Secure Hosted Technology

What you really need to know about cloud-based security management

Cyber security is seemingly in the news every day. From data breaches to security system compromises, there’s a ‘cloud’ hanging over hosted environments, labeling them unsafe or subject to easy compromise.

According to statistics from the “2015 Cost of Data Breach Study: Global Analysis,” which was conducted by the Ponemon Institute, Traverse City, Mich., and sponsored by IBM, the average cost of a data breach increased from $3.52 million in last year’s study to $3.79 million in this year’s research.

Data integrity has been a crucial concern of the electronic security industry for decades. However, it’s been in the forefront due to numerous breaches in the news recently, although the majority of those have been the result of weak user names and passwords.

For the systems integrator, data breaches and compromise result in much more than dollar loss. Not only is the physical security and life safety of the protected premises at risk, but critical customer data can be lost. Even more so, data breaches and system compromise result in dissatisfied customers who will go elsewhere for service. These episodes have a dire effect on the systems integration community, which prides itself on providing a full-service solution that includes safe and secure physical premises along with data integrity.

The reality of the matter is that the cloud is much safer than non-hosted environments. In the example of cloud-based access control security management platforms, there are inherent layers of safeguards and security in the technology as opposed to local, software-based controllers and servers.

Still, as a security professional, you’ve probably run into many security directors or other end users who either don’t trust cloud security products or are vehemently opposed to them. They emphatically state that they will not risk their building security for the convenience, cost-effectiveness and reliability of cloud-based products. They feel there’s no upside in this method of software delivery, and that the automatic backups, accessibility and cost predictability don’t outweigh the perceived risk. They can’t quite fathom how a cloud-based product might actually be more secure in addition to providing all these benefits.

Legacy Brings Leg-iron Shackles

It’s actually the connections to the outside world through traditional web browsers, common in legacy access control security systems, which present tangible risk. Another threat is most likely a direct Open Database Connectivity (ODBC) connection to the database, with information being passed “in the clear.” Legacy systems were not designed this way out of negligence on the part of the manufacturer. They were simply designed in a different era, when network security was not a rampant concern.

Putting information and processes in the cloud has the connotation that it’s easier to hack. However, if that were true, why would we continue to do online banking and expose our finances over the Internet? We expect our financial institution has taken precautionary measures to protect that environment. Those same requirements should be expected with cloud-based access control solutions, and here are some critical factors to consider:

  • Is the connection secure? Websites use SSL certificates to encrypt the connection, which is recognized by URLs starting with ‘https’.
  • Can the hardware encrypt the data? Ensure that the field hardware has the option to turn on Transport Layer Security (TLS), which allows encryption at the board.
  • Does it use IP Client or IP Server? IP Client uses outbound ports at the user’s site instead of inbound ports, which again greatly reduces the risk of a security breach.
  • Can it do a secondary authentication? Many people who work or have worked in a corporate environment have used a dongle or token to log onto the server for access to email, ERP systems or repositories like SharePoint. It means typing in a user name and password, then a randomly generated, six-digit number that changes every 30 seconds. Two-factor authentication should be inherent to all software platforms.

The Importance of Secondary Authentication

Simple two-factor authentication could have prevented many a celebrity photo from being leaked to the web. Passwords can be guessed, recycled, or even written down, all of which compromise the security of an access control system. The cloud actually eradicates traditional security risks with two-factor authentication. Two-factor authentication comes in many forms, from biometrics to apps like Google Authenticator, which is built on RSA (encryption) technology and can be downloaded to the smartphone at no extra cost. This means that a perpetrator would need not only to know the user name and password, but also to have control or possession of your device (which has its own PIN and biometric security).

In addition, SSL encryption is something that almost all cloud-based solutions provide by default, as opposed to legacy access control products. Many legacy manufacturers offer Advanced Encryption Standard (AES) encryption from the controllers to the server, but it’s rarely implemented because of the complexity and cost. Not to mention that if you encrypt controller-to-server traffic but leave your client/server communications unsecured, where users put the system at risk through Internet connectivity and ‘bring your own’ USB devices, you are encrypting the least vulnerable link.

