Identity management in enterprise environments is an integral part of both physical and data access. However, identity and access management is complex and can be complicated.
Identity management in enterprise environments is an integral part of both physical and data access. However, identity and access management is complex and can be complicated. Physical identity and access management (PIAM) systems could help ease these complexities. A PIAM system centralizes an enterprise’s ability to manage the lifecycle of identities by processing physical identification, authentication and access management. By 2022, the global PIAM market is expected to reach US$861.5 million, at CAGR of 15.7 percent from 2016 to 2022, according to market research company Global Information. Drivers for growth include increased security and operations management concerns, compliance mandates and technology development.
“Most organizations today rely on the corporate security department to manage policies on how much physical access to facilities zones and assets should be granted to each identity. Separately, the IT department manages access to the information systems. Regardless of the diligence of these departments, changes to the status of individuals is rarely correlated on a timely basis between the IT and physical security data silos,” said Jasvir Gill, CEO of AlertEnterprise. “Full-time employees may leave the company, change jobs or move to new locations. Contractors may become permanent employees, complete their projects or be replaced. There is seldom an integrated and up-to-date profile on how much access has been granted and what happens when an individual’s status, class or category changes.”
Now, more than ever, enterprises are needing to fill those gaps. That’s where a PIAM system can help.
Enterprise questions for PIAM
When choosing a PIAM system, enterprise users must take an array of questions into consideration. According to Magnus Malmström, VP of Product at identity and security company Nexus Group, enterprises should search for responses to the following questions:
- How can I implement best practices and standardize my security organization?
- How do I lower my liability and maximize asset protection?
- How do I future-proof my entire security investment?
- How can I leverage my existing security infrastructure on a global scale?
- How can I reduce manual processes that can be labor intensive, repetitive and may have potential errors?
- How do I optimize my resources, technologies and security operations?
- How can I keep up with government of organizational and industry regulations?
- How can I easily monitor infractions and proactively enforce my security policies and rules?
- How can I regularly report and audit my security landscape?
- How can I secure user provisioning of RFID cards and key fobs, PKI smart cards and mobile tokens?
Challenges
Enterprises are required to open up more of their business processes to external stakeholders as a result of today’s instant economy. This means that everyone from employees to contractors to vendors, partners, service providers and visitors all need access to particular assets, facilities and resources. However, this raises the question, how much access is too much? Not only that, but what kind of risk does this put the company in?
Don Campbell, VP of Products at Quantum Secure pointed to the inefficiency and ineffectiveness of manual identity management processes as a major challenge for enterprise customers. “Whether it is managing visitors, employees or contractors, manual processes are slow, error-prone and costly. Customers stand to gain significant ROI by automating these processes to improve accuracy, speed up many of the process steps and collect valuable data that can be used to gain further cost savings and operational improvements,” he said.
Even with the majority of today’s key business processes being automated, there are still challenges. “IT manages the underlying applications for these processes. Security practices relating to application and database access and authorization are tracked by IT security personnel; however, this tracking is rarely coordinated with physical security personnel who are tasked with protecting the facilities and physical assets and who are responsible for managing building access,” Gill said. “Further, there is often a lag before status changes noted in HR systems are reflected in IT and physical security systems. Herein lies vulnerability.” Another major challenge is the number of systems from different vendors the enterprises are deploying. These systems are then oftentimes managed by different departments, such as IT, corporate security and operations, resulting in a lack of interoperability.
“These systems have been established over time to efficiently perform the tasks for which they are responsible. While each function may perform their own prescribed set of tasks very well, the systems may not be designed to interact with each other, particularly with regard to how much access and authorization to give a particular employee or contractor,” Gill explained. “The most effective mechanism for managing these decisions is an integrated individual profile from which responsible managers can holistically determine the combined level of risk inherent in each employee’s assigned access and authorization levels.”