HID - Workforce Identity and Access Management
For many of us, the workplace is more than a single building or facility. That’s what makes workforce IAM so powerful. By managing security through something we all take wherever we go — our identities — it gives users the flexibility they need to stay productive and enables administrators to quickly detect and address risks. HID’s robust, flexible workforce identity and access management solutions provide your workforce with seamless access to the resources they need — no matter where they are.
Securing Your Organization: Advancing Physical Identity and Access Management
Can managing the physical identities of non-employees be the linchpin to your organization's security? Join us for a deep dive into the world of Physical Identity and Access Management (PIM) where Don Campbell, Head of Product at HID Global, provides expert insights. This episode uncovers the complexities of visitor management, from handling one-time guests to long-term contractors, and the critical role of rapid information processing. Discover how establishing risk-based policies and controls can protect your facilities while seamlessly transitioning visitors to contractors.
Listen as we explore the integration of PIM with Physical Access Control Systems (PACS) to streamline security workflows and ensure compliance. Our discussion sheds light on how PIM facilitates transparent and manageable compliance efforts for IT, HR, and audit teams, making rule adherence clear and deviations easily detectable. We also delve into maintaining secure physical records within finance systems and IT environments, particularly during ISO and SOC audits. Learn how formal procedures and detailed documentation can enhance the security of data centers, manufacturing floors, and office spaces, providing comprehensive protection for your organization.
Speaker 1: 0:06
Powering trusted identities of the world's people, places and things. Every day, millions of people in more than 100 countries use our products and services to securely access physical and digital places. Over 2 billion things that need to be identified, verified and tracked are connected through HID Global's technology.
Speaker 2: 0:28
Hello again everyone. A new installment for our podcast series. Matthew Lewis back with a special guest today, Don Campbell, our head of product. Don, you haven't done this with me in over a year, I think, so I think we've been long overdue.
Speaker 2: 0:45
Yeah, so good, good. Well, I think what I want to do is do a little complement to the blog series we've been working on and you've helped with some of it, so thank you. But we've got a blog series, "What is P-I-A-M", um, which actually has its own tag on our blog. So if you go to the blog, um, that's an easy way to search for it. But I thought it would be a good complement to give people a similar kind of setup to that, like what is PIM, discuss some of the basics.
Speaker 2: 1:14
But one thing I've noticed over the last couple of years, a lot of times when I'm interacting with prospective customers and partners, is how they come about kind of the core problem set of PIM, physical identity and access management, and it's often not what are they doing about employees or even contractors, because a lot of companies do something with contractors already in some way, shape or form. I get a question about visitor management and I think that has turned into a catch-all bucket of sorts and I think let's start with that, because I think that is a very competitive space these days and a very interesting space and I think it gives us an interesting, I'll say interesting one more time, probably, perspective into the core problem set, but I want to start by asking you what is your definition of visitor management?
Speaker 3: 2:20
I guess the basic is just a system to capture the people coming into, just like you said, those non-employees, maybe those maybe non-contractors as well, if we already have them badged, but these temporary people who come and go from our facilities to make sure we know who they are, we know that they're appropriate to be here, you know that they're here with a purpose and that we're controlling where they're going, who they're here to see, and we're keeping our facilities as secure as possible with lots of people coming and going.
Speaker 2: 2:58
And I think the temporary part of that is always the one that I spend a moment on, because temporary can again have a couple of definitions, where it's either that I'm bringing you lunch one time, or maybe it's a package or something like that, or it may be you and I have a recurring meeting or a multi-week, maybe even multi-month, I guess, project. Is there anything that when someone is thinking about visitor management, you automatically want to make sure they are thinking about comprehensively? Is time one of those variables, like you mentioned?
