We here at Virtual Badge are obvious vocal proponents of technological innovation. The continuing emergence of new technologies (and their ramifications) can be captivating for those of us who forecast change and seek out continual improvement. The business, media, governance, and nonprofit worlds are always buzzing with talk about innovation. In many ways, it is the dominant spirit of our age.
It’s not simply technology itself that our team appreciates. It’s good design. It’s crafting intelligent systems that guide people and processes into the right outcomes. It’s architecture and structure that bring about results and behaviors with minimal effort.
We’re believers in the tech-design-system whole, and we’ll continue to create unique systems for the market. But we don’t pretend that technology is the only part of a successful equation. When we provide an identity management software solution to a user, we want them to know that any successful system requires knowledgeable, committed operators. Just as a train requires a conductor, crew, and schedulers to ensure that the machinery is put to optimal use, so digital ID systems need reliable users, protocols, and cultures to be maximally effective.
Let’s call this user fitness.
There’s been a rising consensus over the past few years that user fitness is an essential component of successful tech implementations. While its been laid out for other technologies, we want to bring light on the importance of user fitness for digital ID badges and identity access management.
Implementation as a unified front
When first implementing an identity and access management system, managers must take stock of the current state of the workforce and its projects. Is there time and energy for a proper implementation? Do the manager and his or her teams have the mental and workload bandwidth to implement a new identity management process, or will the implementation be rushed and cursory? While it may seem obvious to some, everyone must understand that some time and energy must exist (or be made) for identity and access management solutions to be laid in place.
Decision makers, buyers, innovation directors, managers, and other stakeholders should have goals and expectations aligned for the new system. The main decision makers in the purchase must communicate effectively with managers who are implementing a digital ID badge system. Some areas of alignment might include:
- Is the buyer aware of workforce’s current workload and the capacity for installing new solutions?
- Do the implementation officers understand why the solution and its effects are important to the decision makers, and to the operation as a whole?
- Are decision makers open to trusting the vision of innovation directors, and do the latter respect the former’s concern for cost-effective solutions?
A company culture of misalignment and miscommunication is just as defeating as old solutions and defunct tech. If the various players have “siloed” themselves through poor communication, the organization will have trouble implementing an identity management system as a unified front. The new project will proceed in fits and starts, reflecting the disorganized priorities of its participants. Control over identity may become weak, and holes in access management can form.
Speaking of company culture, change management must ensure the creation of a support system for the new identity management solution. This means fostering a culture of proper identity security protocols, and ensuring that all operators will be correctly trained in the use of digital ID badges. Stake-holders, managers and employees need to understand the full implications of identity verification security, both to the individual and to the company as a whole.
Some basic points of education for digital ID use may include, but not be limited to:
- The need for workers to bring their assigned smart device with them to the job site.
- The need for managers or guards access point scan, or spot scan, digital ID badges.
- The need for system administrators to verify that all identity requirements are fulfilled before approving ID badges.
- The futility of coworkers swapping identities with each other.
- The understanding that identity and access will be remotely revoked should certain requirements fail to be kept.
The company culture must also include awareness of the security risks and vulnerabilities that the organization faces. Primary threats that are particular to the organization’s identity management security must be communicated to all employees, so that they can be identified and defeated by the entire workforce.
Proactive tools for proactive administrators
Beyond culture, education, and training, there is a suite of techniques that can enhance an organization’s overall success with digital ID badges.
Management may create incentives and disincentives for the correct use of the identity and access management system. Rewards can be offered if certain monthly IAM metrics are met. Penalties for circumventing or neglecting security policies, or not using the assigned employee ID, can also be put in place. Mobile workforces are especially important to manage correctly, as their distance from the core or center of the operation can cause them to have lax attitudes toward company policies. In order to ensure compliance for the mobile workforce, specific metric goal requirements- involving scans, location tracking, or form submittals- are advised.
Managers should have contingency plans in the event that employees or users lose their devices. At the least, management should ensure that employee IDs are deactivated from the specific worker until another secure device can be obtained. If the company has issued its own smart devices, remote data wipes can be performed on the lost asset.
While personnel may be recognizable by face in smaller organizations, large organizations or geographically distributed workforces run into anonymity problems. For the large or spread out workforce, random mobile identity checks are advised. Although access control points are always important, random identity checks are a backstop in the event that those access points were bypassed. Security redundancies are important with even the tightest of access control management; the real world has outliers, and access breach anomalies and rare occurrences should not be treated as impossible or theoretical. Simple random and mobile scans of digital ID badges can add an entire extra layer of identity security with little cost in time.
Personnel in charge of access control checkpoints should, in addition to performing QR scans or facial recognition scans, personally verify the match between the user and the ID badge. At this stage of technology, facial recognition scans are still capable of (rare) false positives. And once again, identity check redundancies are always correct procedure.
If the project is segmented into various roles or spatial zones, digital ID’s and access privilege should be divided up according to role (clearance level) and assigned location. With checkpoint personnel correctly incentivized into following access procedure, employees and others will not be end up in unassigned areas or zones due to negligence, ignorance or personal favors. Digital ID badges clearance can be easily assigned, and reassigned, by trusted administrators in the backend should the need for flexibility arise.
Parsing through user behavior analytics can help administrators shed light on ongoing security issues, or even potentially anticipate incidents before they occur. Clock-in rates per user, logs of who has accessed what areas, time spent in areas (including sensitive areas), work submittal statistics, and other analytic measures in the backend can support administrators in isolating variables and potential problem actors. If geofencing and location tracking are enabled, the ability to isolate activity by user becomes incredibly granular. Indices of key variables can be set to automatically flag administrators if important thresholds are crossed (e.g. the system alerts administrators when a location has been accessed by a badge holder with no clearance to be there). In this manner, managers can passively and proactively monitor unusual action. Finally, the activity of potential problem employees, those whose risk level has been elevated (there is an indication that they are acting erratically or are anticipating quitting, for example), can be actively tracked.
We began this post by saying that we encourage user fitness in operating digital ID systems. But just as each digital ID is part of a complete IAM system, so the user is more than just individual people. The user scales up to the team, the workforce, management, leadership, and to the company as a whole. As the organization combines all of its teams to become one superorganism, it must have the fitness at the macro-scale to operate its identity and access management systems well.
Planning for implementation, alignment and communication amongst senior members, effective training in system use and protocols, education in company security issues, and fostering a culture to support the new solution are all excellent ways to ensure the success of the digital ID and IAM systems. Some examples of specific tools that can further enhance effectiveness include: incentives and disincentives for personnel, contingency plans for lost badges, identity check protocols, separation of users by clearance, employing user behavior analytics, and creating automatic flagging for suspicious behavior.
If change management and leadership can remember that a technology is as good as the people operating it, they can set the right tone for implementation and lay in place a bulletproof identity and access management system. The Virtual Badge team is always standing by to advise companies on implementation best practices, and to help set them up for digital ID successes.