The New Heart of Security
Security Convergence and Identity become the foundation of digital transformation while COVID-19 transforms access governance
A Multitude of Industries
Organizations from all walks of life across a multitude of industries (banking, financial services, manufacturing, energy and utilities, transportation, life sciences and many more) have realized the importance of bringing information from the operational aspects of the company to the front of the house.
Security experts now agree that the most important aspects of security start with the identity of the people accessing applications and information related to the enterprise. Are they authorized? Do their privileges extend to transactional data? How long should access be granted? Who else can see the data? Are their connections secure from attack? And how can their access be turned off when they leave the organization? What about IoT devices?
At the center of converged security are people, identity and trust. And in these unprecedented times, we need to know exactly where employees were, at what time and who they were with. The changing threat landscape, now with contagion as a constant, requires a new approach relying on health and safety access intelligence, all of which comes from a common identity platform.
Extending a single digital identity that can be authenticated across logical and physical environments at the enterprise has ramifications far beyond physical security. For users, it means unified cyber-physical security, greater productivity and the ability to focus on and leverage high-value tasks rather than time-consuming manual processing traditionally associated with identity access governance.
Instead of separate siloed departments simply coexisting and not interacting, security convergence brings together technologies from security, HR, IT and Operational Technology (OT), capturing and correlating threats and risk and addressing compliance and policy automatically. It creates a common identity across people and things, which also makes it easier and faster to engage customers and the workforce, create amazing experiences and offerings and level-up operations. It co-mingles with cyber controls, facilities technologies and even behavior analytics and risk profiles to mitigate risk holistically.
Data Says Users Want Convergence
Security convergence and digital transformation aren’t some pie-in-the-sky concepts anymore. C-Suite and facility executives who have been moving in this direction now know it’s imperative to embrace it as we respond and recover from COVID-19.
According to The State of Security Convergence in the United States, Europe and India, an ASIS Foundation Convergence Report published in fall 2019, some 35 percent of respondents said that convergence has smoothed the way to create a shared set of practices and goals across physical security, cybersecurity and business continuity teams. In 39 percent of cases, convergence has “clearly enhanced communication and cooperation.”
Prior to COVID-19 we also saw the following data points from the ASIS study: almost 80 percent of non-converged organizations acknowledge that convergence would strengthen their overall security function and 40 percent cited the desire to better align security strategy with corporate goals as the main catalyst for convergence. It’s likely those numbers are even higher today. Those who were already converging functions and digitally transforming probably find themselves much more prepared to respond to the pandemic and all the new facets now part of identity management and compliance. Businesses already down the path of digital transformation have been able to pivot, survive, thrive and serve customers and protect their workforce during these disruptive times.
Enterprise security leaders now understand that the effects of a cyber breach, physical attack, manufacturing loss, or contagion on site far outweigh the costs of a holistic and converged system. Those who embrace the digital transformation will enable cohesiveness of systems and data, with the end result delivering proactive threat detection and prevention: a unified threat response to mitigate risk and greater situational awareness.
Identity Management With Muscles
Identity management software platforms integrate with HR programs and processes to bring together the human side of security, working in tandem to create a better and safer enterprise. Identity management with Identity Intelligence technology that incorporates artificial intelligence and machine learning can set risk scores, adding filters and exceptions to flag, escalate and detect anomalies in access and even production processes. Active policy enforcement rules-based engines automatically identify policy violations and unauthorized access as well as operational and procedural issues. In addition, identification credentials automatically expire and are taken offline when access is no longer granted, reducing risk from a disgruntled employee in-house.
The power of security convergence is most evident when it automates and detects seamlessly across more than one domain, like IT and physical security. Consider this real-world scenario: a utilities company employee enters the company through the main lobby, takes the elevator to his floor and badges in to gain access through that level’s main door. He proceeds to his desk and signs into the company network to access his email. At the same time someone is using the identical access credentials remotely via the VPN. Obviously he can’t be physically present locally and remotely. A converged platform detects the external intrusion by automatically identifying the access anomaly and allows security to immediately disable access, preventing a potential threat.
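The correlation in this scenario, written out as an added example (not code from any product the article describes): badge events and VPN logins are merged per user, and a VPN login from outside the company's own egress ranges while that user is badged in is flagged. The event format, the `ONSITE_NETS` range and the 10-hour presence window are assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: egress ranges of the company's own sites (documentation addresses).
ONSITE_NETS = [ip_network("198.51.100.0/24")]
# Assumption: presence lapses after this long when no badge-out is recorded.
MAX_PRESENCE = timedelta(hours=10)

# Constructed sample events, not real logs: (timestamp, user, source, detail)
EVENTS = [
    ("2020-06-01T08:02:00", "jdoe", "badge", "IN:lobby"),
    ("2020-06-01T08:05:00", "jdoe", "badge", "IN:floor-4"),
    ("2020-06-01T08:10:00", "asmith", "vpn", "203.0.113.40"),
    ("2020-06-01T08:20:00", "jdoe", "vpn", "203.0.113.77"),
    ("2020-06-01T09:00:00", "mlee", "badge", "IN:lobby"),
    ("2020-06-01T09:30:00", "mlee", "vpn", "198.51.100.12"),
    ("2020-06-01T17:30:00", "jdoe", "badge", "OUT:lobby"),
    ("2020-06-01T19:00:00", "jdoe", "vpn", "203.0.113.77"),
]

def is_onsite_ip(addr):
    """True when a VPN source address belongs to a company site."""
    return any(ip_address(addr) in net for net in ONSITE_NETS)

def find_conflicts(events):
    """Return (user, time, ip) for VPN logins from outside while badged in."""
    onsite_since = {}  # user -> time of the latest badge-in
    alerts = []
    for ts, user, source, detail in sorted(events):  # ISO timestamps sort by time
        when = datetime.fromisoformat(ts)
        if source == "badge":
            if detail.split(":", 1)[0] == "IN":
                onsite_since[user] = when
            else:
                onsite_since.pop(user, None)  # badge-out ends presence
        elif source == "vpn":
            seen = onsite_since.get(user)
            present = seen is not None and when - seen <= MAX_PRESENCE
            # A VPN client started from an office network is not a conflict.
            if present and not is_onsite_ip(detail):
                alerts.append((user, ts, detail))
    return alerts

if __name__ == "__main__":
    for user, ts, ip in find_conflicts(EVENTS):
        print(f"ALERT {ts} {user}: remote VPN login from {ip} while badged in")
```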
Here’s an example: An employee completes the self-reporting health and travel questionnaire, which triggers a workflow based on the answers. These health questionnaires collect data and document employee activity during lockdown, including infection, symptoms or exposure. The request routes to the manager for action and the workflow can be configured to specific needs. Once the manager reviews the request, it is determined that based on the answers the employee is high risk and per policy his access will be revoked for 14 days while in quarantine. Enterprises administer the self-service process to view, edit and approve health exposure risks of the workforce and disable access based on policy.
When the quarantine period is over, the employee receives an automated notification to request reinstatement and the self-attestation questionnaire. The employee is cleared and requests to be reinstated, following workflows to provide supporting documentation, such as a medical discharge or physician’s letter. Access is re-enabled and the employee is notified with instructions to come to work.
Health and Safety access governance and intelligence provides support for prescreening of the workforce during site entry with automated policy enforcements. Pre-registered and onsite visitors/contractors check-in/check-out with prescreening, watch list and other checks prior to access. In the production or distribution facility, Health and Safety analytics track confirmed or potentially exposed COVID-19 workers, identify exposed areas for lockdown and/or sanitization, social distancing violation, location heat map and other actionable health and safety analytics.
Identity management also allows you to automate your communications and deliver clear expectations and procedures to your workforce, visitors and contractors pre-visit and onsite—adding to a seamless experience.
Real-time Active Enforcement
Technology like Identity Intelligence and the active policy enforcement rules-based engine automatically identify policy violations and unauthorized access. This allows security managers to proactively monitor and respond to security violations as well as operational and procedural issues. During the COVID-19 outbreak, this could include travel history to restricted countries or regions. Integration with travel and HR applications can detect when and where a person booked travel and has badged in, providing the enterprise the ability to build a solid risk profile of activity. If someone in the workforce recently visited a restricted location, security and HR teams can be automatically notified to disable badge access to help avoid exposure and potential transmission. In the scenario where someone in the workforce becomes sick they would be considered a high risk. Any requests for physical access to a facility would require special approval according to company and local or federal health authority policies.
With an outbreak, modification to the visitor experience is also required. It is the first point of contact and along with lobby and security staff is part of the front lines for safety. Enterprises can configure their Visitor Identity Management (VIM) system to provide clear communication of current policies during the outbreak, reinforcing WHO best practices. VIM can easily be configured to prompt guests to answer specific screening questions related to recent travel and sign off on legal documents.
Security is no longer simply about keeping bad guys out. Security has become the business enabler during the digital transformation. It’s now the fundamental component of protecting people and workspaces and identity stands at the center.
The digital transformation and its impact on physical security are clear. It takes a new approach, focusing on bringing people, processes, data and technology together safely and securely. The future is here and organizations are now empowered to do more with less, create engaging employee experiences, increase compliance and reduce risk – all from a single, trusted digital identity platform.