
Securing Critical Assets

Posted On 15 Apr 2018

Access control systems have come a long way since the invention of the lock and key. Advances in technology have allowed solutions to be integrated with web-based systems, bringing traceability and time management to mechanical keys. Here, Pip Courcoux discusses integrated access control and why the protection regime enacted for physical assets is just as important as that imparted with data security in mind.

The technological evolution in access control has created passkeys, cryptographic keys and encryption keys. Although all of these new access control products are available, cyber security often remains the focus of many organisations’ security concerns, with physical security an afterthought. For example, you know to change your e-mail password and web logins every three months in order to keep your online information secure, but how often do you change your keys?

Data and cyber security vigilance is important, but it’s a futile exercise if someone can attack your assets through the use of your keys. In short, organisations shouldn’t become so focused on cyber security that they’re failing to protect their premises effectively.

Keys provide physical access to critical assets, including areas that house servers holding customer data, and to offices where customers’ accounts are managed. Despite this, we often see organisations unsure of how many keys they have in circulation, or where they are at any given moment in time.

One of the issues faced by large organisations, and especially those residing in the Critical National Infrastructure (CNI) sphere, is the vast number of key holders accessing disparate sites. This presents major difficulties in controlling those keys. Key holders can range from full-time employees through to temporary staff members and on to contractors. All of these key holders will have different and individual access control requirements, with various levels of authorisation and needing access to specific locations at certain times.

Compliance is key

Take contractors as an example. If you have a data processing contract, they would require access to data for a period of time to complete their work, but there would be defined steps in place to make sure that, once the contract has finished, they no longer have access to (or any visibility of) the data involved. If the contractor has a physical key it’s much harder to restrict their future access to the system.

When it comes to temporary staff, you may have new employees joining an organisation, people moving to different departments and also members of staff leaving. Once an employee moves departments, electronic access to software and systems can be easily controlled, but physical access restriction is far trickier. It’s easy to wipe someone’s phone or laptop if they lose it or leave the business, but you cannot do this with a mechanical key.

With regard to permanent staff, compliance is vital. Do they have the permits to work in a given area and can you control it? Any business changes such as mergers and acquisitions can alter a person’s responsibility. In this instance, data access may be controlled electronically with ease, but it’s difficult to be so flexible on physical access with mechanical keys.

Taking control

What, then, is the solution to this issue of key control to protect critical assets and information? Electronic key solutions that feature web-based management can be integrated with existing telemetry systems to help control and manage operations. This offers a high level of both physical and data protection, given that they only use accredited software and infrastructure providers. For example, some systems boast an electronic key system where all the power is retained by the key or locks themselves. This means no wiring is required, whether the system uses door cylinders, cabinet locks or padlocks.

End users have secure access to an online management application from anywhere in the world and can change key access permissions, profiles, schedules and validity, even revoking their use virtually at the click of a button. Keys may be validated daily, weekly or monthly for continuous security. Users are required to change their password every three months.

This enables an organisation to comprehensively track and audit who has access to which locations, when they had access and on how many occasions. Access can be granted only at the exact moment it’s required, thereby mitigating the risks associated with lost or stolen keys.

Bluetooth 4.0 technology

What’s more, certain advanced systems take advantage of the latest Bluetooth 4.0 technology, meaning that keys can be activated through a smart phone and access rights granted to the user ‘on site’. This revolutionises remote access control by bringing it firmly and squarely into the mobile era, subsequently offering flexibility and time savings as well as enhancing ease of use.

This offers a solution to the issue of key control and being able to effectively manage access rights in organisations where there’s staff fluidity. If a key should happen to be lost, or if a contractor or temporary member of staff needs access revoking, this can all be done centrally by an administrator, minimising the risk of a physical security breach.

In addition, if access rights need to be altered, with a permanent employee being given permission to enter more areas, this can be done both quickly and easily, even with the use of a smart phone.

Operational efficiency

In the case of CNI operations, security is vital to the continuity of essential services. As well as minimising the vulnerability of an organisation, there are many additional benefits to be gained when installing a solution such as this and integrating it with other ‘smart’ systems.

Financial savings, CO2 emissions reduction and, most importantly, time savings can all be made with smart infrastructure integration. For example, access control can be linked with ‘Enterprise Resource Planning’ systems to identify key holders on shift. ‘Permit to Work’ systems can be linked to ensure that they’re still compliant for the job at hand, and telemetry and SCADA systems can be linked to ascertain where they need to be.

The hybrid between mechanical and electronic technologies is the ‘key’ to success in this arena, maintaining the strict standards required for security while also enhancing operational efficiencies for the future.

Many organisations in the power generation, water supply, telecoms, financial and healthcare sectors have witnessed improved operational control and efficiency when moving to an integrated web-based access control system. One institution even saw a return on investment of 600% in the first 12 months following installation. Most importantly for any host organisation, when the data’s secure and managed effectively, service continuity and resilience are guaranteed.

Supply chain data

When integrating an access control solution with other cloud-based systems, it’s inevitable that the issue of data security does come into play. Although implementing an access control system such as the one previously mentioned offers high security and operational efficiencies, data security in the supply chain needs to be considered in detail as well.

Resilience is a key factor. Ensuring a safe supply chain environment can seem like an impossible task, but there are ways to minimise risk. Ask yourself: “How ‘stable’ are my suppliers?” … “From where do they source their products?” … “How safe and protected are their assets?” … and “How robust are their own relationships with their suppliers?”

To mitigate risk, it’s crucial to identify dependencies and vulnerabilities that can impact supply chains. Increasing the visibility of these areas allows organisations to anticipate their impact and plan ahead for contingencies.

In a similar vein, in order to ensure the highest level of access control security, the in-house security or risk-focused professional must select a supplier who uses accredited software and infrastructure providers that provide enterprise level Software as a Service solutions compliant with European and national standards for physically secure key systems.

Three-factor authentications

Three-factor authentications are also desirable, including standard 256-bit encryption, advanced encryption and industry standard SHA-2 SSL certificates.

When it comes to integrated access control, then, it’s important for security professionals not to focus all of their attentions solely on the safety of data. It’s just as important to guarantee the physical security of assets. Covering all bases will ensure resilience and continuity of essential services, while organisations can reap the additional benefits of improved operational control and efficiency.

 

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.