Cloud-Based Access Control: The Cyber Pitch
Customers who need an updated access control solution are often most interested in learning about the proposed system’s features and configurability, but integrators would be wise to make sure the conversation also addresses cybersecurity. Just like any solution that relies on IP devices, today’s access control systems are potential cyber targets.
Fortunately, while it may seem unintuitive, cloud access control is a smart approach to addressing cybersecurity concerns. An integrator’s ability to explain “why” can help gain customer trust, differentiate your offerings, and ultimately close the deal.
Weaknesses of Traditional Systems
Until recently, all access control systems had a software component that dwelled in an on-site physical server or on the client’s proprietary network. Most customers are familiar with this configuration; thus, past exposure gives them a false sense of confidence. In reality, local hosting on dedicated servers is often far from secure.
When an access-control solution depends on locally hosted, dedicated servers, vulnerabilities can result from lax installation of patches and updates, system interruptions from planned and unplanned maintenance, the failure to make regular and secure data backups and poor offsite redundancy during manmade or natural emergencies. These are just some of the ways systems integrators to unknowingly leave customers’ servers vulnerable – potentially opening up liability if that customer’s system is attacked.
Even with proper installation and protocol, access control systems can also be compromised because of the poor design of their management interfaces. Hackers use automated programs called bots to automatically scan networks for vulnerable devices and attempt to log into them using common default credentials. There may also be vulnerabilities through the implementation of the system’s login screen or its remote management tool.
The Mirai botnet is a recent example in which vulnerabilities and default configuration of internet-connected devices cost businesses hundreds of millions of dollars in a single incident.
Cloud access control can offer answers to all these issues, plus more.
The Benefits
The benefits brought by genuine cloud-based access control solutions – which have been built from the ground up as a secure cloud service – include connectivity from a client’s network using multiple security standards and protocols. In this way, secure access to the system can be provided with no exposure of externally available connection points.
Users of a cloud-based system are authenticated against servers that reside in the manufacturer’s cloud infrastructure. The best cloud solutions use multi-factor authentication – for example, password, phone app and/or fingerprint – to log into the cloud management interface. They do not use default user names and passwords. Non-cloud systems handle all authentication on the customer-premise equipment, making it difficult to use advanced authentication technology and leaving the login credentials vulnerable to local attack.
While frequent feature updates and upgrades are a major selling point of any cloud-connected system, these are arguably even more vital to the overall security of the system. In standalone systems, security updates often fall by the wayside to other IT or budget concerns; however, with a truly cloud-based system, these are undertaken automatically and do not require the intervention of onsite staff. They can be pushed out as soon as any vulnerability is detected.
Because data is regularly and securely backed-up and stored, compliance and disaster recovery are made seamless with readily accessible data that does not need to be retrieved from a server-based system. This makes cloud-hosted systems more capable of offering redundancy in an emergency than most on-site solutions.
Threats from employees, or former employees, are also mitigated. Browser-based and mobile app interfaces enable a system administrator to remotely grant, modify or delete access rights of an employee or temporary contractor.
Sales Tactics
When it comes to selling the value of cybersecurity, security integrators will generally be speaking to one of three types of customers: those with robust and knowledgeable IT departments, those with smaller, resource-strapped in-house teams or individuals, and companies who outsource their IT needs to a managed services provider.
For customers with a sophisticated IT staff, the cyber advantages of a cloud solution should be an easy sell; in fact, many such companies are already embracing a cloud strategy in an effort to keep outside vendors and services off of their in-house servers. For these customers, integrators should focus on convincing them that the cloud solution being offered is the right cloud solution for the application.
Customers with understaffed in-house IT departments need as much support as possible. For them, a cloud solution removes a lot of the burden related to administering and maintaining the system; however, they may need some education regarding the cloud and cybersecurity as it pertains to access control. Stories of hacked security cameras and IoT devices are well known, but the similar vulnerabilities of access control systems are less publicized. This is a great chance for an integrator to show off their knowledge and provide valuable guidance.
For the often small business customers who outsource their IT management, integrators may be speaking with a business owner or business manager who has limited IT knowledge. These customers should immediately appreciate that your solution bypasses their IT network and that they can easily control and manage it themselves. Its turnkey nature, combined with some assurance of cybersecurity, will make it highly desirable.
Impact on TCO
By eliminating the need to purchase dedicated servers and software that require ongoing attention by IT staffers, cloud-based access-control solutions have a comparably low total cost of ownership (TCO). They also offer value the integrator, through recurring revenue on the subscription fee. In addition, these systems require minimal ongoing support, as software updates and patches are installed automatically.
But TCO should also consider the high value of thwarting cyber-attacks, because when they happen, financial losses are often more than many businesses can sustain. Verizon reports that 60 percent of breach victims in 2017 were businesses with less than 1,000 employees. Accenture reports that it takes companies an average of 50 days to recover from a malware attack. Costs can end up in the millions – not including loss of reputation and diminished goodwill.
If you are legally responsible for installing the compromised system, you may share in those costs.
Choosing a Vendor
When making an argument for cybersecurity, be sure the solution you offer is truly built for the cloud. Some manufacturers have dressed up older products to simulate the experience of using a cloud solution in response to growing customer demand for at least some level of external connectivity.
If it is necessary to open any inbound ports to manage the system from outside the building or facility, it is not a true cloud solution. The same is true if the system uses a “remote desktop”-style connection to the system’s legacy management interface.
It may be obvious, but be sure to thoroughly vet cloud solution manufacturers before recommending their product. Manufacturers must have proven track records, have the resources to do the job properly, and possess the stamina to be in business for years to come. Unlike a standalone solution, if these manufacturers vanish, so do their systems.
Josh Perry is CTO for ProdataKey, a provider of cloud-based access control products and services. Request more info about the company at www.securityinfowatch.com/12407119.