To Build Or Buy A Physical Identity & Access Management (PIAM) Software

Ideal COTS solutions take cost, customization and convenience into account

Physical identity and access management (PIAM) software enables streamlined management of security identities across disparate physical security systems. In this article, Ajay Jain, President and CEO of Quantum Secure, explains that PIAM software can ensure synchronized and policy-based on- and off-boarding of each individual identity by integrating physical with logical systems. It would also ascertain total ongoing control of their physical access levels across multiple security systems. PIAM software is a ready-made solution to upgrade and enhance physical security strategies; to remain compliant with requirements mandated by various regulations, or to integrate and maintain alignment with security policies during and after a corporate consolidation. The decision to build or buy a PIAM software solution should be based on the 3Cs of cost, convenience and customization. 

With the growing recognition of the importance of PIAM comes a need for each user to decide whether the software should be developed internally, or whether it should be purchased as a commercial off-the-shelf (COTS) solution. 

The appeal of building an in-house custom application is often founded on the belief that company processes, business challenges and unique needs are better understood within the organization and that the solution can be developed more accurately and less expensively this way. Conversely, many identity management issues and requirements are similar in nature and it may save time, and potentially money, to purchase a COTS package developed by a more specialized software developer. 

Understanding the differences between the build or buy approach can yield significant benefits. There are three key areas that should be considered when making the choice between an in-house developed solution and a COTS package − cost, customization and convenience. 

Cost of the software

Unlike an in-house developed software program, costs for COTS solutions can be negotiated and determined up front. Any additions or custom development can be quantified prior to the start of the project and a schedule for incremental upgrades or changes can be identified for budgeting purposes. In addition, COTS solutions usually provide a better ROI over the long term based on more robust features, greater reliability and ability to scale at a lower cost than an in-house solution. 

PIAM software is a ready-made solution to upgrade and enhance physical security strategies

When considering an in-house developed solution, costs must include the time-intensive process of developing the outline/application, assigning personnel and determining charge-back costs for development, testing and support. Because of the nature and complexity of the PIAM application, the development must take into consideration workflow that integrates a variety of business system processes, as well as the integration between existing hardware and/or software systems. For example, when one set of privileges changes, whether physical or logical, that alteration must trigger automatic, complementary revisions in other sets. 

With regards to the development team, assignment of personnel is dependent upon the technology resource pool and their experience with this platform. The team may also have to be expanded to include personnel with expertise in specific business processes. 

Given these pros and cons, recent trends indicate that organizations are more frequently turning to external professional resources that offer application-targeted solutions built on best practices and with a proven track record. 

Customizing the Software Solution

In many organizations and vertical industries, state and federal regulatory compliance is the impetus for instituting an identity management program – whether it is Sarbanes-Oxley, CFATS, NERC/FERC, HIPAA or one of many others. Government agencies perhaps face the greatest need for compliance including FIPS 201/HSPD-12 credentialing requirements and TSA regulations for airports. 

Custom solutions that are in compliance with access control requirements mandated by any of the various agencies or regulations are more readily available from vendors who understand the requirements both from the business/regulation side and from the technical side. The work is done and built into the application and in most instances the software program will meet the customer’s requirements out of the box. 

Convenience

Operation and use of PIAM software must easily and readily include the capability to manage all types of identities including permanent and temporary employees, contractors, service providers and vendors. It should be an easy and straightforward process to manage details of a physical identity, such as biographic and biometric information as well as results of security checks and historical usage. In addition to aggregating access level information from various systems, PIAM software should encompass details such as risk level, area owner, multiple approvers and prerequisites for access. The system must also provide audit trails of all transactions. These features and other proven system amenities make implementation and use of COTS software more convenient than a home-grown solution.  

The ideal COTS solution will take cost, customization and convenience into account. It should fully integrate data from disparate physical security and IT and operational systems, automate manual security processes around contractors and reduce both costs and risks. The host of applications provided to automate physical security system functions must include physical identity management, role-based access, self-service administration, identity/event correlation and reporting. Control should be provided through a single Web-based interface that is easy to manage and use. 

A properly designed and engineered COTS solution for physical access and identity management will be your most cost effective solution.