Physical/Logical Access Interoperability Working Group



Similar documents
Quest One Identity Solution. Simplifying Identity and Access Management

Strategic Identity Management for Industrial Control Systems

BUSINESS-DRIVEN, COMPLIANT IDENTITY MANAGEMENT USING SAP NetWeaver IDENTITY MANAGEMENT

Enterprise Digital Identity Architecture Roadmap

The Top 5 Federated Single Sign-On Scenarios

Aurora Hosted Services Hosted AD, Identity Management & ADFS

Government of Canada Directory Services Architecture. Presentation to the Architecture Framework Advisory Committee November 4, 2013

Introduction to SAML

Identity Management in Liferay Overview and Best Practices. Liferay Portal 6.0 EE

Identity and Access Management

Controlling Web Access with BMC Web Access Manager WHITE PAPER

Business-Driven, Compliant Identity Management

identity management in Linux and UNIX environments

Getting Started with Single Sign-On

Creating the Conceptual Design by Gathering and Analyzing Business and Technical Requirements

Password Management Before User Provisioning

Designing Windows Server 2008 Active Directory Infrastructure and Services Course 6436B; 5 Days, Instructor-led

Business-Driven, Compliant Identity Management

Windows Services. Support Windows and mixed-platform workgroups with high-performance, affordable network services. Features

Provide access control with innovative solutions from IBM.

G Cloud 6 CDG Service Definition for Forgerock Software Services

SAP Solution in Detail SAP NetWeaver SAP NetWeaver Identity Management. Business-Driven, Compliant Identity Management

Fairsail. Implementer. Fairsail to Active Directory Synchronization. Version 1.0 FS-PS-FSAD-IG R001.00

White Paper. Anywhere, Any Device File Access with IT in Control. Enterprise File Serving 2.0

Is Liferay Right for Your Organization? Seven Things to Consider When Choosing a Portal Platform

IDENTITY MANAGEMENT AND WEB SECURITY. A Customer s Pragmatic Approach

Leveraging the Synergy between Identity Management and ITIL Processes

Conclusion and Future Directions

Designing a Windows Server 2008 Active Directory Infrastructure and Services

Integrated Identity and Access Management Architectural Patterns

Directory-enabled Lights-Out Management

CA Process Automation for System z 3.1

Active Directory and DirectControl

Oracle Identity Manager, Oracle Internet Directory

managing SSO with shared credentials

Groove Management Server

Open Directory. Apple s standards-based directory and network authentication services architecture. Features

FREEDOM ACCESS CONTROL

Mac OS X and Directory Services Integration

THE QUEST FOR A CLOUD INTEGRATION STRATEGY

How to leverage SAP NetWeaver Identity Management and SAP Access Control combined solutions

Getting Started with Single Sign-On

Web Applications Access Control Single Sign On

Oracle Identity Management: Integration with Windows. An Oracle White Paper December. 2004

Oracle Fusion Middleware 11g Release 1 IDM Suite

WHITEPAPER OpenIDM. Identity lifecycle management for users, devices, & things

EXECUTIVE VIEW. EmpowerID KuppingerCole Report. By Peter Cummings October By Peter Cummings

Documentation. CloudAnywhere. Page 1

secure user IDs and business processes Identity and Access Management solutions Your business technologists. Powering progress

How the Quest One Identity Solution Products Enhance Each Other

INTEGRATING THE TWO WORLDS OF PHYSICAL AND LOGICAL SECURITY

USER GUIDE. Lightweight Directory Access Protocol (LDAP) Schoolwires Centricity

How To Improve Your Business

Realizing True Data Integrity Through Automated Discrepancy Management

Easily Managing User Accounts on Your Cloud Servers. How modern IT and ops teams leverage their existing LDAP/Active Directory for their IaaS

Understanding. Product Exploration

Achieving HIPAA Compliance with Identity and Access Management

Jitterbit Technical Overview : Microsoft Dynamics CRM

A Guide to Hybrid Cloud An inside-out approach for extending your data center to the cloud

RSA Authentication Manager 7.1 Microsoft Active Directory Integration Guide

Entitlements Access Management for Software Developers

Business Partner Program Guide

Seven Steps To A Superior Physical Identity and Access Management Solution. Enterprise-Class Physical Identity and Access Management Software

WHITE PAPER. Active Directory and the Cloud

Interoperate in Cloud with Federation

Red Hat Enterprise ipa

Designing a Windows Server 2008 Active Directory Infrastructure and Services

Windows Server 2003 Active Directory: Perspective

Identity & Access Management new complex so don t start?

