Public vs. Private Cloud Access Control Security

Public vs. Private Cloud Access Control Security

Organizations are rapidly moving away from traditional physical access control systems and toward cloud-based access control systems.

What is Cloud-Based Access Control?

Cloud computing is a model for enabling ubiquitous, convenient, and on-demand access to a shared pool of configurable computing resources without any user interaction. Cloud-based access control is a physical security system that leverages the cloud to provide a better user experience on the back end for getting in and out of your buildings.

This technology solution enables companies to manage their security system from a single centralized location, thereby reducing the need for additional resources. It also enables security teams to remotely manage their physical security functions, such as door access, while receiving real-time video verification alarms and events.  

Public vs. private cloud security presents a critical decision point for businesses navigating the digital landscape. When considering the optimal security solution, weighing the merits of public and private cloud environments is paramount. Public cloud security offers scalability and cost-effectiveness but entails shared infrastructure risks. In contrast, private cloud security provides dedicated resources, which is ideal for organizations with stringent compliance requirements or sensitive data. 

Key Takeaways

·        Advantages of cloud-based access control: lower upfront costs, enhanced flexibility, and remote management capabilities.

·        Enterprises and large corporation use cases: a cloud-based access control solution allows for centralized security management and scalability across multiple locations.

·        Key features of cloud-based access control systems: integrations with other security solutions, real-time alerts, and biometric authentication.

·        Necessity of training: Training is essential for your team to effectively manage, operate, and maintain data privacy and security.

What is Public Cloud Security?

Public cloud security involves cloud service providers (CSPs) implementing practices, technologies, and policies to protect data, applications, and infrastructure in their shared public cloud environments. These environments are accessible to multiple organizations over the internet, emphasizing the importance of implementing robust security measures, which is crucial for preventing unauthorized access and data breaches.

Key Takeaways of Public Cloud Security

1.   Data Encryption: Encrypting data both during transit and at rest is vital for safeguarding sensitive information against unauthorized access. Public cloud providers often offer data storage and transmission encryption services, ensuring heightened security measures.

2.   Identity and Access Management (IAM): Implementing robust IAM policies ensures that only authorized users and services can access resources within the cloud environment. This process involves employing techniques such as multi-factor authentication (MFA), role-based access control (RBAC), and adhering to the principle of least privilege.

3.   Network Security: Configuring firewalls, network segmentation, and virtual private networks (VPNs) helps control traffic flow and prevent unauthorized access to cloud resources. Additionally, intrusion detection and prevention systems (IDPS) actively monitor network traffic for suspicious activity, enhancing overall security measures.

4.   Compliance: Public cloud providers adhere to industry standards and regulations regarding data privacy and security, including HIPAA, PCI DSS, and GDPR. This entails implementing robust compliance measures to ensure regulatory requirements and best practices handle customer data.

 

Benefits of Public Cloud Security

1.   Cost-Effectiveness: Public cloud providers heavily invest in security infrastructure and expertise, enabling customers to leverage these resources without requiring significant upfront investment. This approach ensures cost-effectiveness for customers, who can access top-tier security measures without bearing the entire burden of upfront costs.

2.   Automated Security Features: Many providers incorporate automated security features that handle tasks such as patching vulnerabilities and detecting suspicious activity. This streamlines security management for users by automating crucial processes.

3.   Scalability: Public cloud security automatically scales with your requirements, removing the necessity for manual infrastructure provisioning and management. This simplifies the process of maintaining security measures as your needs evolve.

4.   Expertise: Public cloud providers maintain dedicated security teams that continually monitor and update their infrastructure, providing users access to advanced security expertise. This ensures users benefit from ongoing security enhancements and support from experienced professionals.

 

Challenges of Public Cloud Security

1.   Shared Responsibility: Customers must comprehend their security responsibilities and actively implement suitable controls within the cloud environment. This ensures that users actively contribute to securing their data and resources in the cloud.

2.   Compliance Concerns: Depending on the industry and regulations, public cloud storage may not suit susceptible data due to compliance concerns. This implies that users must carefully assess regulatory requirements and industry standards when storing sensitive information in the public cloud.

3.   Limited Control: Customers rely on the provider’s security measures and have less control over the underlying infrastructure than a private cloud. This means that users depend on the provider’s security protocols rather than having direct control over the infrastructure.

