All Access: Implementing a Comprehensive, Layered Security Plan

access control

A comprehensive approach is needed to provide physical and digital access control

Mark Duato
Mark Duato, executive vice president, aftermarket solutions, ASSA ABLOY Door Security Solutions

Controlling access no longer simply means deploying a secure lock and tightly controlled keys. It is not that traditional mechanical locks and high security keys are not still an effective form of security – they have been an important element of good security planning for many years and will most certainly remain critical components of a sound access control strategy – but the rapidly changing nature of threats in today’s world, coupled with the blistering pace of technological advancement, means traditional solutions have evolved significantly, as well.

Technological change and emerging security threats are not unrelated. As new devices and capabilities become available, bad actors find new ways to exploit weaknesses, and the perpetual counterbalance will assuredly go on. The industry, as a whole, needs to continue to break down operational silos and view various elements of enterprise security as part of a unified, harmonious strategy.

With the accelerating growth of electronic access control solutions, including wireless technologies and biometric elements of identity management, enterprise security practice and data management are fully entwined. What has traditionally been thought of as physical security, such as perimeter deterrents and door locking systems, often depend on network infrastructure to effectively carry out their purposes. Physical security and cybersecurity objectives must, therefore, be viewed cohesively and addressed comprehensively to deliver an optimal return on investment.

This means, for example, that the traditional locksmith or security professional can no longer think only about mechanical locks and keys, and similarly, the IT professional can no longer think only about the network infrastructure; both must be able to understand the priorities and needs of the other so that their respective remits work seamlessly together. Minimum skillsets are evolving quickly across the services spectrum. Certainly, not every security specialist needs to know how to program, deploy or repair a mechanical or electrified access control opening, but a high degree of collaboration must exist between the physical and digital infrastructure domains to execute effective security policies.

The more closely security professionals work with other facility stakeholders, the more detailed and effective the layers of security become. A comprehensive, layered security plan is about hardening potential weaknesses and implementing deterrence factors at every point of risk in the system in an intelligent way. That means physical, logistical and virtual perimeter barriers must be analyzed, identified as effective or problematic, and measured for risk and/or investment. This ensures to the greatest degree possible that people, intellectual property and related assets are prioritized and safeguarded.

It is vital to bring all these stakeholders together early and often on any project, even if it is a year or two before breaking ground on a new site or many months prior to putting a construction or retrofit aftermarket project out to bid. Doing so encourages comprehensive, systemwide thinking from the beginning. The result is a much smoother process when designing and implementing solutions and working with partners for comprehensive security management and access control. It also allows for optimizing resources by shifting to more value-oriented operational systems.

By addressing the relationship between physical and digital security early in the planning phase, risk mitigation objectives and contingency investments can be identified before weaknesses are exploited. These solutions then need to remain vested and top of mind after the infrastructure is deployed. This type of proactive, integrated, comprehensive approach results in a multi-layered formula where obstacles – both physical and digital – stand between potential bad actors and the people, data and assets in an enterprise.

Fence Line to Frontline

The confluence of physical and network security features is important for all commercial enterprises, but particularly in environments representing critical infrastructure – communications, power and utility, transportation and traffic control, water resources such as dams, and other sites that are vital to public safety or the economy.

Secure fence lines and perimeter gate control are crucial deterrents but are often expensive and difficult to deploy. The technology must be able to withstand possibly harsh outdoor conditions. Padlocks and mechanical or electromechanical locks can utilize “intelligent” physical keys electronically programmed with access control rights without the expense of the traditional network infrastructure that is typically required to actively communicate access control transactions. Intelligent keys cannot be hacked since they are not actively connected to a security network, making them a cost-effective step forward in protecting layered critical infrastructure sites, and for that matter, any type of offline secure opening.

The Critical Link Between Cybersecurity and Physical Security

Whether through RFID cards, mobile credentials or biometrics, access control systems increasingly, if not exclusively, rely on data passing from a credential to a reader to a controller on a network. And, as with all networks, an access control system can be hacked and its data stolen.

When access control data is compromised, an unauthorized person can use it to gain access to a network or facility, just as if he or she had stolen a password or physical key. Beyond that, hackers can use access control data to break deeper into Wi-Fi networks and steal other types of secure data. These events happen far too often at major finance, retail and telecommunications firms, where stolen identities and credentials allow hackers to install malware that, for example, can unlock phones.

