Seasonal workers could be a security challenge


Retail environments take on a decidedly different feel during the holiday shopping season: crowds of customers, truckloads of seasonal merchandise and scores of new faces, many of whom are interim workers hired to see companies through the busy holiday season.

Lending assistance during the feverish weeks from early November through the beginning of the new year, holiday workers provide an essential service but also present significant challenges for human resources and security. Long after they depart, valid login information or other sensitive material may remain in their possession.

Integration eases access

Retail associates — even seasonal workers — increasingly use a variety of online apps to perform their jobs.

Tools such as Vend, used for mobile point-of-sale via an iPad, and Scanner by Vend for inventory processing, plus Microsoft Outlook, LinkedIn, Twitter and Facebook for engaging with customers, can have widely divergent log-in and internal security protocols.

Temporary employees are also stationed across various departments both on the sales floor and in the back of the house, requiring measures to restrict their access only to apps and systems for which they are authorized.

Companies must implement an effective identity- and access-management program throughout the organization to centralize and automate onboarding and offboarding tasks in real time.

This huge wave of interim workers in areas governed by different computer systems may result in inadequate onboarding and offboarding provisions. Companies must implement an effective identity- and access-management program throughout the organization to centralize and automate these tasks in real time. Gartner Research calls such a program “the security discipline that enables the right individuals to access the right resources at the right times for the right reasons.”

Although many stores still use divergent systems, technological progress in recent years has enabled the integration of programs and apps relevant to many companies’ operations, several of which operate via the Internet.

For example, the point of sale may be linked to enterprise resource planning via an online link; updates to POS software can be done online; even devices limiting physical access (such as key-card readers that lock and unlock doors) are controlled from elsewhere via an Internet connection.

“The name of the game is integration,” says Alvaro Hoyos, chief information security officer for identity access management software provider OneLogin. “Systems should be integrated as much as possible. When they are, management will have an easier time provisioning users.”

OneLogin’s program helps retailers centralize control over various disparate systems, he says, and give approved users access to each system.

Eliminating separate logins

This new level of capability represents a significant advance and capitalizes on the increasing level of sophistication of other technologies. But despite this level of sophistication, challenges can arise. “Not everything will work flawlessly right out of the box since some web-based applications don’t lend themselves to integration,” Hoyos says. “That’s where we come in.”

OneLogin’s foundation is its Single Sign On portal. When hired, employees are given one set of login credentials that engage the system’s role-based mapping and provide the employee immediate access to all internal systems and online apps they are authorized to use. The system eliminates the need to perform separate logins for individual apps.

The intricacy of Single Sign On can be tailored to each employee’s level of authorization. For higher-level employees, access to especially sensitive data is controlled through multifactor authentication. This requires the use of both a password and a security code obtained through a text message. Multifactor authentication can also be used on the sales floor to require greater security for certain employees, such as those empowered to process returns and issue credits.

OneLogin’s Cloud Directory, an optional add-on, serves as a gatekeeper that backs up Single Sign On. Cloud Directory is an intuitive web-based interface that allows companies to manage users, their manager relationship, authentication policies and access control. Put simply, it’s a real-time master directory of all employees in the organization that resides in the cloud.

The benefits of centralized control include reduced possibility for error, less administrative work and the advantage of real-time implementation.

When a new employee is hired, their identifying information is entered and credentials assigned. Using Microsoft Active Directory as its data source, OneLogin inputs the information in customized fields. The data are instantly synced with all systems and apps, regardless of physical location.

The employee then has full use of the tools and applications necessary to perform their job. When offboarding (or “deprovisioning”) occurs, a few simple keystrokes will terminate the employee’s access to those programs and apps, rendering their passwords invalid.

Real-time implementation

OneLogin is compatible with directory services other than Active Directory, such as HRS, UltiPro or Bamboo. By pulling Active Directory attributes into OneLogin as custom fields, it can provide mappings to capture that business logic to automate the process of assigning users to the downstream applications.

The benefits of centralized control include reduced possibility for error, less administrative work and the advantage of real-time implementation. When a change is made in Active Directory, all downstream changes occur in seconds, offering what the company calls “an effective kill switch to help minimize exposure.”

Offboarding temporary associates also can be set up in advance so that when a predetermined date arrives, the given employee’s sign-on credentials will automatically become inactive.

OneLogin offers several other optional modules that can enhance the performance of the core product. These include Mobile Identity and Access Management, which enables employees to access web-based apps on tablets or smartphones. An additional module uses machine learning to weigh several factors in deciding if a user should be required to go through multifactor authentication. These include variables like devices, time and geography, which are used to build a user profile and score the risks.

OneLogin Desktop, or Unified Endpoint Management, allows a laptop or desktop computer to be linked to the Cloud Directory and set up a secure profile. By working from the profile, the authorized user can access web and desktop apps without having to re-enter login credentials.

While OneLogin can be used in operations of any size, it’s especially valuable in a larger company. The ability to seamlessly control who can do what, anywhere in the organization, offers a whole new level of control.

Detroit-based Paul Vachon writes for various trade publications in addition to feature stories for consumer magazines and books on Michigan history and travel.


Comments are closed.