Start small and business buy-in will follow

When it comes to employing an access control management solution, it is best to build up slowly.

Access control management can cover a broad range of disciplines across the IT realm. The one I will focus on for the purpose of this Industry Insight ties together the physical and logical aspects of a user in an organisation: their location and their right to access systems and resources in a prescribed area.

As organisations become more mature in their adoption of information systems, users are also becoming increasingly literate. With this comes the challenge of how to govern and control a user's access to and use of systems and resources across the organisation. This becomes especially difficult for larger organisations as the role and function of users may span several areas of the business with varying levels of access to different systems.

This problem screams 'identity management', a solution every IT salesman will jump at! However, consideration needs to be given to identifying where the actual risk to the business lies, and whether it can be resolved in bite-size chunks rather than by throwing the entire budget at the problem.

Typically when an organisation makes a decision to go down the identity management route, it becomes a laborious task as it feels it has to provide service and control to everyone. This inevitably results in steering committees, working groups and huge project management offices being set up, with little short-term delivery of any value.

Creating a foundation

The best approach to take is to identify a part of the business (typically a critical business process) and carry out an identification and classification exercise on each of the assets intimately involved in the process. By doing this, the company now has a foundation from which to define the varying levels of control to these assets and the personnel authorised to make use of these resources.

Although there may be 30 or 40 business processes in an organisation, the scope will have been narrowed to the most critical, from which the access control management strategy can grow. In effect: start small, demonstrate a fast return on the money spent, and the business will support the growth of the service. Key to this is making the appropriate technology decision to support the strategy; the most important properties to look for are scalability and interoperability with the systems the organisation already runs.

Having identified and classified assets, companies will now be in a position to profile these with the appropriate business and system owners, the physical locations of the assets, and the people that use them. This will enable the company to define and build secure computing enclaves in which physical access and logical access are tightly tied to one another. This covers physical access to the systems and resources themselves, whether in a data centre or a secure work environment, as well as the graded physical access the user has to pass through: from initial access to the building, through access to floors and offices, and ultimately to the machine used to reach the IT resources being protected.

The granularity of the control of the user will once again depend on the technology choice in access management. In this case, it should be an integrated physical security access system and a logical authentication and authorisation system.

Process flow



The business or risk owner will always define the granularity of the level, or levels, of physical and logical access a user must satisfy to access and use systems. Generally, the more sensitive the data or the nature of the work, the more physical and logical controls are required.

Take the following scenario as an example. I have a team of people that carry out in excess of R30 million in transactions every day with 300-plus different suppliers. Yet this team only amounts to eight of my 600-strong workforce. Do I deploy a company-wide access control management system? No, I deploy what is required to control and govern the eight users where the majority of risk resides.

This is effectively achieved by integrating the physical and logical access systems through a common identity repository to ensure the person accessing the secure finance enclave is authorised. Thereafter, the logical access and authorisation is tied to the physical person via biometric authentication.

This simple process will provide for several measurable controls that can effectively be monitored and reported on in real-time, providing a proven audit trail of who accessed what area using which resources, when, where and how.
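The correlation described in the preceding paragraphs, as an added worked example in Python (this is not code from the article or from Faritec): a single identity repository is consulted by both the physical access system and the logical authorisation step, a badge trail across graded zones (building, floor, enclave) establishes physical presence at the workstation, biometric authentication ties the session to the person, and every decision produces an audit record of who, what, when, where and how. All users, zones, workstations, badge events and system policies below are constructed for illustration.

```python
"""Tie logical logon decisions to physical presence via a shared identity repository.

Added example; every identifier, user, zone and event is constructed, not real.
"""
from dataclasses import dataclass
from datetime import datetime

# Common identity repository shared by the physical and logical access systems (constructed).
IDENTITY_REPOSITORY = {
    "u001": {"name": "A. Naidoo",  "roles": {"finance-payments"}, "biometric_enrolled": True},
    "u002": {"name": "B. Smith",   "roles": {"helpdesk"},         "biometric_enrolled": True},
    "u003": {"name": "C. Dlamini", "roles": {"finance-payments"}, "biometric_enrolled": False},
}

# Graded physical zones: a zone can only be entered from its parent zone.
ZONE_PARENT = {"building": None, "floor-3": "building", "finance-enclave": "floor-3"}

# Where each workstation physically sits (constructed).
WORKSTATION_ZONE = {"ws-fin-01": "finance-enclave", "ws-helpdesk-07": "floor-3"}

# Per-system policy set by the business/risk owner: role, minimum zone, biometric required (constructed).
SYSTEM_POLICY = {
    "payments-gateway": {"role": "finance-payments", "zone": "finance-enclave", "biometric": True},
    "ticketing":        {"role": "helpdesk",         "zone": "building",        "biometric": False},
}


@dataclass(frozen=True)
class BadgeEvent:
    ts: datetime
    user: str
    zone: str
    direction: str  # "in" or "out"


@dataclass(frozen=True)
class AuditRecord:
    ts: datetime          # when
    user: str             # who
    system: str           # what
    workstation: str      # where (machine)
    zone: str             # where (physical)
    allowed: bool
    reason: str           # how the decision was reached


def zone_within(zone: str, required: str) -> bool:
    """True if `zone` is `required` or lies inside it (walks the parent chain)."""
    z = zone
    while z is not None:
        if z == required:
            return True
        z = ZONE_PARENT[z]
    return False


def present_in(events, user: str, zone: str, at: datetime) -> bool:
    """True if the badge trail shows `user` inside `zone` and every enclosing zone at `at`.

    For each zone on the chain, the last badge event at or before `at` must be an 'in';
    a missing event (tailgating) or a later 'out' fails the check.
    """
    z = zone
    while z is not None:
        last = None
        for ev in sorted(events, key=lambda e: e.ts):
            if ev.user == user and ev.zone == z and ev.ts <= at:
                last = ev
        if last is None or last.direction != "in":
            return False
        z = ZONE_PARENT[z]
    return True


def authorise_logon(events, user, system, workstation, biometric_match, at) -> AuditRecord:
    """Decide a logon to `system` from `workstation`, binding it to the physical person."""
    policy = SYSTEM_POLICY[system]
    ws_zone = WORKSTATION_ZONE.get(workstation)

    def decide(allowed, reason):
        return AuditRecord(at, user, system, workstation, ws_zone or "unknown", allowed, reason)

    identity = IDENTITY_REPOSITORY.get(user)
    if identity is None:
        return decide(False, "unknown identity")
    if policy["role"] not in identity["roles"]:
        return decide(False, "role not authorised for system")
    if ws_zone is None or not zone_within(ws_zone, policy["zone"]):
        return decide(False, "workstation outside required zone")
    if not present_in(events, user, ws_zone, at):
        return decide(False, "no physical presence at workstation zone")
    if policy["biometric"]:
        if not identity["biometric_enrolled"]:
            return decide(False, "biometric not enrolled")
        if not biometric_match:
            return decide(False, "biometric mismatch")
    return decide(True, "physical and logical access tied")


def _t(h, m):
    return datetime(2024, 3, 4, h, m)


# Constructed badge trail for one morning.
BADGE_EVENTS = [
    BadgeEvent(_t(8, 0), "u001", "building", "in"),
    BadgeEvent(_t(8, 2), "u001", "floor-3", "in"),
    BadgeEvent(_t(8, 5), "u001", "finance-enclave", "in"),
    BadgeEvent(_t(8, 1), "u002", "building", "in"),
    BadgeEvent(_t(8, 3), "u002", "floor-3", "in"),
    BadgeEvent(_t(8, 0), "u003", "building", "in"),
    BadgeEvent(_t(8, 4), "u003", "floor-3", "in"),
    BadgeEvent(_t(8, 6), "u003", "finance-enclave", "in"),
    BadgeEvent(_t(12, 0), "u001", "finance-enclave", "out"),
]

if __name__ == "__main__":
    for rec in (
        authorise_logon(BADGE_EVENTS, "u001", "payments-gateway", "ws-fin-01", True, _t(9, 0)),
        authorise_logon(BADGE_EVENTS, "u001", "payments-gateway", "ws-fin-01", True, _t(12, 30)),
        authorise_logon(BADGE_EVENTS, "u002", "payments-gateway", "ws-fin-01", True, _t(9, 0)),
    ):
        print(rec)
```

The deny reasons are deliberately distinct so that the audit trail can be monitored for specific patterns: repeated "no physical presence" denials for a valid finance user point at tailgating or a stolen credential used from outside the enclave, while "biometric mismatch" on a badged-in user points at a shared logon.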

Remember! Start small, prove the value, and the business will buy in.

* Logan Hill is a certified information systems security professional at Faritec.

Logan Hill

Business unit executive for security and availability at Faritec.

Logan Hill is a certified information systems security professional and was recently appointed as business unit executive for security and availability at Faritec. He has been at Faritec for three years, where he is responsible for business solutions development within the security offering. Hill recently specialised in the public sector, designing multiple security functions for the protection of critical information systems, information availability, retention and redundancy.
