The three Ps of identity management

November 2010 Access Control & Identity Management

Marius Coetzee, COO, Ideco Biometric Security Solutions says an effective identity and access management solution must involve people, possessions and processes.

Marius Coetzee, COO, Ideco Biometric Security Solutions
Marius Coetzee, COO, Ideco Biometric Security Solutions

The many access and identity management solutions implemented in organisations today incorporate different technologies, best practices and skills. Some are based on access control solutions that have been expanded into broader identity solutions; others are based on high-level identity management solutions that drill down into multiple aspects of physical and logical access control.

According to Marius Coetzee, COO of Ideco Biometric Security Solutions, any successful identity and access management (IAM) solution must be based on the three Ps of effective identity management:

1. People.

2. Possessions.

3. Processes.

Traditionally, organisations focus on possessions, using access control and surveillance technologies to protect their assets and premises. These assets are perceived as valuable and are often the easiest to protect. People and processes can be complex entities to manage, requiring time, effort and expertise to successfully control.

The reality, according to Coetzee, is that any effective IAM solution must be built on the foundation of the three Ps if it is to offer the security and reliability organisations require. If any area is neglected, the result will be vulnerabilities that can lead to security breaches.


When dealing with people, it is crucial to determine the level of risk each person entering the organisation poses, whether employee or visitor. Once determined, there needs to be a set of processes that define how the person is handled, how the engagement with the individual or group takes place, the business relationship and the final disengagement when they leave.


As far as staff are concerned, Coetzee recommends screening new hires to confirm their background, criminal and credit records to ensure you have selected the right person for the job. This can be a complex process which must be scaled up to more intense screening for those people who will have access to more sensitive resources and facilities within the organisation and require, for example, specific governance and compliance skills, as well as higher training levels.

All these issues need to be clearly defined in the engagement process before an ongoing relationship is started. If done correctly, each individual will create an identity chain as they go about their daily work, clearly showing who did what, when; this identity chain will be auditable and non-repudiable, meaning there can be no mistake as to who is responsible for every action.

At the end of the relationship, when the individual disengages from the company, there must be a process in place to completely remove his/her access rights. Far too many companies have old employees that can still access the premises and IT resources because their disengagement was not properly handled. This is obviously a serious security breach.


When it comes to allowing visitors in, screening is not possible as their stays are usually short and the information they provide about themselves sparse. Coetzee recommends that each company defines what risk level is acceptable with respect to visitors and confines these guests to the access permissions relative to that level.

This decision is not an easy one. Many companies have experienced the consequences of allowing people claiming to be Telkom technicians or air conditioner maintenance crews free access to their premises. Defining a workable relationship and a manner of identifying those that should be allowed greater unaccompanied access must be developed and strictly implemented.


South African companies are of necessity experienced in protecting their physical possessions, but are not all that well prepared when it comes to protecting their logical assets. Logical security is a relatively new concept in IAM (we exclude common issues such as malware and spam protection) and there have been a number of initiatives to address this topic. Some of these include single sign-on, password replacement technologies and policies to manage the identities of people on cor-porate systems.

As with people, the process of asset management follows a path of acquisition, maintenance and use, and finally disengagement in the form of scrapping or selling the item. Coetzee says corporations must ensure they purchase the right access solutions to provide their company with a level of risk mitigation required due to the sensitivity of the access granted. Once again an audit trail must be maintained throughout the process to accurately verify who did what, when.

When the item is disposed of, Coetzee says it needs to be wiped clean. In other words, any sensitive data or access codes need to be removed, leaving a 'blank slate' that will be of no use to anyone trying to gain unauthorised access to the firm’s logical resources or information. There have been many cases of companies giving old computers away, for example, without removing databases of customer information. Not only does this put you at risk of legal action, your brand’s reputation could also suffer.


When it comes to processes, it all boils down to the trust associated with the level of access each one requires. Coetzee says there are two categories of processes, transactional and operational.

Operational processes

Operational processes deal with who does what and the associated authorisations each individual has to do their work.

Transactional processes

Transactional processes deal with issues such as approving transactions and customer credit limits, as well as the authorisation of transactions completed by other employees. These are sensitive responsibilities and the processes need to ensure only authorised people are able to carry them out and that there is a complete identity chain linking all actions to a verified identity (in other words, a person).

Both types need to be driven by a process lifecycle which is divided into four phases:

1. The request phase in which the employee asks to gain access to a resource to perform a function.

2. The authorisation phase in which the IAM solution authenticates the user and determines if he/she has permission to perform the requested action.

3. The execution phase which allows the function to run, having determined that the user is who they claim to be and is authorised to do this type of transaction.

4. The audit phase, based on the identity chain, which provides a full history should any queries be raised about the transaction.

There is an IAM lifecycle for each of the three Ps that ensures people, possessions and processes within a company are properly secured and accessible only to authorised individuals. Moreover, IAM solutions based on these principles ensure a full identity chain is created no matter what employees or visitors are doing. However, leaving one of the Ps out of the equation results in gaps in a company’s security posture, which in effect means it is vulnerable to attacks from without and within.


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

HID addresses identification challenges at ID4Africa
August 2019 , News, Access Control & Identity Management, Government and Parastatal (Industry)
Being able to verify people’s identities is critical for a nation’s growth and prosperity and yet HID says nearly half of all African citizens can’t prove who they are to vote, travel freely and receive government benefits and services.

Came acquires Turkish company Özak
August 2019, CAME BPT South Africa , News, Access Control & Identity Management
Came broadens its market horizons and signals growth and consolidation in the Middle East.

The benefits of electronic visitor management
August 2019, Powell Tronics , Access Control & Identity Management, Residential Estate (Industry)
Access control is a critical aspect of estate security as it represents the controls put in place to restrict entry (and possibly exit) along the outer boundary of the location.

Addressing risks by means of access control layout and design
August 2019 , Access Control & Identity Management, Security Services & Risk Management
In order to develop a suitable, practical and appropriate security system for any organisation, it is essential to first develop a master security and life safety plan strategy.

Secure hands-free access
August 2019, Suprema , Access Control & Identity Management, Residential Estate (Industry)
Suprema’s facial biometric terminals bring no-touch access into secure residential estates, high-rise apartments and luxury homes providing fast, easy and intuitive user authentication with the added benefit of hygiene.

MorphoAccess Sigma Extreme
August 2019, IDEMIA , Products, Access Control & Identity Management
MorphoAccess Sigma Extreme from IDEMIA is a touchscreen device with multiple recognition device interfaces (NFC chip reader, PIN and BioPIN codes, contactless card readers).

Outdoor access terminals
August 2019, Suprema , Access Control & Identity Management, Residential Estate (Industry), Products
Rugged, dust- and weather-proof access control solutions that provide exceptional durability in extreme conditions is a strong requirement for many residential estates.

MorphoWave Compact
August 2019, IDEMIA , Products, Access Control & Identity Management
The MorphoWave Compact captures and matches four fingerprints on either the right or left hand in any direction. It is robust to environmental factors such as extreme light or dust.

MorphoAccess Sigma Lite
August 2019, IDEMIA , Products, Access Control & Identity Management
IDEMIA’s MorphoAccess Sigma Lite and Lite + are fingerprint access control terminals, offering time and attendance in and out function keys.

Eliminating forced gate opening scenarios
August 2019, ET Nice , Home Security, Access Control & Identity Management
When activated by the gate forced open alarm feature, the transmitter transmits a wireless alarm signal up to 750 metres in any direction.