Secure Hosted Technology
What you really need to know about cloud-based security management
- By Brian Matthews, Ralph Shillington
- Sep 01, 2015
Cyber security is seemingly in the news every day. From data
breaches to security system compromises, there’s a ‘cloud’ hanging
over hosted environments, labeling them unsafe or subject to
easy compromise.
According to statistics from the “2015 Cost of Data Breach
Study: Global Analysis,” which was conducted by the Ponemon Institute, Traverse
City, Mich., and sponsored by IBM, the average cost of a data breach increased
from $3.52 million in last year’s study to $3.79 million in this year’s research.
Data integrity has been a crucial concern of the electronic security industry for
decades. However, it’s been in the forefront due to numerous breaches in the news
recently, although the majority of those have been the result of weak user names
and passwords.
For the systems integrator, data breaches and compromise result in much more
than dollar loss. Not only is the physical security and life safety of the protected
premises at risk, but critical customer data can be lost. Even more so, data breaches
and system compromise result in dissatisfied customers who will go elsewhere
for service. These episodes have a dire effect on the systems integration community
which prides itself on providing a full-service solution that includes a safe and
secure physical premise, along with data integrity.
The reality of the matter is that the cloud is much safer than non-hosted environments.
In the example of cloud-based access control security management
platforms, there are inherent layers of safeguards and security in the technology as
opposed to local, software-based controllers and servers.
Still, as a security professional, you’ve probably run into many security directors
or other end users who either don’t trust cloud security products or are vehemently
opposed to them. He or she emphatically states that they will not risk their
building security for the convenience, cost-effectiveness and reliability of cloudbased
products. They feel there’s no upside in this method of software delivery,
and the automatic backups, accessibility and cost predictably don’t outweigh perceived
risk. They can’t quite fathom how a cloud-based product might actually be
more secure in addition to providing all these benefits.
Legacy Brings Leg-iron Shackles
It’s actually the connections to the outside world through traditional web browsers,
common in legacy access control security systems, which promote tangible
risk. Another threat is most likely a direct Open Database Connectivity (ODBC)
connection to the database and information being passed “in the clear.” Legacy
systems were not designed this way because of negligence on the part of the manufacturer.
They were simply designed in a different era when network security was
not a rampant concern.
Putting information and processes in the cloud has the connotation that it’s
easier to hack. However, if that were true, why would we continue to do online
banking and expose our finances over the Internet? We expect our financial institution
has taken precautionary measures to protect that environment. Those same requirements should be expected with cloud-based access control solutions, and
here are some critical factors to consider:
- Is the connection secure? Websites use SSL certifications to encrypt the connection,
which are recognized by URL’s starting with ‘https’.
- Can the hardware encrypt the data? Assure that the field hardware has the option
to turn on TLS (Transport Layer Security) capabilities that allows encryption
at the board.
- Does it use IP Client or IP Server? IP Client uses outbound ports at the user’s
site instead of inbound ports, which again, greatly reduces the risks of security
breaches.
- Can it do a secondary authentication? Many people who work or have worked
in a corporate environment have used a dongle or token to log onto the server
for access to email, ERP systems or repositories like SharePoint. It means typing
in a user name, password, then a randomly generated, six-digit number that
changes every 30 seconds. Two-factor authentication should be inherent to all
software platforms.
The Importance of Secondary Authentication
Simple, two-factor authentication could have prevented many a celebrity photo
from being leaked to the web. Passwords can be guessed, recycled, or even written
down; all factors which compromise the security of an access control system.
The cloud actually eradicates traditional security risks with two-factor authentication.
Two-factor authentication comes in many forms from biometrics to apps
like Google Authenticator which is built on RSA (encryption) technology, and
can be downloaded to the smartphone at no extra cost. This would mean that a
perpetrator not only would need to know the user name and password, but would
also have to have control or possession of your device (which has its own PIN and
biometric security).
In addition, using SSL encryption is something that by default almost all cloudbased
solutions provide, as opposed to legacy access control products. Many legacy
manufacturers provide Advanced Encryption Standard (AES) encryption from
the controllers to the server, but it’s rarely implemented because of the complexity
and cost. Not to mention that if you aren’t securing your client/server communications
where users are putting the system at risk through Internet connectivity
and ‘bring your own’ USB devices, you are encrypting the least vulnerable device.
