One of the greatest challenges for many modern day security executives is proving the value of security to those in senior management positions. Long gone are the days when organizations could just make large capital investments into security systems. It’s not that security isn’t important to these decision makers, but they want to get a return on their investment – a security system that can not only safeguard their company’s people and assets, but one that can also improve business operations.
The development of physical identity access management or PIAM technology offers organizations one solution to this dilemma. However, PIAM is a relatively new concept and there’s still some confusion in the market as to what exactly constitutes a PIAM solution. According to Ajay Jain, president and CEO of Quantum Secure, an identity essentially has two personas in security – digital and physical.
“The identity management concept of the digital world has been very well established by several companies in the market such as Oracle and IBM. They are the people who are managing the digital identity of a person and its lifecycle – on-boarding of that digital identity, entitlement management, privileges management, and termination of that particular identity across their network,” he explained. “There is also a parallel world where if I get hired by General Motors, I get a digital identity which is managed by the Oracles of the world, but I also get an access card to get into the building where I work.”
Jain said that’s where companies like Quantum Secure come into play with the on-boarding of a physical identity and creating entitlements and the privileges for that particular identity across an organization. However, Jain said that PIAM does not physically control doors, but rather works in conjunction with physical access control systems (PACS). “We manage the entire process,” Jain said. “Who is authorized? Who is authenticated? Who is entitled to what? Who gets privileges and when do they need to be terminated?”
Prior to PIAM, Jain said that this process was managed through a Microsoft Excel spreadsheet or in someone’s head, but now organizations can automate that process. Obviously, the ability to automate the identity management process presents huge potential for organizations that have a large footprint. Jain said that one of his company’s customers, which use seven or eight different access control brands in their facilities, has leveraged their PIAM solution to manage more than 300,000 identities.
“They had a bunch of people doing manual work. Suppose I needed access into a particular location, I would fill out a form which would then travel to someone in their operational center who would look at it and say ‘in order to get approval into this restricted area I need to call this person,’” Jain said. “We automated this complete approval hierarchy and created one, central portal.”
According to Todd Vigneault, senior manager for corporate security and safety at Symantec, PIAM has paid huge dividends for the anti-virus software developer. Vigneault said that his company was presented with a huge identity management challenge following a large acquisition, which doubled the company’s size.
“That put us in a position where we had two enterprise-level access control systems and we needed something to bring them together,” Vigneault explained. “At that point, identity management basically became our governance and compliance tool and helped us ensure that people were put into our system in an accurate manner. PIAM gave us one, homogenous system to manage security identity and automate some of our business processes, as well as security rules and processes that we already had in place.”
According to Vigneault, PIAM is really about lifecycle management of identities within an organization and how it can help streamline that process to make is simpler and more efficient.
“If I can enter that information one time and have it flow to downstream systems and if it can flow into my system the way HR entered it, why do I need a security or IT employee to enter that same exact data another time?,” Vigneault asked. “In my view, identity management eliminates keystrokes and it creates resource opportunities to have those people do something else.”
In addition, implementing a PIAM solution has also helped Symantec, which has facilities in over 50 countries, standardize how physical access rights are provisioned in different regions. “Today we’re very standardized and everybody’s directed to do things in the same manner,” he said.
Of course, one of the key's to implementing a new security solution like PIAM is getting buy-in from C-suite executives. Vigneault said he was able to sell PIAM to senior managers at his company as a compliance need.
“The business that I’m in, compliance is very high on the totem pole. I think everybody could kind of sell it as a compliance issue, but it is not an inexpensive proposition,” he said. “What I would identify is how many people do I have doing this type of job and what could I have those people doing if I can help them be more efficient? Many people base things solely on how many positions they can eliminate, but from my experience, we never had the intent to eliminate a position. Significantly more important, in my view, is we sit and house data that could valuable throughout the organization.”