Part 1: What Is Physical Identity and Access Management (PIAM)?
PIAM is a framework of business processes, policies and technologies that orchestrate the management of identities and their physical access to facilities.
In this article, we’re going to discuss:
- Basics of PIAM
- Identity management
- Core identities – permanent employees
- Extended identities – visitors / temporary employees
- Access orchestration
- Visitor management
- Credential management
- Identity management
- Understanding PIAM’s role in an integrated security system
- Physical security
- Information technology and security
Basics of PIAM
Identity Management
Identity management is a fundamental part of PIAM. It is the process of creating, maintaining and governing the identities of individuals that need access to physical locations. This includes managing their identity attributes, such as name, job title, department and access permissions. For those familiar with identity management or governance concepts from cybersecurity, most if not all of this will be familiar.
Core identities are the most common type of identity in PIAM. These are the people that need access to an organization’s facilities to perform their jobs every working day. They are most often an organization’s full-time employees.
Extended identities are not part of the core set of identities, but still need to be managed to ensure the security of your organization’s facilities. They can include contractors, vendors, delivery services, business guests and basically any other visitors that need regular or occasional access. They can also include identities that need daily access but aren’t directly employed by the organization itself. Some of these individuals may need daily access or reoccurring access to sensitive areas, in which case they could also require complex prerequisites to establish the right to work.
Access Orchestration
Access orchestration is the automation of the access management process, which involves the use of software to automate the tasks involved in managing access to physical facilities.
This can include the following procedures:
- Create, review, update and delete (CRUD) — Access permissions for individuals based on their role, need and risk level. For example, a PIAM solution like HID SAFE™ can automatically revoke access to a person's badge as soon as their employment status changes. This ensures that there are no gaps in access control, even if an individual is out sick or on vacation.
- Tracking access activity — This can be used to identify suspicious activity such as unauthorized access or attempts to access restricted areas. This information can be used to improve security by identifying and addressing potential threats.
- Enforcement and demonstration of adherence to compliance controls — Access orchestration can be used to generate reports that help to substantiate an organization's compliance with regulations. This can be important for organizations that are subject to regulations such as HIPAA or PCI DSS.
Access orchestration can be a valuable tool for organizations that want to improve the security of their physical facilities. By automating the access management process, access orchestration can help to reduce errors, boost efficiency and improve compliance with regulations.
Visitor Management
An important aspect when it comes to extended identities is remembering that all visitors are not the same. This is why PIAM is so crucial when a facility manages a range of different identities and can help to answer specific questions that may arise.
How do you manage people who need reoccurring weekly access vs. once-a-month access?
How do you manage people who need permanent day-to-day access, but who are not permanent full-time employees, like contractors?
How do you make sure an employee who has left the organization no longer has access into the building?
Visitor Management Resources:
Spearhead Organizational Security With Visitor Management (hidglobal.com)
How Safe Is Your Visitor Management Policy? (hidglobal.com)
What Do These Identity Sets Have in Common?
Both identity sets, the core and the extended set of identities, can have gaps in their management, especially if they are being managed manually.
Let’s Look at a Real-Life Scenario
Greg is a permanent employee at a large organization in Atlanta. He decides to accept a new job offer and leave his tenure at the organization, finishing his last day. HR is also experiencing turnover and is prioritizing onboarding Greg’s replacement over offboarding Greg, due to their limited resources. Greg forgets to return his badge, and while the local security manager removes his access anyway, he is not aware that Greg is also on another access system in another building. Now we run into two common errors:
- Greg is only taken off one of the two access systems he had access to during his time with the company
- Another badge has been issued, so while one has been returned, there is still another that’s active under another name
Either scenario would leave an active badge that can open at least some doors. This is bad.
Without proper workflows, Greg’s access to digital assets may be terminated while physical access remains. This means that Greg could still have access to the building, even though he is no longer an employee. This is a security risk and a task that should be automated in large infrastructures.
Credential Management
Smart cards, mobile wallet and app virtual cards, electronic keys and metal keys are all types of credentials used to verify that a person has the correct permission to access a physical space. Sometimes that is simply the mere possession of a credential as is the case with metal or basic plastic badges.
Credential management is the process of creating, issuing, managing and revoking credentials for the purpose of providing oversight and controls.
A few different examples of credential management:
- Enrolling new identities — creating a new identity in the system and issuing a credential
- Updating a credential — when an employee changes jobs or locations, the act of changing their access rights based on these changes is important to capture. This may also extend to scenarios where a person requires licenses, tests, insurance or other documentation to work. The credential can be suspended until the necessary conditions have been met.
- Revoking a credential — when an identity ends employment with an organization or has lost their credential, the credential must be revoked to prevent unauthorized access
- Auditing credential usage — the system should track when and where users are using their credentials so that any suspicious activity can be detected and investigated. A strong tie into identity management is key here, as is the ability to individually identify access to an event, i.e., leveraging a uniquely identifiable credential that is linked to a single individual.
With a physical access control system (PACS), a door will open based on a valid credential with appropriate access rights. This means that if a valid card or credential is presented, access will be given. PIAM provides the who, what, where, when and why of access to give organizations better insight and more efficient control of their security processes.
This is a fairly simple process for employees after the initial onboarding. It becomes more complicated with extended identities. There must be a simple and automated way to input the right rules and establish that all information is correct before giving out trust. We’ll dive deeper into this in part two of our series.
[Preview] What is PIAM? Part II
Understanding PIAM’s Role in an Integrated Security System
Physical access and identity management (PIAM) plays a critical role in bringing a robust identity layer that can be overlaid across physical access. It is complementary to other physical security tools that allow for a strong physical security program. Physical security and information security should not work against one another — they should not compete. Rather, they should be thought of as complementary. Both are required to elevate the security of an organization at large to reduce their attack surface and eliminate potential threat factors.
Physical Security
- Provides a seamless way to manage physical access and is specifically helpful in complicated infrastructures
- Can automate tasks
- Helps organizations comply with regulations
- Can be integrated with other systems and technologies
Information Technology and Security
PIAM goes beyond just physical access. By providing a way to manage physical access to facilities, PIAM directly improves the security of information technology by:
- Identifying and authenticating users
- Controlling access to resources
- Tracking access activity
- Generating reports
PIAM is a crucial part of any integrated security system, ensuring that only authorized identities have access to what they should have access to — physical locations and digital assets. PIAM helps detect and respond to security threats more quickly and efficiently.
Next, we will dive deeper and explore some of the more advanced topics of PIAM and how organizations can use a PIAM solution to improve their overall security posture.
Stay tuned for part two of our “What is PIAM” series where we will take a deeper dive and discuss:
- Advanced topics of PIAM
- Compliance
- Audit attestation
- Locations
- Top PIAM questions
- Why do I need PIAM if I have PACS?
- Vertical-focused topics
Samantha Friedman is the Content Marketing Manager for HID helping drive content initiatives and brand positioning for the Workforce solutions within the Identity and Access Management division. She has extensive experience in content strategy and implementation across a variety of industries including advertising technology, media + entertainment, data privacy and global packaging.