One Person, One Identity, One Credential: Converging Logical-Physical Identity and Access Management -- Part 2

Part 2: The Building Blocks

This is the second part in a four-part look at the potential for combining physical and logical identities in an enterprise. This article provides a high-level overview of the capabilities and benefits of integrating IT-based identity management systems with physical security access systems--and the current challenges in accomplishing such integration.

Recently, a California Water Service Co. auditor resigned his post in the morning. That evening, he returned to a company building, accessed a former co-worker's computer--and the applications necessary to arrange to wire himself $9 million.

Converged identity and access management (IAM), which ties together a person's logical and physical identities and access rights within an enterprise and assigns them one credential, can help prevent such incidents. First, a converged IAM solution would have ensured the auditor's building access card was deactivated. It might also have noted that the co-worker was not physically present in the building and refused to accept the normal system login data while also automatically alerting security.

Engineering such solutions is not inexpensive or easy. Yet illicit funds transfers, data theft or destruction, sabotage and other malicious acts by current or former insiders are also expensive--and increasing. In a recent survey conducted by McAfee Inc., 68 percent of respondents said the greatest threat to their data was from inside sources.

Statistics like those are one driver behind converged IAM--which need not be a green-field deployment. Many larger enterprises already have several key pieces of technology in place on which to build converged identities. These include human resource systems, directory software, and identity management provisioning tools on the IT side, plus physical access control systems (PACS) on the security or facilities side of the enterprise.

The birthing of multiple identities

Converged IAM can't exist without connections, preferably automatic, software-driven ones, between these logical and physical identity systems. These ties usually begin with links between human resources systems and a critical IT network component, the enterprise directory. HR systems, such as those from PeopleSoft and SAP, essentially ensure the employee receives proper salary and benefits. The directory software, such as Microsoft's Active Directory or others based on the Lightweight Directory Access Protocol (LDAP), ensures the employee has the network, software and database access--the virtual provisions--she'll require to do her work.

Many large enterprises already use identity management tools from vendors like CA, IBM Tivoli, Novell, Oracle and Sun, to provision users from the HR system into the enterprise directory.

That process is fairly well automated. The disconnection between logical and physical identity usually appears when it's time to provision a user's physical access rights--at the most basic, where and when that person is allowed to be within the enterprise. In many enterprises, this task is typically still manual: a phone call, email or fax from HR alerts the physical security department to put the new employee into the PACS and create an access badge for him (see diagram).

[Diagram: BirthingIDs.jpg]

That's more than a logistical gap. Typically, very little information about the user's logical access rights is transferred to the PACS. The PACS tells the identity management tool very little about the user's physical access permissions. In essence, two identities are born and are free to move about the enterprise without correlation--and that's a security risk.

"If there are role changes up there on the digital side, that must change down in the physical; if last name changes in digital, last name must change in physical; something happens in digital, the same thing has to take effect in physical," said Ajay Jain, CEO of Quantum Secure. "If you cannot keep those personas concomitant with each other all the time, security can be compromised--it will be very easy to compromise."

Integrating the PACS with the enterprise directory enables enterprises to address the issue of disconnected physical-logical identities, said Erik Larsen, director of product management for Lenel Systems International. "We see the value to the customer is that [integration] allows them to have a better understanding of who has rights to their network and their physical facilities. It allows them to manage access rights and people's responsibilities within the organization more efficiently," he said.

Integration issues

One challenge to integrating the IT and PACS identity systems is technological: many older PACS are based on closed, proprietary platforms, making it difficult to seamlessly transfer data between them and IT identity and directory systems, which are based on standard languages and platforms.

Standardizing multiple existing identities is no small process, either. In his webinar "Enhanced Identity & Compliance Management Delivered Through Systems Integration," Brandon Arcement, manager, global security technology for Johnson Controls, explained that one client assumed it could create common user IDs in its various databases and applications in a long afternoon; on further investigation, it determined it would need six months to tackle the task.

The value of standardizing logical identities is rising to meet the work involved to do so, as logical identity management tools become increasingly sophisticated. In particular, they are beginning to streamline how enterprises provision logical access rights. Most identity management tools today enable enterprises to define roles and associate logical rights to those roles. Then, instead of individually assigning applications or network portals to new or promoted employees, the new user can simply be assigned a role in which those permissions are already embedded (see diagram).

[Diagram: RolesIDfin.jpg]

These roles-based permissions can be extremely granular: for example, a role might detail not just an application, but also which functions within the application a user may access. This capability helps ensure regulatory compliance.

Such roles-based provisioning could also help with identity maintenance. An employee may accumulate many permissions over time as her job titles and responsibilities change; roles-based changes could help ensure that access to special projects or files is deactivated when it is no longer needed.

Roles can also speed deployment and security of single sign-on (SSO) solutions, in which a user signs onto the network only once to access all her permitted applications. Many SSO solutions incorporate devices that generate one-time-only passwords, so users don't need to remember them. That reduces the administrative costs of password management--still a big productivity cost center for IT help desks.

Physical roles managed by logical systems?

Physical access rights can also be embedded in those identity management system-defined roles. Integration between IT's identity management system and a PACS could enable those rights to be embedded on a smart physical credential. Further, as more security tools, such as card readers, doors, surveillance cameras, sensors, etc., become IP-based and attached to the enterprise network, they too could be linked to identity management systems. That would help tie together physical movements with activities in logical systems.
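As an added illustration (not code from this article or from any vendor it names), the following Python sketches the two ideas above and in the opening scenario: a role that carries both logical entitlements and door rights derived from one HR-driven identity, an HR termination that revokes both at once, and a login check that consults PACS badge-in events before accepting an otherwise valid login. All roles, doors, users and events are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed role catalogue: each role embeds logical apps AND physical doors,
# so one role assignment provisions both sides of the identity.
ROLES = {
    "auditor": {"apps": {"ledger", "wire-transfer"}, "doors": {"HQ-lobby", "HQ-finance"}},
    "engineer": {"apps": {"source-repo"}, "doors": {"HQ-lobby", "HQ-lab"}},
}


@dataclass
class Identity:
    user_id: str
    role: Optional[str]
    status: str = "active"      # HR status drives everything: "active" or "terminated"
    badge_active: bool = True   # PACS credential state, kept in step with HR status


def provision(ident: Identity) -> dict:
    """Derive logical and physical rights from the single HR-driven identity."""
    if ident.status != "active" or ident.role is None or not ident.badge_active:
        return {"apps": set(), "doors": set()}
    role = ROLES[ident.role]
    return {"apps": set(role["apps"]), "doors": set(role["doors"])}


def terminate(ident: Identity) -> dict:
    """HR termination propagates to both sides: badge deactivated, rights emptied."""
    ident.status = "terminated"
    ident.badge_active = False
    return provision(ident)


# Constructed PACS badge-in events: (user_id, building, timestamp).
BADGE_EVENTS = [("alice", "HQ", datetime(2009, 3, 2, 8, 55))]


def present_in(user_id: str, building: str, at: datetime,
               events=BADGE_EVENTS, window: timedelta = timedelta(hours=10)) -> bool:
    """True if the user badged into `building` within `window` before `at`."""
    return any(u == user_id and b == building and at - window <= ts <= at
               for u, b, ts in events)


def evaluate_login(ident: Identity, app: str, building: str, at: datetime,
                   events=BADGE_EVENTS) -> tuple:
    """Decide a logical login on entitlement AND physical presence; the second
    failure is the one the converged system would also raise an alert on."""
    if app not in provision(ident)["apps"]:
        return ("deny", "no entitlement for app")
    if not present_in(ident.user_id, building, at, events):
        return ("deny", "alert: account owner has no badge-in at this building")
    return ("allow", "entitled and physically present")
```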

It's not a theoretical capability: Daniel Raskin, chief identity strategist at Sun Microsystems, noted that the badge he uses to enter Sun's facilities integrates with two IT-based Sun products, Sun Access Manager and OpenSSO, to give him physical/logical access. But he adds: "I haven't seen a lot of demand or queries for that."

Some identity management vendors flat out say they'd rather let someone else integrate the physical security components. "It's very customized work you're talking about because the standards are minimal in the [physical] industry," said Dave Hansen, corporate senior vice president and general manager, CA Security Management. "There's definitely a role there for a middle person."

Not surprisingly, some of these players in the middle point out their systems have abilities not necessarily shared by logical IAM vendors. "What we control from our SSO is what privileges for application level access you can get from a given location," said David Ting, CTO, Imprivata. "[Identity management platforms] can do certain levels of application and web resource authorization, but they can't tie into location. So we supplement what they can't do."

Others see their role as complementary. "We're just leveraging what [identity management systems] are doing to manage identities across the IT space to provision access control privileges as well," said Arcement at Johnson Controls.

"We're kind of the ecosystem," agreed Hansen, noting that the identity management systems can propagate the authentication from the PACS and its security devices across the logical world. "We have the hooks into all the operating systems to do the authentication," he said.

# # #

In Part Three of this series, we'll look in more detail at how vendors like Imprivata, Johnson Controls and others are integrating PACS and IT-based identity management systems.