October 3, 2019 By George Platsis 4 min read

Where does digital security end and tangible, or physical, security begin? In today’s cybersecurity ecosystem, I’d argue that it’s all just security. In fact, if you are handling these domains in discrete silos, your cyber resilience is already taking a hit.

If your identity and access management (IAM) and physical security initiatives are not working as one, your organization may be suffering from unnecessary grief — and increasing risk.

When Physical and Digital Security Became One

Pinpointing exactly when these two previously discrete functions became one is up for discussion, and some may not even agree that they have become one at all. Regardless, it will be hard to envision them as discrete issues for much longer, particularly as the industry pushes the digital transformation envelope.

At the most basic level, IAM is a username/password credentialing system that gives one layer of authentication. Best practices say to have some second or multifactor authentication (MFA) procedure as part of the process. But this is a more basic question: Even if you’re using MFA, ask yourself, with today’s deceptions, has an identity truly been authenticated?

Not exactly, because in the scenario described, we are only authenticating credentials, not identity. Similar to physical identity and access management (PIAM), which unifies your physical and IT security systems, there is something called dynamic identity management, a next-gen solution gaining some support from major industry players that makes an effort to address the identity issue.

To best explain dynamic identity management, think of a mishmash of facial recognition, internet of things (IoT) sensors and monitors, and risk profiling. You walk into your workplace, a facial recognition system verifies your identity and, based on the risk profile assigned to you, you are allowed access to certain areas, both physical and digital, of the enterprise’s assets.

This certainly sounds like a combined solution that addresses both IAM issues and physical security challenges. From a security perspective, this approach looks fantastic.

But it’s also a brewing privacy nightmare.

Where Security Meets Privacy at the Workplace

Employers and employees generally expect some oversight and monitoring of behavior to occur in the workplace. But when the combination of identity and access management and physical security turns into a form of continuous monitoring that captures what time you get up from your desk and which bathroom in the office you’re using, it’s only a matter of time before privacy is violated.

Furthermore, if the security restrictions become too strict, you end up impacting workflow. Can you imagine what hospital operations would look like in the ER if a doctor or nurse were slowed down due to some IoT sensor failing?

With all the new technological innovations happening right now, it’s a short hop, skip and jump from robust security to behavior control in the workplace — something that, paradoxically, can kill the innovation of organizations. Building out your combined solution will always go back to your risk tolerance. The IBM Institute for Business Value (IBV)’s executive report, “Digital Transformation: Creating New Business Models Where Digital Meets Physical,” captures the essence of this security challenge: “The challenge for business is how fast and how far to go on the path to digital transformation.”

Put differently, before an enterprise makes a decision about which digital transformation path it will take, it should have a relatively good sense of what its security posture should look like post-transformation. Not defining the expected end state can create a huge blind spot that will not only impact security posture, but will also impact business operations as a whole. What’s more, you need to ensure your transformation is trusted by your users, otherwise you’re increasing the likelihood of legal challenges and ethical dilemmas coming toward your enterprise.

Don’t Be Afraid of Low Tech

For the reasons outlined above, there’s a case to be made for some more “archaic” solutions. These include sound human intelligence, situational awareness, and good old-fashioned holistic assessments and education campaigns. For all the gadgetry you integrate into your enterprise, at least in 2019, there is no replacing the gut instinct and human innovation. After all, it is human innovation — albeit sometimes with technical assistance — that circumvents security measures.

The “human touch” needs to be a critical part of identity and access management and physical security systems. The human is where these two issues meet, and trying to move all human security interaction to something more passive will ultimately raise your risk profile, not lower it.

Which is better positioned to see if something is amiss: an IoT sensor, or an employee who knows Johnny shouldn’t be in that part of the building? These are the small vulnerabilities we need to be sensitive to, because for all the wonder and benefit that things like artificial intelligence bring to cybersecurity, we still want to ensure that we are using this great technology as a tool and not a crutch.

Looking further into the future, as you consider which digital transformation strategy will best meet your security needs, remember that there is a technological wildcard waiting to play in the big leagues: quantum computing. Quantum computing has the capability to obliterate credentialing systems as we know them today. We’re not dealing with apples-to-oranges comparisons here — it’s more like apples to locomotives. When quantum computing takes hold, we will not be talking about digital transformation anymore, but instead, quantum transformation.

Key Digital Transformation Takeaways

Because there is so much going on in this space today, it’s worth summarizing some key takeaways.

First, identity and access management and physical security tasks need to be dealt with as one joint task, not two separate ones. Treating them as separate may be a sign that your teams are not aligned internally.

Second, next-gen identity and access management systems, such as those that integrate biometrics and IoT sensors, have incredible potential, but also come with intangible concerns, such as privacy issues. These issues need to be addressed concurrently as part of any digital transformation effort.

Third, before any digital transformation undertaking, make sure you know what the end state is supposed to look like. Not only might you be building more risk and fragility into your system than you bargained for, but new technologies on the horizon may completely alter the expected return on your investment.

Lastly, don’t overlook the human component when facing the digital/physical security challenge. Humans are the glue that connect these two realms — and a critical part of successful digital transformation.

More from Identity & Access

Another category? Why we need ITDR

5 min read - Technologists are understandably suffering from category fatigue. This fatigue can be more pronounced within security than in any other sub-sector of IT. Do the use cases and risks of today warrant identity threat detection and response (ITDR)? To address this question, we work backwards from the vulnerabilities, threats, misconfigurations and attacks that IDTR specializes in providing visibility into. As identity threat detection and response (ITDR) technology evolves, one of the most common queries we get is: “Why do we need…

Access control is going mobile — Is this the way forward?

2 min read - Last year, the highest volume of cyberattacks (30%) started in the same way: a cyber criminal using valid credentials to gain access. Even more concerning, the X-Force Threat Intelligence Index 2024 found that this method of attack increased by 71% from 2022. Researchers also discovered a 266% increase in infostealers to obtain credentials to use in an attack. Family members of privileged users are also sometimes victims.“These shifts suggest that threat actors have revalued credentials as a reliable and preferred…

Passwords, passkeys and familiarity bias

5 min read - As passkey (passwordless authentication) adoption proceeds, misconceptions abound. There appears to be a widespread impression that passkeys may be more convenient and less secure than passwords. The reality is that they are both more secure and more convenient — possibly a first in cybersecurity.Most of us could be forgiven for not realizing passwordless authentication is more secure than passwords. Thinking back to the first couple of use cases I was exposed to — a phone operating system (OS) and a…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today