Cisco Prime Data Center Network Manager Release 7.0: Fabric Management for Cisco Dynamic Fabric Automation

Identity and Access Management Point of View

IBM Customer Experience Suite and Electronic Forms

Designing and Implementing a Server Infrastructure

MICROSOFT HIGHER EDUCATION CUSTOMER SOLUTION

Dynamically Authorized Role-Based Access Control for Secure Distributed Computation

CA Technologies Solutions for Criminal Justice Information Security Compliance

Privileged Access Control

Oracle Identity Manager (OIM) as Enterprise Security Platform - A Real World Implementation Approach for Success

IBM Tivoli Directory Integrator

Identity and Access Management (IAM) Across Cloud and On-premise Environments: Best Practices for Maintaining Security and Control

State of South Carolina Policy Guidance and Training

Extend and Enhance AD FS

Avaya Mailbox Manager and Unimax 2nd Nature A Comparison

Securing the Cloud through Comprehensive Identity Management Solution

Utilizing LDAP for User Profile and Corporate Structure Integration

Technical Brief: Global File Locking

Transcription:

Physical/Logical Access Interoperability Working Group Contents Physical/Logical Access Interoperability... 2 Introduction... 2 Overview & Executive Summary... 3 Business Objective... 3 Technical Objective... 3 Progress... 3 The Next Step... 3 Background... 3 Standards Based Identity Unification... 3 Identity Management... 4 The Need... 4 Workflow... 4 Enhanced Security Functions Needed... 4 More Efficient Physical Security Administration... 5 Security Workflow Scenario... 5 The Project... 6 Conceptual Model Physical/Logical Access Interoperability... 7 Summary... 7 1

Physical/Logical Access Interoperability Executive Summary This document, prepared by the Physical Security Interoperability Alliance (PSIA), discusses the PSIA s plan to develop a specification to unify logical and physical identities using role-based access management (RBAC-RPE). This specification would enable security industry manufacturers, integrators and end users to develop effective, easily administered solutions spanning the physical and logical security domains. Introduction In June 2013, the PSIA Board and Profiles working group met in Seattle. During the meetings, PSIA member Kastle Systems delivered an overview to the group about the current status and opportunities to integrate Role Based Access Control (RBAC) between logical and physical domains. Briefly, RBAC entails creating logical and physical access control policies based on a standard definition of an employee s role in a company. At the conclusion of the meeting, a working group was established to frame an initial document to structure the rationale for developing a new specification. Leveraging the experience of Kastle Systems and its experiences thus far in integrating roles between logical and physical security domains, the PSIA has framed this document. Several other industry sources have also been consulted to discuss the need for such a project. Helpful reading includes that from Security Technology Executive 1 and the Security Industry Association (SIA) Quarterly Technical Update 2 The PSIA will present an overview of the proposed specification on Monday September 23, 2013 in Chicago during the 59 th ASIS Seminar and Exhibits. Registration for this event may be found by clicking here. An additional working meeting during ASIS is being organized. 1 See RBAC for Physical Access Control, Security Technology Executive, April 2012 2 SIA Quarterly Technical Update D Agostino, Engberg and Bernard, December 2005 2

Overview Business Objective Create a technical specification to encourage the creation of standards-based solutions that make logical and physical security more functional and their administration more efficient. Technical Objective Define a PSIA specification using Lightweight Directory Access Protocol (LDAP) to unify logical and physical identities using role-based access management (RBAC). The PSIA is taking an inclusive approach, inviting members and other groups to participate in the specification working group. Progress PSIA members have already created the world s first Area Control specification for physical security, and this specification is being adopted by most of the major access control manufacturers. The specification allows a variety of physical security technologies to interoperate with each other. The Next Step To enable the market to create open solutions for enhanced security functionality and more efficient security administration, a specification needs to be created to allow logical and physical security domains to exchange role-based access profile information between each other in a standardized way. We present the business rationale and use case scenarios for such a specification below. Background Standards-Based Identity Unification The unification of H.R., logical and physical security identities is challenging and expensive. The so-called solutions that exist today show no evidence of being standards-based. These proprietary offerings require vendors and integrators to significantly change the workflow cycles and responsibilities in both the physical and logical/it security domains to create solutions to identity unification. Solutions that lock customers to a particular vendor are usually proprietary and expensive, and cannot be cost effectively integrated with new technologies that security and IT organizations acquire. It is also generally difficult to mesh proprietary nonstandard offerings with an organization s broader technology fabric. 3

