Marius Coetzee, COO, Ideco Biometric Security Solutions says an effective identity and access management solution must involve people, possessions and processes.
The many access and identity management solutions implemented in organisations today incorporate different technologies, best practices and skills. Some are based on access control solutions that have been expanded into broader identity solutions; others are based on high-level identity management solutions that drill down into multiple aspects of physical and logical access control.
According to Marius Coetzee, COO of Ideco Biometric Security Solutions, any successful identity and access management (IAM) solution must be based on the three Ps of effective identity management:
1. People.
2. Possessions.
3. Processes.
Traditionally, organisations focus on possessions, using access control and surveillance technologies to protect their assets and premises. These assets are perceived as valuable and are often the easiest to protect. People and processes can be complex entities to manage, requiring time, effort and expertise to successfully control.
The reality, according to Coetzee, is that any effective IAM solution must be built on the foundation of the three Ps if it is to offer the security and reliability organisations require. If any area is neglected, the result will be vulnerabilities that can lead to security breaches.
People
When dealing with people, it is crucial to determine the level of risk each person entering the organisation poses, whether employee or visitor. Once determined, there needs to be a set of processes that define how the person is handled, how the engagement with the individual or group takes place, the business relationship and the final disengagement when they leave.
Employees
As far as staff are concerned, Coetzee recommends screening new hires to confirm their background, criminal and credit records to ensure you have selected the right person for the job. This can be a complex process, and the screening must be scaled up to more intense checks for those people who will have access to more sensitive resources and facilities within the organisation and who require, for example, specific governance and compliance skills, as well as higher training levels.
All these issues need to be clearly defined in the engagement process before an ongoing relationship is started. If done correctly, each individual will create an identity chain as they go about their daily work, clearly showing who did what, when; this identity chain will be auditable and non-repudiable, meaning there can be no mistake as to who is responsible for every action.
At the end of the relationship, when the individual disengages from the company, there must be a process in place to completely remove his/her access rights. Far too many companies have former employees who can still access the premises and IT resources because their disengagement was not properly handled. This is obviously a serious security breach.
Visitors
When it comes to allowing visitors in, screening is not possible as their stays are usually short and the information they provide about themselves sparse. Coetzee recommends that each company defines what risk level is acceptable with respect to visitors and confines these guests to the access permissions relative to that level.
This decision is not an easy one. Many companies have experienced the consequences of allowing people claiming to be Telkom technicians or air conditioner maintenance crews free access to their premises. A workable relationship, and a means of identifying those who should be allowed greater unaccompanied access, must be defined and strictly implemented.
Possessions
South African companies are of necessity experienced in protecting their physical possessions, but are not all that well prepared when it comes to protecting their logical assets. Logical security is a relatively new concept in IAM (we exclude common issues such as malware and spam protection) and there have been a number of initiatives to address this topic. Some of these include single sign-on, password replacement technologies and policies to manage the identities of people on corporate systems.
As with people, the process of asset management follows a path of acquisition, maintenance and use, and finally disengagement in the form of scrapping or selling the item. Coetzee says corporations must ensure they purchase the right access solutions to provide a level of risk mitigation appropriate to the sensitivity of the access granted. Once again an audit trail must be maintained throughout the process to accurately verify who did what, when.
When the item is disposed of, Coetzee says it needs to be wiped clean. In other words, any sensitive data or access codes need to be removed, leaving a 'blank slate' that will be of no use to anyone trying to gain unauthorised access to the firm’s logical resources or information. There have been many cases of companies giving old computers away, for example, without removing databases of customer information. Not only does this put you at risk of legal action, your brand’s reputation could also suffer.
Processes
When it comes to processes, it all boils down to the trust associated with the level of access each one requires. Coetzee says there are two categories of processes, transactional and operational.
Operational processes
Operational processes deal with who does what and the associated authorisations each individual has to do their work.
Transactional processes
Transactional processes deal with issues such as approving transactions and customer credit limits, as well as the authorisation of transactions completed by other employees. These are sensitive responsibilities and the processes need to ensure only authorised people are able to carry them out and that there is a complete identity chain linking all actions to a verified identity (in other words, a person).
Both types need to be driven by a process lifecycle which is divided into four phases:
1. The request phase in which the employee asks to gain access to a resource to perform a function.
2. The authorisation phase in which the IAM solution authenticates the user and determines if he/she has permission to perform the requested action.
3. The execution phase which allows the function to run, having determined that the user is who they claim to be and is authorised to do this type of transaction.
4. The audit phase, based on the identity chain, which provides a full history should any queries be raised about the transaction.
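As an added illustration, not code from the article or from Ideco, the four-phase lifecycle above and the disengagement step described under People can be modelled in a few dozen lines of Python. The sample users, their secrets and their entitlements are constructed assumptions, and the credential check is a stand-in for whatever authentication (biometric or otherwise) a real deployment uses. The hash-linked log plays the role of the article's "identity chain": every request, decision, execution and revocation is tied to the identity involved and to the previous entry, so the who-did-what-when history is auditable and any later alteration is detectable.

```python
import hashlib
import hmac
import json
import time

# Constructed sample directory (an assumption, not real data): user -> secret,
# and user -> resource -> allowed actions.
CREDENTIALS = {"alice": "alice-secret", "bob": "bob-secret"}
ENTITLEMENTS = {
    "alice": {"ledger": {"read", "approve"}},
    "bob": {"ledger": {"read"}},
}


class IdentityChain:
    """Append-only, hash-linked audit log. Each entry records the (claimed or
    verified) identity, lifecycle phase, resource, action, outcome and time,
    and commits to the hash of the previous entry."""

    def __init__(self):
        self.entries = []

    def append(self, identity, phase, resource, action, outcome, at=None):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {
            "seq": len(self.entries), "identity": identity, "phase": phase,
            "resource": resource, "action": action, "outcome": outcome,
            "at": at if at is not None else time.time(), "prev": prev,
        }
        body["hash"] = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.entries.append(body)
        return body

    def verify(self):
        """Recompute every link; False if any entry was altered, removed or reordered."""
        prev = "0" * 64
        for seq, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["seq"] != seq or body["prev"] != prev:
                return False
            if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


class IamService:
    def __init__(self, credentials, entitlements, chain):
        self.credentials = dict(credentials)
        # Deep-copy the entitlement sets so revocation cannot leak back into the source data.
        self.entitlements = {u: {r: set(a) for r, a in res.items()} for u, res in entitlements.items()}
        self.chain = chain

    def _authenticate(self, user, secret):
        expected = self.credentials.get(user)
        return expected is not None and hmac.compare_digest(expected, secret)

    def perform(self, user, secret, resource, action, work):
        """Run one request through the four phases; returns (ok, result)."""
        # 1. Request phase: log what was asked for before any decision is made.
        self.chain.append(user, "request", resource, action, "received")
        # 2. Authorisation phase: authenticate the user, then check the entitlement.
        if not self._authenticate(user, secret):
            self.chain.append(user, "authorise", resource, action, "denied: authentication failed")
            return False, None
        if action not in self.entitlements.get(user, {}).get(resource, set()):
            self.chain.append(user, "authorise", resource, action, "denied: not entitled")
            return False, None
        self.chain.append(user, "authorise", resource, action, "granted")
        # 3. Execution phase: the function runs only after both checks passed.
        result = work()
        self.chain.append(user, "execute", resource, action, "completed")
        return True, result

    def audit(self, user):
        """4. Audit phase: the full, ordered history for one identity."""
        return [e for e in self.chain.entries if e["identity"] == user]

    def disengage(self, user):
        """Offboarding: remove every right and credential, and record the revocation."""
        removed = self.entitlements.pop(user, {})
        self.credentials.pop(user, None)
        self.chain.append(user, "disengage", "*", "*", "all access revoked")
        return {r: sorted(a) for r, a in removed.items()}


def run_demo():
    """Approval by an entitled user, two denials, then offboarding closes the account."""
    chain = IdentityChain()
    iam = IamService(CREDENTIALS, ENTITLEMENTS, chain)
    approved = iam.perform("alice", "alice-secret", "ledger", "approve", lambda: "txn-1 approved")
    denied = iam.perform("bob", "bob-secret", "ledger", "approve", lambda: "must not run")
    bad_cred = iam.perform("bob", "wrong", "ledger", "read", lambda: "must not run")
    revoked = iam.disengage("bob")
    after = iam.perform("bob", "bob-secret", "ledger", "read", lambda: "must not run")
    return iam, approved, denied, bad_cred, revoked, after


if __name__ == "__main__":
    iam, *_ = run_demo()
    for e in iam.chain.entries:
        print(e["seq"], e["identity"], e["phase"], e["outcome"])
    print("chain intact:", iam.chain.verify())
```

Two design points carry the article's argument: the request is logged before the decision, so a denied attempt is as much a part of the identity chain as a granted one, and disengagement removes both the entitlements and the credential, so a former employee's request fails at authentication rather than silently succeeding on a forgotten right.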
There is an IAM lifecycle for each of the three Ps that ensures people, possessions and processes within a company are properly secured and accessible only to authorised individuals. Moreover, IAM solutions based on these principles ensure a full identity chain is created no matter what employees or visitors are doing. However, leaving one of the Ps out of the equation results in gaps in a company’s security posture, which in effect means it is vulnerable to attacks from without and within.
© Technews Publishing (Pty) Ltd. All Rights Reserved.