All Identities Matter

Daniel Krantz, CEO, Real-Time Technology Group

Clear and Present Insider Threat

Now more than ever before, risk managers are faced with increasing physical security threats. Irrespective of the political debates, facility owners and operators are forced to implement changes in their security posture to satisfy these new demands. Employed and contracted personnel, as well as visitors, who access sensitive facilities present one of the most significant threats to our nation’s critical infrastructure, public venues, and high-profile American companies. Workplace safety and security programs must evolve to assure that all identities comply with relevant best practices.  

On June 1, 2015, the Department of Homeland Security’s Inspector General issued a report that TSA failed to identify 73 active aviation workers with links to terrorism. These direct security breaches resulted in the exposure of massive, system-wide vulnerabilities that can easily be exploited to execute a large-scale terrorist attack.

The most basic elements of safety and security compliance require that we establish defined zones, limit access to individuals who are essential to operations and economic vitality, and continuously measure all identities against relevant criteria. It seems like a simple concept, yet public and private Risk Managers still struggle to implement effective personnel assurance programs for employed and contracted resources that support construction, maintenance, and daily operations.

This responsibility for safe, secure operations extends beyond traditional corporate and industry boundaries. The most effective programs are based on sharing of critical intelligence among risk managers within a region and/or industry. Yet personal privacy concerns often unnecessarily limit cooperative efforts.

How can we effectively mitigate the insider threat? What improvements to safety and security programs are required to ensure that only trusted resources have access to our nation’s transportation centers, utilities, healthcare facilities, academic institutions, and public venues? How can disconnected risk managers work together to share the burden and cost of large-scale personnel assurance programs?

Establishing and Maintaining Trust

All too often, disconnected, fragmented systems and operations have prevented Risk Managers from accomplishing their goals using disparate HR, vetting, policy administration, training, badging, access control, and incident management systems. Certifiable ‘trust’ can only be achieved through integrated systems that privately share individuals’ critical identity, compliance, and performance data. Validating an individual’s personal identity does not necessarily mean that they belong in a particular location.

A ‘Trust Value Chain’ (see Figure 1 – Trust Value Chain), as utilized by RTTG’s Real-Time Verification technology, links certified ‘attributes’ to known (i.e. positively identified) individuals as they are:

• Vetted and determined to be ‘secure’;
• Trained and considered to be ‘safe’; and,
• Deemed ‘trustworthy’ through adherence to Standard Operating Guidelines (SOGs) over time.

Identify Trusted Resources and Manage Compliance

One Size Does Not Fit All Risk Profiles

The collection of various, certified attributes results in comprehensive identity profiles that help assure that all personnel continually comply with the most up-to-date safety and security requirements. Unfortunately, it is not a one-size-fits-all equation. This critical information may include, but is not limited to: identity data, background, employment affiliations, medical and fitness exams, professional accreditations, safety and other occupational training, public record alerts (including social media), and past performance and incident histories (see Figure 2 – Certifiable Personal Attributes).

Continually Monitor Role-Based Compliance with Relevant Regulatory and Ethical Requirements

Figure 2 – Certified Personal Attributes

Establishing unique definitions of trust for various roles and risk profiles is a critical first step in the successful deployment of safety and security best practices, policies and procedures. Specific, relevant criteria for on-going evaluation must be aligned with duty requirements of diverse job responsibilities and associated access rights.

This consideration of relevancy is critical in meeting the regulatory and ethical demands of personal privacy protection. Failure to consider the relevancy of various due-diligence and vetting initiatives can leave an organization exposed to right-to-work legal action. On the other hand, failure to address common-knowledge vulnerabilities, such as fraudulent employees or contractors, may result in accusations of negligent protection of the workforce and public at a given location. The ability to dynamically specify access requirements at a particular secured location, and actively measure individuals’ compliance with the defined criteria, delivers a purely efficient and effective method for finding a fair and defensible balance between policy demands and privacy rights.

Operational Quality Depends on Affordable Trust

How can we trust that compiled identity profiles accurately represent the integrity, compliance, and on-going performance of an individual? In order to ‘certify’ these critical data elements, we must create trustworthy processes for the assignment of authentic attributes to individuals’ profiles. State-of-the-art personnel assurance and compliance solutions enable risk managers to authorize independent, 3rd-party service providers of specific attributes (e.g. vetting, screening, fitness evaluations) as legitimate ‘Issuing Authorities’, thereby strictly limiting the assignability of unique certifications of individuals’ integrity. This flexible methodology allows local risk managers to dynamically control access requirements, instantly reacting to credible threats with deliberate tightening of access policies, and optimally controlling resource expenditures to meet budget requirements.

Substantial operational cost efficiencies can be gained by securely sharing critical intelligence among regional stakeholders, particularly when addressing the threat of contracted, transient workforces. The development of secure online portals and permission-based identity management systems enables otherwise disconnected risk managers to share the expense and operational benefits among many organizations (see Figure 3 – Critical Information Sharing), substantially lowering the per-capita cost of workforce vetting and intelligence programs. The NY-based Secure Worker Access Consortium (‘SWAC’) exemplifies the benefits of sharing critical identity and certification data among regional Authorities. A cooperative effort of Transportation Authorities, Labor Unions, and Contractors, SWAC streamlines and assures the quality of the enrollment, background screening, employment tracking, and public record monitoring of the entire community (over 35k active individuals). The common acceptance of certified personal compliance at all participating facilities eliminates substantial duplication of effort and cost.

Figure 3 – Critical Information Sharing

Finding Needles in Haystacks

Most often, traditional compliance solutions have limited operational visibility and effectiveness. Data collected in back-office silos may be confirmed upon issuance of access credentials, but rapidly goes stale as required certifications expire or become obsolete. Further, the on-going behavior of an individual is rarely considered after prerequisite vetting or training is completed. Optimally, this perishable data must be continuously refreshed and validated to assure on-going compliance with relevant safety and security requirements.

New technologies are emerging that help overcome these challenges. Active monitoring of public records now provides continuous validation that individuals effectively maintain their threat-free status after initial background screening is completed. Real-time video feeds from camera systems enable facial recognition technologies that continually search for known offenders, wanted individuals, and persons-of-interest identified by intelligence officers. These innovative features extract optimal value from the data compiled via cooperative efforts. Data analytics and exception reports help regional risk managers find the ‘needles’ rather than spend their time searching the entire haystack.