Some hardware providers enable Transport Layer Security (TLS) with a simple check box, and cloud-based products auto-negotiate the encryption with the boards as they initiate contact with the server. The server already holds information about the board that was entered into it, such as the MAC address, so it’s a known caller. The board is programmed to only talk over an outbound port, so IT staff do not have to enable any inbound network ports or set up port forwarding. This helps keep the network secure and lowers the workload on IT. When encryption from the board to the server is just a check box and the server automatically negotiates it, as is the case with TLS, it’s much more likely to be enabled.

Disaster Recovery

What’s more, Software as a Service (SaaS) products typically mean the database is sitting in a cloud like Amazon Web Services (AWS) or Microsoft Azure, which can bring superior economies of scale. An AWS or similar provider has redundant Internet connections, automatic data backup and recovery, months of backup power generation, cyber security experts and of course world-class premises security.

A SaaS-based access control solution can eliminate the threat of the user losing data due to negligence or being too busy to regularly back up the database. A reliable product will also provide Elastic Block Storage, meaning that each ‘write’ transaction is stored in more than one place; if the primary database goes down, that data still exists at another location and can be brought back online. A second layer of data recovery is point-in-time recovery.

If the user accidentally deletes records, it shouldn’t take much more than a quick tech support call to roll the system back to a few moments before the error happened. With most legacy systems, it is unlikely that anyone is even doing a monthly backup, and even more unlikely that there is any sort of disaster recovery plan in place.

Evolution of Cloud-hosted Access Control

The question that was always asked when intelligent control panels were first put on the network was, ‘what happens if I lose my network?’ This question is still asked and the answer is still the same: the panel continues to make all access grant and deny decisions as it normally would and all transactions are buffered and downloaded when the connection is restored. The cardholder should experience no system degradation.

In cloud systems, the question changes slightly to ‘what happens if I lose my Internet connection?’ and the answer remains the same. For customers with multiple sites over a large geographic area, a cloud solution should in fact offer more system uptime. In the traditional premises-based server system, if the Internet connection is lost at the server location, the rest of the sites lose the ability to monitor and make changes. In a cloud-based solution, data centers typically have at least two different Internet Service Providers in case one goes offline.

Very few businesses can afford to or opt to pay for redundant Internet connections, but can benefit by using a product hosted in a data center.

The cloud-hosted environment brings other distinct advantages to the user. While upfront costs are much lower because there is no need to purchase and install software on a server, the long-term total cost of ownership (TCO) is also often lower. The high upfront costs are replaced with smaller monthly payments that businesses can leverage as an ongoing operating expense. From the financial perspective, this is a lower risk model since the company won’t have any surprise costs from the loss of a server or having to rebuild a system. Lower TCO is also driving the growth of SaaS products and the data center building boom.

For customers who want to upgrade to SaaS solutions, but fear being locked in, they should do their due diligence and seek a solution built on open hardware such as authentic Mercury boards and/or HID VertX panels, Edge and Edge Evo controllers. It’s fair to say that Mercury was the first company to push for panels that could be used with multiple software companies and now both HID and Mercury panels each work with more than 20 OEM software products. Integrators should be wary of companies who advertise support for open architectures but try to sell their own proprietary hardware, claiming greater functionality and lower cost.

In the end, cloud-hosted security management platforms deliver the customer cost predictability that incentivizes the growth of their system across the enterprise. It keeps their data backed up and in a secure location. It’s readily accessible and provides secure access from home, the neighborhood coffee shop, or the office. The software is always up-to-date and delivered on demand. It never takes network security for granted, because security is inherent in its design and not an afterthought. Secure cloud solutions provide a better customer experience and lower TCO, designed with the customer’s day-to-day operations in mind.

The cloud provides enhanced services along with inherent risk reduction. It gives users choices over hardware and the ability to integrate legacy equipment without extensive upgrades. It’s easy to scale up when users need to add services or locations. It has an open architecture that lends itself to simple, comprehensive security system integration and the move away from proprietary hardware. It’s safe, secure and the future of the successful delivery of security management services.

This article originally appeared in the September 2015 issue of Security Today.