Speaker 3: 3:37
Yeah, time and possibly, like visitor management, tends to be at one side where employee management is very much at the other. When we onboard an employee, we're going through and collecting a lot of information about them and gathering background information, right to work information and so forth. HR is just kind of automatically doing that as part of the onboarding process, and the far other extreme, where we are managing people and visitor management, we need to do that really rapidly. Who's the person? Who are they here to see? And possibly expanding that out depending on the type of visit. And, like you said, is this recurring or are they here, not just for a meeting but to actually do contract work or something else? And that is where, in my mind, that that blend starts to fit into the rest of the PIM landscape.
Speaker 2: 4:39
Yeah, what is the rest of that PIM landscape? That's a great pivot point.
Speaker 3: 4:46
So for me it's the entire definition and the thing I would think of extended identities and going from employees and contractors to visitors at the other end and all these people in between that we have different relationships with. When do we switch controls from the visitor control to a contractor control? Is it at a 30-day visit or is it at a six-month visit? When do I want to go to stronger background information, gather right to work information and make sure that we stay in compliance with our rules? We stay in compliance with the wider process, and so to me it's collect up the tools that you have and either set policy or align with the policy that you already have and use whether it's more complex onboarding tools or use that really rapid check-in of the visitor system and just making sure you're doing it appropriately and consistently throughout the organization.
Speaker 2: 5:57
So if I let's see if I can paraphrase that and what I heard with some different words added in would be depending on the needs.
Speaker 2: 6:09
Those needs need to be risk-based in nature. So you're making some sort of assessment based on the physical locations, the sensitivity of those locations, what happens there and who's accessing them, to establish a series of policies, procedures, controls, kind of, when you aggregate those all together, codified into some sort of tool that helps you make decisions, document decisions, and then establish a rule set to kind of govern against across the spectrum of identities you've talked about, across the spectrum of places, spaces, I guess, um, that you're talking about, and then the other one, being those external, could be internal too, but external and internal compliance factors. Yeah, getting consistency with, yeah, um, your policies, for which would be internal compliance, I guess, but uh, um, also with any regulations that you have to have to meet, any if you have audits, um, whether it's part of finance or part of operations, um, or part of IT, making sure that the process that's being used is being used appropriately.
Speaker 3: 7:28
We see things where, for instance, a worker needs to come in and work in manufacturing has to go through a certain set of tests, or a contractor who comes in there.
Speaker 3: 7:39
It might just be safety, it might be skills-based, that kind of thing, and if this contractor doesn't have all the paperwork up to date, what they might do is just, well, we just need him for an hour, let's just check him in through the visitor process.
Speaker 3: 7:57
However, if you have that person coming back and if they're not working directly in the manufacturing floor, then that might actually be completely consistent with policy and okay. But if you have somebody who's coming back week after week, month after month, did we just try to shortcut to bringing in a new contractor? We don't have all the right training in place and we're trying to bypass the contractor onboarding and the correct process, so keeping all of these systems connected and keeping all of these policies in a single system where they're all aware of each other lets you set nice rules that help you spot that, and I think there's also a usability piece to this too. I mean, why would I work around that system? Well, maybe it's really difficult to use, and so if I make it easy to find the rules and easy to follow the rules, then you get a lot more compliance just out of that as well.
Speaker 2: 9:09
Well, and you actually bring up what is a really interesting point. Because if, what are the reasons someone wouldn't do this? Well, one of the ones that comes to my mind immediately is I need this thing done. The person is standing in front of me to go accomplish some task. Maybe they're there for an emergency maintenance at the manufacturing facility you just mentioned. I don't have time, and the company does not have time, for me to wait for X and Y and Z approvals, oh boy, I said Z, not Z, X and Y and Z approvals to take place. That could be hours. And so then there you go. To your point.
Speaker 2: 9:52
The usability, I think, becomes a big issue there. You also talked about it in a way that implies this complements and interacts with a lot of those other systems. What are some of those systems and what are some of those interactions? Because you, I guess you kind of just alluded to one a second ago, or even said it, the access control system. So is this a complement, a supplement, a complete rip and replace? I mean, we're not doing access management, so I guess it's a complement.
Speaker 3: 10:25
Yes, definitely a complement.
