HID - Workforce Identity and Access Management

Best Practices for adding PIAM to Access Control

HID Season 1 Episode 17

Best Practices for adding PIAM to Access Control – Janette Sherman, Matthew Lewis, and Darwin Rivera share best practices for integrating PIAM with Access Control Systems.


Speaker 1:

Powering trusted identities of the world's people, places, and things every day . Millions of people in more than 100 countries use our products and services to securely access physical and digital Places over 2 billion things that need to be identified, verified, and tracked are connected through HID Global's Technology.

Speaker 2:

Hello again, everyone. Welcome back. We have a new contestant today in Janette Darwin's with me again. We're doing our Lunch a nd Learn series. U h, this time we're gonna focus on visitor management a little bit with Janette. We're gonna spend about 10, 15 minutes with her. U m, and let's just dive right into it. What do you think? Team? Good

Speaker 3:

Morning.

Speaker 2:

Let's start out. Um, PIM for us visitor management is part of a broader PIM kind of umbrella to set a series and processes, tools, people, all of those fun things. Um, at the heart of it though is who , uh, everything keys off of who identity is crucial to physical and cybersecurity. But for us, obviously we're talking about physical security. Um, and today we're gonna spend a little bit of time down on that lower left corner with visitors. Um, in fact, I've added a couple of examples of who some types of identities that are in an organization might be. Um , but we're gonna spend a little bit of time on visitors today with Janette. Um , thank you, man . Topics, topics for today. So Janette, you're, you're gonna walk us through a little bit of what you're hearing from the market and how people you're talking to are getting started with their journey on PIM. We're gonna spend a little time , uh, talking with Dr. Rivera about, are all visitors the same , uh, sneak peek ? They're not. And then is there a way you're gonna move beyond just visitors? So again, they are a single identity amongst a veritable tapestry of identities. Um, so what would you might maybe look for on expanding that? Uh, but we're gonna get started. Um, Janette, I want to hear from you, What are you hearing right now in your experience in the conversations you're having? Um, you said the other day when we were prepping for this, a lot of companies start with visitors. When they're starting that conversation with you, why is that? Tell me a little about what's, what's in their head when they come to share . Sure,

Speaker 3:

Sure. Absolutely. Um, well, obviously, you know, during the pandemic, more and more organizations have learned and realize that they need to have new practices in place to secure their facilities , um, with everything that transpired during that. Um, wanting to know who's in your building, who they came in contact with , um, but from an everyday perspective, just more security overall. Um, so as you know, again, this can encompass a visitor could be just a guest coming in for a meeting. Mm-Hmm , <affirmative> . Um, it could be a delivery person coming in. And we also find, you know, sometimes a large organization could be using visitor management for managing some of their employees that don't typically come to that facility. But, you know, they could be housed in , uh, Texas and be traveling to Chicago for the first time. And it's about what type of experience do you want for that employee coming into the building for the first time to be , um, do you want them to be treated as a visitor or do you want them to be treated as an employee? So I might be getting ahead of myself here, but those are some of the questions that I get into with my clients because they might be labeling all of these as a visitor. And that's kind of the fine line sometimes between visitor and a full identity access management solution that could encompass employees, contractors, vendors, any type of servicing company, or is it the traditional, those coming in off the street to have a meeting with one of the employees? Um, so again, back to your question of, you know, what am I hearing from my clients? Um, they wanna be able to know who's coming into the building potentially ahead of time and be able to vet that visitor in advance. Um, and as you know, we can do that with our products. Um, and we could do it in a number of different ways. It depends on whether an organization is looking for , um, a touchless experience coming in and utilizing the kiosk, or whether they have security guards or visitor management officer sitting at a reception desk that's gonna be checking them in. Um, so that's kind of where it starts, is what do they want that visitor's experience to be?

