May 14, 2018
By Kevin Elle, Director and Architect, Edgile
Imagine your enterprise’s physical access management integrated with IAMG, giving employees who hold the proper access authority seamless entry to secure locations.
But badge management technology has not kept up with modern IAMG, and the gap leads to problems ranging from too much access, to too little access, to untimely access assignment. Historically there has been a security gap: managers are quick to add access when an employee changes roles, but rarely bother to delete access that is no longer needed, which leads to access accumulation.
We fixed this and deployed at scale for a Fortune 100 client.
The problem is easy enough to see. When an employee, for example, gets a promotion or gets transferred to a different position, that employee's manager will shout the first time the employee can't get access to a sensitive room or building that the employee needs to use to complete tasks. Under the squeaky wheel school of corporate management, those additional points of access will materialize quickly.
That said, there's no urgent need for anyone to delete no-longer-needed points of access, so they tend to hang around. Managers will often have a vague intention of deleting those access privileges later, but because it's not disrupting any work requirements, it is often forgotten.
Accumulated physical access is the same problem as accumulated entitlement access, which happens when a project ends, the workgroup is disbanded, and the employee retains the access. Old data—sometimes including ultra-sensitive payment data or personally identifiable information (PII)—is typically forgotten because it is no longer anyone's specific responsibility. That is often how prohibited data turns up in system sweeps.
Integrating badge management with IAMG allows a manager to review an employee’s physical access during periodic access reviews. For speed and convenience, it will allow for a one-click deletion of any clearances that existed for a prior position.
Layers of physical access controls are a critical part of many companies' security protocols. Two types of access are typical — location and privileged.
Location-based: All users based at the Austin, TX, headquarters will be granted access to the main building and have an RFID tag on their cars allowing secured garage parking.
Privileged: Consider a locked room with printers delivering ultra-sensitive documents. Then for the most sensitive documents—for example, slides detailing secret acquisition negotiations for a board meeting—some printers will require a temporary PIN to be entered before printing the document, to make sure that the intended recipient is in front of the printer at that time, before the papers print.
Now, what about contingent privilege? Consider physical locations restricted to users with the proper training. What happens when that training expires? How about restricting which access may be requested based on completed training? Integrating badge management with an identity solution allows employee access to a location to be added and revoked seamlessly based on the required training, and it can give the employee and manager ample warning before the training expires so the employee can get recertified.
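As an added illustration (not code from the original post or from Edgile's IIQ module), the following Python policy check covers both the periodic-review cleanup of clearances left over from a prior position and the training-contingent access described above; the access levels, roles, training courses and identities are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample policy (hypothetical names): each access level lists the
# job roles that justify it ("*" = everyone at the site) and the training it
# requires, if any.
ACCESS_LEVELS = {
    "HQ-Main":    {"roles": {"*"}, "training": None},
    "HQ-Garage":  {"roles": {"*"}, "training": None},
    "Print-Room": {"roles": {"finance", "legal"}, "training": None},
    "Lab-Chem":   {"roles": {"lab"}, "training": "chem-safety"},
}
WARN_WINDOW = timedelta(days=30)  # warn employee/manager this far before expiry

@dataclass
class Identity:
    name: str
    role: str                  # current job role from the identity platform
    badge_access: set          # access levels currently on the badge
    training: dict = field(default_factory=dict)  # course -> expiry date

def review_access(ident, today):
    """Return (keep, warn, revoke) for one identity's badge access levels."""
    keep, warn, revoke = set(), {}, {}
    for level in sorted(ident.badge_access):
        spec = ACCESS_LEVELS.get(level)
        if spec is None:  # not in policy: a native change made outside IIQ
            revoke[level] = "not a known access level; check for native change"
            continue
        if "*" not in spec["roles"] and ident.role not in spec["roles"]:
            revoke[level] = f"left over from a prior role; not justified by '{ident.role}'"
            continue
        course = spec["training"]
        if course is not None:
            expiry = ident.training.get(course)
            if expiry is None or expiry < today:
                revoke[level] = f"required training '{course}' missing or expired"
                continue
            if expiry - today <= WARN_WINDOW:  # still valid, but recertify soon
                warn[level] = f"training '{course}' expires {expiry.isoformat()}"
        keep.add(level)  # justified by role and (if required) valid training
    return keep, warn, revoke

if __name__ == "__main__":
    # alice moved from the lab to finance but still carries Lab-Chem on her badge
    alice = Identity("alice", "finance", {"HQ-Main", "Print-Room", "Lab-Chem"},
                     {"chem-safety": date(2018, 6, 1)})
    print(review_access(alice, date(2018, 5, 14)))
```

The `revoke` dictionary is the list a manager would act on in the periodic review; the `warn` dictionary is what the pre-expiry notice to employee and manager would be built from.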
Our client had been using Lenel's Picture Perfect badging on-premises package, integrated with a legacy Oracle product (Oracle Lighthouse Identity), which allowed users to request and manage badges within Lighthouse. The client was simultaneously upgrading its badge management to Lenel’s OnGuard platform and retiring the Lighthouse install in favor of SailPoint’s IdentityIQ (IIQ). Edgile was brought in to make all of that happen.
Developing the Lenel OnGuard integration required:
- Developing a custom SailPoint IdentityIQ (IIQ) connector that leveraged the open connector framework
- Building a badge management/photo management module within IIQ; leveraging IIQ’s workflow framework and forms-based UI
The Lenel OnGuard connector integration provides the following functionality:
- Create new user account
- Create and add new badges to users – photo getting stale? Update your photo
- Disable/enable badges
- Update badge metadata, e.g. identification data, address, etc.
- Modify the access levels assigned to a badge, i.e. physical locations
- Update user account
- Disable/enable user account
- Aggregate users, badges, and access levels – detect native changes, unauthorized updates
Integrating badge management into Identity Management requires the identity platform to support uploading and management of user photos. IIQ supports the photo management component via an integration to an external photo database, which allows IIQ to maintain and report on historical photos and photo approvals.
The badge management module allows end-users, their managers or badge administrators to request new badges, leveraging IIQ’s access request framework. When requesting a badge, the module prompts the requestor to provide supporting information, including the request reason, preferred name format and context-based business options as well as pre-populated selection fields based on identity attributes such as job code. Additionally, the module may infer badge fields based on identity data. All of the information submitted and the requestee’s attributes are used to determine the proper badge template selected for the requestee.
The module may determine that a user requires a new photo (e.g. the photo has expired, the user has changed jobs) and will prompt the user to upload a new photo. And given that badge requests require an approval (sometimes two levels of approvals), it's unlikely interlopers could submit their own photos and get past a manager’s approval. In the event that were to happen, the photo badge history module would provide a visual record of the change for an employee’s physical appearance.
The system also allows administrators to view the details and history of any specific user's badge and to mark badges as lost or retrieved; the system then automatically disables access for those badges.
Badge management is often neglected as a security component, but with the right partner, it now can support stronger security and better compliance, and it can sharply advance functionality.