The 5 Ws of PIAM
The 5 Ws of the Physical Identity and Access Management (PIAM) Processes
For security professionals, managing an organization’s Physical Identity and Access Management (PIAM) is critical to protecting people, data, and company assets. Achieving and maintaining the highest level of physical security is dependent on the facility’s ability to manage physical security processes effectively and efficiently in order to establish accountability, ensure compliance, and analyze current processes and procedures.
Data collected through a robust visitor management system can help your organization develop a thorough understanding of its physical identity and access management (PIAM) needs. Every organization—regardless of size or industry—must consider the 5 Ws of PIAM: The Who, What, When, Where and Why.
When your organization is ready to review its physical identity and access management processes, the following questions need to be asked and addressed:
WHO is authorized access to your facility or areas within?
The crucial first step toward understanding your organization’s PIAM process is identifying who is authorized to access your facilities or specific areas within your facilities. Questions to ask when determining access authorization include:
1. Which employees, if any, outside the IT department staff need access to the data center?
2. What visitors, if any, should be granted access to R&D labs?
Your response to these questions will help you set the policy framework for your organization’s PIAM program.
WHAT types of identities should you designate?
The next step is to classify those individuals into groups, such as employees, visitors, vendors, and contractors. This step is important because identity establishes the level of trust, and therefore the access rights, that each person should be granted. For instance, a person identified as an employee should be given a much higher trust level than a visitor.
WHEN are individuals granted access, and how long should credentials remain valid?
Establish limits for each identity type’s access—that is, the times they can access your facilities and how long their credentials should remain valid. Not only is it important to establish limits for employees, it is critical to establish limits for visitors, contractors, and vendors.
WHERE are individuals allowed to enter a facility, and where are they at any given moment?
When reviewing your PIAM program, make sure to analyze data regarding identity lifecycles to establish where individuals enter and where they are within your facility at any given time.
WHY have individuals been given access privileges—who approved these privileges?
Organizations should establish a “least access privilege” policy, which means giving people access to only the areas needed for their roles. Create approval process workflows that include “required access guidelines” and “designated area owners” to approve access requests. This establishes a clear set of requirements for access and clearly delegates responsibilities for approving that access.
Once your organization has answered the 5 Ws of PIAM, you will be better able to provide consistent control and management of everyone who enters your facility.