Key management in 2018
November 2017, Access Control & Identity Management, Security Services & Risk Management
Key management ranges from sticking a few hooks on the wall to complex cabinets that track and manage the issuing and returning of keys. You wouldn’t think there were advanced technical solutions for keeping an eye on who has what key and when they took it, but in today’s high-crime society companies need to ensure they know who has access to corporate resources.
Hi-Tech Security Solutions asked three key management specialists for their insight into the key management market in South Africa and beyond, and asked what they will be coming up with in the near future. We approached:
• Lars Jensen from Morse Systems Africa.
• Steve Masingi from Zonke Monitoring Systems.
• Clint Willemse from Traka Africa.
Hi-Tech Security Solutions: What are the latest trends when it comes to using technology to manage keys in large organisations?
Willemse: Key and asset management control can and should also be applied to businesses of all sizes because of the measurable benefits of enhanced security, process control and convenience, as well as increased staff productivity, morale and accountability.
Intelligent systems allow administrators to manage users in real time with software that is accessible from almost any device that can run a browser, including phones, tablets and PCs.
Current trends in the market we see are:
• De-centralised ‘self serve’ key management cabinets to reduce downtime in the key vending/collection process, with centralised administration and reporting from a browser-based software application.
• Place keys local to where they are needed to increase efficiency and reduce risk of personnel carrying sensitive keys for longer than necessary. For example, for a corporate campus or university, smaller, distributed key cabinets in each facility building connected to the corporate network for centralised management.
• Curfew utilisation to ensure key sets are returned within a pre-determined period of time.
• Email notifications sent to holders and supervisors for keys not returned to the cabinet within the designated time-frame.
• Standard operating processes (SOP) in place for following up and holding individuals accountable. It is critical to have ‘teeth in your policies’ to hold users accountable for using the system properly. Policies must be defined upfront during the deployment planning process.
Jensen: Recent high profile and very damaging cyber attacks have once again focused attention on security infrastructure vulnerabilities. As part of the trend in addressing these issues, many organisations are also identifying possible exposure in the management of facility keys and are taking preventive measures against potential future issues. These may include a policy review to help ensure that keys are better managed and controlled, and implementing an electronic key control system to ensure compliance.
Key control and management systems are designed to secure keys in a tamper-proof cabinet and access to the cabinets and to individual keys are controlled at all times, with every key accounted for. Additional safety measures may include requiring multiple user authorisations at the removal and return of the most important keys, email or SMS alerts if valuable keys are not returned as scheduled, and integration with broader security systems to streamline processes and reduce the potential for human error.
Masingi: The key management system is cost-effective and easy-to-use and the software licence is, in most cases, included in the package. Most companies can easily integrate their existing access control software with the key management software and it provides reports that are easy to use. Large businesses with massive offices can control the access period and also track other valuable assets.
Hi-Tech Security Solutions: Do key management systems have their own management software that allows organisations to limit who can take which keys, as well as to alert the appropriate people if keys are missing or not returned? What about integration to other platforms?
Willemse: In recent years, software applications have moved on from a thick client to a thin client (browser-based). This simplifies installation and maintenance and makes the application accessible from any modern browser. A specific focus on information security is critical to ensure the application is not vulnerable to cyber attacks. It’s a very real problem and can have a devastating impact on a business and its employees.
Integration means many things to many people. To some, it can simply mean using the same credential for the key management system as used for access control, however, true integration means being able to leverage an existing security platform to grant/revoke access to keys in the same way you administer access to online openings. In addition, key management events/alarms are monitored from a common user interface at the SOC (security operations centre). Policy and procedure can be driven by denying exit from a sensitive facility (e.g. a data centre) if a key is not returned to the system, for example.
It’s also critical that integration must not be for integration sake (‘bells and whistles’), it must solve a real world problem, delivering efficiency, increasing safety while providing a measurable impact to the bottom line (a return on investment). Ultimately, the solution ties back to the overarching risk strategy for the business.
Jensen: Dedicated PC-based key management software allows management of all programming, authorisations, remote functions and reports for the key control system. Notifications and events can be automatically sent to authorised personnel and built-in schedulers can be programmed to automatically download all data.
