Ask the Five Ws to Enhance Your Physical Identity and Access Management Program
- April 6, 2018
- Posted by: admin
For any organization, physical identity and access management is crucial to protecting people, assets and locations. Ensuring the highest level of security relies heavily on an organization’s ability to manage this critical process effectively and efficiently to establish accountability, ensure auditability and analyze current processes and procedures.
To develop a complete understanding of its physical identity and access management (PIAM) needs, every organization, regardless of size or industry, should consider the 5 Ws of PIAM – Who, What, When, Where and Why.
If your organization is ready to review its PIAM processes, here are the questions you need to ask:
1. WHO is allowed to enter a building or certain areas?
Identifying who can access your facilities, or specific areas within your facilities, is a critical first step for organizations trying to understand their PIAM processes. Asking questions such as “Do employees other than IT department staff need to access our data center?” or “Do visitors access the R&D lab?” will create a deeper understanding of the operational realities of your organization and the people who need access to your facilities. With this understanding, you will be able to categorize each facility and specific area from most restricted to open access, thereby setting the policy framework for your PIAM program.
2. WHAT type of identity should they be assigned?
Once you have determined who can gain access to your facilities, the next step is to classify them into groups, such as employees, vendors, contractors and visitors. This is an important step because identity is not only the information that helps establish who a person is; it also determines someone’s relationship to your organization and the level of trust you as an organization should have in them. For example, someone identified as an Employee, about whom much information is gathered, should be given a much higher level of trust within an organization than a Visitor, about whom very little is known.
In addition to establishing someone’s relationship with an organization, identity types also allow you to understand and control access rights. It is important that organizations establish the criteria for each identity type’s access rights and the information required from them in order to grant access. For instance, a requirement for a Visitor could be that they must show a form of government-issued identification in order to gain access to a facility.
3. WHEN are they allowed access and for how long should their credentials be valid?
Now that you have organized your identities into types, it is important to establish the parameters for each type’s access – the times they can access your facilities and the length of time their credentials should be valid. While it is important to establish these for employees, it is especially crucial to establish them for contractors, visitors, and vendors. Due to the temporary nature of their relationship with an organization, they must have limited hours of access (e.g., 9 a.m. – 6 p.m., Monday through Friday). Additionally, the length of time their credential is valid needs to be tied to a specific period (e.g., length of work contract) instead of being valid indefinitely.
4. WHERE are they allowed to enter, where have they attempted to enter, and where in the world are they at any given moment?
Due to disparate and siloed security systems, many organizations do not have a complete view of who is accessing their facilities. With data being stored in different systems that aren’t integrated, it is impossible to see the full, 360-degree view of an identity’s behavior. This incomplete view puts organizations at a greater risk from both outsider and insider attacks. When reviewing your PIAM program, it is imperative to understand what data is being stored where and how to bring it together to view the entire lifecycle of your identities.
5. WHY have they been given particular access privileges (in other words, who approved their privileges)?
A common issue in many organizations is people having access to buildings and spaces where they have never been or no longer need to go. Rather than limiting access to specific areas, some organizations have a “one size fits all” approach – everyone gets the same access privileges to all locations by default, no matter their role. This approach makes it easy for administrators – there are no approval processes or access requests to respond to – but it is a costly one for the organization in terms of exposure to risk. Furthermore, because everyone gets access to everything, there is no understanding as to who granted them their access privileges and why.
Instead of a “one size fits all” approach, organizations should establish a “least access privilege” policy. “Least access privilege” means giving people access to only the areas needed for their roles. Add to this approach approval process workflows that include required access guidelines and designated Area Owners to approve access requests. Doing this establishes a clear set of requirements for access and clearly delegates responsibility for approving that access.
HOW Implementing a PIAM Software Solution Answers the 5Ws
Once organizations have answered the 5Ws of Physical Identity and Access Management, it becomes increasingly clear that one more question needs answering – HOW do we address all of the identity and access management issues we have identified?
The solution is Quantum Secure’s SAFE Software Suite™. SAFE is policy-driven software that provides consistent control and management of the identities that enter your facilities – whether they are employees, contractors, vendors or visitors.
SAFE allows you to know who is accessing your facilities, organizing and managing them by identity type. SAFE ties all identity records of each individual to one identity, uniquely providing a 360-degree view of each identity. This gives organizations greater visibility for better identity management.
SAFE’s robust platform and unique policy and workflow engine empower organizations to close common risk loopholes, automate tedious processes and maintain compliance with both internal and external requirements. Benefits include greater efficiency and lower costs.
Given its capability to simplify, streamline and improve formerly inefficient and error-prone physical identity and access management processes, SAFE Software Suite™ is the answer to the who, what, when, where and why of physical identity and access management.