4.   Vendor Lock-In: Complex data portability challenges and integration complexities make switching to a different provider difficult, leading to vendor lock-in. This means that users may need help migrating their data and systems to another provider due to various technical hurdles and dependencies.

 

What is Private Cloud Security?

Private cloud security involves implementing practices, technologies, and policies to protect data, applications, and infrastructure within a dedicated environment exclusive to a single organization. Unlike public clouds, private clouds are not shared with other entities, ensuring higher control and customization over security measures to meet specific organizational needs and compliance requirements.

Key Takeaways of Private Cloud Security

1.   Access Control: Within the private cloud, ensure stringent access controls are in place to prevent unauthorized entry, utilizing authentication methods like passwords, multi-factor authentication, and role-based access control (RBAC) to uphold the principle of least privilege. Only authorized individuals can access resources by implementing these measures, lowering the risk of data breaches.

2.   Encryption: To ensure data security within the private cloud, utilize encryption techniques for data both in transit and at rest. Utilize Transport Layer Security (TLS) or Secure Sockets Layer (SSL) protocols to safeguard data while it is being transmitted. For data at rest, implement encryption algorithms like AES to maintain confidentiality and integrity, bolstering overall data protection measures.

3.   Logging and Monitoring: Activate logging and monitoring functions to oversee user actions, system events, and security issues in the private cloud. Employ real-time alerts and log analysis to identify and address security threats promptly.

4.   Compliance and Auditing: Ensure adherence to applicable data privacy and security regulations like GDPR, HIPAA, or PCI DSS in the private cloud. Regularly perform security audits and assessments to confirm compliance and pinpoint opportunities for enhancement.

 

Benefits of Private Cloud Security

1.   Enhanced Control: Organizations can exercise full control over security configurations in the private cloud, customizing them to meet unique needs and compliance mandates. This allows for precise alignment with organizational requirements and regulatory standards.

2.   Compliance: Meeting industry regulations and compliance needs are simplified by increasing control over the environment in the private cloud. This facilitates tailored adjustments to ensure alignment with specific regulatory standards and industry requirements.

3.   Improved Security: Dedicated infrastructure lowers the likelihood of unauthorized access and data breaches compared to public clouds, enhancing overall security posture.

4.   Customization: Organizations can tailor security controls and implement solutions that align precisely with their environment, enhancing security effectiveness. This flexibility allows for optimal adaptation to unique requirements and threat landscapes.

 

Challenges of Private Cloud Security

1.   Increased Expenses: Managing and maintaining secure infrastructure demands substantial hardware, software, and personnel investments, resulting in higher costs. This financial commitment is necessary to ensure the ongoing security and integrity of the infrastructure.

2.   Management Burden: Smaller organizations may find it challenging to manage and maintain infrastructure securely due to the specialized expertise required. This requires dedicated personnel to handle the management burden effectively and uphold robust security practices.

3.   Less Scalability: Scaling resources in the private cloud may entail slower and more intricate processes than in the public cloud, necessitating extra planning and investment. This complexity can impede rapid scalability and requires careful consideration for smooth resource allocation.

4.   Lack of Expertise and Skills: The absence of necessary knowledge and varying skill levels among team members can hinder efficient operations and pose challenges in managing the infrastructure effectively. This underscores the significance of continuous training and knowledge sharing to address skill disparities and uphold operational excellence.

Public vs. Private Cloud Security

Basis	Public Cloud Security	Private Cloud Security
Infrastructure	Shared with other organizations	Dedicated to a single organization
Security Features	Built-in security features provided by CSP	Requires implementing and managing own security controls
Control	Limited control over underlying infrastructure	Full control over infrastructure and configuration
Scalability	Highly scalable	Less scalable
Cost	lower cost	Higher cost

 

Which Cloud is Best For Your Business?

When selecting the right cloud security approach, assess your business’s unique needs, risk tolerance, and compliance mandates. Public Cloud offers cost-effective scalability and agility, robust security measures, and shared environment risks. The private cloud caters to stringent security and compliance demands, providing greater control and customization. Opting for a hybrid cloud strategy combines both advantages, ensuring cost-effectiveness and scalability while maintaining heightened security for sensitive data. Ultimately, the choice hinges on your specific requirements, emphasizing the importance of a tailored approach to cloud security.