Key control systems can usually be integrated with the existing networked physical security systems without costly upgrades or overhauls. Employees can be entered into the access control system, for example, with their credentials profile information, access group, etc. instantly transferred to other systems. The system can also pass data about transactions and alarms back to the access control system for greater integration.
Masingi: Yes, these systems can be integrated into general management platforms, such as access control or intrusion etc.
Hi-Tech Security Solutions: As electronic locks that don’t require keys become more popular, do key management vendors see this as a threat? Can key management be extended to other areas of security?
Willemse: The mechanical lock industry is reducing about 5% year-on-year. However, security managers are tasked with delivering a solution for many different types of openings. Most organisations either put online access control on an opening or do nothing at all and leave it to chance.
This is a major risk when typically only 10% of openings have online access control in a corporate facility. Key and asset management systems extend the reach of your current security platform to all other offline openings and assets, while ensuring they can be administered in the same way as online access control openings.
It is also highly cost-effective over other potential solutions, for example as another layer of a PSIM solution. In addition, a key and asset management system can extend the value of the security function to many other areas of the business to better account for not only keys, but any piece of equipment that needs to be managed, with full reporting visibility and operational transparency making decisions and KPI (key performance indicator) adherence much easier to manage.
Jensen: Today’s automated key management systems bear little, if any resemblance to key control systems of the past. The technology has evolved and kept pace with industry trends to offer unique time-saving and integration capabilities that help ensure increased security and operational efficiencies.
Recorded data from a key management system provides a wide range of business intelligence that can be analysed for identifying security vulnerabilities. Trends that could take weeks or months to detect manually can be seen almost instantly when relevant queries are programmed into the reporting software. This highly specific intelligence allows root causes of problems to be identified rather than symptoms, and enables management to enact countermeasures that will help prevent incidents before they occur.
Masingi: Yes. Electronic locks will always pose a threat as it eats into the existing and saturated key management market. Hence there is a need to improve the technology, but still maintain competitive prices.
Hi-Tech Security Solutions: What are the latest advances in key management that your company has made in terms of technology, integration and so forth?
Willemse: Traka continually invests in R&D to ensure the solutions provided are of real tangible value and address the needs of every customer regardless of the market sector they operate in. Every solution designed and developed provides value, useful presented data on which to make operational decisions, seamlessly integrated to third-party systems for added value. Ease-of-use and scalability from 1 to over 2000 systems are reasons why Traka solutions are in over 26 000 systems worldwide.
Other successful advances for Traka include:
• Integration with the leading access control OEMs like Lenel.
• Web services API/SDK to allow OEMs, system integrators and professional end-users to build custom integrations to the Traka Web platform.
• Enterprise scalability to accommodate thousands of key cabinets and/or asset lockers managed throughout large enterprises.
• Information security focus – penetration testing (to OWASP standard).
• Advanced data capture features through the touch screen at the point of key/asset remove and return – for improved compliance and auditing.
• Advanced RFID monitoring and charging of physical assets in intelligent asset lockers.
Jensen: Morse Watchmans has developed a range of key control and asset management products that continue to evolve along with our customers’ needs. Most recently, we introduced an RFID-based AssetWatcher System that uses non-contact wireless radio links to recognise and track tagged assets placed in or removed from lockers. It is compatible with multiple types of RFID tags and different types of assets, including electronics and metal objects, and offers three different modes of operation.
The latest version of our KeyWatcher Touch system allows multiple systems to be synced at once for faster and more efficient management. We’ve also added a desktop fingerprint reader and updated the database design to boost speed for storing and retrieving data. Our open architecture platform makes a variety of innovative integration solutions possible to meet demanding security needs.
Masingi: Zonke Monitoring Systems has introduced the tracking of movable assets (such as trucks). We have also introduced card systems which are also used in the mining industries.
For more information, contact:
Morse Systems Africa, +27 (0)11 326 1450, firstname.lastname@example.org, www.keywatcher.co.za
Traka Africa, +27 (0)11 761 5000, email@example.com, www.traka.co.za
Zonke Monitoring Systems, +27 (0)11 880 1000, firstname.lastname@example.org, www.zonkems.co.za