Speaker 2:

Okay. That's very interesting. I , I like the experience uncle so often. Um , if we don't consider that experience and how that's gonna impact security, you know, we might put some things in place that we end up just not using. They end up as shelfware. Um, Darwin, I know you, you , you know that from you and I have talked about that on the , on the cybersecurity side, a lot of , a lot of tools end up at shelfware because maybe they're a little too much, a little , a little overbearing in their controls that get put in place. So I think experience is crucial to any of this , um, especially when people are involved, are all visitors the same? Um , you kind of answered that really. Um , and , and , and Darwin, I wanna kick it over to you for a second. From what you've seen when you're talking with customers, talking with prospects and internal people, like what are some ways to think about different types of visitors that way we're not just using WA word too broadly.

Speaker 4:

So when, when you are looking at, at , at visitors, you , you get , you know, you step back, you gotta look at, you know, what, what's your relationship to that person? Come through the board . You know, is this something that you know somebody, that you're gonna have a long-term relationship that you want to , uh, maintain that identity within your system so that you can, you know, make sure that the experience of that person is, is what you are aiming for. So , uh, har hurry back to that, that experience part. You know, once you enter a lobby or you enter a a guard gate, that's gonna be your first interaction with a , with an organization. And, and, you know, first impressions are , are , are , are , are , are , are key to differentiate, you know, in the market. Because if , if you , I , I show up and , and my badge is ready and , and I was being expected and, and I'm ushered in and my visit is, it flows , uh, with, with ease. And , you know, there's not a lot of friction when, you know, when you reduce that friction, you improve the user experience. Now, on the other side, the security side, the advantage of having that experience for your visitors is that now you have data that you can act upon. Uh, one of the things with the areas that that often comes up , especially in international settings, would be diverting of third party , uh, uh, visitors. So that is persons that might be subject to sanctions. So if you are an international company, you wanna make sure that you have those connections so that you know who's coming through the door, you know , uh, and also in some other settings, other markets you have, you know, you know, persons of interest, you wanna know who's coming in, you know, and , and you know, maybe a disgruntled employee or maybe somebody that it's, it's , it's , it's on a watch list that you , you know, it's not supposed to be allowed on premises. You have that data on hand to equip your receptionist, your lobby people, your guards to say, Hey, you know, this person is a person's interest. They should not be allowed on premises. Or in the case of, say, a person that is subject to sanctions, you can, you know, have reporting, Hey, you know, this person tried to access , uh, our premises or , or have interaction with with our company, but we denied it. And you can provide some audit trails, you know, so that you have the proper controls so that unauthorized people don't gain access to, to your premises or your people.

Speaker 2:

Yeah, I think that's a re really good set of controls that you're talking about there, or different types of identities. And, and Janette, you mentioned traveling employees. Yeah . Let's go back to that one for a second. Sure . 'cause I think that one's really interesting. You used Chicago and Texas, that being where each of us are respectively, <laugh>. Um , but I, I do think that's important, especially with a lot of larger customers. We have a lot of larger organizations. There might be kind of this multiple business unit, multiple companies set up. I mean, it's not uncommon and they may be housed in different spots, maybe domiciled in different spots. And so I think that adds to some of the complexities that, that you're highlighting. I bet a lot of your accounts are , are coming to, 'cause you have some sizable accounts under your belt. Um, what are they asking about there when they're thinking about employees? What's kind of mm-Hmm . <affirmative> driving some of that? Is it just visiting?

Speaker 3:

Um, well, well, no , um, it could be , uh, I have, for example, I have a large organization that I'm dealing with that has global offices, and they are treating their employee as a visitor. So today, someone coming from California , uh, to Texas, they also have different naming con conventions of the organization. So let's just say I, I'm going , uh, you know, to to Texas from California, and I'm one of those employees and I arrived there. The person at the visitor management desk is asking them, who are they here to see? But they're not asking them if they're from X, Y, or Z, which are different naming conventions of their organization. So they're treating them as a normal business visitor, and in turn they are going through, let's say a watch list or background check where if they were using a system that's a true identity access management solution to manage employees, they wouldn't have to be, they wouldn't be getting vetted ahead of time. They would've been given their access before they ever left California, and they could be representing themselves different from, you know, moment one of that visit and stating I'm X, Y, Z employee. And they're just kind of passing through with their access control without having to do that. Um, so I get a mix , um, you know, of clients. I work with all vertical markets, as you know, for covering about 15 different states. So I get a little bit of everything. Um, so there's, you know, sometimes you've gotta dig in a little bit deeper to understand how you're gonna help each organization solve some of the challenges that they're having and make sure that you're putting the right solution in place for them.

