HID - Workforce Identity and Access Management

For many of us, the workplace is more than a single building or facility. That’s what makes workforce IAM so powerful. By managing security through something we all take wherever we go — our identities — it gives users the flexibility they need to stay productive and enables administrators to quickly detect and address risks. HID’s robust, flexible workforce identity and access management solutions provide your workforce with seamless access to the resources they need — no matter where they are.

All Episodes

HID - Workforce Identity and Access Management

PIAM - Manage and Centralize Workforce Access for different locations and resources

February 07, 2022 • HID • Season 1 • Episode 2

PIAM - Manage and Centralize Workforce Access For Different Locations And Resources.

Matthew Lewis Director of Product Marketing at HID IAMS and Donald Campbell, Senior Director of Product Management at HID Global discuss how to manage and centralize workforce access for different locations and resources.

Speaker 1: 0:01

Powering trusted identities of the world's people, places and things. Every day, millions of people in more than 100 countries use our products and services to securely access physical and digital places over 2 billion things that need to be identified, verified, and tracked are connected through HID Global's technology.

Speaker 2: 0:23

Welcome back, Don. How you doing?

Speaker 3: 0:26

Oh, not bad. How have you been

Speaker 2: 0:28

Good. Good. So by the way, did you finish the construction? Cause hammers and, and no guns can get kind of loud. I noticed.

Speaker 3: 0:35

Um, I think so they're not here, here today, so it should be quieter. We'll see, probably be the dog that we serves us this time.

Speaker 2: 0:43

<laugh> such as life in a pandemic. Right. Okay. Yeah. Last time you and I talked about identities and kind of management of those is a really a critical piece of PIAM I being identity. I wanted to chat now about the AM portion of that acronym, the access management portion, and, you know, an observation from some of the conversations I've had is it seems like a lot of the challenges customers are having really center around the concept of, as a, for instance, I have five buildings are, have five offices, each one of those offices, the system to get into them, the physical access system, it's different in each one of those. So I've got inconsistencies across locations or policies and, you know, it feels like as the solution provider, there's something we'd be able to do to help that taking kind of from the, the ITworld, like maybe even an abstraction layer across those that, that really kind of help with, uh, centralization and standardization. Is that a, am I thinking down the right path here with access management and how we alleviate some of the challenges our customers have?

Speaker 3: 1:50

Yeah, for sure. That's going down the right path though. Not only is it trying to manage multiple systems and, and access there, but it's even more about capturing the, the approval process. Like what is the process that we go through to figure out who's meant to have access where why and who authorized it?

Speaker 2: 2:12

Okay. So then if I'm thinking about back to five buildings, five different offices, that's probably done highly manually today, but if I'm thinking about putting it into a system that kind of centralizes that, is this an efficiency quotient, or is it more around accuracy and error reduction?

Speaker 3: 2:31

It's both, you know, again, efficiency is certainly part of it though. At the end of the day, getting faster is good. It makes, it makes life easier for us, and it makes our jobs easier. But it's really the error reduction. If, if you look across what we'll see typically in a system is if you're doing things manually, you, you might introduce errors in maybe, uh, 10% of records, but it's, that rate grows as start to talk about the number of systems and number of places where you're transcribing things. And you, you may introduce a misspelling, you band up. Yeah. Um, leaving off a piece. And it actually, when you start talking about people with 3, 4, 5 systems like HR to it, to a couple of pack systems and with multiple multiple stakeholders, and it's not how many of the identities have errors, it's how many errors you have per identity as they start to accumulate.

Speaker 2: 3:30

Yeah.

Speaker 3: 3:31

So yeah. I mean, some of those are just nuisances. Like, you know, I don't know they spell my name wrong or, or, you know, demote me in my title. They never seem to promote me or, you know, as long as they pay me correctly, I think I don't complain about that too much. But then some of those have consequences. Um, you may see something where a person is duplicated they've they've changed jobs, but we're not really sure is, is this person in the marketing department, the same person who previously was in sales. So maybe we end up with two records, two cards. One of them is actually, you know, an orphaned record that doesn't belong to a person anymore.

Speaker 2: 4:11

Yeah. Yeah. That makes sense. So it's, we'll reduce the burden on, whoever's doing some of this administration air go eliminating some of the errors that come about. I mean, just by human nature, you know, mm-hmm,<affirmative> incidentally happens, but also really capturing what's happening. Who's authorized this, which, you know, being able to track these things, these instances, these transactions, the wrong word, but these records over time allows us to now really focus those compliance efforts, really think about how we're capturing and codifying rules and controls and things like that is codified kind of the right word. Or we like, it feels like there's gotta be some way of doing that. Right.

Speaker 3: 4:56

Yeah. And so it's back to our policy engine again, you know, it's, uh, in this case, policy is typically, uh, considered the workflow. Yeah. But the policy and the, the, the steps it's gonna walk you through in a system like this is capturing, okay. In this area, who's the area owner, is it a one step approval? Or is it two or three steps, perhaps your manager has to authorize before you can request it. The area owner has to grant it. You, you may have different rules for different areas for a, maybe a manufacturing area. You need to have the right safety training in place for another area. It might be about insurance for someplace else. It might be, you know, you're part of this team, or you've gone through the correct approval process. And so you, you would have a series of rules, but it's gathering up the requirements. So that, we're what we're doing is we're making sure we're enforcing the things we've written down. We've, we're enforcing the rules that we've set for ourselves before we allow that to happen. And of course, now if I try to grant access outside of those rules, the system will stop and prevent that and ask if this is something you want to request from that approver rather than allowing you to just, um, accidentally grant access. That's inappropriate.

Speaker 2: 6:17

Yeah. That seems like, um, you know,<laugh> sort of unrelated to the pandemic actually for once, you know, there's been a number of high profile security incidences that have information and physical security teams scrambling really, probably at a global scale. But some of what you're talking about is also interesting, cuz then it's, you know, it's gonna help those individuals comply with any number of governance requirements, internal, external, but also implement something more least privilege oriented, which will probably also help from just a security footing over time. So really interesting to think about how access management's playing that, that sort of role, um, now.

Speaker 3: 6:58

Yeah. And, and, and I think you're right. I mean, we are seeing this coming from, uh, supplier agreements and other types of, of things that as we, we partner with other companies, um, we need to tighten up our rules and make sure that, that we stick with them. I know that that we've been expanding our compliance program really rapidly over the last few years. Um, but I, I do think we've seen things change, you know, before people used to think of security is, is a little static. You know, I'm going to this person in this role has, has these rights. They go to these places and they request they would come in from time to time. But for the most part, you know, a typical person isn't making that many requests. I think in our systems, we would see that maybe 30 to 40% of, of people in a really dynamic company, haven't accessed request at all in any given calendar year. Okay. Well, that's completely flipped. And part of that is, is, um, like you're saying least access permissions, but also because the rules keep changing. So yeah, we're now actually seeing that it's not 30 to 40% of people. It's all people, the process of changes, the data that you want to collect before you grant access has flipped from, you know, safety training or insurance to health questionnaires and, and vaccine records and things like that. And honestly, it's changing every six months. So, um, where it used to be a fraction of employees is it's now everybody.

Speaker 2: 8:32

Yeah. Well, and that brings us to the, maybe a topic for next time, actually a couple of topics for next time. The, the dynamic nature of, of things is an interesting one to just kind of riff on maybe later. But I also think it gets us to, you know, how's that made manifest in the plastic that I use to get into said building or into said cage or something to that effect. So I think let's leave it at that. I appreciate the chat Don as always, um, enjoyed it. So we'll leave it there. Thanks, Don. Great. Yeah. Talk to you soon.