Situations like these are precisely why physical security and cybersecurity objectives must be aligned. As a result, the ubiquitous Wiegand protocol, the standard of access control communication infrastructure for decades, is being phased out, and security industry professionals would be wise to support and hasten this process because of the protocol’s vulnerabilities.

The Wiegand protocol, for example, is plain-text code, so once the signal between the reader and the controller is hacked, it is relatively simple to copy the code and gain access to a particular credential. This was demonstrated at a 2007 conference by a hacker who installed a PIC chip in a reader and showed how easily he could steal access control data and manipulate the system to gather and capture data about other authorized users. The hacker even tricked the system into locking out everyone but him, despite the other users having authorized credentials.

Fortunately, the security industry has awakened to these threats, and the cross-collaborative Open Supervised Device Protocol (OSDP) is now available in many devices for access control solutions. This protocol involves two-way communication between the reader and the controller, and the wiring system is far more sophisticated than that found in Wiegand communication structures.

For security professionals involved in new construction projects, using OSDP should be a no-brainer. When tackling a retrofit project or legacy infrastructure, however, the investment in changing from Wiegand to OSDP can present some obstacles, which is why IT and network professionals need to work closely and collaboratively with security professionals. All parties can understand the value of improving access control security and are vested in getting greater stakeholder buy-in early in the process. Over time, the security enterprise is stronger, and costs of ownership will decrease dramatically.

The upfront cost of security installation can be further lessened by leveraging cloud-based data storage, as well as Wi-Fi and/or Power over Ethernet (PoE) infrastructure at the access control opening, which can remove many of the limitations of traditional systems.

Ultimately, the cost of data breaches can far exceed that of installing updated access control systems, and the idea of “doing things how they have always been done” is no longer an acceptable approach to enterprise security. It is incumbent on security professionals to have a unified view of the system and point out where weaknesses lie so that new layers, from encryption to smart locks and beyond, can be implemented to stay ahead of evolving threats while lowering the total cost of ownership in the long term.

The Value of Data

The need for comprehensive security and a multi-layered approach is just as important within the facility itself, as exemplified by the deployment of access control solutions at server cabinets and network closets. Actively controlling traffic to and through server cabinets, which house the most sensitive data infrastructure, is vital. Once again, there is a confluence of physical and digital security at play: maintaining the physical integrity of network assets prevents unauthorized users from damaging or tampering with the infrastructure that stores data, and thus, the data itself. Of course, like any other card reader or access control component, the physical system using intelligent locks and keys must be grounded in encrypted, secure data.

In addition to protecting an organization’s proprietary data, servers also contain identity data for staff and/or customers. With breaches becoming a near daily occurrence, it should go without saying that data must be safeguarded to the highest degree possible.

As seen with the Wiegand codes being easily hacked, it is not just hardware that needs to be robust when preventing identity theft. It is also imperative to use sophisticated encryption to prevent unauthorized users from accessing networks, just as deadbolts and locks are utilized to keep people out of restricted spaces. Hackers will not become less capable over time, so security professionals must implement defenses that will keep enterprises at least one step ahead. Doing so requires not just vigilance to watch for new threats, but also an openness to continual education and solution updates as more robust options become available.

The Future of Security

Both threats and technology are constantly evolving. It is no longer possible to view enterprise security functions in isolation, and indeed, it is no longer desirable since security encompasses everything from perimeter fences to encrypted identities. Innovations such as high-security physical keys, which can be programmed and managed through the cloud, are breaking down the barriers between physical security and cybersecurity. As the technology evolves, though, so too will the threats to the way openings are secured.

It is vital for security and IT professionals to not only stay abreast of technological changes, both in physical components and cybersecurity, but also to work together from the earliest planning phases through project implementation and maintenance. This can ensure that enterprises have a multi-faceted, multi-layered system of security measures in place. From a remote perimeter to the closets containing data servers, access control systems play a key role in securing enterprises. Intelligent keys, the OSDP standard, cabinet locks – these are just a sampling of the access control technologies available to create as many barriers as possible to unauthorized entry or access, whether physical or digital, onsite or virtual. And by working in tandem from the very beginning of a project, security and IT professionals can implement solutions that secure an enterprise while lowering the total cost of ownership over time. Physical assets and data are no longer separated, so the approaches to securing them cannot be separated either.