Who is trusted to do what—when, where and under what circumstances? This has always been a challenge for security, human resources and management.
We make business and personal decisions based upon what we know about the people we know, and what we surmise or infer about new people we meet. When the pace of business was slower—before e-mail, fax, and pennies-per-minute long distance—identity and trust could be established over a period of time based upon a series of personal interactions. Before computerization and business automation, well-run businesses developed policies to guide identity and trust decision makers at various levels in the organization.
Today, electronic documents often replace paper documents. Electronic signatures and biometrics replace the physical signatures, approval stamps and ink thumbprints of an earlier day. Electronic systems make decisions and engage in transactions internal and external to the organization, based upon rules and policies coded into programs and maintained in databases.
Web-based services make it possible for companies of practically any size to engage in large-scale business, so it’s vital to have an automated means of identifying transaction participants and securely managing employee and customer access to critical business systems and data. Little wonder that terminology like “identity management” and “circles of trust” shows up regularly in IT industry magazines and on IT vendor Web sites.
Ten years ago, the term identity management would generally have been applied to ID badge management and physical access control systems. Today it relates not just to identification of people but of companies, information systems, documents, and physical objects.
So what is identity management today, and what does it have to do with corporate security management and with our ID badging and access control systems?
The white paper “Biometric Identity Management in Large-Scale Enterprises” by Daon, a biometric identity management software provider, defines identity management as the secure, efficient and cost-effective registration, storage, protection, issuance and assurance of a user’s personal identifiers and privileges in an electronic environment.
Typically an identity management system identifies individuals in a system and controls their access to resources within that system by associating user rights and restrictions with each identified individual. U.S. driver’s licensing systems are a simple example of identity management: Drivers are identified by their driver’s license numbers and photo ID, and specific user privileges (such as a motorcycle endorsement) or restrictions (such as “corrective lenses required”) are linked to the identifying number. A typical physical access control system is also an identity management system.
Today, however, the term identity management system most commonly refers to corporate IT systems that span the full scope of an enterprise’s identity management needs. Identity management related to physical access control is a small part of that larger picture. Access is not an all-or-nothing proposition, and some enterprises have hundreds of databases, the access to which will vary depending upon individual information needs.
Who Should Integrate With Whom?
The number of applications, databases and data records, intranet sites, and Web sites to which a person requires access will typically far exceed the number of doors and gates to which he or she requires access, and network access needs will change much more frequently than physical access needs. In addition, due to data privacy and regulatory compliance requirements, enterprise identity management systems must contain extensive audit capabilities. Thus an identity management system designed for network and information access control will be more complex, dynamic, flexible and scalable than a physical access control system.
This means that an enterprise identity management system could easily provide management of identity and access privilege information for a physical access control system, but not vice versa. Physical access control systems should integrate with and be driven by enterprise identity management systems, at least with regard to the identification information.
Waking a Giant
Is the general corporate adoption of identity management systems far in the future? Not according to Jonathan Penn of Forrester Research. In his report “What’s Ahead For Identity Management in 2005,” Penn writes, “In 2005, as in 2004, compliance will be the primary driver for enterprise investment in identity management. But new challenges are emerging: the rise in fraud and identity theft, the increasing consumer demand for privacy protections, and the drive by companies to partner with other businesses to interconnect their online services. The pressures behind these new market forces are welling, and attention to (them) will start to fundamentally shift the direction of the identity management market in 2005.”
Other research supports Penn’s assertion. TheInfoPro (TIP) is an independent research network and leading supplier of market intelligence for the IT industry created by alumni of Gartner, EMC, Giga and Bell Labs. In 2004 TIP interviewed 175 Fortune 1000 companies about their purchasing plans for nearly 40 IT security products and services. The top three items on the list were:
- Identity Management
- User Provisioning (establishing security access privileges)
- Single Sign-On (accessing multiple information systems using a single logon)
Typically these capabilities are offered together in an integrated solution whose components may be provided by different manufacturers. ActivCard offers a white paper titled “Secure Identity Management” at www.activcard.com, which explains how leading vendors have teamed up to offer complete, integrated and secure identity management for an organization’s physical and logical access, authentication and identification requirements. There are more than 100 flavors of identity management systems available to meet varying business needs. Definitions and uses of identity management system terminology vary considerably, so as you read articles and vendor materials, always note the context and source of the terminology. For example, “badge” and “credential” usually have the same meaning in physical access control. However, one identity management system’s literature states that it “supports a wide variety of credentials including passwords, ID cards, digital certificates, and biometrics.”
Although the terminology and technology used by each vendor varies, their products share the same basic functionality. Siemens Communications Inc., an IT systems integrator, partners with Siemens Building Technologies Inc., a physical security systems integrator, to provide a single-card solution.
Working Within the Organization
“The most important part of an identity management initiative is the organizational preparation,” explained David Hawkins, a senior systems engineer at Thor Technologies Inc., a leading provider of identity management solutions. “Where in the organization will card issuance be done, and which system will be used for that? Will the identity management system be used to provision both logical and physical access, or will it simply provide identity information to the physical access system, and let the assignment of privileges take place in the physical system? These are the kinds of questions that must be answered, and the answer will depend more upon the organization’s objectives in terms of security management, processes and procedures than it will the technical details of the integration.”
The larger the enterprise, the greater the challenge to the departments that must work together to figure out who is trusted to do what and when. Centrally assigning all individual access privileges in large organizations is not feasible from either the security or management perspective. So how can security policies be established and applied uniformly to both IT and physical security in large enterprises, especially for organizations with privacy and other regulatory issues to deal with? How can security cards be issued by corporate security or human resources, while allowing individual departments to manage access to their own physical and IT assets? How can access management be driven by security policy?
Role-Based Access Control
Access control privileges are often based upon the roles individual users assume within the organization. In a hospital, for example, roles may include doctor, nurse, pharmacist, anesthesiologist, and administrator. Role-based access control (RBAC) bases access control privilege assignments on the functions that a user is allowed to perform within the organization.
RBAC allows companies to specify and enforce security policies that map naturally to the organization’s structure. RBAC can be enforced automatically by an access control system that supports it, and it can still be implemented by design for systems that don’t. In the latter case, security guidelines can be enforced by an audit process.
People often have multiple roles. For example, a surgeon may have the roles of employee, doctor, and surgeon. Employee access would establish basic privileges, and the additional roles would expand the privileges from there. Although it is possible to assign multiple roles to a single person, it is more scalable to build a single role, such as surgeon, that contains sub-roles, such as employee and doctor. The practice of assigning users a single role (with or without sub-roles) simplifies access management, because the collections of sub-roles exist only in one place—role definitions—instead of existing in both role definitions and user records.
RBAC provides a means to articulate and enforce enterprise-specific security policies, while at the same time streamlining the typically burdensome process of access privilege management. RBAC, which is not well known in the physical security world, was introduced in 1992 by David Ferraiolo and Rick Kuhn of the National Institute of Standards and Technology. In the IT world RBAC has become the predominant model for advanced access control. In April of 2004 the American National Standards Institute approved Standard 359-2004: American National Standard for Information Technology—Role Based Access Control. NIST maintains a Web site dedicated to RBAC at http://csrc.nist.gov/rbac. Case studies, presentation materials, and even task force work regarding RBAC and Sarbanes-Oxley compliance are among the information available at the site.
Key principles of role-based access control are:
- A user has access based on the assigned role.
- Roles are defined based on job functions.
- Permissions are defined based on job authority and responsibilities within a job function.
- Permissions are grouped by role name.
- Access is granted and transactions are allowed based on the permissions.
- Granting of access is concerned with the user’s role rather than his or her individual identity.
RBAC + IM
RBAC provides a means of synchronizing physical and logical access control by using common roles for both. Thus physical and logical access can be uniformly administered according to security policy even where the physical and logical access systems are not integrated and do not exchange information. Of course, the management of both is simplified and strengthened by integration with an identity management system.
Integration with an enterprise identity management system provides a way to unify user and privilege management, based upon RBAC, for differing brands of physical access control systems. For organizations with differing system brands that are not near their end of life, this can be a viable alternative to the wide-scale rip-and-replace approach to obtaining enterprise-level access control management.
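The following is an added example, not code from the article or from any vendor it names, showing the RBAC ideas above in working form: a single role (surgeon) that contains sub-roles (doctor, employee), permissions grouped by role name rather than attached to individual users, and one set of role definitions that drives both door access and information-system access, as the RBAC + IM discussion describes. It also includes the audit step mentioned earlier for systems that cannot enforce RBAC natively: a snapshot of what a system actually grants is compared against what the role policy says it should grant. All role names, resource names and user records are constructed sample data.

```python
"""Role-based access control with sub-roles covering physical and logical access.

Added illustration; role names, permissions and users are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set, Tuple

# A permission is (resource, action). Resources may be doors or IT systems,
# so one role definition covers both physical and logical access.
Permission = Tuple[str, str]


@dataclass
class Role:
    name: str
    permissions: Set[Permission] = field(default_factory=set)
    sub_roles: Set[str] = field(default_factory=set)  # roles whose permissions are inherited


class RBACPolicy:
    def __init__(self) -> None:
        self.roles: Dict[str, Role] = {}
        self.user_role: Dict[str, str] = {}  # one role per user, with sub-roles inside the role

    def add_role(self, name: str, permissions: Iterable[Permission] = (), sub_roles: Iterable[str] = ()) -> None:
        self.roles[name] = Role(name, set(permissions), set(sub_roles))

    def assign(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(f"unknown role {role!r}")
        self.user_role[user] = role

    def effective_permissions(self, role_name: str) -> Set[Permission]:
        """Permissions of a role plus those of all sub-roles, transitively (cycle-safe)."""
        seen: Set[str] = set()
        perms: Set[Permission] = set()
        stack = [role_name]
        while stack:
            name = stack.pop()
            if name in seen:
                continue
            seen.add(name)
            role = self.roles[name]
            perms |= role.permissions
            stack.extend(role.sub_roles)
        return perms

    def user_permissions(self, user: str) -> Set[Permission]:
        role = self.user_role.get(user)
        return self.effective_permissions(role) if role else set()

    def is_allowed(self, user: str, resource: str, action: str) -> bool:
        # The decision depends only on the user's role, never on the individual identity.
        return (resource, action) in self.user_permissions(user)

    def audit(self, user: str, actual: Iterable[Permission], scope: str = "") -> Dict[str, Set[Permission]]:
        """Compare a system's actual grants for a user against policy.

        `scope` restricts the comparison to resources the audited system is
        responsible for (e.g. "door:" for a badge system), so its report is not
        cluttered with IT permissions it never manages.  Returns entitlements that
        should be revoked ("excess") and entitlements that should be granted ("missing").
        """
        expected = {p for p in self.user_permissions(user) if p[0].startswith(scope)}
        observed = {p for p in actual if p[0].startswith(scope)}
        return {"excess": observed - expected, "missing": expected - observed}


def build_hospital_policy() -> RBACPolicy:
    """Constructed sample policy: surgeon contains doctor, which contains employee."""
    p = RBACPolicy()
    p.add_role("employee", {("door:main-lobby", "enter"), ("intranet", "read")})
    p.add_role("doctor", {("door:ward-a", "enter"), ("db:patient-records", "read")}, sub_roles={"employee"})
    p.add_role("surgeon", {("door:or-suite", "enter"), ("db:patient-records", "write")}, sub_roles={"doctor"})
    p.add_role("pharmacist", {("door:pharmacy", "enter"), ("db:pharmacy-orders", "write")}, sub_roles={"employee"})
    p.assign("alice", "surgeon")
    p.assign("bob", "pharmacist")
    return p


# Constructed snapshot of what a legacy badge system currently grants "bob".
# The operating-room door is a grant that the role policy does not justify.
BADGE_SYSTEM_GRANTS_BOB = {
    ("door:main-lobby", "enter"),
    ("door:pharmacy", "enter"),
    ("door:or-suite", "enter"),
}


def audit_badge_system_for_bob() -> Dict[str, Set[Permission]]:
    return build_hospital_policy().audit("bob", BADGE_SYSTEM_GRANTS_BOB, scope="door:")


if __name__ == "__main__":
    policy = build_hospital_policy()
    for user, resource, action in [("alice", "door:or-suite", "enter"),
                                   ("alice", "door:main-lobby", "enter"),
                                   ("bob", "door:or-suite", "enter")]:
        print(f"{user:6} {resource:18} {action:6} -> {policy.is_allowed(user, resource, action)}")
    print("badge-system audit for bob:", audit_badge_system_for_bob())
```

Because the surgeon role contains doctor and doctor contains employee, alice's lobby access comes from the role hierarchy rather than from anything stored on her user record, which is the scalability point made above. The `scope` argument on `audit` matters in practice: a badge system audited against the full policy would report every IT permission as "missing", so each system is compared only against the part of the policy it is expected to enforce.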
Tips for Success
Frederick Subala is badge product manager for Boeing Security & Fire Protection’s SecureBadge initiative, a single-card initiative for both logical and physical security. He offered us some important tips physical security managers should keep in mind regarding enterprise identity management projects:
- Get involved early in the dialog with IT—not only concerning the technical details, but also the higher-level organizational issues.
- Clearly document the high-level planning and each decision that is made along the way.
- When identity management ROI is being calculated, be sure physical security is included in the calculations before IT submits for budgetary approval.
- The information systems aspect of the initiative could be much larger than the physical access control aspect, so plan to synchronize your schedule with the IT efforts. This means it will likely take longer than you ordinarily would expect.
The Bottom Line: Improved Security Management
An enterprise identity management system provides a means for security policies to be applied to logical and physical access privilege assignments as part of the standard workflow process of the organization. Although IT industry pundits predict a 10-year evolution in identity management systems with radical changes to come, this should not be alarming news for security managers. The evolution of the enterprise itself—not the evolution of identity management technology—will be the most important factor going forward. Sound security policies coupled with sound access management approaches, like role-based access control, will enable managers to fit the technology solutions to their enterprise instead of the other way around. That helps to keep security management in the driver’s seat, and in an ever-improving position with regard to managing security.
Ray Bernard, PSP is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides high-security consulting services for public and private facilities. Ray is a technical consultant and writer who has provided pivotal direction and technical advice in the security and building automation industries for more than 17 years. This article is based upon material in Ray’s upcoming book, Shifting Sands: The Convergence of Physical Security and IT. For more information about Ray Bernard and RBCS go to www.go-rbcs.com or call 949-831-6788.