One Person, One Identity, One Credential: Converging Logical-Physical Identity and Access Management -- Part 1

Why read this four-part series? It will explain the convergence of physical and logical identities--a nascent, but logical and likely outcome of the implementation of identity management tools and Internet Protocol-based security tools. It will offer examples of how synchronizing the creation and management of physical and logical identities creates business, regulatory and security benefits. Security, IT and executive readers will come away with a high level understanding of the technological and logistic challenges involved in converged IAM; current solutions for addressing these; and how IAM convergence is benefiting users.

**************
What is converged physical-logical identity and access management (IAM)?

For Shape.Net, a health and fitness club management firm, it's a profit center: converged identity management has enabled Shape.Net to offer its health club clients 24/7 access to their facilities--which they in turn offer to their fitness customers. After hours, a customer swipes a proximity card tied to Brivo Systems' web-based access control service, which in turn queries a Shape.Net database in real time to verify that the health club customer is current on her bill and should be allowed entry.

At Toronto Pearson International Airport, converged IAM means greater productivity, satisfied clients, reduced costs and improved security. Instead of waiting days or weeks for credentials, the airport's Pass/Permit Control Office can now provision new users, even to highly secure areas, within 20 minutes. Its system, the centerpiece of which is Quantum Secure's SAFE, ties together disparate physical access control systems and external identity databases and automates workflows to create a single trusted identity and one credential to match.

One identity, one credential: that is the basic definition of converged IAM. Achieving it requires synchronizing an individual's physical and logical identities and access rights within and across the enterprise (see graphic).

[Graphic: IAM1rev.jpg]

"Identities," plural, is the key word. Virtual and physical identities tend to proliferate in most enterprises. On the logical side, a person may have one virtual identity within the enterprise human resource software, such as a PeopleSoft or SAP system. That identity typically consists of salary, benefits, insurance, social security number and other specific employee details.

Then there's a logical identity within the information technology department's directory software, such as those from Microsoft, Novell, CA, Sun, or Oracle. This directory knows which network, database and software applications the logical identity may access. Within those intranets, databases and applications, the user may have still more identities, in the form of different user IDs and passwords or PINs he uses to log into each one.

That user also will have at least one more identity: a physical credential of some sort used for access to parking garages, buildings, floors, warehouses, etc. In enterprises with more than one brand of physical access control system (PACS) and several facilities or areas users must enter, a user may have more than one physical access credential--and therefore, more than one physical identity.

The permutations seem endless--and the key goal for converged IAM is cleaning up, or at least mapping, all these logical and physical identities to create a single, authoritative identity. That is, the records for IMA PERSON, I MA. PERSON and PERSON, Ima must all resolve to the same person.

Why converge identities?

A sensible reason for converging identities is that when disconnected logical and physical identities proliferate, it's time-consuming, expensive and inefficient to manage them. That's true for IT, for physical security, for risk managers and business units.

These inefficiencies are most apparent in regulatory compliance, the big driver behind many identity management projects. Meeting regulatory compliance standards is more difficult when identities multiply, because correlating the actions of disconnected physical and logical identities across systems, assets and facilities is usually a manual, labor-intensive process.

Another issue is that security can be more easily compromised when physical and logical identities are separate. A physical identity may appear legitimate to a standalone PACS, but what if that identity is no longer trusted by the enterprise network? That's what happens when an employee is terminated in the logical systems, but that information isn't immediately relayed to a PACS. If the enterprise has more than one PACS, and they are not integrated with each other, it may take several more steps to ensure every PACS refuses the ex-employee's credentials.

Physical or logical credentials that stay live long after an employee has left an enterprise are always a compliance gap and, at worst, can leave the virtual or physical door open for mischief and attack.

One identity, one credential

Converging logical and physical identity and access management (IAM) within the enterprise is designed to solve these problems. In its ideal form, converged IAM creates one identity assigned to one credential that encompasses all of an identity's logical and physical access privileges. When one set of privileges changes, whether physical or logical, that alteration triggers automatic, complementary revisions in the other set. The most common example: an employee termination on the logical side being instantly--and thoroughly--reflected on the physical side.
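The identity mapping described earlier (IMA PERSON, I MA. PERSON and PERSON, Ima resolving to one person) and the termination check described in the two paragraphs above are the two pieces a practitioner would script first. The following Python is an added example, not code from this article or from any vendor it mentions: it treats a constructed HR feed as the authoritative source, takes a directory export and several PACS cardholder lists, correlates each credential to an HR identity (by employee ID where the store carries one, otherwise by a normalized name key), and reports every credential that is still active for a terminated or unknown person. The record layouts, field names and sample records are all assumptions.

```python
"""Added example: reconcile an HR feed, a directory export and PACS cardholder
lists, and flag credentials that stay live after HR has terminated the person.
All records below are constructed; the layouts are assumptions, not any
vendor's schema."""
import re
from dataclasses import dataclass
from typing import Optional


def name_key(raw: str) -> str:
    """Collapse the variants the article lists ('IMA PERSON', 'I MA. PERSON',
    'PERSON, Ima') to one comparison key. Deliberately lossy: it is only the
    fallback used when a record carries no employee ID."""
    s = raw.strip().lower()
    if "," in s:                                   # 'last, first' -> 'first last'
        last, first = (p.strip() for p in s.split(",", 1))
        s = f"{first} {last}"
    return re.sub(r"[^a-z]", "", s)                # drop spaces, periods, hyphens


@dataclass
class Credential:
    system: str                # store that issued it (directory or a PACS)
    cred_id: str               # account name, card number or badge number
    holder_name: str           # name as that store spells it
    employee_id: Optional[str] # present only if the store carries it
    active: bool


# Constructed sample data. HR is the authoritative identity source.
HR_FEED = {
    # employee_id: (name, status)
    "10001": ("Ima Person", "terminated"),
    "10002": ("Rob Example", "active"),
    "10003": ("Ann Sample", "active"),
}

CREDENTIALS = [
    Credential("directory", "ipers", "Ima Person", "10001", False),      # IT disabled on exit
    Credential("directory", "rexamp", "Rob Example", "10002", True),
    Credential("pacs-hq", "0044812", "IMA PERSON", "10001", True),       # never revoked
    Credential("pacs-hq", "0044813", "Rob Example", "10002", True),
    Credential("pacs-warehouse", "B-7731", "I MA. PERSON", None, True),  # no employee ID
    Credential("pacs-warehouse", "B-7732", "PERSON, Ima", None, True),   # second badge
    Credential("pacs-warehouse", "B-7740", "Sample, Ann", None, True),
    Credential("pacs-garage", "G-0190", "Chris Unknown", None, True),    # nobody in HR
]


def correlate(cred: Credential, hr_feed: dict, by_name_key: dict) -> Optional[str]:
    """Return the HR employee_id this credential belongs to, or None.
    Employee ID wins; the name key is used only when exactly one HR record
    matches, so an ambiguous name is reported as unresolved, never guessed."""
    if cred.employee_id and cred.employee_id in hr_feed:
        return cred.employee_id
    matches = by_name_key.get(name_key(cred.holder_name), [])
    return matches[0] if len(matches) == 1 else None


def find_stale_credentials(hr_feed: dict, credentials: list) -> list:
    """Every active credential whose HR identity is not active (or unknown)."""
    by_name_key: dict = {}
    for emp_id, (name, _status) in hr_feed.items():
        by_name_key.setdefault(name_key(name), []).append(emp_id)

    findings = []
    for cred in credentials:
        if not cred.active:
            continue                               # already revoked in that store
        emp_id = correlate(cred, hr_feed, by_name_key)
        if emp_id is None:
            findings.append((cred.system, cred.cred_id, "no HR identity"))
        elif hr_feed[emp_id][1] != "active":
            status = hr_feed[emp_id][1]
            findings.append((cred.system, cred.cred_id, f"HR status {status} for {emp_id}"))
    return findings


if __name__ == "__main__":
    for system, cred_id, reason in find_stale_credentials(HR_FEED, CREDENTIALS):
        print(f"REVOKE {system} {cred_id}: {reason}")
```

Run against real exports on a schedule and treat each finding as a revocation ticket for the named store. The name-key fallback exists only because some PACS never captured an employee ID; the durable fix is to carry the HR identifier into every PACS record so that correlation is a join, not a guess.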

The technology exists to accomplish converged IAM. Mature identity management systems and provisioning tools exist at the IT level. More security systems and devices are now Internet Protocol-based and can more easily share data with IT systems. Older systems can be integrated through third party bridge software so that both IT and PACS can draw data from a central, authoritative identity database.

Therein lies the rub: creating an authoritative identity store requires enterprises to figure out how many identities they have, and how and by whom these are created, managed and terminated.

Determining these processes, or creating them anew, cuts across every functional enterprise boundary: IT identity management specialists, IT security experts, human resources personnel, business unit end users, physical security experts. Additional identities can include enterprise trading partners, contractors, temporary employees, and vendors.

Finally, there's the question of how much IAM convergence is truly required for a given entity. Vertical industries rife with regulatory requirements to govern privacy, security, hazardous or controlled materials benefit from more granular degrees of convergence--such as limiting access to specific areas or applications based on logical/physical data. Other entities may be content with ensuring physical access is automatically revoked when HR declares an account inactive.

That said, converged IAM initiatives are under way. They are most likely to be found in heavily regulated or critical infrastructure industries, such as finance and power. Lessons learned here are likely to influence how a broader range of Fortune 5000 level enterprises and even smaller entities manage identities.

In Part Two of this feature, Security Squared will provide an overview of the IT and physical security technology enabling converged IAM as well as the technical challenges to accomplishing that. In Part Three, we'll examine solutions for bringing disparate, proprietary PACS and multiple physical identities into IT identity systems. In Part Four, we'll discuss the human factors involved in converged IAM, from identity ownership to creating roles and rules for converged identities, as well as the foundation converged identities create for additional enterprise integration.

2 Comments

You may want to investigate the Federation for Identity and Cross-Credentialing Systems (FiXs), a coalition of commercial companies, government contractors, and not-for-profit organizations whose mission is to establish and maintain a worldwide, interoperable identity and cross-credentialing network built on security, privacy, trust, standard operating rules, policies, and technical standards. The FiXs network verifies and authenticates the identity of personnel seeking to enter U.S. military installations and other government-controlled areas, as well as commercial sites tied to the network, and is a good example of a deployed convergence of Logical-Physical Identity and Access Management.

Check out what we are doing with FiXs toward this end. The Federation for Identity and Cross-Credentialing Systems (FiXs) is a coalition of commercial companies, government contractors, and not-for-profit organizations whose mission is to establish and maintain a worldwide, interoperable identity and cross-credentialing network built on security, privacy, trust, standard operating rules, policies, and technical standards. The FiXs network verifies and authenticates the identity of personnel seeking to enter U.S. military installations and other government-controlled areas, as well as commercial sites tied to the network.
