Archive for October, 2012

Physical Access Control from an IAM / IAG perspective

October 28, 2012

I was traveling a lot in the last two weeks to deliver two PoCs on-site at customers interested in an IAM / IAG solution. One customer's facility is so completely locked down by Physical Access Control Systems (PACS) that a badge is needed even to get to the restroom. During the work on our PoC scenarios and the discussions about how to handle some of the upcoming challenges, we also touched on the PACS from an IAM / IAG perspective.

Just take a look at the onboarding process of an employee:

IAM gets a new identity from its integration with the HR system. HR delivers all the necessary attributes, so that IAM is able to provision the necessary entitlements based on

  • the location
  • the department
  • the cost center
  • primary or secondary business roles
  • job titles or other attributes.

So why not use this information for an integration with the customer's PACS as well? This would enable the IAM system either to interact directly with the PACS to issue the necessary "physical access permissions", or to integrate with the PACS in a disconnected way by at least letting the PACS team know that there is a new employee who needs a badge carrying a defined set of access permissions for the employee's location.

Thinking about this integration in a wider context, IAM could also offer physical access permissions for other locations (for example meeting rooms in another building or on another floor) in the form of an access request made by the employee, or by someone else on the employee's behalf. This would extend the audit trail down to the physical access permissions of employees, including their request and approval process, tracked in a provable way by the IAM system.

Keeping in mind that these physical access permissions are issued based on an approved request out of the IAM system, such requests could also be limited in time for special locations or rooms. Either way, over time a huge number of physical access permissions will have been issued to all the employees, so how to keep control? Pretty simple, by using the IAG capabilities of a mature IAM suite: on a defined schedule, managers can be asked by the system to recertify their employees' physical access permissions, just as they are asked to recertify role or group memberships. For special locations or sensitive rooms such as archives, dedicated attestors could also be integrated into the recertification process.

But there are still one and a half challenges left:

Starting with the half challenge: if there is no direct integration with the PACS (a disconnected system), it takes some effort to keep track of the existing physical access permissions and to reconcile them against what IAM believes it has issued. But this can be managed with data exchange formats.
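The following is an added example, not code from the original post and not any vendor's product. It models in Python the flow described in the paragraphs above: HR attributes turned into birthright door grants, a time-limited approved request recorded with its approver, a CSV exchange file for a disconnected PACS, a reconciliation of the PACS's own export against IAM's view, and a recertification worklist that routes sensitive doors to a dedicated attestor. The employee ids, door names, policy table, exchange-file layout and the PACS export inside demo() are all constructed assumptions.

```python
"""Toy IAM -> PACS bridge (added example, not code from the original post).
Ids, door names, policy, CSV layout and the PACS export in demo() are constructed."""
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed policy: (location, department) -> doors; "*" = any department.
DOOR_POLICY = {
    ("BER", "*"): {"BER-MAIN", "BER-RESTROOM-2F"},
    ("BER", "Finance"): {"BER-ARCHIVE"},
    ("MUC", "*"): {"MUC-MAIN"},
}
# Sensitive doors get a dedicated attestor in addition to the manager.
SENSITIVE_DOORS = {"BER-ARCHIVE": "archive-owner"}

@dataclass(frozen=True)
class Identity:
    employee_id: str
    manager_id: str
    location: str
    department: str

@dataclass(frozen=True)
class Grant:
    employee_id: str
    door: str
    valid_until: Optional[date]  # None = birthright, valid while employed
    reason: str                  # "birthright" or "request:<approver>"

def birthright_doors(ident):
    """Doors derived from HR attributes alone (location and department)."""
    return set().union(*(d for (loc, dept), d in DOOR_POLICY.items()
                         if loc == ident.location and dept in ("*", ident.department)))

def provision(ident):
    """Birthright grants issued at onboarding; no expiry."""
    return [Grant(ident.employee_id, d, None, "birthright")
            for d in sorted(birthright_doors(ident))]

def approve_request(ident, door, valid_until, approver, today):
    """Time-limited grant for a door outside the birthright set; the approver
    is recorded so request and approval land in the audit trail."""
    if valid_until < today:
        raise ValueError("expiry lies in the past")
    if approver == ident.employee_id:
        raise ValueError("requester may not approve their own request")
    return Grant(ident.employee_id, door, valid_until, "request:" + approver)

def export_for_pacs(grants):
    """Exchange file for a disconnected PACS: one row per (employee, door)."""
    out = io.StringIO()
    w = csv.writer(out, lineterminator="\n")
    w.writerow(["employee_id", "door", "valid_until"])
    for g in grants:
        w.writerow([g.employee_id, g.door,
                    g.valid_until.isoformat() if g.valid_until else ""])
    return out.getvalue()

def reconcile(iam_grants, pacs_export, today):
    """Compare the PACS's own export (same columns) with IAM's view.
    orphaned: in PACS, never granted by IAM -> revoke or send to recertification
    missing: active in IAM, absent in PACS -> re-export
    expired: still in PACS after its validity ran out -> revoke"""
    known = {(g.employee_id, g.door) for g in iam_grants}
    active = {(g.employee_id, g.door) for g in iam_grants
              if g.valid_until is None or g.valid_until >= today}
    pacs = {}
    for r in csv.DictReader(io.StringIO(pacs_export)):
        vu = date.fromisoformat(r["valid_until"]) if r["valid_until"] else None
        pacs[(r["employee_id"], r["door"])] = vu
    return {"orphaned": sorted(k for k in pacs if k not in known),
            "missing": sorted(k for k in active if k not in pacs),
            "expired": sorted(k for k, vu in pacs.items() if vu and vu < today)}

def recert_worklist(grants, identities):
    """Scheduled recertification: every grant goes to the employee's manager,
    sensitive doors additionally to their dedicated attestor."""
    manager = {i.employee_id: i.manager_id for i in identities}
    items = []
    for g in grants:
        items.append((manager[g.employee_id], g.employee_id, g.door))
        if g.door in SENSITIVE_DOORS:
            items.append((SENSITIVE_DOORS[g.door], g.employee_id, g.door))
    return sorted(items)

def demo():
    """One onboarding, one approved request, export, reconciliation, recert."""
    today = date(2012, 10, 28)
    alice = Identity("E1001", "M2000", "BER", "Finance")
    grants = provision(alice) + [
        approve_request(alice, "MUC-MEETING-3A", date(2012, 11, 2), "M2000", today)]
    # Constructed PACS export: a former employee (E0900) still opens the archive,
    # the restroom grant never arrived, and the meeting-room row already lapsed.
    pacs = ("employee_id,door,valid_until\nE1001,BER-MAIN,\nE1001,BER-ARCHIVE,\n"
            "E0900,BER-ARCHIVE,\nE1001,MUC-MEETING-3A,2012-10-01\n")
    return {"grants": grants, "export": export_for_pacs(grants),
            "reconcile": reconcile(grants, pacs, today),
            "recert": recert_worklist(grants, [alice])}
```

Calling demo() walks one employee through the whole chain. The reconciliation step is the "half challenge" of a disconnected PACS: without it, the former employee's archive permission in the constructed export (E0900) would stay unnoticed until a recertification campaign happened to ask about it, and the lapsed meeting-room row would keep opening a door that IAM no longer considers granted.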

The full-sized challenge exists with a deep PACS integration just as much as with an integration as a disconnected system: the physical link between a human and the access card or badge. As soon as this combination is "broken" (a badge that is lost, lent out or stolen) and not reported to the people who can react, it is a security threat. This could only be taken out of the way by using biometric procedures such as fingerprints or iris scans, so that the system identifies the person and then determines the physical access permissions. But this might lead us into a privacy discussion as well.


Consuming Azure Mobile Services - 1st step towards Identity on the Phone?

October 1, 2012

Over the weekend I read an interesting blog series by Bruno Terkaly, titled "Introduction to Consuming Azure Mobile Services from iOS". It has five parts, showing some basic principles of consuming Windows Azure Mobile Services from an iOS application on an iPad or iPhone. As a matter of fact, the whole issue of authenticating a user is missing from this blog series, but as Bruno states in his comment on the 5th blog post:

The portal will offer direct support for Authentication and Push notification for both iOS and Android.

So there might be an upcoming series on using authentication on iOS and / or Android, which might open the door a bit for the hot topic "Identity on the Phone" (do we already have IotP defined for that?), a topic that is completely missing today, at a time when a smartphone is nearly everyone's daily companion.

Here are the five blog posts on the topic:

Part 1 of 5: Introduction to Consuming Azure Mobile Services from iOS

Part 2 of 5: Introduction to Consuming Azure Mobile Services from iOS

Part 3 of 5: Introduction to Consuming Azure Mobile Services from iOS

Part 4 of 5: Introduction to Consuming Azure Mobile Services from iOS

Part 5 of 5: Introduction to Consuming Azure Mobile Services from iOS

So hopefully we will see some updates on his blog regarding the authentication topic, if he's not already working on that. Looking forward to it.

Categories: Cloud, Identity, Mobility