Speaker 2:

Yeah. And I think that's important for internal purposes. Back to the experience. Um , you don't want those traveling employees to be late for a meeting, especially if it's important. And then you don't want the other side of that meeting to be held up also. Uh , absolutely. Especially if you can avoid it. Uh , you may not get the business , um, or, or that partner may, you know, we're all, we're all emotional animals. Maybe the bid just went up a little bit. Uh , so, you know, every little bit can make a difference from an , uh, uh, an experiential standpoint. Uh ,

Speaker 3:

Yeah. And to your point with that, I mean, you know, I would wanna know if I had a vp, you know, traveling to my site and , uh, to your point of making sure that they're checked in on time and that they have the most positive experience ever. Yeah. So knowing that ahead of time would be, would be key.

Speaker 2:

Yeah, that makes sense. Darwin, let's , um, let's broaden our scope beyond a visitor. You've mentioned contractors, you've mentioned , uh, we've talked about employees a little bit. Um , what might be a trigger for you? Because again, you can start small with a visitor and it makes sense, but you might also want to consider future scenarios to understand, am I getting the solution that will grow with me over time versus getting something and then having to get something else in a few years or something like that? What comes to mind when you're thinking about how to move beyond just visitors? And we've talked a little bit about it, I think, but what's, what's top of mind for you ,

Speaker 4:

For , for me, when, when you know, it , it , again, it goes back, back to experience and , and how you want to, you know, usher that identity of that employee, of that visitor, that contractor. It's a , you know, organizations that focus on the hire to retire , uh, uh, kind of mindset need or can benefit from a solution that will grow and evolve as the needs of that, that identity evolves . So, like, for example, if I had, I had started, say in manufacturing in Austin, then I, I move into someone operational role and then I move to it, the type of access that I'm gonna need goes beyond what normally would be the scope of, of visitor. 'cause a visitor, you know, by definition, will have a limited set of permissions to access, you know, OOO of that is granted for that visitor. Now, my, my role as a, like a machine operator , uh, the access I'm gonna need is gonna be different from me working in , in a , in an operational capacity saying in supply chain or moving into it. Those are three different roles that will have different access profiles. By moving, expanding my visitor management platform and leveraging the physical identity and access management capabilities, now I can empower that user or automate most of those, those tasks because I could imagine this. So my, my job role changes in the HR system. The , this, this information can flow down to the physical identity access management system, and I , new access profile can be assigned to my, my user. So my, my identity now has the, the proper access, and there's, there's no, you know, basically there can be no human intervention needed for me to get my access. And if there is any additional access needed, the solution has self-service capabilities that I can go, okay, you know what , I, I beyond the basic, you know, it access profile, I'm gonna need also , uh, entitlements to access this com closets because I'm gonna be in charge of supporting the maintenance of those, those assets. So now on the backend, you can, you can, you can log on something , a sales service portal and request that access, and you can have, in the backend, you can have other controls that ensure that only authorized personnel are getting access to those, those sensitive areas if needed. Yeah. And you know, the ones that can be automated, it can be automated not only because the challenge sometimes is that at with time, you, you add , keep adding access to, to folks, to the different physical access control systems, but you know , the access is granted, but often, more often than not , one of the challenges is that it doesn't get revoked when it's no longer needed. Yeah . Yeah . A solution like the , you know, physical identity access management allows the organization to put a lot of automation behind it. And so, you know, you've reduced the data entry errors. You, you improve your security posture because people get the access that they need when they need it without, you know, basically sometimes without even , even human intervention, while still having control and focusing on those areas that really need, okay, I need a second set of eyes before granting access to this com closet or access this , this , this , you know, data center asset.

