The Best of Both Worlds: Combining IAM and PIAM for Comprehensive Identity Management

March 23, 2015
Integrating best practices can help reduce workload and spending, while increasing security

Given the potential for threats and exposure to risk that can result from security breaches, as well as the accompanying range of damaging outcomes, it is critical for all organizations to maintain strict control over who can access both physical and network resources. In order to ensure the highest possible level of security for these valuable assets, organizations must make identity management and access control the primary goal for their security operations, both physical and logical.

 Strong security has to begin with strong identity management, which is imperative for ensuring the integrity of the identities used to access these potentially sensitive resources and reduce the risk of breaches. However, implementing the processes and practices necessary to achieve these security goals can pose a number of challenges, which can all too often inhibit an organization’s ability to ensure the security of its physical and logical assets – and increase the possibility of a security breach.

 In most cases, separate teams are responsible for maintaining physical and logical security. For physical security staff, the primary objective is to manage individuals’ access to buildings and critical areas within them. A main challenge or concern these professionals face in effectively and efficiently performing this function is the need to collaborate with their organization’s human resources departments, which are charged with the critical tasks of verifying and authenticating identities and performing background checks. This can be – and often is – a time-consuming and error-prone process that could cause delays in granting or removing access privileges, while introducing the very types of risks and security breaches identity management is supposed to prevent. Preventing the growing risk of insider threats, as well as threats from outside an organization is another key responsibility of physical security teams. On the logical and network security side, IT departments also face a similar concern with regard to relying on HR to vet and authenticate identities prior to granting access to networks and systems. As a result, physical and IT security teams often duplicate each other’s processes, leading to operations that are highly inefficient while increasing the probability for errors and additional risks and liabilities.

 In addition, many organizations are subject to compliance with corporate, industry and/or government regulations and requirements, which can be a burden to maintain and document.  Organizations are also often forced to invest significant time and financial resources to complete these tasks and avoid penalties which can be costly and/or reduce productivity. Unfortunately these necessary compliance processes take staff away from their primary functions of maintaining the highest possible levels of security.

 To manage and control employee, visitor and other identities, organizations will typically deploy identity access management (IAM) or physical identity access management (PIAM) solutions independently or in some combination. For managing logical identities, IAM solutions perform a number of functions, including: the creation, management and deletion of identities independent of access or entitlements; user log-on function; delivery of personalized role-based, online, on-demand, presence-based services to users and their devices; and security compliance audits.

 The basic goal of a PIAM solution, on the other hand, is to ensure that the right physical access is granted to the right identity at the right time and for the right duration. These advanced solutions integrate with other operational systems to enable synchronized, policy-based management of the access granted to areas, systems and functions. Among their myriad identity management functions, PIAM solutions enable: self-service access requests and approvals; area ownership audits, visitor management, contractor management; and asset management.

 Because IAM and PIAM solutions are designed to accomplish the specific objectives of very different areas of security, they often operate independent of one another with very little overlap, meaning that the task of addressing the challenges listed above must be addressed twice – once for each system.

 There are, however, similarities between IAM and PIAM, including overlying terminology and similar capabilities. Among these are: allowing users to request access, performing access audits and generating compliance reports. On the other hand, each solution has limited domain expertise outside of its core area. For example, an IAM is capable of managing passwords to logical systems, but lacks knowledge of the badging process, while PIAM can integrate with financial systems but lacks the deep domain knowledge to provide complex accounting controls. 

 Both IAM and PIAM are tailored for use by different departments within an organization, and each department has different requirements. These differences stretch the limitations of whichever system is used to manage both logical and physical security management. In the end, this single-system approach to identity management is not only expensive, but falls short of meeting all security objectives, making it extremely unsatisfying for end users.

 Integrating these systems provides benefits for IT and physical owners as well as the organization as a whole. PIAM adds unique information about contractors and visitors. IAM brings logical system access. The combination allows for more detailed risk analysis, threat and fraud prevention as it pertains to all identities in the organization (i.e. contractors, visitors and of course employees).

 The combination of IAM and PIAM systems delivers a number of benefits, the first of which is practicality. By eliminating duplicate processes, a combined solution creates less work for both physical and IT security teams, which reduces the costs associated with having each team “reinvent wheels”. Background information is a prime example. This expensive but necessary process includes verifying that individuals are indeed who they claim, and that they can be trusted with the required level of access. When only one system is tasked with this job, an organization can cut those costs in half.

 The second main benefit of sharing identities between systems is functionality. The combination of IAM and PIAM provides a 360-degree view of each identity on both the physical and logical security sides, helping to reduce risk and provide tighter controls for access to certain physical or network assets.

 A third benefit is efficiency in the form of a single, authoritative source of identity data for employees, contractors and visitors, contributing to reduced organizational risk.  An integrated system allows users to easily correlate disparate sources of data needed for more efficient operations and risk prevention for both IT and physical security. In addition, the data and documentation both systems provide makes compliance reporting easy and more uniform.

 As a result of these combined functionalities, end users benefit from greater overall efficiencies with the solution. Additionally, with IAM systems optimized for IT processes and PIAM optimized for Physical processes, system users require less training and show higher rates of satisfaction. This integrated approach allows users to continue working on the systems they are already comfortable with and eliminate the need for them to learn how to use a second solution.

 Implementing an integrated two-system approach has proven to be less expensive, lowers risk, and is more responsive to business needs of all parties with faster return on investment than single system efforts.  Whereas adding custom capabilities to an existing system is an expensive, time-consuming process that in the end will still lack the advanced capabilities of an integrated off-the-shelf solution.

 Below are three best practices that will help ensure successful integration between IAM and PIAM systems and maximize the advanced strengths of each system. 

 Meet at the Identity -- Before any integration can take place, it’s crucial to make sure that the IAM and PIAM systems meet at the identity by designating which system will be the authoritative source. This decision can be based on organizational requirements and history, and it is also possible to vary the authoritative source based on identity type (IAM for employees, PIAM for visitors, etc.). Regardless, the chosen authoritative source must be used consistently throughout your organization.

 Identify Business Functions and Workflows -- Organizations should investigate each group’s business functions and determine which department has primary use and the role of each system. For example, if visitors are primarily managed by the security department, then visitor management is better managed by PIAM.

 Determine the Appropriate Level of Integration -- One organization may be satisfied with identity-only integration, while another may require more advanced integration, or vice versa. As such, it’s important to ensure that the necessary disparate systems are integrated and effectively share data as required.

 For maintaining the integrity of identities and ensuring a high level of security, integrating IAM and PIAM solutions to form an advanced identity management solution is by far the most effective approach. Each system has clearly defined roles and responsibilities, which eliminate duplicate processes to reduce work for both teams. Using these best practices for integrating IAM and PIAM, organizations can reduce workloads, improve overall security and reduce spending by issuing one identity per individual – and ensure that the right individuals are accessing the right resources where and when they are supposed to.

 About the Author:

Don Campbell is the Director of Product Management for Quantum Secure