1. Most RFID access cards and fobs are not secure
The 13.56MHz MIFARE Classic and older 125kHz technologies in common use today are not secure. ‘Common Criteria’ certifications, based on evaluation and testing, can help to assess the level of security of various card technologies. In general, secure card technologies support:
- Mutual authentication between card and reader to prevent card information from being shared with any reader.
- Strong encryption of data communication with the card to prevent ‘eavesdropping’.
- Protected access to memory areas to secure information stored on the card.
Avoid proprietary card technologies that rely on security by obscurity rather than rigorously tested standards. Such technologies can lock organisations in to limited supplier choice and may prohibit integration with other identity based controls that would allow just one ID-card to be used for all identity and access needs with reduced costs.
2. Biometrics and smart phone credential limitations
Controlling busy entrance and exit points demands fast and reliable verification of each person’s identity as they pass through. Mobile phone based credentials that are readable over long ranges introduce uncertainty over whose credentials within the vicinity are actually being checked, while for biometrics the time taken for accurate validation generally makes them unsuitable for rapid throughput applications.
Photo ID-cards that include a secure RFID technology for physical access, along with other strong authentication technologies for IT access control, provide a more widely applicable solution that is cost effective, convenient for staff, and strengthens overall security.
Biometrics are best applied as an additional layer of security for specific critical areas.
The speed of biometric verification can be improved using an ID-card that securely stores the holder’s biometric signature information; this can then be compared quickly with a biometric scan taken by a suitable reader at the door, before proceeding with secure validation of door access permissions.
Currently smart phone credentials are relatively costly and are not widely supported across other identity and access applications, which means that separate credentials, or additional ID formats, may also need to be carried by staff.
Having one ID-card for IT access, opening doors, releasing documents from printers, etc., naturally compels staff to always carry their ID with them. IT access is secured because PCs can automatically lock when a user removes their card to go somewhere else, and physical access controls benefit from staff being unlikely to lend their ID credentials to others, as that would prevent them from using their computer.
3. Needless exposure to third party vulnerability
If you ask an IT Manager how many suppliers they have given their firewall password to, the answer is almost certainly going to be zero. However, it is highly likely that several third parties know the critical information needed to make or obtain an access card that will allow physical entry.
Organisations should ensure they have control over the information required to encode the secure RFID cards that work with their access control system. Suppliers and installers often fail to make customers aware that this is even an option, for the sake of their own convenience or financial interest, but at the expense of their customer’s security.
Card encoding tools are available that allow organisations to encode secure access cards with their own unique keys, so avoiding any reliance on suppliers or installers to protect that critical information. Alternatively, secure standard cards can be pre-encoded with a configuration known only to a client organisation and a trusted card manufacturer.
4. Multi-site access management complexities
Door access control systems tend to be site-centric, therefore managing permissions across multiple sites requires the addition of dedicated synchronisation appliances to share data between each location on a time-scheduled basis, which adds both cost and complexity.
In contrast to this, IT access control systems are typically designed to support any number of users across any number of networked sites. It is possible to leverage existing standard IT access control infrastructure to manage physical access as well; delivering the same high levels of scalability for both physical and IT controls and simplifying access management across all sites.
Unlike any other physical access control solution EdgeConnector makes managing and monitoring physical access controls over multiple sites easy and doesn’t require any additional dedicated network infrastructure. Through its use of Microsoft Active Directory, EdgeConnector provides physical access control through single or multiple network domains, whether hosted in-house, cloud-based or across a hybrid architecture.
5. Delays to updates taking effect at doors
‘Offline’ systems only periodically update doors with changes to who is allowed access.
‘Online’ systems make access permission changes effective in real-time, providing instant control over physical access rights.
Standard IP data network communication allows access requests from across the whole network to be processed within a fraction of a second. Different network architectures, including cloud based designs, can also be accommodated without any degradation in speed or reliability.
Making use of standard and existing network cabling makes installing online systems straightforward, while wirelessly controlled door locks remove the need to run any cables at all to the doors.
6. Mind the gap between physical and IT access security
Maintaining separate physical and IT access control systems exposes organisations to potential risks. For example, surveys have shown gaps in processes have left over a third of desk-based workers with continued access to the systems and data of former employers.
Removing the need to maintain separate physical and logical access systems streamlines critical processes for staff enrolment and off-boarding.
The two approaches to combining physical and logical access controls are the synchronisation of separate systems, or the unification of identities and all permissions into a single system. Synchronisation involves configuring frequent data transfers through either a one-way or two-way process and ensuring that duplicated personal data is properly protected. Unifying all access permissions within a single system avoids all these complications.
7. Integration limitations hamper security
Proprietary physical access systems can make sharing information with broader security systems expensive or even impossible.
Physical access control systems need to support open standards and provide open APIs to facilitate joined-up security solutions, such as: Behavioural Analytics, Security Information & Event Management (SIEM), Physical Identity & Access Management (PIAM/IAM) and Physical Security Information Management (PSIM).
It is not difficult to actually go beyond integration and truly unify physical and logical access control decision making in real-time; this means security exception events, such as remote IT log-in apparently by a user who is known to be on-site, can be prevented automatically rather than just reported on after the event. Knowledge of identity and location combined allows organisations to fully control who has access to what information, where and when.
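The remote log-in exception described above can be expressed as a small decision function. This is an added example, not code from EdgeConnector or any vendor; the event formats, user names, the 16-hour staleness limit and the extra "review" outcome for an on-site log-in with no badge-in are assumptions that go slightly beyond the single case in the text.

```python
from datetime import datetime, timedelta

# Constructed sample data, not taken from any real access control system.
BADGE_EVENTS = [  # (timestamp, user, direction)
    ("2024-03-04T08:55:00", "alice", "in"),
    ("2024-03-04T09:10:00", "bob", "in"),
    ("2024-03-04T12:30:00", "bob", "out"),
    ("2024-03-01T09:00:00", "carol", "in"),  # never badged out
]
LOGIN_ATTEMPTS = [  # (timestamp, user, source)
    ("2024-03-04T10:00:00", "alice", "remote"),
    ("2024-03-04T13:00:00", "bob", "remote"),
    ("2024-03-04T10:30:00", "carol", "remote"),
    ("2024-03-04T11:00:00", "dave", "onsite"),
]
MAX_PRESENCE = timedelta(hours=16)  # assumption: an older "in" counts as stale


def on_site(user, when, badge_events, max_presence=MAX_PRESENCE):
    """True if the user's latest badge event before `when` is a recent 'in'."""
    latest = None
    for ts, who, direction in badge_events:
        t = datetime.fromisoformat(ts)
        if who == user and t <= when and (latest is None or t > latest[0]):
            latest = (t, direction)
    if latest is None or latest[1] != "in":
        return False
    return when - latest[0] <= max_presence


def decide(attempt, badge_events):
    """Return 'deny', 'review' or 'allow' for one log-in attempt."""
    ts, user, source = attempt
    when = datetime.fromisoformat(ts)
    present = on_site(user, when, badge_events)
    if source == "remote" and present:
        return "deny"    # user is in the building, so a remote session is an exception
    if source == "onsite" and not present:
        return "review"  # workstation log-in with no matching badge-in
    return "allow"


def evaluate(attempts=LOGIN_ATTEMPTS, badge_events=BADGE_EVENTS):
    return {(user, source): decide((ts, user, source), badge_events)
            for ts, user, source in attempts}


if __name__ == "__main__":
    print(evaluate())
```

The staleness limit matters because a missed badge-out would otherwise leave a user marked as present indefinitely and block their legitimate remote access.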
8. Cyber-security risk
The vulnerability of physical security devices to cyber-threat was demonstrated in September 2016 by a high profile and widespread ‘denial of service’ attack across the Internet, which was launched from a large number of network connected security cameras and DVRs that had been hacked.
Modern access control systems connect to an enterprise’s network and need to be given the same consideration as any other IT-connected system from a cyber security perspective.
The IT infrastructure hosting a physical access control system needs to be properly supported, with regular maintenance to apply security updates against new threats along with provision for data back-up and power supply resilience.
IP network connected devices, such as door controllers, should be well supported by manufacturers with timely security updates that can be applied easily to installed hardware.
9. Data privacy compliance
While IT departments are ensuring their systems are compliant with the new General Data Protection Regulation (GDPR), to avoid the enormous potential financial penalties that can come from not protecting the information they hold on UK and EU citizens, physical access control systems may not be getting the level of attention required.
Most physical access systems store personal information that falls within the scope of GDPR (names, email addresses, photographs etc.) and so need to be compliant, even if only to satisfy potential data privacy queries from disgruntled employees exercising their rights.
Compliance to GDPR requires that any UK or EU citizen’s personal data that is stored in their employer’s physical access control system must be protected in accordance with the regulations, including access to that data being auditable and appropriately managed, consent being obtained to store a person’s data and the right of the person to have their data removed when it is no longer required.
A unified and centralised access management architecture covering both physical and IT access permissions avoids having to ensure that separate systems, including physical access control systems at different sites, are all compliant.
10. Building safety compliance
Common installation practices may not satisfy new regulations. In Europe the standards for newly installed controls on panic and emergency exits are being combined and updated; magnetic locks will not normally satisfy these latest standards, although they would typically have been used in the past.
Emergency escape routes from buildings need to be defined in accordance with local building code and safety regulations. Controls installed on critical exit points for buildings in the EU should now be “fail-secure” with single-point operation of a mechanical door release to allow straightforward egress in an emergency.
In Europe the new prEN 13637 standard for electrically controlled exit systems on escape routes is replacing EN 179 and EN 1125.
In the US, the 2015 edition of the International Building Code (IBC) changed the title of the “Access-Controlled Egress Doors” section to “Sensor Release of Electromagnetically Locked Egress Doors” in order to more clearly differentiate it from the section currently named “Electromagnetically Locked Egress Doors” (which is being renamed from the 2018 edition to “Door Hardware Release of Electrically Locked Egress Doors”) and applies to electrified locks released for egress by a switch rather than a sensor. As of 2012, both these sections of the IBC require the door locking system to be listed in accordance with UL 294. It is possible that an electrified lock need not comply with either of these model code sections, as long as it allows egress by turning a lever or pushing a panic device just as would be the case for an exit door without any access control.