Speaker 2:

Yeah, I think that's good. Um, Darwin, I'm gonna flip over to our final kind of recap slide. Maybe you can bring up , um, software in the background. I think there's a couple things you wanted to talk through, Janette, I'll kind of summarize what I've heard and then you can maybe add your 2 cents to, to finish it off. But I mean, really what I, what I heard from both of you, a lot of our organizations that either come to us , um, or have been customers for a while , they start often with visitors because it's a very obvious area to start with. Um, employees are often, we feel like employees are often handled , um, but visitors, we need something there to control them , um, from an access standpoint, not control them in a weird way. Um, but what I'm really hearing then from both of you is it's not just one definition of a visitor. Visitor is just, it , it's the tip of the iceberg for the people that are entering a facility and all the controls that may need to come with that. So thinking about a visitor as one identity, not this big broad one, I think it's important for , for anyone we're talking to, especially our customers , uh, you know, what are the needs of Janette versus what are the needs of Darwin versus what are the needs of Matthew as the type of individual they are, how are they related to the organization? Um, and then what are some of the controls we need to be able to instantiate out into the wild that ensure that Darwin's not coming back in six months after his contract expired. Uh, and, you know, taking some of our servers off the rack , um, or Janette's not, you know, stealing mangoes when she delivers fruit on Tuesday. Uh , something like that. Any, any, any kind of parting thoughts on your side while Darwin brings up some little bit of software for us?

Speaker 3:

No, you're , you, you're spot on, Matthew. Um, I appreciate all of the collaboration and, and feedback on that. Um, you know, again, it encompasses a lot of different types of identities and then obviously a lot of thought needs to go into , um, where they want the solution to evolve, what type of experience that they want for each of these types of identities and , um, you know, what type of access that they're gonna need while they're there. Um, and making sure, as Darwin indicated earlier, that you have all those mechanisms in place to be able to look at a dashboard and at any time see who's in your building and be able to provide , um, reporting back. Because as we kind of started this , um, you know, it's, it's key today to have that secured , uh, visitor secured parameters and be able to access that information. Um , fortunately we won't experience another pandemic like we did a few years ago. <laugh>

Speaker 4:

