Safely Invisible: The Powerful Security of Cloud-Based Access Control
It’s a dangerous age. Wizard-like hackers lurk in the virtual shadows, ready to pounce. Meanwhile, the confluence of cyber and physical security can leave clients undereducated and confused. They know they need security but suffer from “control issues” about cloud-based solutions for their physical access control programs. As a dealer or integrator, you may be questioned by clients about whether the cloud-based system is safe when the organization’s IT professionals are not in charge of the server where the solution resides. The truth may be that you aren’t sure how to explain why the cloud is a better place for your customers to put their trust. This white paper will provide you with some guidance.
Understanding and addressing the security vulnerabilities of the systems you install is vital. It’s a bigger problem than just losing customers because you’re not cyber-savvy. The sad reality is that if the solution you proffered and integrated is compromised, you may be held liable for damages.
Dedicated Servers Don’t Offer Defense
Until recently, all access control systems had a software component that resided on an onsite physical server or on the client’s proprietary network. You’ve dealt with these solutions for years, and so have your customers; the familiarity gives them a false sense of security. In reality, local hosting on dedicated servers leaves systems vulnerable.
When an access-control solution depends on locally hosted, dedicated servers, vulnerabilities can result from the lax installation of patches and updates, system interruptions from planned and unplanned maintenance, the failure to make regular and secure data backups, a lack of scalability, and poor offsite redundancy during manmade or natural emergencies.
Now enter the hackers, who will take advantage of any exploitable weakness in an organization’s network.
According to Josh Perry, CTO of ProdataKey (PDK) of South Jordan, Utah, “A truism about all computer and software systems of sufficient complexity, including access control systems, is that mathematically or analytically, you can’t guarantee that they’re secure. It’s a foregone conclusion that you will have vulnerabilities. To overcome these vulnerabilities, you must either completely segregate the system from any accessibility, which isn’t an option because you need to manage it. Or, you can make it so that if there is a vulnerability, you can address it as quickly and efficiently as possible.”
IPs = Open Doors
The majority of access control solutions are now composed of IP devices that offer what is tantamount to open doorways into the system, as well as into the data and operational systems of connected networks, especially if IoT devices are integrated with security systems outside a company’s firewall.
“If you don’t have a cloud solution, just a traditional IP-based access control system exposed via a port forward, and as an integrator, your employees don’t have the proper network configuration and security training, they could unknowingly leave those servers vulnerable, even if SSL is correctly configured. In fact, anyone with a web browser could get onto an IP-connected access control system that they don’t own right now, probably within 10 minutes, just using a search engine and default usernames and passwords,” says Perry, who adds that integrators need to do a better job of changing default passwords and making sure that all the authentication systems are in place so that only authorized devices and users communicate with the users’ devices.
Surprisingly, a large percentage of devices are compromised through the poor design of their management interfaces. Hackers use automated programs called bots to scan networks for vulnerable devices and attempt to log in to them using known default credentials. “Even if you’ve changed the username and password and even if you have enabled SSL, there may still be vulnerabilities through the implementation of the system’s login screen or its remote management tool,” Perry explains. The Mirai botnet is a recent example in which vulnerabilities and default configurations of internet-connected devices cost businesses hundreds of millions of dollars in a single incident.
Safe in the Cloud
The benefits brought by genuine cloud-based access control solutions, which have been built from the ground up as a secure cloud service, include connectivity from a client’s network using multiple security standards and protocols with no required configuration changes. In this way, secure access to the system can be provided with no exposure of externally available connection points.
While frequent feature updates and upgrades are a large selling point of any cloud-connected system, these are arguably even more vital to the overall security of the system. In standalone systems, security updates often fall by the wayside to other IT or budget concerns; with a truly cloud-based system these are undertaken automatically and do not require the intervention of onsite staff. They can be pushed out as soon as a vulnerability is detected.
Because data is regularly and securely backed up and stored, compliance and disaster recovery are made seamless with readily accessible data that does not need to be retrieved from a server-based system.
Interactions with the system take place via a browser or an app, so end users can quickly address security and emergency management incidents. For example, a system administrator can grant or delete the access rights of an employee or temporary contractor remotely from any place and at any time. The same is true for locking and unlocking individual doors or groups of doors. A cloud-hosted system may also offer greater redundancy during emergency situations than most end users are able to provide.
PDK’s Perry cautions, however, that some solutions claiming to be cloud-based are not what they seem. “They are a response to customer demand that there be some sort of external connectivity. What some have done is take their old products and provide a kind of cloud connection story that leaves out the team of IT experts needed to deploy it securely. In this way, they simulate the experience of what cloud solutions offer. If the dealer isn’t familiar with how the cloud connectivity works or how it should be set up—since the hardware is still there, dressed up to be cloud-connected—they can unintentionally leave the client vulnerable.”
If it’s necessary to open any inbound ports to manage the system from outside the building or facility, it is not a true cloud solution. The same is true if the system uses a “remote desktop”-style connection to the system’s legacy management interface.
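The inbound-port test above can be run against a site's firewall configuration. The following is an added example, not part of the original white paper or any PDK software: it checks an exported list of port-forward rules against an inventory of access-control devices and flags any device reachable from outside, including remote-desktop style access. The rule format, addresses and device roles are constructed for illustration.

```python
import ipaddress

# Constructed sample data (not from any real site): exported port-forward
# rules and an inventory of access-control devices on the LAN.
PORT_FORWARDS = [
    {"wan_port": 8443, "lan_ip": "192.168.10.20", "lan_port": 443},
    {"wan_port": 3389, "lan_ip": "192.168.10.21", "lan_port": 3389},
    {"wan_port": 25565, "lan_ip": "192.168.1.50", "lan_port": 25565},
]
ACCESS_CONTROL_HOSTS = {
    "192.168.10.20": "door controller (web UI)",
    "192.168.10.21": "access-control server",
    "192.168.10.22": "cloud-connected controller",
}
# Well-known ports for remote-desktop style services.
REMOTE_DESKTOP_PORTS = {3389: "RDP", 5900: "VNC"}


def audit_inbound_exposure(forwards, hosts):
    """Return one finding per forward that reaches an access-control host."""
    findings = []
    for rule in forwards:
        ip = str(ipaddress.ip_address(rule["lan_ip"]))  # rejects malformed addresses
        if ip not in hosts:
            continue  # forward targets something other than access control
        reason = "inbound port open to management interface"
        service = REMOTE_DESKTOP_PORTS.get(rule["lan_port"])
        if service:
            reason = f"remote-desktop style access ({service})"
        findings.append({"host": ip, "role": hosts[ip],
                         "wan_port": rule["wan_port"], "reason": reason})
    return findings


def outbound_only_hosts(forwards, hosts):
    """Hosts with no inbound forward, i.e. those passing the test above."""
    exposed = {f["host"] for f in audit_inbound_exposure(forwards, hosts)}
    return sorted(set(hosts) - exposed)


if __name__ == "__main__":
    for f in audit_inbound_exposure(PORT_FORWARDS, ACCESS_CONTROL_HOSTS):
        print(f"{f['host']} ({f['role']}): WAN port {f['wan_port']} -> {f['reason']}")
    print("No inbound exposure:",
          outbound_only_hosts(PORT_FORWARDS, ACCESS_CONTROL_HOSTS))
```
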
Users of a cloud-based system are authenticated against servers that reside in the manufacturer’s cloud infrastructure. The best cloud solutions utilize multi-factor authentication (for example, password, phone app and/or fingerprint) for logging in to the cloud management interface. They do not use default user names and passwords.
Non-cloud systems handle all authentication on the customer-premise equipment, making it difficult to use advanced authentication technology and leaving the login credentials vulnerable to local attack.
Monthly Fees ≠ More TCO
Cloud-based access control solutions allow your clients to skip the high costs associated with purchasing expensive dedicated servers and software that require ongoing attention by the end users’ IT staffers, if the organization has them. A per-door monthly fee is usually charged instead.
These subscription costs do not, however, translate into an increased total cost of ownership (TCO). With a cloud-based solution, the initial costs are considerably lower, including only installation, customization and training. Ongoing costs, other than the monthly fee, include maintenance, additional configuration and training. That’s it.
With the fee also comes a dedicated team of professionals with decades of experience and training in the hardware, software, networks, and IT security required to properly create and provide a secure but easily accessible solution. These experts can be an invaluable resource, as many users and integrators cannot afford this essential dedicated staff.
Perhaps most important is stopping cyberattacks on your clients that could take down access control as well as compromise data or the IT infrastructure. The losses could be more than these businesses can financially sustain. And the threat is growing: Juniper Research estimates that by 2019, the annual cost of cyberattacks on businesses will top $2 trillion.
Do the Due Diligence
Now that you can explain how a cloud-based solution boosts the security of your clients’ access control programs while also offering a lower TCO, it’s time to search out some of the best solutions for their needs. Be sure to thoroughly vet all cloud-solution manufacturers before recommending their product to your customers. The manufacturers must have proven track records, have built their solutions from scratch to be genuinely cloud-based, have the resources to do the job properly, and possess the stamina to be in business for years to come. Unlike a stand-alone solution, if these manufacturers vanish, so do their systems.
PDK is a team of security integrators with decades of hands-on, in-the-field experience. PDK believes that the best technology is created by professionals who know what it takes to secure a facility properly and provide the end user with a solution that instills confidence and safety.
PDK is passionate about creating technology to enhance the security, safety, and overall experience of both the professionals installing electronic access control and those that live with and use the system. PDK continues to create technology every day to enhance its products and the products of its technology partners.