How to Update to Cloud-Based Access Control

When security teams are ready to make the switch to cloud-based access control, it’s important to research different providers and weigh the pros and cons of each one. Once a provider has been selected, it is important to develop a migration plan. The plan should include inventorying existing hardware and software, developing an installation timeline, budgeting for new equipment and installation costs, and training employees on how to use the new system.

Why Move to Cloud-Based Access Control?

There are several reasons why teams should consider moving to the cloud. The main benefits of cloud-based access control include improved scalability and flexibility, enhanced security, cost savings, and easier management. Below, we'll dive into six key reasons why cloud-based solutions may be the right choice for your organization:

·        Unified security

·        Scalable & flexible

·        Ease of use

·        Integrations

·        Cost-effectiveness & maintenance

·        Risk reduction

Cloud-Based Access Control VS. Traditional Access Control

Cloud-based access control systems offer several advantages over traditional systems, including lower upfront costs, ease of use, and remote monitoring capabilities. However, it’s important to consider all factors when deciding which type of system is best for the business. Below, we'll highlight five key differences between cloud-based and traditional access control systems to help guide your decision-making process:

·        Cost

·        User experience

·        Remote monitoring

·        Cybersecurity

·        Centralized location

 Source: Internet

3 Cybersecurity Steps to Reduce Threats to your Electrical System

 3 Cybersecurity Steps to Reduce Threats to your Electrical System

When anyone mentions cybersecurity, you may automatically think they are referring to IT systems. That is because protecting IT networks – and their associated personal, financial, and other proprietary data – has been the responsibility of IT professionals for an exceptionally long time. But what about your operational technology (OT) infrastructures? Are they also at risk from cyberattacks? How can you protect them? In this post, we’ll discuss these questions, and three specific recommendations for protecting your electrical systems.

The electricity subsector cybersecurity Risk Management Process (RMP) guideline was developed by the Department of Energy (DOE), in collaboration with the National Institute of Standards and Technology (NIST) and the North American Electric Reliability Corporation (NERC).

OT Cyberattacks: An Increasing Threat

The Ponemon Institute emphatically states that, “Cyberattacks are relentless and continuous against OT environments.” In a survey of over 700 organizations from six countries they found that 50 percent had experienced a cyberattack against their OT infrastructure within the last two years that resulted in downtime. For large and critical operations, this can be devastating.

All you need to do is follow the news to see frequent examples of such attacks. For example, in early 2021, the fast action of a technician narrowly avoided the risk of thousands of people being poisoned due to a hacker gaining access to a Florida city’s water treatment plant. Going back a few years, a breach that came through the HVAC system caused international retailer Target to have 40 million credit and debit card accounts compromised, costing them $290 million.

 

The latter example is just one of many that show why building systems are now widely recognized as OT attack targets. The evolution toward smarter buildings is causing an explosion in the numbers of connected devices – already an estimated 200+ million in commercial buildings alone. With more devices comes more data that needs to be protected, but for facility and business management teams to extract the maximum value, data must be aggregated and shared across OT and IT systems.

This OT/IT interconnection means that a cyberattack on an OT system can:

·        Compromise operational safety or the health of building occupants

·        Impact productivity by taking down production lines or other equipment and processes; more about the relationship between Cybersecurity and Productivity.

·        Ultimately cause an IT threat by passing malware or a virus from the OT to IT infrastructure

The Attack Surface is Now Larger

Essentially, connected OT infrastructures have increased the ‘attack surface’ for hackers and, in many cases, have acted as an organization’s Achilles heel. Clearly, it is not enough anymore to focus attention only on protecting IT and data systems integrity. All organizations must ensure strong OT cybersecurity is in place.

But what OT systems are we talking about? Depending on your type of operation, these can include industrial automation systems (e.g. SCADA) and smart building systems like a building management system (BMS), building security, lighting systems, and the energy and power management system (EPMS) overseeing your facility’s electrical distribution. Navigant Research notes, “Cybersecurity issues are expected to grow in tandem with the digital transformation of real estate through intelligent building technologies.”

In this post, we will consider cybersecurity specifically for your EPMS and electrical distribution system. However, these recommendations and practices equally apply to other OT systems.

Connected Power Means Greater Vulnerability

Energy and power management systems are helping organizations boost efficiency and sustainability, optimize operating costs, maximize uptime, and get better performance and longevity from electrical assets. When combined with BMS, an EPMS can also help make the work environment healthier and more productive for occupants.

