Integrating Security Badges

Business problem

Security badges are used throughout the enterprise as ID badges and for door access. Like a system account, each badge should carry only the rights the worker actually needs and should be canceled as soon as the worker is terminated. The badge system should therefore be managed by the same process used to manage system users and accounts.
Overcoming resistance

When the security badge system was first installed, the security department felt strongly that it should be isolated from all other systems to ensure maximum security. None of the computers, server or workstations, were added to the corporate domain, and IT had no role in maintaining the system. The server was placed in the security office instead of the data center.

This isolation had some serious liabilities, which in the end posed greater risks for the organization than any theoretical risk from integrating the system into normal IT workflows.
- Insecure server: the server was being used as a workstation by security officers, who logged in locally with the administrator account.
- No patching: the server and workstations were not included in the normal Windows update process.
- Poor hardware support: the security hardware fell into a sort of "no-man's land" because IT didn't support it.
- No database maintenance: the database had no adequate maintenance plan, and data was lost for lack of proper backups.
- No source of worker data: security had no reliable source of data about new workers, changes in worker roles, or terminated workers.
- Manual, labor-intensive badge process: for every badge made, all the information about the worker was typed into the system by hand and was not validated against any "master" source of employee data.
After a couple of years of observing the new IT team in action, the security department felt confident enough to let us connect them with the world and automate their process in a fairly radical way.
Pushing data

Now that we had solid data about all workers (Who Works Here?), we felt confident taking over the updating of the security badge system database. This would have several advantages:

- eliminating the time security spent inputting worker information;
- immediate status updates and inactivation of badges for terminated workers;
- accurate, consistent spelling of names, titles and departments;
- elimination of duplicate badges except where specifically authorized; and
- identification of workers who lack a badge.
We developed an automated process to directly update the security badge database by:

- adding new workers;
- updating titles and departments for current workers; and
- changing status and inactivating badges for terminated workers.
Now, when making a badge, security staff

- verify identity with either a photo ID or a printed copy of the badge request provided by the worker's supervisor,
- select the worker from the list in the badge system, and
- take the photo.

Access rights for the badge have already been defined and approved through our Security Badge Request application. If no approved badge request exists, no badge is made. It couldn't be simpler.
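As an added example, and not the post's own code or any badge vendor's software, the following Python script shows the shape of the automated update described under "Pushing data" together with the approval check applied when a badge is made. One pass of sync_cardholders adds cardholders for new workers, overwrites names, titles and departments from the master data, inactivates terminated workers and every badge they hold, and two reports list unauthorized duplicate badges and active workers who still lack one; issue_badge then refuses to make a badge unless the worker is an active cardholder with an approved request, and refuses a second badge unless the request specifically authorizes a duplicate. The tables (workers, cardholders, badges, badge_requests), their columns and the sample rows are assumptions, and SQLite stands in for the SQL Server database.

```python
"""Pushing master worker data into a badge system and gating badge issuance.

Added example; not the post's code and not any badge vendor's schema. The
tables, columns and sample rows are assumptions standing in for the master
worker feed, the badge database and the Security Badge Request application.
"""
import sqlite3

SCHEMA = """
CREATE TABLE workers (worker_id INTEGER PRIMARY KEY, name TEXT, title TEXT,
    department TEXT, status TEXT CHECK (status IN ('active', 'terminated')));
CREATE TABLE cardholders (worker_id INTEGER PRIMARY KEY, name TEXT, title TEXT,
    department TEXT, active INTEGER NOT NULL DEFAULT 1);
CREATE TABLE badges (badge_id INTEGER PRIMARY KEY AUTOINCREMENT,
    worker_id INTEGER NOT NULL, access_level TEXT NOT NULL,
    active INTEGER NOT NULL DEFAULT 1);
CREATE TABLE badge_requests (worker_id INTEGER NOT NULL, access_level TEXT NOT NULL,
    approved INTEGER NOT NULL, allow_duplicate INTEGER NOT NULL DEFAULT 0);
"""
# Fixed subquery text (no user input), so building it into the statements is safe.
TERMINATED = "(SELECT worker_id FROM workers WHERE status = 'terminated')"


def open_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def sync_cardholders(con):
    """One pass of the automated update; returns how many rows each step changed."""
    cur = con.cursor()
    # 1. Terminated workers: inactivate their badges, then their cardholder record.
    cur.execute(f"UPDATE badges SET active = 0 WHERE active = 1 AND worker_id IN {TERMINATED}")
    badges_off = cur.rowcount
    cur.execute(f"UPDATE cardholders SET active = 0 WHERE active = 1 AND worker_id IN {TERMINATED}")
    holders_off = cur.rowcount
    # 2. Current workers: overwrite name/title/department with the master spelling.
    cur.execute("""UPDATE cardholders SET
          name = (SELECT name FROM workers w WHERE w.worker_id = cardholders.worker_id),
          title = (SELECT title FROM workers w WHERE w.worker_id = cardholders.worker_id),
          department = (SELECT department FROM workers w WHERE w.worker_id = cardholders.worker_id)
        WHERE EXISTS (SELECT 1 FROM workers w WHERE w.worker_id = cardholders.worker_id
          AND w.status = 'active' AND (w.name <> cardholders.name
          OR w.title <> cardholders.title OR w.department <> cardholders.department))""")
    updated = cur.rowcount
    # 3. New workers: add a cardholder so security can pick them from the list.
    cur.execute("""INSERT INTO cardholders (worker_id, name, title, department)
        SELECT worker_id, name, title, department FROM workers WHERE status = 'active'
          AND worker_id NOT IN (SELECT worker_id FROM cardholders)""")
    added = cur.rowcount
    con.commit()
    return {"added": added, "updated": updated, "inactivated": holders_off,
            "badges_inactivated": badges_off}


def workers_without_badge(con):
    """Active cardholders holding no active badge (the 'who lacks a badge' report)."""
    return [r[0] for r in con.execute("""SELECT worker_id FROM cardholders c WHERE active = 1
        AND NOT EXISTS (SELECT 1 FROM badges b WHERE b.worker_id = c.worker_id AND b.active = 1)
        ORDER BY worker_id""")]


def unauthorized_duplicates(con):
    """Workers with more than one active badge and no approved duplicate request."""
    return [r[0] for r in con.execute("""SELECT worker_id FROM badges WHERE active = 1
        GROUP BY worker_id HAVING COUNT(*) > 1 AND worker_id NOT IN
        (SELECT worker_id FROM badge_requests WHERE approved = 1 AND allow_duplicate = 1)
        ORDER BY worker_id""")]


def issue_badge(con, worker_id):
    """Make a badge only for an active cardholder with an approved request."""
    holder = con.execute("SELECT active FROM cardholders WHERE worker_id = ?",
                         (worker_id,)).fetchone()
    if not holder or not holder[0]:
        raise PermissionError(f"worker {worker_id} is not an active cardholder")
    req = con.execute("""SELECT access_level, allow_duplicate FROM badge_requests
                         WHERE worker_id = ? AND approved = 1""", (worker_id,)).fetchone()
    if req is None:
        raise PermissionError(f"no approved badge request for worker {worker_id}")
    held = con.execute("SELECT COUNT(*) FROM badges WHERE worker_id = ? AND active = 1",
                       (worker_id,)).fetchone()[0]
    if held and not req[1]:  # a second badge needs an explicitly authorized duplicate
        raise PermissionError(f"worker {worker_id} already holds an active badge")
    cur = con.execute("INSERT INTO badges (worker_id, access_level) VALUES (?, ?)",
                      (worker_id, req[0]))
    con.commit()
    return cur.lastrowid


def demo():
    """Constructed sample data: a new hire, a misspelled name and a termination."""
    con = open_db()
    con.executemany("INSERT INTO workers VALUES (?,?,?,?,?)", [
        (1, "Ann Lee", "Nurse", "ICU", "active"),
        (2, "Bob Roy", "Clerk", "Records", "active"),
        (3, "Cy Ng", "Analyst", "IT", "terminated")])
    # Badge system as security left it: Bob's name mistyped, Cy still active.
    con.executemany("INSERT INTO cardholders VALUES (?,?,?,?,?)",
                    [(2, "Bob Roi", "Clerk", "Records", 1), (3, "Cy Ng", "Analyst", "IT", 1)])
    con.executemany("INSERT INTO badges (worker_id, access_level) VALUES (?,?)",
                    [(2, "general"), (3, "server room")])
    con.execute("INSERT INTO badge_requests VALUES (1, 'clinical', 1, 0)")
    return con, sync_cardholders(con)


if __name__ == "__main__":
    con, changes = demo()
    print(changes, "no badge:", workers_without_badge(con))
    print("issued badge", issue_badge(con, 1), "dupes:", unauthorized_duplicates(con))
```

The order of the three steps matters: terminations are applied first so that a worker who was terminated and re-hired under a new worker_id never inherits the old record, and the master feed is the only writer of name, title and department, which is what makes the spelling consistent across the two systems.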
Securing security

The server and related workstations were upgraded as necessary and added to the domain. This ensured that

- desktops are locked down,
- enterprise security policies are enforced, and
- desktops are included in routine, enterprise desktop patching.

In addition, our SQL Server database administrator set up a maintenance plan for the production databases and ensured that everything was routinely backed up.
Securing the server

Until fairly recently, it was impractical to move the security badge server to the data center because several remote, analog controllers were hardwired to the server. Now, digital controllers allow connections to a server anywhere on the network. We are in the process of moving the security badge server to a virtual machine on the blade frame in the data center, providing the appropriate level of security and reliability for a critical system.
Lessons learned

- Reliable, current data about the workforce enables an organization to better manage everything related to that workforce.
- It's always worth the time and effort required to build trust between other departments and IT.
- No critical system, such as security badges, should ever be allowed to exist in isolation without proper support and management.
Posted 20 March 2008