Universities, schools and hospitals often face many challenges related to physical access and the management of identities across multiple disparate systems that may be deployed across a campus. Among these challenges is the management of a large number of identities requiring differing levels of physical access to campus facilities, classrooms and services (e.g., bookstore, library, cafeteria), as well as ensuring safe and secure dormitory access.
Campus security and/or IT departments typically develop a number of teams, systems and internal policies to manage these identities, badging and access privileges. The business processes involved tend to be partly managed through loosely connected systems and often depend on manual steps by the IT department and administrative teams to process, record and periodically audit.
Because of the intricacies involved – and also because of the inherent security concerns – many campuses are looking for a better way to manage these increasingly complex procedures using policy-based automation tools. In today’s education and healthcare environments these tools can increase consistency, reduce manpower-related costs, provide better assurance of compliance and ultimately provide a more streamlined process along with an enhanced security environment.
The question then becomes: is it more advantageous for the organization to build or buy the physical identity and access management (PIAM) software?
Establishing the Framework
The appeal of building an in-house custom application is often founded on the belief that processes, challenges and unique needs of the institution are better understood within the organization than by an outside vendor and that the solution can be developed more accurately and less expensively internally. However, many identity management issues and requirements in a campus application are similar in nature and it will save time, and potentially costs, to purchase a commercial off-the-shelf (COTS) package developed specifically for hospitals, schools or universities by a more specialized software developer. In either case, a well-designed solution should include the following:
- Easy Central Management – Web-based platform to centrally manage all physical identities, their access details, results of security checks and access history. Automates the on/off boarding of identities with rules-based access provisioning, and allows for the creation of virtual access zones and access profiles.
- Reporting – Capability for out-of-the-box and custom tabular and graphical reports, including options for sorting, grouping and filtering of data. Scheduling report delivery via automated email or file upload should be allowed.
- Watch Lists – Development and management of watch lists of physical identities that are potential threats to the organization, complete with associated risk profiles and historical details.
- Badging – Automated process that is independent of locations or physical access control systems (PACS). Allows rule-based production and assignment of one or more badges to a cardholder; enables printing and encoding into different card types as a single process.
- Audits – Automates periodic reviews/audits of identities and their access by the area owners. Enables users to define and configure audits and allows automatic creation of access audit tasks for area owners’ review.
- Visitor Identity Management – Web-based control for visitor/event pre-registration, security check against watch lists, visitor check-in/check-out, badge printing and centralized reporting functions.
- Asset Management – Allows central management, issuance and audit of one or more physical security assets (e.g., vehicles, cell phones) that are provisioned to identities managed within PIAM.
In addition to the above PIAM system functionalities, there are three key areas that should be considered when making the choice between an in-house developed solution and a COTS package – cost, customization and convenience.
Cost
If considering an in-house developed solution, costs must include the time-intensive process of developing the outline/application, assigning personnel and determining charge-back costs for development, testing and support. Because of the nature and complexity of the PIAM application, the development must take into consideration workflow that integrates a variety of business system processes as well as the integration between existing hardware and/or software systems. For example, when one set of privileges changes, whether physical or logical, that alteration must trigger automatic, complementary revisions in other sets.