Guest may be a vendor or an auditor or a repetitive visiting personnel, who is not an employee of the organisation needs to be given similar level of attention. Though IT professionals find it really difficult in terming exclusive access control which an organisation might want to define for them and what kind of security controls needs to be implemented for them.
Designing an effective access management for the corporate visitors needs to be going through an effective brainstroming session and excessive planning, which will again would call for understanding what we have and what we want to implement, in order to derive at the goal. In every sense, we have to decide how much flexibility and stringancy needs to be implemented for a visitor.
There are different approach to tackle this problem, but the main mantra for this is to have utmost accountability placed in the system so that any loopholes can be patched before it turns out to be a threat to the organisation. The intend should be to understand how much access and reveleation needs to be given. Effectively, lets simplify this cumbersome process by identifying certain important parameters
1. who will connect? and
2. what will connect?
now lets design an accoutability architecture
Like the questions asked above there are certain basic things, which needs to be thought and noted. In general, when a access is made, first a machine initiates a connection. A machine can be a laptop or a mobile device like cell phones. But in every case, an device based authentication is initiated over a network protocol like TCP and hence we have to first, authenticate and authorise the same on the trustworthiness of the device which is connecting to the network and for the same, and layer 2 accountability is important, which will be on ARP and MAC address.
Second thing would be, who is connecting ? In normal instances, we generally look into the user profiles, which only involves the rights given to a specific user but here this is not important here. visitiors are never given a pro-active right and hence it is very important to have to have a seperate authentcator than what an internal employee would have an hence an local authentication mechanism would be ideal in this case.
if we try to combine the both the above cases, then a unique technology is evolved, which everyone knows as "Network Access Control (NAC)", which is an unique combination of device based and user based authentication mechanisms, which gives a solid ground to provide maximum accountability of the incoming access request.
Hence, it is very important that we think on the both cost and comfort in management where cost is an important component to think and decide on right solutions and technologies which fits the best in your organisation.