Visitors Have Identities Too (to manage, use & abuse)

I just got back from a trip to Europe, where I had the opportunity to visit a number of Oracle (including former Sun) IdM customers. During the trip I (quite unintentionally) got some insight into an area of enterprise identity management that I had not considered before – Identity Management for Visitors.

Over the last few years we have been talking a lot about how enterprise identity management deployments have started to expand beyond management of internal users (employees) to external users (partners, contractors, customers) as well. But in that conversation, I had never considered visitors – people who randomly, and often out of the blue, visit enterprise premises for meetings or to just pay someone an unexpected visit. Often (as I have grown accustomed to in the US), the process of getting inside the building takes the form of walking up to reception, telling them who you are meeting, having them call up to confirm that you should be allowed in, getting issued a visitor badge (usually a piece of paper with your name and the floor you are going to), and then getting let in through the security turnstile/gate by the security guard. Sometimes they will ask for ID to confirm that you are who you say you are before calling up to the person you are visiting.

But in Europe, security measures at some of the companies I was visiting are far stricter. And what I came across was a combination of Administrative User Registration with Just-In-Time Provisioning into a Physical Access Control System. Essentially I provided the security personnel at reception some identification (in some cases my passport, in others my US drivers license), observed them enter my details (more on that later!) into a user registration screen, and got provisioned a full-fledged security badge which I could use at the turnstiles to get into the building myself. I could use it inside the elevator to get to the floor I needed to (I didn’t try to get to the floor I wasn’t supposed to go to), and to enter certain rooms. When leaving the building, I had to use the badge at the turnstiles to get out of the building, and hand over the badge (in one case, to get back my drivers license which I had to leave with security as collateral).

Obviously the PAC Systems in place at these enterprises were capable of handling this kind of visitor management. But I wonder if these systems are integrated into the identity management systems of the enterprise at all. What kind of periodic review regarding who was being let into the building is taking place? And it seems quite susceptible to insider abuse. Moreover, the Day 1 type issues regarding time to set up exist at a micro level. The local Oracle teams were aware that this would need to happen, so we had to budget extra time to arrive early to get this done at each place, which with my tight schedule was a bit challenging. The good (and bad!) part was that the account teams that had been there already were already in the system and got their cards provisioned fairly quickly.

Seems like the whole system could be greatly improved by making it a part of a larger Enterprise IdM process. You could incorporate some self-service to have the person being visited pre-register their visitors into the system. This provides you not only audit, but also removes the time issue of data entry at the security desk (by folks who are quite frankly not terribly skilled at this). This would also enable some review processes and integration into monitoring systems. And enable enterprises to add some much needed de-provisioning to the process (see below).

Privacy Problems

With all this, one thing that stood out for me was the privacy issue. Europe is famous for having strong privacy protection (or at least strong privacy protection intentions). Yet my whole trip experience in Europe had me scratching my head a little bit. The amount of sensitive PII getting gathered about me – my name, address, passport/drivers license information, company I work for – at the hotels and office buildings is quite significant (some hotels even photocopy your passport). And there seems to be no mechanism in place to provide me any kind of privacy protection.

From seeing the visitor registration process for my colleagues it was clear that the information entered into the system is retained in case of any future visits, and there was no way for me to ask them to erase it as I left. When I asked if it is automatically removed after some time, all I got was a shrug. And since they didn’t take any contact information for me, they clearly have no way to notify me in case of a breach. Some (limited, I admit) research has not found me a single law/directive that governs how long hotels must keep my information, and how they must destroy it. We’ve heard of identity theft concerns due to PII data encoded into electronic hotel room keys, but not much about the data gathered during registration.

And the fact that these visitor IdM systems (for that is what these are) are not connected to enterprise IdM systems means that it is highly likely they are not being protected, audited, monitored or controlled with the same level of diligence that other systems holding just as sensitive information are. For all I know, all that information of mine is sitting in the clear – in a manila folder in the hotel manager’s office or unencrypted in a database table for the visitor module of the PACS system.

And, of course, there is no way to opt-out of providing this information, as the answer you get is that it is required by law. A little disconcerting to say the least. Does anyone have any insight into this (paging Mr. Robin Wilton)?