Speaker 3: 10:38
You might be using this process to decide what access is appropriate. But you're then going to want to this visit or to this long-term person who's now been at it as a six-month contractor, whatever it is. You still want that ability to track and to have the connection, be able to turn that off when it's complete, that the work is complete. And all of that already exists in that access control system. So you think of the PIM process as a method of making sure all the process steps are followed, making sure all the approvals have been done, making sure the workflow is completed, and then say, hey, take this badge, associate with this person and with these areas and allow them to work in those areas. So the PIM side is more about the workflow and the process and that's an integration into the PACS system.
Speaker 2: 11:43
I think that's an interesting way to think about it, because then what you're talking about is a set of tools, or a tool, specifically in this case maybe, that the peers of security maybe find particularly interesting, because we've talked about compliance a little bit. The fact that we're capturing all of this information on an ongoing and consistent basis means, I'm assuming, there's some auditability of this. Risk is involved. So your risk teams, IT is going to be involved, so there's a lot of, I guess, key stakeholders that may not be in a purchasing decision or may not be in the management of an access control system that will find this tool a valuable member of their, I guess, toolkit, so to speak. Is that a fair assessment, based on your interactions with our customers and prospects over the years, of who else?
Speaker 3: 12:43
might benefit.
Speaker 3: 12:45
Yeah, absolutely. Certainly it is at the core of physical security. This tends to be where process and policy decisions are being enforced in the real world, and often those may be coming from IT or coming from conversations IT is having with compliance and the audit side to make sure the rules are right. Sometimes those are being developed within security or facilities. Often it's those groups coming together and then it touches HR. It touches that compliance team. It provides benefits out to each of those groups. So, yeah, I think it tends to be an area where you can really get a lot of project support and momentum out of looking at how can we make life easier for that auditor, how can we make life easier for HR, for IT, in these different situations.
Speaker 2: 13:50
Switching gears just a little. We've covered some of the basics here. I want to spend a little more time on the compliance and I'm using that in a very broad bucket here. One question I've seen asked it actually came from outside of the company and you'll recall the question in our response but I think it's worth starting the next discussion on.
Speaker 3: 14:24
Does this guarantee compliance? No, it doesn't guarantee compliance, but it's a good way to organize and coordinate compliance so you can make compliance easy and easy to see and easy to audit and track. It doesn't guarantee that people will follow the rules, but it makes it easy to make the rules visible and it makes it an easy way to see if somebody is trying to bypass the rules or skip a step, makes that really visible. So it makes it easy for people who are trying to contribute to a compliant process to do so.
Speaker 2: 15:07
Well, and what you just said is that also assumes there's a set of rules. So the creation of those rules, if it's a new compliance or maintaining an existing one, are a set of things that would be done outside of this system and then pulled into the system as it's appropriate. So I think that's important too.
Speaker 3: 15:27
I think it's also good to step back and think about, when we're talking about compliance, what do we mean? Yeah, good point. Usually, and we look at a lot of different frameworks and talk to customers in areas from manufacturing to IT to finance, and we're not going to cover the entire gamut of financial audit. To me, that's going to be mostly in the finance systems. We go through our own ISO and SOC and other IT-related audits, and PIM doesn't cover the entirety of those either, but all of them have a common piece where they say, on top of making sure that you collect these records, you secure this area, this system, or secure these areas, they also require you to have control of, and records for, the physical space.
Speaker 3: 16:22
It's really difficult to secure your finance records if, you know, just anyone can walk in. Same with IT. Everyone's got a subset that focuses on the physical area, and the key with any of this is making sure that you have a formal way to record who owns the area, who owns the decisions about it, who's been granted access, who did that, making sure you have a clear record of the question and the response to that, and being able to keep that record so you can tie it back to every door, every person, every decision is all then collected in a single system. And PIM, by doing that, by keeping all of that information and keeping it organized for you, makes it easy to answer any of the audit questions that come up about a data center, manufacturing floor, your fifth floor office of the office building where finance sits. It makes it easy for you to go in and review that and see that you did follow the policy and that you do have the right controls in place.