Some hardware providers enable Transport Layer Security (TLS) with a simple
check box and cloud-based products auto-negotiate the encryption with the
boards as they initiate contact with the server. The server already knows information
about the board entered into it such as the MAC address and other information,
so it’s a known caller. The board is programmed to only talk over an outbound
port, so IT staff does not have to enable any inbound network ports or set
up port forwarding. This helps keep the network secure and lowers the workload
on IT. When encryption from the board to the server is just a check box and the
server automatically negotiates it as is the case with TLS, it’s much more likely to
be enabled.
Disaster Recovery
What’s more is that Software as a Service (SaaS) products typically mean the database
is sitting in a cloud like Amazon Web Services (AWS) or Microsoft Azure,
which can bring superior economies of scale. An AWS or similar provider has
redundant Internet connections, automatic data backup and recovery, months of
backup power generation, cyber security experts and of course world-class premise
security.
A SaaS based access control solution can eliminate the threat of the user losing
data due to negligence or being too busy to regularly backup the database. A reliable
product will also provide Elastic Block Storage, meaning that multiple ‘write’ transactions are provided and in case the primary database goes down, that data
would exist at another location and brought back online. A second layer of data
recovery would be a point in time recovery.
If the user accidentally deletes records, then it shouldn’t take much more than
a quick tech support call to roll the system back to a few moments before the error
happened. With most legacy systems, it is unlikely than anyone is even doing a
monthly backup and even more unlikely that there is some sort of disaster recovery
plan in place.
Evolution of Cloud-hosted Access Control
The question that was always asked when intelligent control panels were first put
on the network was, ‘what happens if I lose my network?’ This question is still
asked and the answer is still the same: the panel continues to make all access grant
and deny decisions as it normally would and all transactions are buffered and
downloaded when the connection is restored. The cardholder should experience
no system degradation.
In cloud systems, the question changes slightly to ‘what happens if I lose my Internet
connection?’ and the answer remains the same. For customers with multiple
sites over a large geographic area a cloud solution should in fact offer more system
uptime. In the traditional premise-based server system, if the Internet connection
is lost at the server location, the rest of the sites lose the ability to monitor and
make changes. In a cloud-based solution, data centers typically have at least two
different Internet Service Providers in case one goes offline.
Very few businesses can afford to or opt to pay for redundant Internet connections,
but can benefit by using a product hosted in a data center.
The cloud-hosted environment brings other distinct advantages to the user.
While upfront costs are much lower because there is no need to purchase and
install software on a server, the long-term total cost of ownership (TCO) is also
often lower. The high upfront costs are replaced with smaller monthly payments
that businesses can leverage as an ongoing operating expense. From the financial
perspective, this is a lower risk model since the company won’t have any surprise
costs from the loss of a server or having to rebuild a system. Lower TCO is also
driving the growth of SaaS products and the data center building boom.
For customers who want to upgrade to SaaS solutions, but fear being locked in,
they should do their due diligence and seek a solution built on open hardware such
as authentic Mercury boards and/or HID VertX panels, Edge and Edge Evo controllers.
It’s fair to say that Mercury was the first company to push for panels that
could be used with multiple software companies and now both HID and Mercury
panels each work with more than 20 OEM software products. Integrators should
be wary of companies who advertise support for open architectures but try to sell
their own proprietary hardware, claiming greater functionality and lower cost.
In the end, cloud-hosted security management platforms deliver the customer
cost predictability that incentivizes the growth of their system across the enterprise.
It keeps their data backed up and in a secure location. It’s readily accessible
and provides secure access from home, the neighborhood coffee shop, or office.
The software is always up-to-date and delivered on demand. It never takes network
security for granted, because security is inherent in its design and not an
afterthought. Secure cloud solutions provide a better customer experience and
lower TCO designed with the customer’s day to day operations in mind.
The cloud provides enhanced services along with inherent risk reduction. It
gives users choices over hardware and the ability to integrate legacy equipment
without extensive upgrades. It’s easy to scale up when users need to add services or
locations. It has an open architecture that lends itself to simple, comprehensive security
system integration and the move away from proprietary hardware. It’s safe,
secure and the future of the successful delivery
of security management services.
This article originally appeared in the September 2015 issue of Security Today.