Why the word 'portals' should be eliminated from mobile access discussions

Feb. 21, 2019
As data rich targets, portals make PACS vulnerable to hackers and regulatory compliance issues

For the past several years, there’s been a focus by integrators and customers to assure that their card-based access control systems are secure. To give businesses an extra incentive to meet their cybersecurity threats, the United States Federal Trade Commission (FTC) has decided to hold the business community responsible for failing to implement good cybersecurity practices and is now filing lawsuits against those that don't. For instance, the FTC filed a lawsuit against D-Link and its U.S. subsidiary in 2017, alleging that it used inadequate safeguards on its wireless routers and IP cameras that left them vulnerable to hackers.

Likewise, in Canada, data protection and cybersecurity are governed by a complex legal and regulatory framework. Failure to understand this framework and take active steps to reduce risks, or the impact of such risks when they materialize, can have serious legal and financial consequences for an organization.

In Europe, the "Network and Information Security Directive" (NISC) is the main strategy taken to harmonize continent-wide provisions on cybersecurity. As such, the European Union Agency for Network and Information Security (ENISA) is its center of expertise. The main goal is to set high standards of cybersecurity to be respected by each European Union (EU) member state.

Now, as leading international companies are learning how to protect card-based electronic access control systems within these relatively new standards, along comes mobile access credentials and their companion readers which use smart phones instead of cards as the vehicle for carrying identification information. While many companies still incorrectly perceive that they are safer with a traditional access card, when done properly, mobile can be a far more secure option with many more features to be leveraged. They deliver biometric security, powerful encryption, location services, as well as an array of communication capabilities from cellular and Wi-Fi to Bluetooth Low Energy (BLE) and NFC.

Nonetheless, there exists a major caveat emptor with upgrading to mobile access control.

The Problem Is Portals

A special word of caution needs to be emphasized when changing over to mobile systems. Many mobile credential solutions require the use of back-end portals.

For hackers, portals can be rich targets, often containing sensitive end-user data. These types of mobile solution often force the users to register themselves, and sometimes their integrators, for every application. Add a door reader – register. Add a parking reader – register again. Add a new credential – register again, and with each registration requiring the disclosure of sensitive personal information.

The bookkeeping to onboard alone can be confusing. Who signs up? The integrator? The end-user? Both? Who’s responsible for security? The data center? The portal provider? The OEM? The integrator? Does the end-user have responsibilities? And who actually owns the end-user’s sensitive private data?

These portals may include long-term contracts and hidden fees. What are these? Do they guarantee the portal’s up and running? Have the contracts been approved by legal?  Who’s bound?  For how long?  And for the fees, one-time, annual or usage based? Are they fixed through the life of the system? Who’s responsible for paying? This is proving a real challenge for professional OEM access control system manufacturers, integrators and end users alike.

There Is a Resolution

Newer answers provide an easier way to distribute credentials with features that allow the user to register their handset only once and need no portal accounts, activation features or hidden fees. Users don't need to fill out several different forms. Today, all that should be needed to activate newer systems is the phone number of the smart phone.

And, smartphone access credentials are best sold in the same manner as traditional 125-kHz proximity or 13.56-MHz smart cards - from the existing OEM to the integrator to the end users. In this distribution model, integrators will find smartphone credentials will be more convenient, less expensive and more secure. They can be delivered in person or electronically. They are quicker to bill with nothing to inventory or be stolen. End-users will find, in most cases, soft credentials can be integrated into their existing access control system, operating equally well in cloud-based, networked or stand-alone electronic access system environments.

When mobile credentials are sold from OEM to integrator to end user, which is often referred to as the “true channel," it avoids the hassle of back-end on-boarding portals and minimizes the risks of hacking. By removing these and additional intrusive information disclosures, vendors have also lessened end-user privacy concerns, as well as wisely protecting themselves from the wrath of governmental standards organizations.

About the Author

Tom Piston | U.S. Eastern Regional Manager, Farpointe Data

Tom Piston is U.S. Eastern Regional Manager at Farpointe Data.