Who is trusted to do what—when, where and under what circumstances? This has always been a challenge for security, human resources and management.
We make business and personal decisions based upon what we know about the people we know, and what we surmise or infer about new people we meet. When the pace of business was slower—before e-mail, fax, and pennies-per-minute long distance—identity and trust could be established over a period of time based upon a series of personal interactions. Before computerization and business automation, well-run businesses developed policies to guide identity and trust decision makers at various levels in the organization.
Today, electronic documents often replace paper documents. Electronic signatures and biometrics replace the physical signatures, approval stamps and ink thumbprints of an earlier day. Electronic systems make decisions and engage in transactions internal and external to the organization, based upon rules and policies coded into programs and maintained in databases.
Web-based services make it possible for companies of practically any size to engage in large-scale business, so it’s vital to have an automated means of identifying transaction participants and securely managing employee and customer access to critical business systems and data. Little wonder that terminology like “identity management” and “circles of trust” shows up regularly in IT industry magazines and on IT vendor Web sites.
Ten years ago, the term identity management would generally have been applied to ID badge management and physical access control systems. Today it relates not just to identification of people but of companies, information systems, documents, and physical objects.
So what is identity management today, and what does it have to do with corporate security management and with our ID badging and access control systems?
The white paper “Biometric Identity Management in Large-Scale Enterprises” by Daon, a biometric identity management software provider, defines identity management as the secure, efficient and cost-effective registration, storage, protection, issuance and assurance of a user’s personal identifiers and privileges in an electronic environment.
Typically an identity management system identifies individuals in a system and controls their access to resources within that system by associating user rights and restrictions with each identified individual. U.S. driver’s licensing systems are a simple example of identity management: Drivers are identified by their driver’s license numbers and photo ID, and specific user privileges (such as a motorcycle endorsement) or restrictions (such as “corrective lenses required”) are linked to the identifying number. A typical physical access control system is also an identity management system.
Today, however, the term identity management system most commonly refers to corporate IT systems that span the full scope of an enterprise’s identity management needs. Identity management related to physical access control is a small part of that larger picture. Access is not an all-or-nothing proposition: some enterprises have hundreds of databases, and access to each varies with the individual’s information needs.
Who Should Integrate With Whom?
The number of applications, databases and data records, intranet sites, and Web sites to which a person requires access will typically far exceed the number of doors and gates to which he or she requires access, and network access needs will change much more frequently than physical access needs. In addition, due to data privacy and regulatory compliance requirements, enterprise identity management systems must contain extensive audit capabilities. Thus an identity management system designed for network and information access control will be more complex, dynamic, flexible and scalable than a physical access control system.