Managing who, what and why
November 2018, This Week's Editor's Pick, Cyber Security

The access and identity market is no stranger to cybersecurity and all the implications of losing control over your physical and logical assets. However, in the past the physical side of this industry has been a laggard in protecting its customers and products from cyber risks.

This lack has become more of a problem over the past few years as we have seen physical access and time and attendance products using IP communications as well as being integrated with other business systems. Today, allowing strangers to access and control a physical access point can also give them a foot in the door of your organisation’s complete identity management system and, if not properly protected, other sensitive corporate systems.

It is therefore critical for physical security decision-makers to make sure their systems are protected from cyber attack, no matter how unlikely it may seem that something like a simple reader on the door could be used to compromise the company.

Marco della Peruta from Sensor Security explains that the most vulnerable information in an access installation is the organisation’s database of people, and following that, the time and attendance logs and the payroll information. “Too often we keep payroll information highly confidential, but the path from database to payroll could often be intercepted or investigated by the software installation team, for example.

“The key here would be to ensure that this database, and the ensuing path, are protected and managed correctly. Even the pulling of reports from the system is a possible danger to the access of information.”

Protection can be achieved by ensuring the database is on an independent computer, one that is not connected to the existing network infrastructure or the Internet. If connections are needed, he says both the data and the connection itself should be encrypted. Additionally, all information, apart from the temporary cache, should exist on a central machine and not on individual devices that are easily accessible.

He adds that people and access permissions are also extremely important as this is where breaches happen in most cases. Limiting access to very few key personnel should, therefore, be standard practice.

Elvey’s Chris Lelicanin adds that at each exposure point there should be technology-driven solutions in place that protect the organisation, users and their data. In a scenario where the user badges on a secure access control device, we should use encrypted secure card credentials, which can take the form of a wearable, smart device, physical access card or similar. The user’s fingerprint can also be used as a secure credential. There are also physical means along the lines of anti-tamper features which erase secure data on edge devices and door controllers.

When looking at the transaction point between device and controller, he says OSDP is a secure protocol to prevent any tapping of information between the device and door controller, as well as to the central server where TCP/IP communication is protected through encryption technologies such as TLS. On the server side, you want a system that has strong user permissions, and from which you can view comprehensive audit logs and easily manage expiration of personal data.

He adds that these technologies also struggle to stand alone: “there is no point in locking the doors of your car if you leave the windows open; a comprehensive system needs to be employed.”

Securing the database

David Corder from Saflec Systems says a good start is to ensure that the permissions on the database are set up so that only the people who should have access do. You then limit the personal data that is captured to what is strictly necessary for the business processes used within the access control setup. This is required by parts of the PoPI Act anyway, so it is becoming something database administrators have to keep in mind.

SQL Server databases use TDE (Transparent Data Encryption) on the actual data files, which protects the data on the hard drive and in external backups. In any event, all communications between the database and any software package that reads from or writes to it need to be configured to use the highest level of encryption available – this is currently Transport Layer Security (TLS) 1.2 with 256-bit AES encryption. This protects the data in transit between the data reader and the database; typically an additional business layer then ensures that the person looking at the data sees only the information that has been made available to them on a user-rights basis.

Making it reality

As can be seen above, effectively securing your access systems is not a simple task, although there are products out there that make the process of securing the full access control chain simpler and automated. As with all security issues, complexity is the enemy of security as most people opt for ease-of-use and convenience to be able to get the job done as fast as possible.

If personal data protection wasn’t a relevant issue for users, we wouldn’t be hearing of class action suits and settlements against major tech companies for user data breaches, says Lelicanin, and regulations and acts such as GDPR and PoPI would be non-existent. One of the big challenges is that so many organisations are of the mindset that we’re ‘not in the firing line’ or ‘it won’t happen to us’, but the reality is that all of us are at risk from cyber threats. It’s a serious issue and there are huge ramifications for organisations willing to play footloose with user data.

Della Peruta says most people will talk the correct language about security, but the implementation does not always exist. “We are sometimes called to do a recovery on a database and find it is often far too easy to get access to it, such as with a TeamViewer link.

“I hear about ransomware that still hits systems, which is indicative of a lack of security and easy access from the Internet, LAN or even a USB. There are a few customers that really do in-depth protection, but many do not. Education about technology and what is happening in the real world, such as IoT and security breaches, should be a key component of the system integrator’s service.”

Corder’s experience is that traditionally the people in charge of the access control have been more worried about ensuring that people have access to the building than locking down the areas where people are given access. It tends to be when there is an issue of theft that they then start trying to work out who has been given access where and by whom.

“This trend is starting to change and as time goes by people are more concerned with ensuring that the data is accurate and security auditors are starting to push for proof that the system is secure (only authorised people are being given access to certain areas),” Corder notes. “As for cyber risks like hacking, I think that the industry is starting to care more, but it’s considered an ‘outside risk’.”

Should we all OSDP?

While it is easy to place physical access control products and installers/integrators in the box of not being aware of cybersecurity, that is not really true. One of the solutions devised to improve the security of data transferred in access control transactions is Open Supervised Device Protocol (OSDP), an access control communications standard developed by the Security Industry Association to improve interoperability among access control and security products (see more at www.securityindustry.org/industry-standards/open-supervised-device-protocol). OSDP is touted as a Wiegand replacement because of the additional security built into the protocol.

Adding to the conversation, Lelicanin states, “Wiegand has been around for close on 35 years and is a standard in the industry; the problem is it hasn’t kept up with user and organisational data security needs. Wiegand is unmonitored, easy to hack and suffers from interference, and cable length is limited, to name a few disadvantages. OSDP is an open standard so there is interoperability between hardware of different manufacturers. It also has greater support for biometrics due to the increased bandwidth and supports bi-directional communication.”

Corder explains that OSDP has several advantages over Wiegand: “generally fewer wiring cores, longer run distances, multi-drop rather than star, multiple different devices on one network line, less hard-coded ways of interpreting the data and bi-directional communications immediately come to mind”. (See more in the article: The advantages of OSDP, www.securitysa.com/60145n).

However, he says the greatest advantage is the Secure Channel, which is the encryption between third-party devices and controllers. Unfortunately, even some of the big players out there have only basic implementations of OSDP and don’t support Secure Channel yet. “We are working with various companies to try and increase the up-take of the protocol, especially the optional cybersecurity.”

The benefits of OSDP are installation and security related, says Della Peruta. “Cybersecurity is not always espionage over the Internet, but any stage where electronic information is intercepted and understood. OSDP becomes important here as the communication medium might still be accessible, but the high levels of data encryption remove the risk of listening or talking down the line.”
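As an added example (not code from the article or from any of the vendors quoted in it), the following Python script parses OSDP frames as an integrator might capture them from the RS-485 line between reader and door controller, verifies the 8-bit checksum or CRC-16 that basic OSDP adds over Wiegand, and reports whether each frame carries a secure control block, the sign that Secure Channel is in use. The sample frames are constructed for this example; the “secure” frame only sets the SCB flag and does not model the encryption and MAC that Secure Channel adds, so the auditor checks for use of Secure Channel, not its correctness.

```python
# Added example: audit captured OSDP frames for integrity and Secure Channel use.
# Frame layout per the OSDP spec: SOM 0x53, ADDR (bit 7 set in PD replies),
# LEN (2 bytes, LSB first, whole frame), CTRL (bit 2: CRC-16 instead of 8-bit
# checksum; bit 3: secure control block follows), [SCB], code, data, trailer.

SOM = 0x53
CTRL_CRC = 0x04                    # CTRL bit 2: frame ends with CRC-16
CTRL_SCB = 0x08                    # CTRL bit 3: secure control block present
OSDP_RAW, OSDP_FMT = 0x50, 0x51    # PD replies that carry card data

def crc16(data: bytes) -> int:
    """CRC-16, polynomial 0x1021, initial value 0x1D0F (OSDP parameters)."""
    crc = 0x1D0F
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = (crc << 1) ^ 0x1021 if crc & 0x8000 else crc << 1
            crc &= 0xFFFF
    return crc

def build_frame(addr: int, ctrl: int, body: bytes) -> bytes:
    """Frame body = [SCB bytes] + code + data, adding LEN and the trailer."""
    length = 5 + len(body) + (2 if ctrl & CTRL_CRC else 1)   # 5 = SOM+ADDR+LEN+CTRL
    head = bytes([SOM, addr]) + length.to_bytes(2, "little") + bytes([ctrl]) + body
    if ctrl & CTRL_CRC:
        return head + crc16(head).to_bytes(2, "little")
    return head + bytes([(-sum(head)) & 0xFF])   # two's-complement 8-bit checksum

def audit_frame(frame: bytes) -> dict:
    """Verify one frame and report whether it used Secure Channel."""
    if len(frame) < 6 or frame[0] != SOM:
        return {"ok": False, "reason": "not an OSDP frame"}
    if int.from_bytes(frame[2:4], "little") != len(frame):
        return {"ok": False, "reason": "length mismatch"}
    ctrl = frame[4]
    if ctrl & CTRL_CRC:
        intact = int.from_bytes(frame[-2:], "little") == crc16(frame[:-2])
    else:
        intact = sum(frame) & 0xFF == 0
    if not intact:
        return {"ok": False, "reason": "bad checksum/CRC"}
    secure = bool(ctrl & CTRL_SCB)
    pos = 5 + (frame[5] if secure else 0)    # SCB_LEN counts the whole SCB
    code = frame[pos]
    return {"ok": True, "secure": secure, "code": code,
            "card_data_in_clear": not secure and code in (OSDP_RAW, OSDP_FMT)}

def audit_bus(frames) -> list:
    """Indices of frames that expose card data without Secure Channel."""
    return [i for i, f in enumerate(frames) if audit_frame(f).get("card_data_in_clear")]

# Constructed capture: CP poll (0x60), a plain osdp_RAW reply (reader 0, raw
# format, 26-bit card number), and a reply behind an SCB of type 0x18 (reply
# with encrypted data per the spec); its ciphertext/MAC bytes are placeholders.
CAPTURE = [
    build_frame(0x00, CTRL_CRC | 0x01, bytes([0x60])),
    build_frame(0x80, CTRL_CRC | 0x01, bytes([OSDP_RAW, 0, 0, 26, 0, 0x13, 0x9A, 0xBC, 0x40])),
    build_frame(0x80, CTRL_CRC | CTRL_SCB | 0x02, bytes([0x02, 0x18, OSDP_RAW, 0xAA, 0xBB])),
]
```

Calling audit_bus(CAPTURE) lists the frames that put card data on the wire outside Secure Channel; during commissioning, feeding it frames captured from your own bus shows whether a reader that claims OSDP support actually negotiates Secure Channel.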

Lelicanin adds that the good news is that forward-thinking manufacturers have incorporated and integrated both technologies into their products; this lets legacy sites stagger their security requirements and balance them against their existing upgrade budgets.

Integrating to everything?

Controlling who or what has access to who or what is what access control is all about, whether in the physical or logical world. As we move into the age of the Internet of Things (IoT), controlling access between millions or even billions of devices will become something the access industry needs to take note of and prepare for. In this scenario, the question of why also becomes an issue. There may be acceptable access to or from a device or server, but we need to know why the access is happening: is it a legitimate exchange of data, or has someone hijacked a device and is trying to install malware on a server? Is the access control industry ready, and are the management capabilities for such dispersed systems available?

There is no question that we are moving towards a more inclusive, integrated environment, according to Della Peruta. The days of discrete packages, where access, intrusion, video and building management are different, disconnected brands, are over.

“I believe there are a few directions on this the industry needs to become comfortable with, such as threat management, business efficiency management and marketing analysis. We are not just using the individual components anymore, but collectively for much greater functionality. We no longer purchase devices for a simple function, but the devices exist as a means to a greater solution.”

Some examples he provides include:

• Monitoring water usage and linking it with access control and video.

• Having a more accurate understanding of hotel guests in order to cater better and improve on food and maintenance costs while simultaneously making the venue more appealing.

• Collecting security information to understand whether a high-security site could have a vulnerability through a perimeter system fault.

“Naturally, such a level of integration does become dangerous in terms of all the equipment that needs to interact with a common platform. Who operates and configures such a platform? Are they experienced in the type of industry and technology? Are they an ethical moral group? The realm of integration such as this goes beyond ONVIF, and more the direction of PSIM software systems.”

Accessing the IoT

Access control can already be considered part of the IoT: most systems already connect to the Internet and many are pioneers in IoT, says Corder. IT networks themselves are becoming more secure and are starting to require authentication to the network itself, using something like 802.1X. Access control products will soon have to support this in order to be allowed on the networks themselves, and this is a good thing in that it provides an extra layer of security.

“I think the way the industry is heading will be that all access control devices will be Internet-enabled devices that are configured using IT systems like Active Directory. Personal mobile devices are also increasingly being used as the access token using Bluetooth Low Energy, NFC or similar technologies with the ability to report back or do biometric authentication using Internet or LAN services.”

Lelicanin also believes we are there already. “Personally, I think the most successful platforms will be ones that offer cloud services, are modular and scale to address the client’s specific needs, have integrated and complete solutions that incorporate your access, CCTV, fire and intrusion, and take the hassle out of security.”

So, while we still focus on securing readers, devices, data and servers within our organisations, the future security concerns of the access industry will have to include far more ‘things’ that are requesting and sending access or data. Most of these are simple sensors dealing in small bits of data that are generally necessary for analysis and are not in themselves a security threat, but their data pathways will be a tempting target for those intent on getting into your network. Access administrators will therefore need to make sure they secure their networks from direct and indirect attack. If it is not already, cybersecurity will soon be a core component of the access control industry.

For more information contact:

Elvey, +27 11 401 6700, marketing@elvey.co.za, www.elvey.co.za

Saflec Systems, +27 11 477 4760, info@saflec.com, www.safsys.co.za

Sensor Security, +27 11 314 9419, info@sensorsecurity.co.za, www.sensorsecurity.co.za
