Identity management can include the use of smart cards and chips, authentication devices and systems, access control systems, directory software, and card and credential management software.
Sounds simple enough, although the physical security industry and IT have historically performed this privilege management quite independently. In physical security, the corporate security office registers new employees and distributes ID badges, keys and key cards. In IT, new employees are granted “keys” such as passwords to networks, computers and applications. And, while the two systems sound similar, the two groups have found very different ways of performing identity management.
IT departments commonly centralize all identities and privileges in special computer software called a directory. The central repository saves a company thousands of dollars – sometimes millions – by allowing all identity and access systems related to the computer network to share information. Employees are added to the system quickly; privileges are modified easily; and individuals may be removed from all systems instantly.
That sort of streamlined data sharing is not common at all in physical security. To get anywhere close to the same functionality, companies have to standardize on proprietary products from a single manufacturer. Most companies tend to think of such restrictions as heavy-handed and undesirable.
Purchasing trends and budgets at hundreds of companies indicate that the end is near for proprietary identity and access management systems. Instead, companies are looking to buy – or sometimes build by themselves – identity management architectures that combine privilege management of both logical and physical assets.
Bringing the solutions together
One chief financial officer told my company that in one month he received two purchase order requests that he could not approve. One came from the security department for a $1 million upgrade to the access control infrastructure to manage people and their privileges to corporate assets. The second was a request for a $1 million identity management solution from the IT department. It too was designed to manage people and their privileges to corporate assets. One system managed physical privileges and the other data, but that subtle difference was lost on the CFO, who declared the expense redundant, demanding that the two groups work together to save costs.
Bringing the two solutions together into one integrated approach is complex, but quite achievable. One large pharmaceutical company in Europe assembled a prototype solution that was later adopted by one of Europe’s largest systems integrators. The company started with a new ID badge incorporating a standard employee photo, an embedded smart card chip, and radio frequency technology compliant with the existing electronic door controls. Card management software encoded the cards, and provisioning software managed all of the approvals by all of the system owners and managers.
Inefficient event management
What’s happening, how important it is, and whether it changes the company’s risk profile are the basic questions on the minds of every executive considering event management technologies such as cameras, digital video recorders, video analytics or alarms.
From the point of view of executives, corporate security and IT fail to solve problems and create unnecessary costs related to event management. So why can’t the two systems become one?
The answer is, they can. In fact, software is available off-the-shelf today that would streamline response management for all incidents – logical or physical. Today, several major physical security manufacturers are forming relationships with software companies, search engines and communications providers to produce next-generation consolidated event management and response systems.