Yeah . On that , you know, like you guys were mentioning, you know, data is key. Being able to report and have that situational awareness, not only as far as like utilization of your real estate, but also to make sure that you are properly manning those entries entry points to make sure that you, you , you , you avoid stove piping. So like, you know, a dashboard, like, like the ones that we are looking at on the screen gives you a high , you know , high level idea. You know, how many people are, are coming in today, at what time they're coming, what , what, what are my, my rush hours, you know, during the day when I'm gonna be expecting the bulk of the visitors. So make sure, you know, I can make sure that I have properly man stations that, you know, we are aware of, of what's coming in. And once the use the , the user comes in, you know, I can , I can handle, you know, VIP visitors, I can handle, you know, you know, somebody that, that hits up a, a , a a watch list , you know, and , and , and follow the , the procedures that are, are the instructions that are to , for that, that watch list hits. You know, somebody that didn't show up, you know, that, that , that , that they might , you know , that , that they were supposed to be here. Uh , and , and that, that allows you to, you know, to have that single pane of view of, of who's in the building. It can be , uh, uh, augmented with , uh, notification features where, where if you have, you know, if you know who's on the building and there's, there's a , you know, either , uh, a , a a , a medical emergency or there's some type of, you know, an earthquake or, or, or a , uh, of other, you know, natural , natural disaster, you can disseminate data quickly because you know who is in the building and you can, you know , either use email or SMS to, to notify those users. I given instructions of, you know, because they, you know, by being visitors, they , they're not, might maybe familiar with the local procedures in case of an emergency. And you can communicate by knowing who's in there and now how, how to communicate with them either with SMS or, or , or through email and, you know, the check-in process. You can, you can, you can have walk-in check-in process for, you know, somebody that, you know, you can schedule a visit and you know, you can, you can, you know, do it from the desk or employees through self-service. Derek also capable of making that invitations. You know, think about, you know, hr , uh, uh, you know, sending an invite for an interview, an in-person interview or thinking a , you know, a service call where , where you have somebody come servicing a piece of machinery, you know, the copier, you know, some, some , uh, machine on, on the production line that, you know, we have somebody waiting in. So you can, you can have that cell service capabilities. Now, once you grow out of your needs for visitors, then you can add , uh, cell service features like a adding, you know, requesting access to a specific area, or if you need a different credential of higher , uh, a level of assurance credential, you can also request it from, from the self service portal, the, the system. You know , as far as the visitors, you , you can, you can say like, like say for example, if this person has a mobility issues and they require additional assistance, or they need to have a parking spot reserved for them closer to the entrance to, to, to a system , uh, is this a recurring visit? You know, you have the ability of making that visitor a recurring visit, let's say, that you're gonna have , uh, uh, for training, you know? Yeah . And , and , and this , this , you know, 1, 1, 1 part that, that we, we , we hadn't really touched up on is that sometimes your visitors might be here for training. Let , let's say that you have a , you know, a group of customers that are here for certification training. So, like, for example, HID, the HID academy, we, we'd have an offering of, in-person training, they can be treated as visitors. So you can, you know, load them up on a, you know, a CSB file or an Excel spreadsheet and load them up as visitors. And, you know, that could be a , you know, a , a recurring visit over the , you know, however long the training is. So the watch list , you know, can have, you know, positive or, or , or, or, or, or, or, you know, more , uh, uh, critical , uh, meaning in this case, because like, it could be something like, okay, you are on the watch list because you know, you have to have some special treatment like a VIP or if you're somebody that needs to , uh, uh, be denied access to the premises. So that is, you know, how the power of the data, of knowing who's, who's in your, in your environment, who's , um, visiting, who's coming and going. That's that type of power that you can get, you know, when , when you know when you implementing visitor management. And I'll, I'll send it back to you guys .

Speaker 2:

No, that was awesome. There are a couple of things I even wanted to touch on quickly because as you're bringing it up, one of your dropdowns for building, was it data center? Well, that means that then visitor management can be an extension of those, you know, your enterprise risk, your , your compliance regimes. 'cause you wanna know who's going to that data center, <laugh>. Yeah . You know, back to who it is. Um , and then I've completely forgotten the other thing I was gonna bring up, but here we are. Oh , um, auditors everyone's favorite. There's a good example of, you know, who might be on premises and you want to know when they're there. Uh , we love auditors. Thank you for doing what you do. Anyway , um, well cool. Well, Janette, I appreciate the time. I'll let you get back to , uh, helping our customers out and , uh, finding some new ones. Darwin, always a pleasure, my friend. We'll do , uh, round two and three of this soon. Um , this one was on visitor management. Next one, we're gonna talk a little bit about how PIM compliments access control systems. Uh, and then we've got a kind of a round robin hot topic , uh, as session three. So we're gonna keep these going. Um, you will see these three bright shiny faces again soon. Um, for everyone that's joining us, thank you very much. And , uh, if you ever have any questions, send them to Janette. Send them to Darwin <laugh> . We'd love for love for feedback write ins , and , uh, you know , maybe we can address those questions later. Thank you both have lovely days and everyone have a wonderful week.

Speaker 3:

Thank you, Matt. Darwin, thanks for inviting us. Thank

Speaker 4:

You folks to care

Speaker 3:

That have a great day. We look forward to , uh, talking with you next time.

Speaker 2:

Sounds good, Bye.