Identity Management Today, it is common practice to populate logical and physical identities using the H.R. Management System (HRMS) as the authoritative data source. Integration to populate either the physical or logical security system using HRMS was solved some time ago and is not the focus of this document. The Need Workflow Logical and physical identities are rarely and efficiently reconciled between each other, without significant expense and duplication. The typical security workflow is: HRMS Logical Physical and usually involves manual processes which add cost, the potential for error and delay workflows. Achieving better Enterprise Security Risk Management (ESRM) by enhancing security functionality using the identity assets in both the logical and physical security domains has been a topic of popular conversation but has not been widely adopted. There are several reasons for this, including that often, one domain is forced to change its core functions to suit the other, or because the vendor solution is proprietary and expensive. There are two apparent reasons that reconciliation between physical and logical security are desired: 1) the need for enhanced security functions; and 2) more efficient physical security administration. Enhanced Security Functions Needed o Examples of enhanced security achieved through unified physical and logical identities: A user cannot authenticate to a logical security environment (login to a computer system) in a particular physical location without first having been determined to be physically present, using physical access control. Remote access to logical assets could be questioned when a user is physically present in the location in which those assets exist, and so has no apparent reason for remote access. These authentication and access solutions are especially relevant given that solving ongoing cyber-related intrusions in organizations is a clear and urgent priority. 4

More Efficient Physical Security Administration Access control systems today lack uniformity of approach to administration, and automated privilege management functions. This means that the cost of administration becomes a burden as the system is more actively used or scales upward. o Examples: Business activity that creates the need to carry out administration to enact different access privileges: Organizational restructuring Changes to contracts Acquisition or divestment of business units or companies within a group that may then require: Integration of different logical access control systems Integration of different physical access control systems Employees who travel between locations and require temporary access In discussions with one Fortune 50 organization, its Security Managers cited the case of managing nearly 200,000 existing physical identities. Of these, at any given time, several thousand are being administrated to create temporary privilege for workers to access locations while traveling. They state that about 20% of the activity of the 1,200 administrators is to create temporary access for the traveling worker. Automated Privilege Management would allow temporary access to be created by utilizing a travel record to create and then revoke temporary access in a defined physical boundary. The efficiencies gained would be significant. Security Workflow Scenario for Identities Discussion among PSIA members reveals that one possible identity unification workflow scenario is to use the privilege structure defined in the logical security domain to organize and manage physical security privileges. The PSIA specifically is considering developing a specification that would enable the migration of RBAC (specifically RPE RBAC Policy Enhanced Standard) from the logical domain to the physical security domain. 5

RBAC-RPE is a standards-based approach to defining the business roles of employees within an organization. Once functional roles are defined, each role is then assigned logical (applications and data) and physical access privileges (or policies). Roles are then assigned to employees, in contrast to assigning physical and/or logical access privileges directly to an individual. 3 The PSIA specification would thus augment physical security functionality by providing a mechanism for greater connectivity between both domains, and a standardized, more efficient mechanism for physical security administration through the use of RBAC. Providing a standard method for the physical security community to gain such connectivity to logical RBAC will enable the creation of interoperable tools by the market that address the security and business needs described in this document. These needs and the benefits of addressing them are not new, but end users and integrators have only rarely tried to address them because no standardized, industrywide mechanism to implement has existed. The Project The proposal is to establish a formal PSIA working group for Physical-Logical Access Interoperability that will define a new specification to address the identify unification problem. This specification will enable the creation of solutions that allow logical and physical identities to be mapped relevant to each other. The PSIA specification will likely utilize the existing standard LDAP at its core, because LDAP is a published, widely adopted directory standard. The benefits of the PSIA specification will include more efficient management of identities without altering the existing logical identity ecosystem, and delivery of an overall lower cost structure, making it easier to develop and articulate a more compelling ROI. More specifically, logical identities and roles could be imported and mapped in a physical security ecosystem without removing the value and features that a physical security solution provides to manage devices in the physical security domain. 3 http://csrc.nist.gov/groups/sns/rbac/, accessed 8/27/13 6

Conceptual Model Physical/Logical Access Interoperability Figure One 4 : Physical/Logical Access Interoperability (Conceptual). Figure One above shows how roles, utilized in the logical security domain, may be replicated to the physical security domain to create synchronicity between domains. The PSIA Working Group would develop a comprehensive definition of the required functionality as the foundation for a detailed specification. Summary Creating a specification that enables solutions to be created to map the same identity and role in logical and physical security environments using RBAC will provide significant cost and functional benefits for Enterprise Security Risk Management, and lay the groundwork for automating privilege management. 4 Thank you to Ray Bernard for providing a base graphic which was adapted to represent the concept. 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information