretty good and they do the job intended whether installed as stand-alone systems or integrated with other technologies. Many problems people find in integration projects stem from the physical installation and the integrators doing the work.
Depending on the skills of the installer, a standalone system may appear to be working well until it is expected to work in an integrated solution – then problems start and service professionals turn out to be not quite so professional. “Quite often a change of installer will change a non-working problem into one that works perfectly well,” Kane says.
On a positive note, Thorrold notes that spending time with the client will often provide a clear answer as to what to install as the client will insist on certified solutions that integrate with their business software or with certain existing preconditions. This is where effective consulting services come into play as the time needed to understand what the client really wants is often cut short by integrators and vendors for the sake of making a sale.
Yeo agrees, noting Pick ’n Pay has invested substantially in its business software, and insists its vendors deliver proposed solutions that integrate effortlessly into its systems.
Ellison says this seemingly simple process often fails because the consultant hired to specify the solution fails to document the genuine requirements of the client, either by rushing or by not having the correct experience to understand what is required, or by trying to find a solution that fits within the budget, but does not actually give the client anything.
However, according to Thorrold, the problem is there are no “truly independent consultants out there who are product diagnostic. If you have a proper consultant who has done his/her homework, spends time with the customer and then goes out and speaks to the suppliers, the customer then has a very good chance of getting what it needs.”
All told, integrated access management and identity is one of those concepts that is a must-have in every organisation’s future. The actual process of making it happen in a company that already has disparate solutions in operation is where we hit a snag. Integrators can use software to force the issue and drag proprietary products into an integrated solution, but this approach has its own cost, reliability and perhaps even warranty issues.
The solution? Sadly, vendors are not going to come to the party to make their clients’ lives any easier so it will be up to consultants and integrators to provide solutions that do the job today and are designed to handle changes in technology and business requirements over their lifespans. Easier said than done when the focus today seems to be on making a sale, any sale at any cost.
What is more, internal politics will need to be squashed. Sun Microsystems used to say 'the network is the computer'; today’s convergent reality is 'the network is the company'. If integrators and consultants are to have any success at integration projects, IT will need to learn to work with other departments; at the same time, other departments will need to learn to work with IT, as it has the skills and experience in managing, protecting and transporting data, which is the lifeblood of every company.
In August 2004, as part of ongoing efforts to heighten resource protection within US government agencies, President Bush issued Homeland Security Presidential Directive (HSPD-12) to establish a policy for a common identification standard for all federal employees and contractors. The identification standard, as delineated in the FIPS PUB 201 document, addresses operational requirements, technical frameworks, architecture and specifications for an automated system that provides secure and reliable forms of identification.
According to the standard a secure and reliable automated system that complies with HSPD-12 must establish the true identity of an individual and control their access to all logical systems and physical facilities. To make that happen, smart cards or Common Access Cards (CACs) must be issued to agency employees and contractors, and must provide authentication to networks and applications based on the specific roles of individuals within the government. These cards should also do double duty by granting access to federal buildings in accordance with the user’s security clearance level. They must interoperate with IT systems from multiple vendors.
A full description is found in a positioning paper by Novell, Novell’s Identity Assurance Solution for HSPD-12, downloadable at http://www.novell.com/industries/government/northamerica/novell_position_paper.pdf.
© Technews Publishing (Pty) Ltd | All Rights Reserved