The five Ws to enhance your Physical Identity and Access Management program
For any organisation, Physical Identity and Access Management (PIAM) is crucial to protecting people, assets and locations. Ensuring the highest level of security therefore relies heavily on an organisation’s ability to manage this critical process effectively and efficiently, so that it can establish accountability, ensure auditability and analyse current processes and procedures.
To develop a complete understanding of their PIAM needs, every organisation, regardless of size or industry, needs to consider the five Ws of PIAM – who, what, when, where and why.
If your organisation is ready to review your PIAM processes, here are the questions you need to ask:
- WHO is allowed to enter a building or certain areas?
Identifying who can access your facilities, or specific areas within your facilities, is a critical first step for organisations trying to understand their PIAM processes. Asking questions such as “Do employees other than IT department staff need to access our data centre?” or “Do visitors access the R&D lab?” will create a deeper understanding of the operational realities of your organisation and the people who need access to your facilities. With this understanding, you will then be able to categorise each facility and specific area from most restricted to open access, thereby setting the policy framework for your PIAM program.
- WHAT type of identity should they be assigned?
Once you have determined who can gain access to your facilities, the next step is to classify them into groups, such as employees, vendors, contractors, visitors etc. This is an important step because identity is not only the information that helps establish who a person is, but it also determines someone’s relationship to your organisation and the level of trust you as an organisation should have for them. For example, someone identified as an employee about whom much information is gathered should be given a much higher level of trust within an organisation than a visitor about whom very little is known.
In addition to establishing someone’s relationship with an organisation, identity types also allow you to understand and control access rights. It is important that organisations establish the criteria for each identity type’s access rights and the information required from them in order to grant access. For instance, a requirement for a visitor could be that they must show a form of government-issued identification in order to gain access to a facility.
- WHEN are they allowed access and for how long should their credentials be valid?
Now that you have organised your identities into types, it is important to establish the parameters for each type’s access – the times they can access your facilities and the length of time their credentials should be valid. While it is important to establish these for employees, it is especially crucial to establish these parameters for contractors, visitors and vendors. Due to the temporary nature of their relationship with an organisation, they must have limited hours of access (e.g. 9am to 6pm, Monday through Friday). Additionally, the length of time their credential is valid needs to be tied to a specific period (e.g. length of work contract) instead of being valid indefinitely.
- WHERE are they allowed to enter, where have they attempted to enter and where in the world are they at any given moment?
Due to disparate and siloed security systems, many organisations do not have a complete view of who is accessing their facilities. With data being stored in different systems that aren’t integrated, it is impossible to see the full, 360-degree view of an identity’s behaviour. This incomplete view puts organisations at a greater risk from both outsider and insider attacks. When reviewing your PIAM program, it is imperative to understand what data is being stored where and how to bring it together to view the entire lifecycle of your identities.
- WHY have they been given particular access privileges (in other words, who approved their privileges)?
A common issue in many organisations is people with access to buildings and spaces where they have never been or no longer need to go. Rather than limiting access to specific areas, some organisations have a ‘one size fits all’ approach – everyone gets the same access privileges to all locations by default no matter their role. This approach makes it easy for administrators – there are no approval processes or access requests to respond to – but it is a costly one for the organisation in terms of exposure to risk. Furthermore, because everyone gets access to everything, there is no understanding as to who granted them their access privileges and why.
Instead of a ‘one size fits all’ approach, organisations should establish a ‘least access privilege’ policy. ‘Least access privilege’ means giving people access to only the areas needed for their roles. Add to this approach the creation of approval process workflows that include required access guidelines and designated area owners to approve access requests. Doing this establishes a clear set of requirements for access and clearly delegates responsibility for approving that access.
HOW implementing a PIAM software solution answers the five Ws
Once organisations have answered the five Ws of Physical Identity and Access Management, it becomes increasingly clear that one more question needs answering – how do we address all of the identity and access management issues we have identified?
The solution is HID SAFE™ Enterprise. HID SAFE Enterprise is policy-driven software that provides consistent control and management of the identities that enter your facilities – whether they are employees, contractors, vendors or visitors.
HID SAFE Enterprise allows you to know who is accessing your facilities, organising and managing them by identity type. HID SAFE Enterprise ties all identity records of each individual to one identity, uniquely providing a 360-degree view of each identity. This gives organisations greater visibility for better identity management.
HID SAFE Enterprise’s robust platform and unique policy and workflow engine empower organisations to close common risk loopholes, automate tedious processes and maintain both internal and external compliance requirements. Benefits include greater efficiency and lower costs.
Given its capability to simplify, streamline and improve formerly inefficient and error-prone physical identity and access management processes, HID SAFE Enterprise is the answer to the who, what, when, where and why of physical identity and access management.
Images courtesy of Quantum Secure.