
PhysSecPlus GLOBAL WHITE PAPER

What Is PIAM and Why Is It Necessary?

Introduction

PIAM, what is it?  Physical Identity and Access Management.  At its root, it is an identity management system and workflow process that connects one or more authoritative identity sources to physical access control systems (PACS), often multiple PACS in one instance, and provisions and manages the identities and their access privileges.   This is the root definition, but PIAM is much more.

A PIAM is an advanced, scalable solution that integrates, operationalizes, and manages the data and identities from these systems through the entire identity lifecycle, with a workflow engine that manages organization policies and rules, and provisions cardholders and access privileges to the connected access control systems.  All from a single pane of glass.  Simply put, it is the concept of “Single Enrollment, Many Uses.”  The six key things that most PIAMs on the market do for identity management are:

  • Onboarding
  • Off-boarding
  • Request Access
  • Recertify Access
  • Audit
  • Reporting


Onboarding and off-boarding can, in many instances, be done with an XML integration between the HR system and the access control system.  The problem is that doing the rest is extremely difficult.  That is why not many companies in this industry are doing it.  A PIAM simplifies this entire experience to a single portal, with a workflow engine that manages policies and your rules, on-boards and off-boards, and gives people an easy way to request, approve, recertify, audit and report on any access change.

On the following page is a diagram of a general SaaS platform of a PIAM. An on-site deployment looks very similar, with the PIAM placed in a database or server icon instead of a cloud, except for the case of a private cloud deployment.  Each manufacturer of PIAM products varies slightly regarding information transferred, protocols and encryption methods.  Additionally, the number of connected PACS can be more or less than three and can be nearly infinite in some cases with the correct infrastructure in place.   

physsecplus.com

Diagram of a standard PIAM deployment.

So, why PIAM?  The compelling reasons that drive the need and desire for PIAM are:

  • Risk
  • Cost Savings
  • Compliance


The following sections explore more closely these three factors.

Risk Factors

Many organizations do not have enough people to handle the multitude of manual processes, so they put themselves at risk.  Risk mitigation and cost savings come by way of removing the manual processes while adding flexibility.  Additionally, the potential for errors in these manual processes is great, which could result in someone gaining access who should not.  Security breaches can be small, or so large that they damage the brand.

By having an automated central point of access privilege revocation, a PIAM significantly reduces risk.  For example, if an identity (employee, contractor, vendor, visitor) is terminated in the authoritative identity source, the information is sent to the PIAM, which immediately turns off all physical access to the identity across all connected PACS.

Instituting a PIAM into your enterprise enhances total workforce security and safety. By connecting multiple identity sources to multiple PACS, it converges and addresses access governance and security for employees, contractors, and visitors.  Contractors and visitors are a critical security gap for many top Fortune companies.

Cost Factors

At the core of these processes is the individual identity, not the credential.  The key to your enterprise is not the credential, it’s the identity!  Authoritative identity sources, such as Workplace, PeopleSoft, or other HR systems, digital transformation solutions like ServiceNow and SAP, access control systems, incident management systems, and IT systems within an organization create massive amounts of data.  This data is very siloed; these systems don’t often work together.  Combined with the complex needs of various lines of business, organizations need to do something to fix it and manage it.  For the last 60 years, companies have always managed it manually.  It has been all about people, paperwork, and processes, and it is an inefficient way to do it.

The reality is that most security departments are stuck in the stone age of manual processes with paper forms or Excel sheets and email.  As one example, a typical manual security onboarding process starts with the HR department emailing the security department, asking it to create a badge for the new employee, enter them manually as a cardholder in the access control system, and assign specific access control privileges.  The security department manually performs these individual tasks, logs the task performed in various spreadsheets, and emails the HR department when completed.

Another process example is the additional access request and approval process, where the employee requests, via paper or email, access to a specific door or group of doors not normally needed.  The employee’s supervisor reviews and, if approved, sends an email to the area owner for approval.  The area owner, if they approve, logs the employee’s information in various spreadsheets, then emails the employee’s supervisor with the approval.  Then the supervisor emails the security department asking them to add the access to the system, which the security department does manually, logging the information manually as well.

PIAM eliminates the error-prone, time-consuming, and risk-filled manual processes.  By automating all the manual processes of physical identity management, a PIAM effectively creates organizational efficiencies that result in significant labor cost savings, sometimes upwards of 60% to 80%.  That’s an ROI that can be sold to upper leadership for approval to implement a PIAM solution.

Compliance Factors

More and more regulations are being pushed down on organizations for compliance.  There are NERC/CIP, HIPAA, SOX, PCI, GLBA, and the Food Safety Act, just to get started.  Depending on the industry, these external bodies are scrutinizing organizations.  Responses to these regulations, in order to be in compliance, are more often than not carried out through extensive, laborious manual processes: back-and-forth email communications, manual reviews of the requirements and certifications needed to access sensitive areas, and even the completion and management of paper forms.

Many organizations have more than one access control system server, and from more than one manufacturer as well.  If the process to pull data from these for compliance reporting is manual, employees must go to each system to pull the data, analyze it, and compile it into a report.  This is a lot of labor hours spent on one report. 

A PIAM platform automates these manual processes and aggregates all the data from the various access control systems into a single platform, creating a seamless, transparent collation.  Additionally, most PIAMs have audit campaign features whereby, on a set interval, each area owner defined within the system is notified to log in to the PIAM and certify, for their area of responsibility, each identity’s access privileges as either “still good” or “no longer needed.”  If an access privilege for a given identity is removed/denied during the audit, it is logged and the PIAM, if it has this capability, automatically removes that access privilege from the identity’s cardholder account in the access control system.
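The two automated flows this paper describes, a termination in the authoritative identity source that switches off access in every connected PACS (Risk Factors) and an audit campaign whose “no longer needed” decisions are revoked and logged automatically (this section), are shown below as a single added example. It is not code from any PIAM product; the XML event format, the `PacsConnector`, `Piam` and `demo` names and the sample cardholders are all constructed for illustration.

```python
"""Minimal PIAM-style workflow engine: fan-out deprovisioning and a
recertification campaign across several PACS connectors.
Added example, not vendor code; every name here is an assumption."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET


class PacsConnector:
    """Stand-in for one physical access control system (PACS) API.
    Holds cardholders as identity_id -> set of access levels."""

    def __init__(self, name):
        self.name = name
        self.cardholders = {}

    def grant(self, identity_id, level):
        self.cardholders.setdefault(identity_id, set()).add(level)

    def revoke(self, identity_id, level):
        levels = self.cardholders.get(identity_id, set())
        if level in levels:
            levels.discard(level)
            return True
        return False

    def disable(self, identity_id):
        """Remove every access level; returns the levels that were removed."""
        return sorted(self.cardholders.pop(identity_id, set()))


class Piam:
    """Single point of provisioning and revocation across all connected PACS."""

    def __init__(self, connectors):
        self.pacs = {c.name: c for c in connectors}
        self.audit_log = []   # every change lands here: the compliance trail

    def _log(self, action, identity_id, pacs_name, level, reason):
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "action": action, "identity": identity_id,
            "pacs": pacs_name, "level": level, "reason": reason})

    def onboard(self, identity_id, assignments, reason="hr:hire"):
        """assignments: {pacs_name: [access_level, ...]} decided by policy."""
        for pacs_name, levels in assignments.items():
            for level in levels:
                self.pacs[pacs_name].grant(identity_id, level)
                self._log("grant", identity_id, pacs_name, level, reason)

    def offboard(self, identity_id, reason):
        """Revoke everything in every PACS at once; returns what was removed."""
        removed = []
        for name, pacs in self.pacs.items():
            for level in pacs.disable(identity_id):
                self._log("revoke", identity_id, name, level, reason)
                removed.append((name, level))
        return removed

    def handle_hr_event(self, xml_text):
        """Consume an HR-system XML event (constructed format, see below).
        The feed is assumed to be an internal, trusted source."""
        root = ET.fromstring(xml_text)
        identity_id = root.findtext("employeeId")
        if root.get("type") == "terminate":
            return self.offboard(identity_id, reason="hr:terminate")
        return []

    def run_recertification(self, decisions):
        """Audit campaign: decisions maps (pacs, identity, level) -> True when
        the area owner certified it as 'still good', False for 'no longer
        needed'. Denied privileges are revoked automatically and logged."""
        revoked = []
        for (pacs_name, identity_id, level), keep in decisions.items():
            verdict = "still good" if keep else "no longer needed"
            self._log("certify", identity_id, pacs_name, level, f"audit:{verdict}")
            if not keep and self.pacs[pacs_name].revoke(identity_id, level):
                self._log("revoke", identity_id, pacs_name, level, "audit:denied")
                revoked.append((pacs_name, identity_id, level))
        return revoked


# Constructed HR termination event in the shape of an HR -> PACS XML feed.
HR_TERMINATION_XML = (
    '<hrEvent type="terminate"><employeeId>E1001</employeeId>'
    '<effective>2024-05-01</effective></hrEvent>'
)


def demo():
    """Two constructed PACS, two constructed identities, both flows end to end."""
    piam = Piam([PacsConnector("HQ-PACS"), PacsConnector("Plant-PACS")])
    piam.onboard("E1001", {"HQ-PACS": ["Lobby", "Floor3"], "Plant-PACS": ["Gate"]})
    piam.onboard("E1002", {"HQ-PACS": ["Lobby", "ServerRoom"]})
    # 1. termination in the authoritative source fans out to every PACS
    terminated = piam.handle_hr_event(HR_TERMINATION_XML)
    # 2. campaign: the server-room owner marks E1002's privilege "no longer needed"
    revoked = piam.run_recertification({
        ("HQ-PACS", "E1002", "Lobby"): True,
        ("HQ-PACS", "E1002", "ServerRoom"): False,
    })
    return piam, terminated, revoked


if __name__ == "__main__":
    piam, terminated, revoked = demo()
    print("revoked on termination:", terminated)
    print("revoked by audit:", revoked)
    for entry in piam.audit_log:
        print(entry)
```

The point to notice is that neither flow asks a human to touch each PACS: the termination event removes every level in every connected system in one call, and the campaign writes a “certify” record for each decision before any revocation, so the audit trail shows who kept what and what was taken away.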

The beauty of these automated auditing features and exercises is that a PIAM will reduce an organization’s compliance efforts significantly, to the point of taking only a couple of hours instead of weeks or more with the manual method.  Not only will the audit reports be more sound and more accurate, with fewer errors and less missing information, but the company will save money on the labor to produce them in a much shorter time.  This frees up valuable company resources to focus on more important security tasks.  Additionally, with new innovations in Generative AI, audits and reports are simply a question away, with results in seconds.

Security Convergence and Digital Transformation Factors

Security Convergence

What is Security Convergence, and why is it important?  To some, Security Convergence means the merging of access control, video, and intrusion detection.  However, Security Convergence means more: it is the logical joining of the realms of physical security and IT security.  At the core of this is the control and management of the identity.  Secure and control the digital identity, and the enterprise is secured.  Beyond the merging of technologies, it more deeply means the joining of two traditionally separate entities within an organization that were previously often at odds.

In a great 2017 article in Security Today, “The Role of PIAM,” Don Campbell stated:

“The proliferation of networked devices has increasingly brought IT to the table when discussing physical security. In many organizations, IT departments not only have a voice at the table, but are also responsible for deploying and managing physical security systems.”

In an organization that has not undergone a convergence transformation of its IT and Physical Security departments, the CISO’s and CIO’s organizations operate independently, in silos, with limited to no collaboration on enterprise-related projects and risk.  These senior leaders and their teams do not have complete insight into each other’s systems, or into any of their systems that may already be interconnected.  Additionally, these separate organizations are often at odds with each other over strategy, policy, techniques, systems administration, and risk mitigation.  There is no collaboration between them, which impedes the ability to identify a common risk or threat and either prevent or respond to it.

Conversely, a converged operation sees these security functions converged as well.  The formerly separate security organizations function as a team and communicate, coordinate, and collaborate, which creates significant efficiencies in risk mitigation and threat prevention and response.  The integrated functions enable a holistic approach that helps ensure that both cyber and physical assets are secured, and more often integrated with enterprise-grade solutions, such as PIAM. 


NIST diagram of a Converged Security operation within an organization.

From CISASIA, to KPMG and many others, the call for converging physical and cyber security to address today’s sophisticated threats is growing louder. A three-dimensional platform that unifies identity and access governance security across Physical, Digital and OT is the only way to achieve true security convergence. 

PIAM fits within this strategy.  By unifying the logical (identity management systems) with the physical (PACS), it materializes the concept of Security Convergence, thus creating efficiencies, reducing risk significantly, and providing a platform for quicker response to compliance audits with far more accurate results.

Digital Transformation and Security as a Business Enabler

Data is the most powerful currency in our digital world. PIAM (especially when powered by AI) leverages the goldmine of security data already contained within the systems organizations have, by providing insights on workspace access, security, and optimization, especially in the hybrid workforce era. Tenant management and real estate services are enhanced. It aligns security with key digital transformation initiatives through physical-digital convergence (e.g., NFC Wallet mobile credentials), giving security leaders a seat at the corporate table and access to the budgets currently given only to their IT security counterparts.

Summary

Why and how would anyone want to fix these problems?  The value proposition of PIAM is that it replaces the manual processes, automates them, and allows organizations to reduce risk by staying in compliance with regulations.  Additional benefits include an increase in the overall security posture and leveraging disparate systems by integrating and unifying them.

A PIAM creates efficiencies within the organization, both operationally and in doing more with less. This translates into significant cost savings for the organization, as well as improved security posture.  This game-changing solution results in:

  • Lower RISK, such as having a single point of access revocation.
  • Lower COST by way of removing burdensome manual efforts, with a 65%-80% reduction in workforce costs.
  • Streamlined COMPLIANCE by having a complete audit trail of everything performed within the system, with convenient, at-the-ready reports, which will greatly reduce the amount of time your staff have to spend on these tasks.

A special Thank You to Willem Ryan of AlertEnterprise for contributions to this document.
