Welcome to the KuppingerCole Analyst Chat. I'm your host, my name is Matthias Reinwarth. I'm Analyst and Advisor with KuppingerCole Analysts. My guest today is again, one of the founders of KuppingerCole and the Principal Analyst, Martin Kuppinger. Hi Martin, good to have you.
Hi Matthias, pleasure to be back here and talk to you.
Great to have you. And in the first place, if you look at today's topic, it's a bit strange because we are looking at identity and access management and cybersecurity, but we want to talk about physical access control. So really getting into buildings, having access to a room. Can you explain why and how that is still an important component in this context, IAM and cybersecurity, when it comes to safeguarding infrastructure?
Yeah, so I think physical-logical convergence is not a new theme. That has been around for probably two decades almost, where we discussed how these things can converge. I think back in the age of smart cards, we have seen some approaches which looked at a combined approach. And at the end, we have a couple of layers. And even in the age of remote work, people go into buildings, people need to enter sensitive areas such as data centers or the offices of the board and others. So we need a protection. Basically there are three layers, which is the physical access, which is the logical access to the system, which is authentication, and which is authorization as the third layer. So we have three levels. And if we want to have a comprehensive control, we need to care about all three of them. Plus, I think this is something which then is more looking at, if we do that right, what can we do beyond that? We also see that there's an increasing tendency. So in, so to speak, logical access, we are frequently using our smartphones as an authentication factor. But we also see the tendency in the physical access area to use the smartphone as a device that is used to provide you physical access, and not only that, but also to give you way more options like payment in the canteen when you're going for lunch. So there's a logic in looking at these topics from an integrated perspective, but there also are regulations.
Right, you've mentioned that. And regulations are currently also driving a development that integrates these three layers with each other. And I think one of the important regulations that is currently really looming behind many financial organizations is the Digital Operational Resilience Act, so DORA. And that has at least indirectly, or maybe even directly, an impact on the requirements for this physical security. So the question is how... which are the requirements and how can organizations tackle that?
Yeah, so DORA is the, so to speak, the 800-pound gorilla in the European room, at least, which adds this perspective. For Germany, it's interesting to see that already two years, already almost three years back, the BAIT as part of the MaRisk, so the German financial regulator, introduced the term of, in German it's "Zutritt", which means physical access, versus "Zugang" for logical access. It just added this nice word. So not much more, but instead of saying, okay, you need to care for, to have a proper governance in place for logical access and authorizations or entitlements and all that stuff, they just added physical access as well. And the same in DORA. So DORA looks at all three. That not necessarily means you need to have a single unified integrated solution, but it's in scope of the governance processes, of the things you do around governance. And you need to look at it. DORA also introduces a lot of other interesting aspects, very worth it to thoroughly read through that regulation when you're in the finance industry. But this is one of the elements. And sometimes a few words can have a huge impact. And in that case, it means you need, what you do in governance, you need a process for properly assigning entitlements for physical access. So at the end of the day, we talk about access request, access approval. We talk about recertification. So we have principles like least privilege that apply to this as well. And then the question is, how do you do that? So the one level is look at it from a governance perspective. So the more the second line of defense, where the policies etc. come from, and then the question is, how do you do it technically?
Right, and technically could mean that we integrate that into an overall administrative system. As you said, this is not necessarily required, but we as identity and access people, stemming from that area and extending towards cybersecurity, we would in the first place think of integrating that into the identity management systems. We're having entitlements, as you said, that make sure that you have access to a specific building, room, or even a device in an on-premises area. But that would then be assigned just like any other role that you can have, or as an attribute that is assigned to a person to make access decisions. Is this how we expect that to turn out? Or are there specialist enterprises that provide these access systems, and these are typically separate systems?
Yeah, so it's not easy, very clearly. So the gold standard for me as an identity management person clearly would be to say I have an IGA, an identity governance and administration solution, where I can go, or maybe I even go through my IT service catalog, and I say I need this. And then my IT service catalog and the IT service management goes to my IGA system, the IGA system provisions my logical access into various applications or works with the policy-based access solution, even better. And it also ensures that I have the right physical access entitlements on my badge, my phone, whatever is used. That would be the gold standard. On the other hand, as you've mentioned, there's an entire market of solutions that... in the physical access space. And basically, there are two layers again. The one layer is that really sort of builds the connection to the physical access readers like the gate, etc., or the room. That is the one layer. And the other layer is then the identity management layer on top of this. And there also are specifics. So there are clearly these processes of how do you assign the entitlements and then... the lower layer brings them onto the badge. But there's also, for instance, visitor management as a very specific requirement. So visitor management is nothing a typical IGA tool is built for, let's phrase it like that. So there are specific solutions. And on the other hand, many of these typical identity management solutions coming from physical access are not built that much from a governance aspect. So that is a bit of a challenge. So reporting is one thing, but recertification processes and sort of very well structured reconciliation, recertification, other types of governance processes are not necessarily in the DNA of the solution, so to speak. And that means you have probably a bit of a gap currently in the market you need to fill in. What you must not underestimate is...
