The three Ps of identity management

Access & Identity Management Handbook 2011 Access Control & Identity Management

Marius Coetzee, COO, Ideco Biometric Security Solutions says an effective identity and access management solution must involve people, possessions and processes.

Marius Coetzee, COO, Ideco Biometric Security Solutions
Marius Coetzee, COO, Ideco Biometric Security Solutions

The many access and identity management solutions implemented in organisations today incorporate different technologies, best practices and skills. Some are based on access control solutions that have been expanded into broader identity solutions; others are based on high-level identity management solutions that drill down into multiple aspects of physical and logical access control.

According to Marius Coetzee, COO of Ideco Biometric Security Solutions, any successful identity and access management (IAM) solution must be based on the three Ps of effective identity management:

1. People.

2. Possessions.

3. Processes.

Traditionally, organisations focus on possessions, using access control and surveillance technologies to protect their assets and premises. These assets are perceived as valuable and are often the easiest to protect. People and processes can be complex entities to manage, requiring time, effort and expertise to successfully control.

The reality, according to Coetzee, is that any effective IAM solution must be built on the foundation of the three Ps if it is to offer the security and reliability organisations require. If any area is neglected, the result will be vulnerabilities that can lead to security breaches.


When dealing with people, it is crucial to determine the level of risk each person entering the organisation poses, whether employee or visitor. Once determined, there needs to be a set of processes that define how the person is handled, how the engagement with the individual or group takes place, the business relationship and the final disengagement when they leave.


As far as staff are concerned, Coetzee recommends screening new hires to confirm their background, criminal and credit records to ensure you have selected the right person for the job. This can be a complex process which must be scaled up to more intense screening for those people who will have access to more sensitive resources and facilities within the organisation and require, for example, specific governance and compliance skills, as well as higher training levels.

All these issues need to be clearly defined in the engagement process before an ongoing relationship is started. If done correctly, each individual will create an identity chain as they go about their daily work, clearly showing who did what, when; this identity chain will be auditable and non-repudiable, meaning there can be no mistake as to who is responsible for every action.

At the end of the relationship, when the individual disengages from the company, there must be a process in place to completely remove his/her access rights. Far too many companies have old employees that can still access the premises and IT resources because their disengagement was not properly handled. This is obviously a serious security breach.


When it comes to allowing visitors in, screening is not possible as their stays are usually short and the information they provide about themselves sparse. Coetzee recommends that each company defines what risk level is acceptable with respect to visitors and confines these guests to the access permissions relative to that level.

This decision is not an easy one. Many companies have experienced the consequences of allowing people claiming to be Telkom technicians or air conditioner maintenance crews free access to their premises. Defining a workable relationship and a manner of identifying those that should be allowed greater unaccompanied access must be developed and strictly implemented.


South African companies are of necessity experienced in protecting their physical possessions, but are not all that well prepared when it comes to protecting their logical assets. Logical security is a relatively new concept in IAM (we exclude common issues such as malware and spam protection) and there have been a number of initiatives to address this topic. Some of these include single sign-on, password replacement technologies and policies to manage the identities of people on cor-porate systems.

As with people, the process of asset management follows a path of acquisition, maintenance and use, and finally disengagement in the form of scrapping or selling the item. Coetzee says corporations must ensure they purchase the right access solutions to provide their company with a level of risk mitigation required due to the sensitivity of the access granted. Once again an audit trail must be maintained throughout the process to accurately verify who did what, when.

When the item is disposed of, Coetzee says it needs to be wiped clean. In other words, any sensitive data or access codes need to be removed, leaving a 'blank slate' that will be of no use to anyone trying to gain unauthorised access to the firm’s logical resources or information. There have been many cases of companies giving old computers away, for example, without removing databases of customer information. Not only does this put you at risk of legal action, your brand’s reputation could also suffer.


When it comes to processes, it all boils down to the trust associated with the level of access each one requires. Coetzee says there are two categories of processes, transactional and operational.

Operational processes

Operational processes deal with who does what and the associated authorisations each individual has to do their work.

Transactional processes

Transactional processes deal with issues such as approving transactions and customer credit limits, as well as the authorisation of transactions completed by other employees. These are sensitive responsibilities and the processes need to ensure only authorised people are able to carry them out and that there is a complete identity chain linking all actions to a verified identity (in other words, a person).

Both types need to be driven by a process lifecycle which is divided into four phases:

1. The request phase in which the employee asks to gain access to a resource to perform a function.

2. The authorisation phase in which the IAM solution authenticates the user and determines if he/she has permission to perform the requested action.

3. The execution phase which allows the function to run, having determined that the user is who they claim to be and is authorised to do this type of transaction.

4. The audit phase, based on the identity chain, which provides a full history should any queries be raised about the transaction.

There is an IAM lifecycle for each of the three Ps that ensures people, possessions and processes within a company are properly secured and accessible only to authorised individuals. Moreover, IAM solutions based on these principles ensure a full identity chain is created no matter what employees or visitors are doing. However, leaving one of the Ps out of the equation results in gaps in a company’s security posture, which in effect means it is vulnerable to attacks from without and within.


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

A contact-free hotel experience
Issue 7 2020, Technews Publishing , Access Control & Identity Management
Check-in and go straight to your room without stopping at the reception desk at Hotel Sky in Sandton and Cape Town.

AI digitises coronavirus management
Issue 7 2020, NEC XON , Access Control & Identity Management
NEC XON is using NeoFace Watch and specialised thermography cameras to measure temperature and identify employees and visitors.

Combining visual and IR face recognition
Issue 7 2020, Suprema , Access Control & Identity Management
The FaceStation F2 offers face recognition and anti-spoofing performance.

Anviz unveils FaceDeep5
Issue 7 2020, ANVIZ SA , Access Control & Identity Management
Anviz Global has unveiled its new touchless facial recognition identity management and IoT biometric device.

Touchless biometric options
Issue 6 2020, Entry Pro , Access Control & Identity Management
When it comes to estate access control management, the foremost topic of conversation at the moment seems to be the importance of touchless biometrics.

Fast access to Kevro production facilities
Issue 6 2020, Turnstar Systems , Access Control & Identity Management
Employee and visitor access at Kevro’s Linbro Park premises in Gauteng is controlled through eight Dynamic Drop Arm Barriers from Turnstar.

Know your facial recognition temperature scanner
Issue 6 2020, ViRDI Distribution SA , Access Control & Identity Management
Facial recognition with temperature measurement is, for the most part, available in one of two technologies – thermopile and thermography/IRT.

Suprema integrates with Paxton’s Net2 access control
Issue 6 2020, Suprema , Access Control & Identity Management
Suprema has announced it has integrated its devices with Paxton’s access control system, Net2.

Contactless check-in at hotels
Issue 6 2020 , Access Control & Identity Management
Onity has delivered the DirectKey mobile access solution to hotel chains around the globe, which allows for contactless check-in and property access.

UFace facial recognition now in SA
Issue 6 2020, Trac-Tech , Access Control & Identity Management
Trac-Tech has secured the distribution rights to the UFace range of contactless biometric facial recognition and identity management IoT devices.