Improving Security

How PIAM systems help turn the security tide for distributed<br> buildings and facilities

The global economy is changing. Organizations are acquiring new spaces as they expand to cover new territory. Where once the average-sized company might be housed in a single building, today they can operate campuses all over the world. Whether it’s a corporate campus with multiple facilities in a single location or a global operation with offices on every continent, organizations are facing new challenges on a much larger scale.

One growing challenge is access management, particularly concerning visitors. Many organizations have an access control system (ACS) that helps protect environments by securing access through doors. But access control is static in nature and can’t always provide operators with clear policies to follow. Even if the ACS could, there is no guarantee that the policies would be up to date. This is because compliance needs and external regulations change and new processes get added over time. All of which can slow things down or, worse, introduce security gaps.

What can a growing or distributed organization do? First, they can unify their access control system to allow for centralized monitoring. This will enable employees to move easily and securely between environments and locations. Next, they can add a Physical Identity and Access Management (PIAM) system to simplify and improve the process of granting access.

A PIAM solution grants access to buildings and facilities based on attributes assigned to a person by an organization. These attributes, which can include department, location, seniority, and training, are used in relation to an organization’s own security policies to define someone’s access rights. As an individual’s attributes change, like when they receive more training or are assigned to a new department, their access rights also change automatically according to these policies.

Managing Access Rights for Employees

Not every employee needs unfettered access to every environment in an organization at all times. Whether it is an equipment room with expensive machinery or a server room with sensitive data, access to some spaces must be restricted. However, these restrictions do not have to be set in stone. Things can change. An employee might need temporary access for maintenance purposes or might need to access new areas as a result of a promotion.

In the past, the process for granting an employee temporary access to restricted areas was time consuming and led to gaps in security. First, the employee or their supervisor had to determine who to ask. Next, they had to send an email and hope for a timely response. The person responsible then had to grant the access and remember to revoke it once the requested period was over. All too often, this involved an Excel spreadsheet or Post-it Notes.

With a PIAM, the process is streamlined and simplified. The employee requests access to a specific area, and then, based on their attributes, the system either grants, denies, or forwards the request to the area owner. Once approved, the individual will have access for a specific amount of time. The employee’s credentials will be automatically updated to both allow and revoke access for the approved period.

The Challenges around Visitor Management

But what about visitors, contractors, and temporary employees? How can an organization distributed across multiple buildings or around the world manage access rights for these individuals? Here again, a PIAM solution can help by centrally managing rights for everyone who interacts with an organization.

For many, working with a manual system to handle visitor access can cause inefficiencies, errors, and security gaps. Generally speaking, when using a manual system, the appearance of a visitor requires front desk staff to suddenly stop what they’re doing and manage the arrival. The process is compounded if an entire group shows up at once or if more than one person arrives at the same time.

Regardless of how many people arrive, the front desk staff needs to input information and issue credentials. Then they have to quickly notify the host within the organization to ensure that visitors are not kept waiting, as this can have a negative impact. Also, security problems can arise around verifying visitor identities and tracking how long visitors are in buildings and where they went.

How a PIAM Can Help

With a PIAM, hosts can create a visitor request through a portal. The system then grants access and sends the visitor a confirmation email with a QR code for checking in. The visitor can use this email to access designated areas and meet with their host within the organization.

The email can also contain a variety of other information, including parking instructions or an NDA (if required). Today, organizations are also using email confirmation to help manage the spread of COVID-19 by sending a health questionnaire that must be submitted before the visitor’s arrival.

When an organization has added on-site kiosks that print badges once a visitor has scanned their QR code, visitors can check themselves in. In this case, the system takes the visitor’s picture and issues a printed badge. It can also text the host to notify them that their visitor has checked in. And, if an organization wants to add a layer of security, the system can be configured to scan passports or ID cards to validate each visitor’s identity.

Increasingly, organizations are also integrating automatic license plate recognition (ALPR) into their identity management systems. This allows the PIAM to use a visitor’s license plate, for example, as a form of credential.

In this case, access can be granted to a visitor as soon as their license plate is read. This can improve the flow of visitors through a facility while ensuring safety and security.

Simplifying the Auditing Process

When it comes to managing access policies, a PIAM allows organizations to develop their own security protocols and adjust them as needs and regulations change. In the past, security operators were the ones responsible for managing security across campuses. Now, area owners are also involved in determining who can access their environments.

Working together, security operators and area managers implement access policies within the PIAM. These policies indicate which attributes are required for access to a given area. If anything changes, they simply update the system and the new policy can be applied across the entire organization.

The ability to update access policies can be especially important in heavily regulated industries, like hydro, oil and gas, and other utilities, since they can receive heavy fines for failing to keep access rights up to date. This includes anything from not revoking a visitor’s access after they have left the facility to not accurately tracking a contractor’s movements.

The North American Electric Reliability Corporation (NERC) oversees the utility industry. They audit facilities regularly and fine those whose access rights are not up to date. This means that the ability to perform access audits is vital.

When an access audit is done manually, a security operator must run a report and provide an Excel spreadsheet to the area owner who must then go through the sheet line by line to see who must be removed and who needs to have their access rights updated. The spreadsheet is then sent back to the security operator who implements the changes. Then, these changes have to be approved by the owner. Needless to say, the manual process is time consuming and can take months to perform.

With a PIAM, an area owner can check to verify access rights and perform changes or make updates as necessary. For example, if an individual has changed departments or been promoted to a new position, the area owner can immediately and automatically increase or remove their access rights directly in the system.

Today, some PIAMs also allow organizations to schedule access audits according to their own needs. If an organization is audited each quarter, for example, the system can be programmed to perform them every 3 months. Since generating audits is simply a matter of area owners going into the system and approving or denying access rights, it becomes easy to provide auditors with a completed report when they arrive on site.

The increasing complexity of individual campuses as well as the expanding network of distributed facilities means that the challenges around access management will continue to grow. We know that addressing these challenges today as well as in the future is key. Effective employee and visitor management increases security, facilitates compliance, and leads to a better flow of people through places. A PIAM can play an important role in achieving the safe, seamless movement of individuals through our environments.

This article originally appeared in the January February 2021 issue of Campus Security & Life Safety.

Digital Edition

  • Campus Security & Life Safety Magazine - March April 2021

    March / April 2021

    Featuring:

    • Get More from your Solutions
    • High Rates of Self Harm
    • Unlocking Business Intelligence
    • CARES Act 2: Large, but Still Insufficient

    View This Issue