Enabling these EPMS benefits is a connected network of smart metering, analysis, control, and protection devices that share data continuously with onsite and/or cloud-based EPMS applications. The application provides extensive monitoring and analytics while providing mobile access to data and alerts to all facility stakeholders. Connection to the cloud also opens the door to expert power and asset advisory support that can augment a facility’s onsite team with 24/7 monitoring, predictive maintenance, energy management, and other services.

All these onsite, cloud, and mobile connections offer a potential target and entry for hackers so you can read our facility managers guide to building systems and cybersecurity.

 

Securing Your Electrical System: A Holistic Approach

A hacker only needs to find one ‘hole’ in one system, at one point of time, to be successful. What you need is a holistic approach to ensure that all potential vulnerabilities are secured. For new buildings, cybersecurity best practices should be a part of the design of all OT systems. For existing buildings, cybersecurity should be addressed when OT systems are starting to be digitized. For both scenarios, the following are three key considerations:

1. Seek Specialized, Expert Assistance

The priorities for IT systems are confidentiality, integrity, and availability. For OT, the top priorities are safety, resilience, and confidentiality. This means that OT security upgrades or problems need to be addressed in a different way from IT, with careful planning and procedures. For these reasons, you need to choose a cybersecurity partner who has proper OT experience, to help you comply with all relevant cybersecurity standards and best practices.

OT systems also use different communication protocols compared to IT systems, such as BACNet, Modbus, etc. If you had your IT team attempt to perform OT security system scans, those scanning tools might cause serious conflicts, risking an OT system shutdown.

Cyberthreats are also constantly evolving, so you should seek a partner who offers ongoing OT monitoring services, updates, system maintenance, and incident response. All of these should be available remotely.

2. Put the Right Controls in Place

An OT cybersecurity specialist will help audit your EPMS and electrical systems to assess the current vulnerabilities and risks, including the gaps in any procedures and protocols.

You and the specialist must determine how secure your electrical system needs to be. The IEC 62443 standard helps protect IoT-enabled OT systems by defining seven foundational requirements (e.g. access control, use control, availability, response, etc.), each of which are designated a security level. Increased security levels offer greater protection against more sophisticated attacks. Your cybersecurity partner will help you determine the level of security you need for each requirement.

An example of one technique for securing networked systems is to break up systems into ‘zones,’ with each secured individually. OT will be separated from IT, and within OT there may be further segregation. A special ‘demilitarized’ zone is typically included, which is a perimeter subnetwork that sits between the public and private networks for an added layer of security. This makes it harder for hackers to find a way in from one system or zone to another. Where required, connections between networks are provided by specially secured data ‘conduits.’

Your electrical system should also be physically secured, with no access by unauthorized personnel. This same strategy applies to EPMS communications network security by means of controlled, multi-tiered permission-based access.

3. Train your Staff

Many cyberattacks are successful because employees have caused unintended errors. It is important that your people become aware of, and vigilant against, cyberthreats. This includes giving your operations team specialized OT cybersecurity training.

This training will typically include multiple steps, including training all individuals to spot social engineering cues, such as phishing attempts or attempts to access protected areas using pretexting (i.e. someone pretending to be a vendor to gain access). This will also include establishing protocols around the use of passwords, multi-factor authorization, policies around WiFi access (e.g., guest network that remains isolated from OT networks), regular auditing of user accounts and permissions, etc.

While the horizontal cybersecurity framework provides a solid basis, specific characteristics of the energy sector such as the need for fast reaction, risks of cascading effects and the need to combine new digital technology with older technologies necessitate specific legislation.

Thanks to Felix Ramos & Khaled Fakhuri to write this article.

AI, Cloud and Cybersecurity Open New Opportunities for Integrators

AI, Cloud and Cybersecurity Open New Opportunities for Integrators 

I was recently asked which technologies are going to have the most significant impact on the physical security industry in the next few years. With the rapid pace of change in technology today, there is no simple answer to this question.

One thing that is certain is that companies are under pressure to become more efficient, secure and operationally aware. That, in turn, is driving the need for real-time data capturing and processing from every part of their business, including security.

We are just beginning to see how emerging technologies and concepts such as artificial intelligence (AI), Cloud computing and cybersecurity are impacting our industry. As companies plan for the future, budgets are increasingly focused on innovative solutions that can help to process the growing amount of data being captured and consumed.

