The Rise of IT Department & Integration with Identity Management
Convergence has been a continual trend in the security industry for over a decade. It began with simple integrations of similar types of security equipment such as adding video cameras to an intrusion system or break-glass detectors to an access control system. The level of integration, however, has quickly evolved – now physical security is being integrated with systems designed with functionality outside of security applications. End users are no longer satisfied with a lack of return on investment from security equipment. Rather, their priorities have shifted from wanting to improve the effectiveness of their security systems toward finding new ways to earn a positive return on investment from these very systems.
Historically, physical access control has always been a local, on-site responsibility for those in charge of security management. This is due to huge variations in the methods used to secure buildings, both regionally and by building type. As such, it has always been difficult for larger enterprises to roll out ‘one-size-fits-all’ access control solutions across multiple sites because of huge variances in the requirements for a given system. The result is that end users responsible for managing these systems require separate training for each system or must issue multiple credentials for multiple locations.
Many of these pain points and inefficiencies could be eliminated if credentials were managed centrally; this is where logical integration becomes beneficial. Although companies often possess multiple access control systems (each with its own unique database of access rights), they also often have a central database, known as an active or corporate directory. An active or corporate directory is a database that companies use to keep track of employees, contractors, and even customers for a variety of purposes, including human resources and IT login credential management.
As this database spans multiple sites, it could potentially be used to pull user credentials to create physical access control credentials for the entire enterprise. There is already a wide variety of different levels of logical and physical access control integration. However, pulling physical security access rights from the corporate or active directory is essentially doing so in its most basic and simple form.
Features and benefits of integrating these two systems
- Automation of credential management: Rules-based access control can be implemented by automating system assignments. For example, when a new user is added from the corporate/active directory, the system can also look at every attribute (location, job role, time with the company, etc.) associated with the employee. The system then sets default access rights depending on an employee’s attributes. This can greatly speed up the process of adding new users, and it also helps keep access rights in sync with the company’s corporate structure.
- Unifying credentials: Integrating logical and physical security systems also creates more opportunities to unify credentials. Access control badges or cards can be used for additional functions outside of physical security. Examples include using the credential for two-factor authentication when accessing the IT network, secure printing, or micropayments in the company cafeteria.
- Improved auditing capabilities and increased accountability: Across an enterprise, the access right changes, on-boarding/off-boarding, and temporary access rights provisioned through its access control systems add up to a huge volume of requests each month. Without an overarching system, the methods available to senior management for accessing and reviewing logs are limited and inefficient.
- Corporate governance integration and automation: Logical integration provides the potential to roll out uniform governance across all of the company’s access control systems by enforcing company policy through identity management. Policy checks can be programmed into permission requirements, allowing companies to ensure that best practices are followed. The system also allows the company to verify whether policy was followed, further increasing accountability among employees.
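As an added illustration (not code from the article or from IHS), the rules-based provisioning, off-boarding and audit points above expressed in Python: directory attributes drive default door groups, a policy check is built into the permission requirement, and every grant or revoke is recorded. The directory records, door groups and tenure threshold are all constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class DirectoryUser:
    """One record pulled from the corporate/active directory (constructed)."""
    user_id: str
    location: str
    job_role: str
    tenure_days: int
    enabled: bool = True

# Constructed rule tables: directory attribute -> door groups granted by default.
LOCATION_RULES = {"london": {"LON-lobby", "LON-office"},
                  "berlin": {"BER-lobby", "BER-office"}}
ROLE_RULES = {"sysadmin": {"server-room"}, "facilities": {"plant-room"}}
# Constructed policy check: sensitive areas require a minimum tenure.
MIN_TENURE_DAYS = {"server-room": 90}

def default_rights(user: DirectoryUser) -> set[str]:
    """Derive the physical access rights implied by a directory record."""
    if not user.enabled:  # off-boarding: a disabled account keeps no rights
        return set()
    rights = set(LOCATION_RULES.get(user.location.lower(), set()))
    rights |= ROLE_RULES.get(user.job_role.lower(), set())
    # Policy check built into the permission requirement itself.
    return {g for g in rights if user.tenure_days >= MIN_TENURE_DAYS.get(g, 0)}

def sync(users: list[DirectoryUser], current: dict[str, set[str]]) -> list[tuple[str, str, str]]:
    """Reconcile the access-control database with the directory. Updates
    `current` in place and returns the audit trail as (user, action, door group)."""
    audit: list[tuple[str, str, str]] = []
    known = {u.user_id for u in users}
    for u in users:
        wanted = default_rights(u)
        have = current.get(u.user_id, set())
        audit += [(u.user_id, "grant", g) for g in sorted(wanted - have)]
        audit += [(u.user_id, "revoke", g) for g in sorted(have - wanted)]
        current[u.user_id] = wanted
    # Accounts deleted from the directory lose every remaining door group.
    for uid in sorted(set(current) - known):
        audit += [(uid, "revoke", g) for g in sorted(current.pop(uid))]
    return audit
```

Running `sync` on each directory change gives the single reviewable log of grants and revokes that the auditing point above calls for.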
Barriers to further adoption
- Cybersecurity concerns: Connecting every access control system to the IT network, and managing all of the identities associated with the company through a single system, creates a huge network risk. If that system is compromised, every identity associated with the company is quickly compromised with it. Additionally, connecting all the new devices offers attackers new routes into the network, which means that the software and firmware of all of that hardware needs to be updated regularly to reduce cybersecurity risk.
- The lack of an ‘off-the-shelf’ solution: Logical integration projects often require large commissioning and design efforts because they are highly complex both initially and after implementation, particularly with respect to maintenance. This means there is a cost involved for the entire lifecycle that the system remains in place.
- Lack of developed identity management infrastructure: Many smaller enterprises lack identity management platforms capable of supporting physical access management. And in many larger projects, end users find that their current authorization policies and best practices have not been updated since they first adopted the identity management system. The result is that these systems must be updated before they can be integrated with physical access.
By Jim Dearing – Analyst, Access Control & Fire, IHS Technology