5 Things to Consider When Simplifying or Upgrading Physical Identity and Access Management
Simple, secure, seamless: it’s what every security professional wants in a physical identity and access management (PIAM) solution, but wanting is a far cry from reality. PIAM relies on collecting, analyzing, using, and reporting on security information in a centralized way. Whether you’re seasoned in the practice or just considering it, here are the five most important questions to ask of your PIAM program.
1. Who Has Access to Your Facilities or Networks?
Many different types of people may require access to your premises, networks, software, and information:
- Permanent and temporary employees
- Freelancers and other contractors
- Executive and managerial staff
- Partners and suppliers
- Customers and other visitors
It can be difficult to create streamlined processes and systems that can manage all of this information in a truly consistent way. You might be asking different questions for employees, visitors, or contractors, meaning you don’t have the whole picture.
Recordkeeping can also be highly manual, especially for physical security, which means it’s spotty and prone to error. Many security teams still rely on spreadsheets, emails, and paper-based processes when managing physical access control systems. It becomes almost impossible to demonstrate consistent compliance when information is collected manually across multiple formats and systems.
This also generates inefficiencies in management, monitoring, and reporting, resulting in significant resource overhead to support inherently slow and inaccurate processes.
2. What Do People Need to Access?
There’s an almost infinite number of permutations for what a particular person may require access to for their role:
- Different job roles and profiles will require varying types of access
- Individuals may not know the level of access they need to request
- Security policies must be consistent in providing “appropriate” and enforceable levels of access
- It’s difficult to validate access requests based purely on physical authentication
Even if physical security focuses purely on access to premises or part of the corporate campus, this is far from simple:
- Do specific people need access to the cafeteria?
- Should this specific person be allowed onto a loading dock?
- This person isn’t an engineer; do we grant them access to the server room?
Job roles and their related access needs change over time. It’s challenging to keep track of authentication requirements and controls as a result of changes to responsibilities.
3. When Do People Require Access?
In an increasingly global marketplace, managing access 24x7 introduces additional challenges for a physical security-based approach:
- Some premises or systems may have a requirement that access is only available at certain times of the day or week
- Credentials should be properly provisioned when issued and, critically, revoked when there’s no longer any requirement for access. Limiting the access time window, or having credentials expire after a specific duration or date, is the best practice.
- An identity system allows you to tie credential expiration to specific dates, durations, or events such as contract or NDA end dates
- It can be challenging to offer a consistent approach to timed or duration-based access if you’re relying on physical security
- If time credentials and access rights are held in multiple disparate systems, then creating a unified approach is almost impossible
4. Where Do People Require Access?
Physical security is already well-suited to controlling where people go, but even in this area, an identity perimeter can prove useful:
- If a person gets through the initial point of entry, should they then have access to the entire premises? Identity management helps you to determine the areas for allowable and restricted access.
- Identity management helps you map who they are to what they are trying to do and where they require access
- Premises permissions often involve several stakeholders. Identity management provides a consistent approach with granular rules on locations and credentials.
5. Why Do People Require Access?
There need to be objective reasons behind granting access, backed up by robust security policies and protocols:
- Why has this individual been granted this level of access?
- Who was involved in the decision-making process to grant this specific access?
- Why is this access appropriate and necessary?
An adequate PIAM solution can answer any of these questions for any identity, whether employee, contractor, or visitor, at any time.
Ian Lowe is Product Marketing Director for HID SAFE and is passionate about marketing all things related to identity, cybersecurity, IoT, cloud and digital transformation. In his 19-year career, Ian has become a recognized product marketing and sales enablement leader, having created and launched successful cloud-based identity and security solutions that are used by top technology firms, financial services organizations and governments around the world today.