Introducing identity control

November 2011 Access Control & Identity Management

Ideco’s Marius Coetzee talks about how identity management is changing.

In an interview with Hi-Tech Security Solutions, Marius Coetzee, CEO of Ideco, outlines the principles of identity control.

As the disciplines of access control and identity management draw closer together, there is an opportunity to combine technologies and expertise from both disciplines in order to create business processes that are faster and more secure. Currently, there is little convergence between major players in the two fields – companies like Novell are not specialists in user-authentication and biometric companies like Morpho are not specialists in identity management.

Coetzee recognises that there is a clear and pressing need to encourage thinking around a new discipline – identity control. As he explains, “At Ideco, we want to encourage interactions that will provide a stronger link between two functions that are often quite separate – how we identify people and how that identity is managed.”

Linking recognition and response

For many years there has been a clear division between these two functions. Coetzee suggests that this division has been reinforced because authentication technologies are completely different to those employed within traditional identity management. And so are the companies that develop and deploy the technologies.

“We are talking about the difference between recognition and response”, says Coetzee. He draws an analogy with the differences between our senses and our thinking.

“We recognise elements around us through our senses. We see them, hear them, touch them and smell them. And we respond accordingly. Of course, the two are deeply interrelated but, as functions, they are utterly different. Our response is a function of our level of competency or the ability to influence or direct behaviour or the course of an event – this is the definition of control.”

In identity-based systems, the link between recognition and response is fundamental. For example, a physical access control system relies on its ability to recognise and respond appropriately, to either grant or deny entry.

Response can also be reactive or proactive. A proactive response will anticipate many other criteria such as potential risks and compliancy criteria before access is granted.

Coetzee says, “The accuracy of the response depends entirely on the accuracy of the recognition. Poor recognition means poor response.”

To illustrate this point, he uses the example of a card-based access system. “A modern card system is 100% effective at recognising cards. Consequently, it will react with 100% accuracy. That is the great strength of such systems. It is also their greatest weakness, they can only recognise cards. The person using the card is irrelevant to these systems. I can use your card and you can use mine. Card recognition is what it is, card recognition.

“The same weakness applies to systems that work with PINs and passwords. They are designed to recognise codes and lack any ability to recognise the person using the code. And yet we still persist in using them as the foundation for most identity management (IdM) solutions out there.”

Bridging the identity gap

Coetzee refers to this disconnect between recognition and response as the identity gap. He points out that many systems are able to manage and track a multitude of activities based on the authorisations that are allocated to system users. “We see high levels of competency in this regard within modern workforce management solutions that not only handle access and time worked, but also govern requirements relating to occupational health and safety.

“In terms of response, modern IdM solutions within IT also deliver high levels of functionality concerning access and activity.”

In any of these systems, it is obviously problematic if user-recognition relies on cards, PINs or passwords. It comes back to the fact that poor recognition leads to poor response. The wider the identity gap becomes, the more control organisations lose. If you cannot recognise users, if you cannot identify people, then you cannot hope to control what they can do.

Obviously, the purpose of an identity-based solution is not to control and manage cards or pins and passwords. Its objective is to manage people such as employees, partners, suppliers, contractors and customers within a set of rules that govern their access and activity.

Coetzee sees fingerprint biometrics as an obvious way to reduce the identity gap because they are so much more effective at recognising people: “The technology allows us to move much closer to achieving the twin goals of identity control: accurate recognition and accurate response.”

“It is this ability that has prompted thousands of SA organisations to replace cards and PINs with fingerprint recognition in order to reinforce the integrity of processes that control access and activity.”

The power of recognition

The benefits of narrowing the identity gap extend far beyond physical access control; the following areas are heavily reliant on recognition:

* Financial transactions: EFTs, payment cards and billing management systems.

* IT systems: managing and monitoring who does what, where and when.

* Licensing systems: motor vehicles and firearms.

* Civil identity solutions: passports, border control and ID documents.

In each of these areas, the process of confirming identity has become increasingly automated and is frequently performed remotely. A consequence of this automation is that the ability to recognise people has been diluted.

“Personal interactions have been replaced by interactions between people and systems. For example, we routinely conduct our financial transactions without dealing with somebody who actually knows and recognises us. Instead we use PINs and passwords and consequently are exposed to the widely-publicised risks of identity fraud.”

Coetzee suggests that competent identity control systems should be able to:

* Accurately recognise the identity.

* Proactively ensure compliance.

* Reliably direct the appropriate response.

* Diligently build audit chains that link identity with activities.

Creating audit chains

A key outcome of recording recognition and response within an identity control system is the ability to produce audit chains that link people with their activities. Coetzee says that the significance of such audit chains is entirely reliant on accurate recognition. He explains, “If we build definitive links between people and their actions, we can simultaneously prevent and deter unauthorised activity within the system.

“Firstly, we can prevent such activity by accurately controlling who can do what. Secondly, a potent deterrent to unauthorised activity is created by recording what they have done. However, if recognition is poor, if the identity gap is wide because the system relies on cards or PINs, then there is a proportionately weak link in the audit chain and we cannot positively connect identities and activities.”



Credit(s)




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

How to specify the right turnstile finish
September 2019, Turnstar Systems , Access Control & Identity Management
Purchasing a turnstile gives you a large amount of flexibility when it comes to choosing the right finish.

Read more...
Enhanced biometric technology for mines
September 2019, ZKTeco , Mining (Industry), Access Control & Identity Management
Biometric identification and authentication are currently used at various mines in South Africa and in the SADC region.

Read more...
Improving access in mines
October 2019, Astra Fasteners , Mining (Industry), Access Control & Identity Management, Products
The VP1 controller provides full access control and remote monitoring of intelligent locks without having to wire into a network or install, manage and maintain software.

Read more...
Invixium and Pyro-Tech partner in South Africa
October 2019 , News, Access Control & Identity Management
Invixium, a manufacturer of IP-based biometric solutions and Pyro-Tech Security Suppliers have announced a new distribution partnership.

Read more...
Suprema receives FBI PIV/FAP30 certification
October 2019, Suprema , News, Access Control & Identity Management
Suprema has announced that the company's BioMini Slim 3 has received FBI PIV (Personal Identity Verification) and Mobile ID FAP30 certification.

Read more...
Frictionless access with a wave
October 2019, IDEMIA , Access Control & Identity Management, Residential Estate (Industry)
IDEMIA was the Platinum Sponsor for the Residential Estate Security Conference 2019 and set up its MorphoWave Compact frictionless fingerprint biometric scanner at the entrance to the conference.

Read more...
Streamlined access and reporting
October 2019, Comb Communications , Access Control & Identity Management, Residential Estate (Industry)
The main focus of the Comb stand was its practical demonstration of the MK II Lite intercom system with third-party integrated products.

Read more...
Customised and integrated solutions
October 2019, Suprema , Access Control & Identity Management, Residential Estate (Industry)
iVisit offers both high-end and low-end residential complexes a cost-effective visitor management solution that is fully integrated into Suprema's offerings.

Read more...
Access solutions for every estate
October 2019, Impro Technologies , Access Control & Identity Management, Residential Estate (Industry)
Impro's flagship Access Portal solution comprises one of the most user-friendly software solutions on the market.

Read more...
Managing staff effectively
September 2019, dormakaba South Africa, iPulse Systems , Integrated Solutions, Access Control & Identity Management
Workforce management solutions allow organisations to track the relationship between productivity and the cost of employment, incorporating issues such as health and safety, T&A, rostering and more.

Read more...