Physical security usually is in a different organizational unit than IAM is. So sometimes both are part of what the CISO is in charge of. So several CISOs are in charge of physical security, others are not. IAM mostly is right now in the domain of the CISO, but you also may, will have, at least at the operational level, you will have different departments, different solutions in place, because you don't start greenfield with physical access. So it's something which needs to be analyzed very thoroughly for what can I do now, with DORA coming into effect on, I think, January 17th, 2025. So the clock is ticking. So what can you do now? And where should you be heading?
Right, and I think we just talked about a very narrow, although there are lots of organizations already involved, a very narrow area. So it would be EU, it would be finance, but this is only half of the truth. I think this physical access has been around for quite some while. If you look at ISO 27001, there is the demand for physical management, for the management of physical access, already in there. And from there, of course, it laps over to many other regulations and requirements that have arrived.
NIS2 and all the critical infrastructure regulations. Yes, exactly.
Right, right. NIS2 is coming up. TISAX is something that has been around for the automotive industry for quite a while, and it's also getting much, much more strict when it comes to its enforcement and to the requirements that you have. So it's not only the financial industry, but there is any critical infrastructure. Many of those now implement... under NIS2, which is a growing group of organizations, and a really growing group of organizations, and the automotive industry as an example as well. So this is something that not only finance needs to prepare for, so this will be a current topic for the future, right?
Yeah, I think it's time to rethink the way we look at physical and logical access and the convergence. So we see it in every industry, and I think in Germany alone, a number I just recently read is that, I think, 30,000 enterprises fall under NIS2, which is quite a considerable number. So we have a lot of enterprises across all industries, and yes, at the end of the day, it comes in directly, like in DORA, or indirectly into all the higher regulated organizations. So that's, I think simply said, yes, we need to look at it. We need to implement governance, and we need to look at the convergence and how to do it. We should do that. If we do it, we should do it right. Doing it right means we should not try to add a bit of governance on top of what I have in physical access. That might be the interim. Absolutely. It must not be even limited to how can I integrate the two worlds. It must go beyond, because, as I've mentioned at the beginning, also the way we provide physical access, the types of devices we use, et cetera, the sort of, like I've said, integrations, payments in canteens, et cetera, all these things come together. And we should think about what is the right way to do that for the future, to remain flexible as well, but also to move forward in an integrated manner. And yes, that is something we must do due to regulations, but also I believe because there are a lot of opportunities to do things better in a more modern manner.
I think it's a good story to tell. So if we look at the "Sicherheit" aspect of security, not the cybersecurity aspect that we currently, or that we usually think of, I think it's a good story to tell also to customers, to citizens, that there is a restriction of access. When you think of a pharmaceutical company, you don't want to have anybody in their plants. The same is true for the energy sector, and the same is true for the financial sector, that really the number of... people is only limited to those who need access, the least privilege principle. I think this is a good story to tell apart from cybersecurity.
Yeah, which is not new. So that is what is done. We need to be very clear on that fact. Organizations usually are relatively good at controlling physical access. What is new is the governance perspective, so adding a stronger governance layer for that, which then inevitably leads to the discussion about convergence again. But I think, yes, a lot of things to do, interesting things to do, and a new field, which is also, I have to admit, in parts relatively new to me. So in the past couple of months, I learned a lot about things I didn't dig into that deep so far, but it's a very interesting domain.
So convergence is - the summary for today - so really combining physical and logical access into one combined security concept. I think that is a good starting point, and it might have influences on security organizations. So I think that is an interesting point. Thank you very much, Martin, for being my guest today and for highlighting that really important topic, and to those who are subject to DORA.
Yeah.
There is something to do right now, if you have not yet implemented recertification for physical access.
Thank you, Matthias.
Thank you for being my guest today. Looking forward to having you soon.