What every Information Security Officer needs to know…

… about physical access control systems

Acceptance is growing that it’s not a case of if an organisation will suffer a data breach, but when such an event will occur. An organisation that can effectively manage a data breach due to some new form of attack is likely to be treated more sympathetically by customers and regulators than one that suffers a breach because it failed to cover the security basics.

GETTING THE BASICS RIGHT IS CRUCIAL

With the punitive penalties that data protection legislation is able to impose on companies for failing to protect the personal data of UK and European citizens, it’s essential that organisations can demonstrate they have established the policies and put in place the necessary measures to protect such data. Yet the most recent data breach reports tell us that the majority of issues still stem from poor basic security hygiene.

ISO 27001 is the international standard for information security management systems, with accompanying guidelines that cover physical access controls given in ISO 27002. This cites the need to prevent unauthorized physical access to IT equipment and supporting utilities such as power and air conditioning. Electronic access controls for doors and server racks, using RFID cards or fobs, are usually installed to meet these requirements and provide access audit trails. However, within an ever-changing threat landscape, the security of such systems should not be assumed to be adequate just because they bear an established brand. Access control systems can help, or hinder, information security and compliance requirements, as described below.

INFORMATION SECURITY RISKS

Insecure

Insecure RFID technologies are still sold today, and are in widespread use, even though such cards and tags can be cloned in seconds using low-cost handheld devices available on eBay. Door access controls need to make use of up-to-date, secure contactless smart card technology standards, such as iCLASS and DESFire, which can prevent unwanted reading and copying of the identity information they store.

Additionally, organisations should ensure that they understand the risks involved in relying on suppliers to pre-encode their RFID cards, or better still, ensure they have sole control over the security keys and systems required to encode the cards themselves, so that the cards only work with their own access control system.

Vulnerable

Vulnerability to cyber-attack must also be considered for physical access control systems, just as for any other IT-connected system. The high-profile ‘denial of service’ attack in September 2016, which was launched from hacked cameras and DVRs, demonstrated the weakness of some physical security devices.

Non-compliant

Compliance with GDPR requires that any EU citizen’s personal data stored in their employer’s physical access control system must be protected in accordance with the regulation, including access to that data being auditable and appropriately managed.

CYBER-PHYSICAL BENEFITS

While physical access controls are a fundamental part of basic security hygiene, they also have the potential to contribute more widely to cyber security and data protection. Companies are increasingly considering physical access as an integral part of identity-driven security controls across the organisation. The CISO of Barclays, Troels Oerting, former director of Europol’s cyber-crime unit, has merged separate IT and physical security teams to better address security as a whole, using the combined skills of physical and logical security professionals.

Although historically the proprietary nature of many physical access control systems has obstructed organisations from taking a holistic approach, modern IP-connected, standards-based, integrated solutions now make it easier to achieve wider security benefits, such as:

Process

Process breakdowns that arise from the traditional siloed approach to managing physical and IT security separately can be avoided. For example, surveys have shown that over a third of desk-based workers have been left with continued access to the systems and data of former employers. Properly combining the management of physical and logical access permissions makes procedures for staff on-boarding and off-boarding simpler and more robust.

People

People in organisations tend to find the most expedient ways of getting their work done, even though this may result in security vulnerabilities. For example, the benefits of smart card based two-factor authentication for securing IT access can be negated by users leaving these cards in workstations while they’re away from their desks. Issuing each staff member with a single ID card for IT access, opening doors and releasing documents from printers naturally compels personnel to always carry these ID cards with them. IT access is then secured because PCs are automatically locked when a user removes their card to go elsewhere, to pick up a coffee or collect a document from a printer perhaps.

Technology

Technology standards and open APIs facilitate the integration of different systems to provide joined-up security solutions such as Security Information & Event Management (SIEM), Physical Identity & Access Management (PIAM/IAM) and Physical Security Information Management (PSIM). It is not difficult to go beyond integration and truly unify physical and logical access control decision making, which allows access to critical applications and sensitive data to be restricted to known users who are physically within prescribed secure access zones. Identity has become the new security perimeter, critical to enabling organisations to control who has access to what, where and when.
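As an added illustration of the unified decision described above (example code written for this page, not EdgeConnector's or any vendor's), the following Python tracks each badge holder's current zone from constructed door-reader events, flags an exit without a matching entry, and then grants a resource request only when the user holds the directory entitlement and is physically in an approved zone. The door names, zone names, group memberships and event format are all assumptions made for the example.

```python
# Constructed door topology (assumed): each door separates an "out" zone from an "in" zone.
DOORS = {
    "lobby-main":  {"out": "outside", "in": "lobby"},
    "server-room": {"out": "lobby",   "in": "serverroom"},
}

# Policy (assumed): a resource may only be used from these physical zones.
RESOURCE_ZONES = {
    "hr-database": {"lobby", "serverroom"},   # anywhere inside the building
    "rack-kvm":    {"serverroom"},            # only from inside the server room
}

# Logical entitlements, as a directory group lookup would return them (constructed).
AD_GROUPS = {
    "alice": {"hr-database", "rack-kvm"},
    "bob":   {"hr-database", "rack-kvm"},
    "carol": {"hr-database"},
}

# Constructed badge events in arrival order: (user, door, direction).
BADGE_EVENTS = [
    ("alice", "lobby-main", "in"),
    ("alice", "server-room", "in"),
    ("bob",   "lobby-main", "in"),
    ("carol", "lobby-main", "out"),   # exit with no prior entry: tailgated or cloned badge?
]

class ZoneTracker:
    """Derives each holder's current zone from door events; everyone starts 'outside'."""
    def __init__(self, doors):
        self.doors, self.location, self.anomalies = doors, {}, []

    def apply(self, user, door, direction):
        d = self.doors[door]
        expected_from = d["out"] if direction == "in" else d["in"]
        current = self.location.get(user, "outside")
        if current != expected_from:          # soft anti-passback: log, then trust the reader
            self.anomalies.append((user, door, direction, current))
        self.location[user] = d[direction]

def build_tracker(events=BADGE_EVENTS):
    t = ZoneTracker(DOORS)
    for user, door, direction in events:
        t.apply(user, door, direction)
    return t

def decide(tracker, user, resource, groups=AD_GROUPS):
    """Allow only if the directory grants the resource AND the user is in an allowed zone."""
    if resource not in groups.get(user, set()):
        return ("deny", "no logical entitlement")
    zone = tracker.location.get(user, "outside")
    if zone not in RESOURCE_ZONES[resource]:
        return ("deny", f"user is in zone '{zone}', not an approved zone")
    return ("allow", zone)
```

The anomaly list is what a SIEM integration would forward: a holder leaving a zone they were never recorded entering is exactly the kind of physical event that should be correlated with logon activity.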

EDGECONNECTOR

EdgeConnector radically simplifies and strengthens access management by adding physical access control capabilities to an organisation’s existing IT access management system (typically based on Microsoft Active Directory). This unified approach simplifies processes for administering access permissions across any number of sites, and makes it easy to implement user-location-based restrictions on access to IT resources and data.

Developed by IT security professionals, EdgeConnector was designed from the outset to be an integral part of a secure network infrastructure, rather than linking in separate physical access control systems. EdgeConnector works in real time together with IP-connected wireless locks from Assa Abloy’s Aperio range and IP door controllers from Axis Communications and HID Global, together with an extensive range of credential readers that includes highly secure RFID, biometric and NFC/BLE phone readers from STid and HID.