Improving Security
How PIAM systems help turn the security tide for distributed buildings and facilities
By Despina Stamatelos
February 01, 2021
The global economy is changing.
Organizations are acquiring new
spaces as they expand to cover new
territory. Where once the average-sized
company might be housed in a
single building, today they can operate
campuses all over the world. Whether it’s a
corporate campus with multiple facilities in
a single location or a global operation with
offices on every continent, organizations
are facing new challenges on a much larger
scale.
One growing challenge is access management,
particularly concerning visitors.
Many organizations have an access control
system (ACS) that helps protect environments
by securing access through doors.
But access control is static in nature and
can’t always provide operators with clear
policies to follow. Even if the ACS could,
there is no guarantee that the policies would
be up to date. This is because compliance
needs and external regulations change and
new processes get added over time, all of
which can slow things down or, worse,
introduce security gaps.
What can a growing or distributed organization
do? First, they can unify their
access control system to allow for centralized
monitoring. This will enable employees
to move easily and securely between environments
and locations. Next, they can add
a Physical Identity and Access Management
(PIAM) system to simplify and improve the
process of granting access.
A PIAM solution grants access to buildings
and facilities based on attributes
assigned to a person by an organization.
These attributes, which can include department,
location, seniority, and training, are
used in relation to an organization’s own
security policies to define someone’s access
rights. As an individual’s attributes change,
like when they receive more training or are
assigned to a new department, their access
rights also change automatically according
to these policies.
Managing Access Rights for Employees
Not every employee needs unfettered access
to every environment in an organization at
all times. Whether it is an equipment room
with expensive machinery or a server room
with sensitive data, access to some spaces
must be restricted. However, these restrictions
do not have to be set in stone. Things
can change. An employee might need temporary
access for maintenance purposes or
might need to access new areas as a result of
a promotion.
In the past, the process for granting an
employee temporary access to restricted
areas was time-consuming and led to gaps
in security. First, the employee or their
supervisor had to determine who to ask.
Next, they had to send an email and hope
for a timely response. The person responsible
then had to grant the access and remember
to revoke it once the requested period
was over. All too often, this involved an
Excel spreadsheet or Post-it Notes.
With a PIAM, the process is streamlined
and simplified. The employee requests
access to a specific area, and then, based on
their attributes, the system either grants,
denies, or forwards the request to the area
owner. Once approved, the individual will
have access for a specific amount of time.
The employee’s credentials will be automatically
updated to both allow and revoke
access for the approved period.
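The request flow described above, combined with the attribute-driven access rights described earlier, sketched as an added example (not from the article or any PIAM product). The area name, attribute names, policy fields, and the rule that decides when a request is forwarded to the area owner are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed area policy (hypothetical names). "required" attributes must all
# match or the request is denied; "auto_approve" attributes let the system grant
# without the area owner. Requests in between are forwarded to the owner.
POLICIES = {
    "server-room": {
        "owner": "it-ops-manager",
        "required": {"training": "data-center-safety"},
        "auto_approve": {"department": "IT"},
        "max_hours": 8,
    },
}

@dataclass
class Grant:
    person: str
    area: str
    expires: datetime

def matches(attrs, wanted):
    return all(attrs.get(k) == v for k, v in wanted.items())

def evaluate(person, attrs, area, hours, now, grants):
    """Return ('grant' | 'deny' | 'forward', detail) for a temporary access request."""
    policy = POLICIES.get(area)
    if policy is None or hours <= 0 or hours > policy["max_hours"]:
        return "deny", "unknown area or invalid duration"  # fail closed
    if not matches(attrs, policy["required"]):
        return "deny", "missing required attribute"
    if not matches(attrs, policy["auto_approve"]):
        return "forward", policy["owner"]
    grants.append(Grant(person, area, now + timedelta(hours=hours)))
    return "grant", grants[-1].expires.isoformat()

def has_access(person, attrs, area, now, grants):
    """Door-time check: the grant must be unexpired and the person's current
    attributes must still satisfy the policy, so an attribute change or the
    end of the approved period revokes access without a manual step."""
    policy = POLICIES.get(area)
    if policy is None or not matches(attrs, policy["required"]):
        return False
    return any(g.person == person and g.area == area and now < g.expires
               for g in grants)
```

Because expiry and attributes are re-checked at every door read, nobody has to remember to revoke the grant.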
The Challenges around Visitor Management
But what about visitors, contractors, and
temporary employees? How can an organization
distributed across multiple buildings
or around the world manage access rights
for these individuals? Here again, a PIAM
solution can help by centrally managing
rights for everyone who interacts with an
organization.
For many, working with a manual system
to handle visitor access can cause inefficiencies,
errors, and security gaps. Generally
speaking, when using a manual system, the
appearance of a visitor requires front desk
staff to suddenly stop what they’re doing
and manage the arrival. The process is compounded
if an entire group shows up at
once or if more than one person arrives at
the same time.
Regardless of how many people arrive, the
front desk staff needs to input information
and issue credentials. Then they have to
quickly notify the host within the organization
to ensure that visitors are not kept waiting,
as this can have a negative impact. Also,
security problems can arise around verifying
visitor identities and tracking how long visitors
are in buildings and where they went.
How a PIAM Can Help
With a PIAM, hosts can create a visitor
request through a portal. The system then
grants access and sends the visitor a confirmation
email with a QR code for checking
in. The visitor can use this email to access
designated areas and meet with their host
within the organization.
The email can also contain a variety of
other information, including parking
instructions or an NDA (if required). Today,
organizations are also using email confirmation
to help manage the spread of
COVID-19 by sending a health questionnaire
that must be submitted before the
visitor’s arrival.
When an organization has added on-site
kiosks that print badges once a visitor has
scanned their QR code, visitors can check
themselves in. In this case, the system takes
the visitor’s picture and issues a printed
badge. It can also text the host to notify
them that their visitor has checked in. And,
if an organization wants to add a layer of
security, the system can be configured to
scan passports or ID cards to validate each
visitor’s identity.
Increasingly, organizations are also integrating
automatic license plate recognition
(ALPR) into their identity management systems.
This allows the PIAM to use a visitor’s license plate, for example, as a form of credential.
In this case, access can be granted to
a visitor as soon as their license plate is read.
This can improve the flow of visitors through
a facility while ensuring safety and security.
Simplifying the Auditing Process
When it comes to managing access policies,
a PIAM allows organizations to develop
their own security protocols and adjust
them as needs and regulations change. In
the past, security operators were the ones
responsible for managing security across
campuses. Now, area owners are also
involved in determining who can access
their environments.
Working together, security operators and
area managers implement access policies
within the PIAM. These policies indicate
which attributes are required for access to a
given area. If anything changes, they simply
update the system and the new policy can
be applied across the entire organization.
The ability to update access policies can
be especially important in heavily regulated
industries, like hydro, oil and gas, and other
utilities, since they can receive heavy fines
for failing to keep access rights up to date.
This includes anything from not revoking a
visitor’s access after they have left the facility
to not accurately tracking a contractor’s
movements.
The North American Electric Reliability
Corporation (NERC) oversees the utility
industry. They audit facilities regularly and
fine those whose access rights are not up to
date. This means that the ability to perform
access audits is vital.
When an access audit is done manually, a
security operator must run a report and
provide an Excel spreadsheet to the area
owner who must then go through the sheet
line by line to see who must be removed and
who needs to have their access rights updated.
The spreadsheet is then sent back to the
security operator who implements the
changes. Then, these changes have to be
approved by the owner. Needless to say, the
manual process is time-consuming and can
take months to perform.
With a PIAM, an area owner can check to
verify access rights and perform changes or
make updates as necessary. For example, if
an individual has changed departments or
been promoted to a new position, the area
owner can immediately and automatically
increase or remove their access rights
directly in the system.
Today, some PIAMs also allow organizations
to schedule access audits according to
their own needs. If an organization is audited
each quarter, for example, the system can
be programmed to perform them every 3
months. Since generating audits is simply a
matter of area owners going into the system
and approving or denying access rights, it
becomes easy to provide auditors with a
completed report when they arrive on site.
The increasing complexity of individual
campuses as well as the expanding network
of distributed facilities means that the challenges
around access management will continue
to grow. We know that addressing
these challenges today as well as in the
future is key. Effective employee and visitor
management increases security, facilitates
compliance, and leads to a better flow of
people through places. A PIAM can play an
important role in achieving the safe, seamless
movement of individuals through our
environments.
This article originally appeared in the January/February 2021 issue of Campus Security Today.