Physical Access Control from an IAM / IAG perspective

I was traveling a lot in the last two weeks to deliver two PoCs on-site at customers interested in an IAM / IAG solution. One customer's facility is so totally locked down by Physical Access Control Systems (PACS) that it's even necessary to have a badge to get to the restroom. During the work on our PoC scenarios and discussions about how to handle some of the upcoming challenges, we also touched on the PACS from an IAM / IAG perspective.

Just take a look at the onboarding process of an employee:

IAM gets a new identity from its integration with the HR system. HR delivers all necessary attributes, so that IAM is able to provision all necessary entitlements based on

  • the location
  • the department
  • the cost center
  • primary or secondary business roles
  • job titles or other attributes.

So why not also use this information for an integration with the customer's PACS? This would enable the IAM system either to interact directly with the PACS to issue the necessary “physical access permissions”, or to integrate with the PACS in a disconnected way by at least letting the PACS guys know that there is a new employee who needs a new badge carrying a certain set of access permissions within the employee's dedicated location.

Thinking of this integration in a wider context, IAM could also offer physical access permissions to other locations (for example meeting places in another building or on another floor) in the form of an access request made by the employee or by someone else on the employee's behalf. This would extend the audit trail down to the physical access permissions of employees, including their request and approval process, tracked in a proven way by the IAM system.

Keeping in mind that these physical access permissions can be issued based on an approved request out of the IAM system, these requests could also be granted only for a limited time for special locations or rooms. But anyway, over time a huge number of physical access permissions will be issued to all the employees, so how to keep control? Pretty simple: by utilizing the IAG capabilities of a mature IAM suite. Based on dedicated schedules, managers could be asked by the system to recertify their employees' physical access permissions, just as they would be asked to recertify role or group memberships. For special locations or sensitive rooms such as archives, there could also be special attestors integrated into the recertification process.

But there are still one and a half challenges left:

Starting with the half challenge: if there is no direct integration with the PACS (disconnected system), it takes some effort to keep track of existing physical access permissions and to reconcile them. But this could be managed by utilizing data exchange formats.
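The reconciliation for a disconnected PACS, sketched as an added example (not code from this post or from any PACS product): a periodic CSV export of badge permissions is compared with the approved, possibly time-limited, grants held in IAM. The CSV layout, column names, zone labels and employee IDs are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data; column names and zone labels are assumptions.
IAM_GRANTS_CSV = """employee_id,zone,valid_until
E1001,HQ-Floor2,
E1001,HQ-Archive,2024-03-31
E1002,HQ-Floor2,
E1003,HQ-Floor3,
"""

PACS_EXPORT_CSV = """employee_id,zone
E1001,HQ-Floor2
E1001,HQ-Archive
E1002,HQ-Floor2
E1002,HQ-ServerRoom
"""

def load_iam_grants(text):
    """Map (employee_id, zone) -> expiry date, or None for a permanent grant."""
    grants = {}
    for row in csv.DictReader(io.StringIO(text)):
        expiry = date.fromisoformat(row["valid_until"]) if row["valid_until"] else None
        grants[(row["employee_id"], row["zone"])] = expiry
    return grants

def load_pacs_permissions(text):
    """Set of (employee_id, zone) pairs currently active on badges."""
    return {(r["employee_id"], r["zone"]) for r in csv.DictReader(io.StringIO(text))}

def reconcile(grants, pacs, today):
    """Compare the PACS state with IAM approvals and classify every deviation."""
    findings = {"unapproved": [], "expired": [], "not_provisioned": []}
    for key in sorted(pacs):
        if key not in grants:
            findings["unapproved"].append(key)       # no request/approval on record
        elif grants[key] is not None and grants[key] < today:
            findings["expired"].append(key)          # time-limited grant has lapsed
    for key, expiry in sorted(grants.items()):
        active = expiry is None or expiry >= today
        if active and key not in pacs:
            findings["not_provisioned"].append(key)  # approved, badge not updated
    return findings

if __name__ == "__main__":
    # Fixed, constructed review date so the output is reproducible.
    print(reconcile(load_iam_grants(IAM_GRANTS_CSV),
                    load_pacs_permissions(PACS_EXPORT_CSV), date(2024, 4, 15)))
```

The "unapproved" and "expired" findings are the ones to feed back to the PACS operators for revocation and into the next recertification campaign.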

The full-sized challenge remains the same with a deep PACS integration as well as with an integration as a disconnected system: the physical connection between a human and the access card or badge. As soon as this combination is “broken” and not reported to the instances who can react, this will be a security threat. This could only be eliminated by using biometric procedures such as fingerprints or iris scans, so that a system identifies the person to determine the physical access permissions. But this might lead us to a privacy discussion as well.
