Executive Brief · Security Operations

Identity Bridge

A proposed middleware platform that unifies physical access control (LenelS2 OnGuard) with digital identity (Active Directory / SSO) — enabling real-time identity resolution, automated occupancy reporting, and cross-correlation anomaly detection across all locations.

Prepared by: Angelo Vasquez — Consultant, Systems Engineer
Target platform: LenelS2 OnGuard 8.3 · Active Directory · Microsoft 365
Status: Concept prototype — pending OnGuard 8.3 upgrade
The Problem

Two identity systems. Zero connection.

Every day, SOC analysts receive alerts containing only a username — jsmith — and must manually cross-reference badge systems, HR directories, and AD to answer one basic question: who is this person, and where are they right now?

Simultaneously, the security team spends significant time each week manually exporting badge data into Microsoft Access and Tableau to produce occupancy reports that go to HR and leadership. This process is entirely manual, error-prone, and produces data that is already days old by the time it is read.

  • ~20K: Synchrony employees across all locations
  • Multi: Office locations across the US with badge readers
  • Weekly: Manual reporting cycle currently run in Access + Tableau
  • Hours: Recovered annually by automating manual reporting tasks
Current state
Manual, siloed, reactive
SIEM alert fires with a username → analyst manually looks up OnGuard → cross-references AD → builds context by hand. Badge occupancy data extracted manually into Access → formatted in Tableau → emailed weekly. No real-time visibility. No anomaly detection across physical and digital systems.
With Identity Bridge
Automated, unified, real-time
Alert fires → full identity context delivered automatically in seconds. Occupancy report generated and emailed every Monday morning with zero analyst involvement. Anomalies detected the moment physical and digital events diverge — not days later in a quarterly review.
Capabilities

Six integrated capabilities

Each capability addresses a specific current pain point. They are designed to be deployed incrementally — value is delivered at every phase, not just at full deployment.

🔍
Identity Resolution
Resolve any SSO username, full name, or badge ID to a unified identity record in real time — pulling cardholder data from OnGuard and account data from AD in a single query.
→ Eliminates manual directory lookups during alert triage
SIEM Alert Enrichment
Every SIEM alert is automatically enriched with physical context before it reaches an analyst — last badge location, access tier, department, and a plain-language recommendation.
→ Reduces triage time per alert significantly
🚨
Anomaly Detection
Cross-correlates physical badge events with digital login events to surface impossible travel, off-hours access, active sessions with no physical presence, and badge/SSO time mismatches.
→ Flags credential misuse in real time vs quarterly review
📊
Automated Occupancy Reporting
Replaces the manual Microsoft Access + Tableau weekly process. Scheduled reports pull badge event data, aggregate by location and headcount, and deliver automatically via email and SharePoint/OneDrive drop.
→ Recovers significant team time spent on manual exports
🪪
Photo Compliance Enforcement
Nightly check of all cardholder records for missing profile photos. Flags incomplete records and alerts administrators before badge renewal — ensuring every cardholder is visually identifiable across all locations.
→ Closes identity verification gap at scale
🏢
Terminated Employee Detection
Monitors for active badge swipes from accounts that have been disabled in AD. The gap between IT offboarding and physical badge deactivation is a known risk — this closes it automatically.
→ Addresses a common audit finding in financial services
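The cross-correlation behind the Anomaly Detection and Terminated Employee Detection capabilities can be sketched as two rules over joined badge and login records. This is an added example, not code from the prototype: the record layouts, the badge-to-username map, the "onsite"/"vpn" source label and the 12-hour window are assumptions, and all sample data is constructed.

```python
from datetime import datetime, timedelta

# Constructed sample data; field names are hypothetical, not OnGuard or AD schema.
IDENTITY_MAP = {"10234": "jsmith", "10877": "mlee", "11902": "tpatel"}  # badge ID -> SSO username
AD_ENABLED = {"jsmith": True, "mlee": False, "tpatel": True}  # mlee disabled at offboarding
BADGE_EVENTS = [  # (timestamp, badge_id, location, access_granted)
    ("2024-03-04T08:02:00", "10234", "HQ-Lobby", True),
    ("2024-03-04T08:15:00", "10877", "HQ-Lobby", True),
    ("2024-03-04T08:20:00", "99999", "HQ-Lobby", False),  # unmapped badge, denied
]
LOGIN_EVENTS = [  # (timestamp, username, source); source is "onsite" or "vpn"
    ("2024-03-04T08:30:00", "jsmith", "onsite"),
    ("2024-03-04T09:10:00", "tpatel", "onsite"),
    ("2024-03-04T09:40:00", "tpatel", "vpn"),
]

def disabled_account_swipes(badge_events, identity_map, ad_enabled):
    """Granted swipes whose mapped AD account is disabled (the offboarding gap)."""
    hits = []
    for ts, badge, location, granted in badge_events:
        user = identity_map.get(badge)
        # Only an explicit False counts; an account missing from AD data is not flagged here.
        if granted and user is not None and ad_enabled.get(user) is False:
            hits.append({"rule": "disabled_account_swipe", "user": user,
                         "badge": badge, "location": location, "time": ts})
    return hits

def onsite_login_without_badge(login_events, badge_events, identity_map,
                               window=timedelta(hours=12)):
    """On-site logins with no granted swipe by the same person in the preceding window."""
    swipes = {}
    for ts, badge, _location, granted in badge_events:
        user = identity_map.get(badge)
        if granted and user:
            swipes.setdefault(user, []).append(datetime.fromisoformat(ts))
    hits = []
    for ts, user, source in login_events:
        if source != "onsite":
            continue  # remote sessions are expected to have no badge presence
        t = datetime.fromisoformat(ts)
        if not any(timedelta(0) <= t - s <= window for s in swipes.get(user, [])):
            hits.append({"rule": "session_without_presence", "user": user, "time": ts})
    return hits
```

Both rules depend on the identity map being complete: a badge with no mapped username is skipped rather than flagged, so unmapped badges need their own report.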
Architecture

How it works

Identity Bridge operates as a lightweight middleware layer. No modification to existing OnGuard or SIEM infrastructure is required. It reads from both systems via their existing APIs, resolves identity mappings, and surfaces enriched context to analysts and automated report destinations.

Data flow (architecture diagram):
  • OnGuard 8.3 (OpenAccess API): cardholder + events → Identity Bridge
  • Active Directory (LDAP / Azure AD): SSO + account data → Identity Bridge
  • Identity Bridge (middleware): enrichment engine, anomaly engine, report scheduler
  • Identity Bridge → SIEM / SOC: enriched alerts, real-time feed
  • Identity Bridge → SharePoint / Email: weekly reports, auto-delivered
Implementation

Phased rollout — value at every step

No big bang deployment. Each phase delivers measurable value independently and builds toward the full platform. The OnGuard 8.3 upgrade is the natural on-ramp for Phase 1.

Phase 0 — Prototype & Validation
Now · No API needed
Build the occupancy dashboard and report automation against a static CSV export of existing badge data. Prove the concept and the value of automation without requiring any API access or infrastructure change. Present findings to stakeholders to build the case for Phase 1.
CSV badge export · Occupancy dashboard · Automated report prototype · Stakeholder presentation
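The Phase 0 aggregation can be run directly against a CSV export. The sketch below is an added example, not the prototype's code: the column names (timestamp, badge_id, location, result), the site names and the rows are constructed assumptions, not the OnGuard export format. It counts unique badge holders per location per day, so repeat swipes and denied attempts do not inflate occupancy.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; column names are assumptions, not the OnGuard export format.
SAMPLE_CSV = """timestamp,badge_id,location,result
2024-03-04T08:02:00,10234,Site-A,granted
2024-03-04T12:41:00,10234,Site-A,granted
2024-03-04T08:15:00,10877,Site-A,granted
2024-03-04T08:20:00,11902,Site-A,denied
2024-03-04T09:05:00,11902,Site-B,granted
2024-03-05T08:11:00,10234,Site-A,granted
2024-03-05T09:30:00,11902,Site-B,granted
2024-03-05T09:45:00,12001,Site-B,granted
"""

def daily_headcount(csv_text):
    """Unique badge holders per (location, date); repeat and denied swipes do not count."""
    seen = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["result"].strip().lower() != "granted":
            continue
        day = row["timestamp"][:10]  # ISO 8601 date prefix
        seen[(row["location"].strip(), day)].add(row["badge_id"].strip())
    return {key: len(badges) for key, badges in seen.items()}

def weekly_summary(csv_text):
    """Per location: peak day, peak headcount, and average daily headcount."""
    per_location = defaultdict(dict)
    for (location, day), count in daily_headcount(csv_text).items():
        per_location[location][day] = count
    summary = {}
    for location, days in sorted(per_location.items()):
        peak_day = max(sorted(days), key=days.get)  # earliest day wins ties
        summary[location] = {
            "peak_day": peak_day,
            "peak_headcount": days[peak_day],
            "avg_daily_headcount": round(sum(days.values()) / len(days), 1),
        }
    return summary
```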
Phase 1 — Identity Resolution + Alert Enrichment
OnGuard 8.3 upgrade
Connect to OnGuard 8.3 OpenAccess REST API and Active Directory. Build the identity mapping layer and SIEM alert enrichment pipeline. SOC analysts get full physical context on every alert automatically. Requires OpenAccess API license as part of the upgrade contract.
OpenAccess API integration · AD/LDAP connector · Identity resolution engine · SIEM enrichment pipeline
Phase 2 — Automated Reporting + Photo Compliance
Post Phase 1
Replace the manual Access/Tableau weekly reports with a fully automated pipeline. Integrate Microsoft Graph API to deliver reports directly to SharePoint and email. Add nightly photo compliance checks across all cardholder records. Eliminates the manual reporting burden entirely.
Microsoft Graph API · SharePoint / OneDrive delivery · Scheduled report engine · Photo compliance alerts
Phase 3 — Anomaly Detection + Full Automation
Full platform
Deploy the cross-correlation anomaly engine — impossible travel, terminated employee detection, tailgating patterns, off-hours access. Real-time alerts pushed to Teams/Outlook. Full platform running continuously with zero manual intervention required from analysts for routine tasks.
Anomaly detection engine · Teams / Outlook alerts · Terminated employee detection · Tailgating pattern detection · Full automation
Business Case

Measurable return on investment

The efficiency gains are quantifiable before a single line of production code is written. These estimates are conservative and based on the operational context provided.

| Current manual process | Time cost (est.) | Identity Bridge outcome | Annual saving |
| --- | --- | --- | --- |
| Weekly Access + Tableau occupancy report | Several hrs/week of manual effort | Fully automated — zero manual time | 400–600 hrs/yr |
| Manual identity lookup per SIEM alert | 5–10 min per alert × 20+ alerts/day | Context delivered automatically with alert | 800+ hrs/yr |
| Terminated employee badge audit | Ad hoc, reactive, periodic | Continuous automated monitoring | Risk reduction |
| Photo compliance checks | Manual, inconsistent | Nightly automated scan of all cardholder records | Full compliance |
| 6-month badge history for HR review | Multi-day manual export process | On-demand query, results in seconds | Days → seconds |
Requirements

What is needed to proceed

Phase 0 can begin immediately with no dependencies. Phase 1 onward requires one key decision to be made during the OnGuard 8.3 upgrade negotiation.

Available now
  • Working interactive prototype
  • Documented architecture and implementation plan
  • CSV-based report automation (Phase 0)
  • Microsoft Graph API prototype
Key decision needed
  • OpenAccess API license included in OnGuard 8.3 upgrade contract
  • Read-only AD/LDAP service account for identity queries
  • Azure AD app registration for Microsoft Graph API access
  • Security and compliance review of data access scope