Cloud access control and the fear of hacking
Source: Spica International
There are many advantages of access control in the cloud. The main objection, however, has been internet security or, simply put, the fear of hacking. To be able to properly weigh the benefits against the risks, we need to address security concerns specific to cloud access control.
In the cloud, internet security is a natural concern. For security applications such as access control, the security of the cloud platform is paramount. So, let's explore what the specific security risks of cloud-based access control are.
What we can realize very quickly is that most security risks are not specific to access control: hacking into or disrupting cloud servers, hacking into mobile devices, or stealing digital security credentials through software vulnerabilities and social engineering. All these risks are well known and apply to online security in general, in a similar way to online banking. And if it is good enough for them, it should be good enough for us, right? So far so good!
Device security is critical
What is not the same, however, and applies specifically to access control, is device security. Cloud-managed access controllers are connected security devices and as such require secure online authentication, encrypted communications and remote management. So, for cloud access control, we need a new generation of cloud access controllers, which are considered secure by design. There is no technical reason to assume otherwise.
The new generation of "cloud access controllers" is based on hardware platforms that are capable of supporting industry-standard algorithms for encryption, and making them safe is just a matter of implementing them properly by following the rules of "security by design".
It is worth stressing that this is not something that can be done using traditional controllers designed for closed, local area networks. There are at least two reasons for this. The most obvious reason is that these controllers as a hardware platform were not designed to be capable of performing standard, state-of-the-art encryption required by modern network security protocols. The second reason is that most of them are not even programmable to the extent that would allow rewriting of the core authentication, encrypted communication and remote management code.
Local is long gone
So the key component of cloud access control is the cloud access controller. Paired with OSDP readers, it is the critical link delivering encrypted security down to the individual card reader at the door, end-to-end.
And this is exactly the point where cloud access control security becomes superior to its traditional on-premise counterpart. There is no practical way of ensuring end-to-end security with traditional controllers without keeping the system strictly local. And even if strictly local, traditional access control provides much easier attack vectors for a modern hacker. Old-school security is often too dependent on corporate IT security policies and practices, which are all over the place. Or let's say they are not always up to the task of providing the IT security required for security management.
But local is long gone. In this day and age, nobody wants to babysit their system on the premises in order to keep it safe. What is happening right now is that many on-premise systems are being connected to the internet, either intentionally through some kind of remote access or even by accident, because they reside on server infrastructure which sooner or later gets some kind of internet connection. Such systems are significantly more vulnerable to hacking because they have not been designed to cope with that kind of threat. From configuring firewall rules to updating the operating system, server hardening and patching vulnerabilities in the application layer, such systems need constant care, expert knowledge and extra measures to be kept secure. That makes them automatically either less secure or rather costly to operate and maintain.
As surprising as it may be, a closer look tells us that cloud access control is less hackable than traditional on-premise systems. That brings us to the conclusion that, at the end of the day, we can consider security to be one of the important advantages of cloud access control.
We can consider cloud access controllers to be IoT devices and consequently we could talk about IoT security. However, access controllers are complex devices holding sensitive data and autonomously carrying out sensitive operations in real time. They are considerably more complex and critical than a typical IoT node, such as a lightbulb or a temperature sensor. With time, access control may move more into the IoT domain through development of lower level online components, such as autonomous door locks, card readers, door sensors and other access control paraphernalia – these are now normally connected through the controller.