Manufacturers and systems integrators that understand this shift have been quick to identify opportunities to win new business through the introduction of value-added applications or new services capable of generating recurring monthly revenue.

We explore some of those technologies and opportunities below.

Artificial intelligence and analytics

AI analytics is the product of automating data analysis—a traditionally time-consuming and people-intensive task—using the power of today's artificial intelligence and machine learning technologies.

AI analytics refers to a subset of business intelligence that uses machine learning techniques to discover insights, find new patterns and discover relationships in the data. In practice, AI analytics is the process of automating much of the work that a data analyst would normally perform.

Customers are looking to AI and data analytics to gain better insight into their operations. These offerings can enable security-related intelligence or operational and customer insights. The key to AI is self-learning algorithms that, over time, get better at identifying certain targeted behaviors or transactions and reducing false positives.

We have also begun to see several chip manufacturers introduce next generation processors with AI built into the core firmware. As a result, systems integrators can expect to see many product innovations in 2018 focused on advanced video analytics, data integrations and application software.

The challenge for their customers will be clearly defining which data is most valuable to them, who will have access to it, and how to best manage it. Systems integrators can play a key role in this process by having those discussions with customers up front and encouraging a proof-of-concept phase before fully rollouts are undertaken.

 

Cloud-based services

Cloud based services provide information technology (IT) as a service over the Internet or dedicated network, with delivery on demand, and payment based on usage. Cloud based services range from full applications and development platforms, to servers, storage, and virtual desktops.

In addition to AI and data analytics capabilities, we are seeing demand from customers for Security-as-a-Service (SaaS) offerings. The combination of low, upfront capital costs and outsourced services has made Cloud-based video and access control popular, especially in the hospitality and small-to-medium enterprise markets. Examples of SaaS cloud service providers include Dropbox, G Suite, Microsoft Office 365, and Slack. In each of these applications, users can access, share, store, and secure information in “the cloud.”

As technology providers add more sophisticated applications and services to further drive customer insight and efficiencies, expect enterprise retail customers to begin moving to this model as well in 2018. For systems integrators, SaaS solutions can represent a recurring revenue stream and a great opportunity to generate new business.

 

Cybersecurity impacts

Cyber attacks can cause electrical blackouts, failure of military equipment, and breaches of national security secrets. They can result in the theft of valuable, sensitive data like medical records. They can disrupt phone and computer networks or paralyze systems, making data unavailable.

Cybersecurity is crucial because it safeguards all types of data against theft and loss. Sensitive data, protected health information (PHI), personally identifiable information (PII), intellectual property, personal information, data, and government and business information systems are all included.

The sheer scope and size of the data breaches we saw in 2017 – Equifax being one of the most notable – has heightened concerns over cyber-preparedness. Increasingly, customers are evaluating their own level of cybersecurity preparedness, as well as that of their suppliers.

There’s no doubt that our industry is taking cybersecurity seriously, however there is still work to be done, and both systems integrators and their manufacturer partners need to be prepared. Information technology (IT) departments will continue to play an expanded role in approving products for deployment on corporate networks. The use of third-party cybersecurity audits will also become more commonplace, which will significantly impact how products are developed and deployed.

In addition to ensuring that their products are secure, manufacturers and system integrators will also need to improve their own organizational security. For video solution providers, that could mean demonstrating how they protect their software code and architect their software, and how compliant their solutions are with data privacy standards in North America and globally.

The need to bolster cyber defenses will also create demand for new equipment and software upgrades as the vulnerabilities of customers’ legacy equipment are exposed.

Cybersecurity will be a challenge for some systems integrators, but a great business opportunity for others. Customers will increasingly look for integrators that can meet their cybersecurity standards and possibly pass a cyber audit. If there’s a weak link in the chain – from product design to installation or service – then everyone loses. System Integrators know major China manufacturers like Dahua, Hikvision, Uniview are not impacted, from everything we have seen. We executed the proof of concept code from the disclosure on multiple devices and were unable to gain access using the backdoor. The backdoor primarily impacts devices using HiSilicon SOC with Xiongmai software, which is dozens of small OEM manufacturers, using minimally modified OEM firmware, Open Source OS and drivers, and enabling telnet on port 9530.

So it’s important that integrators and manufacturers work closely together and ensure that they share the same high cybersecurity standards. Integrators should also demand that their manufacturer partners be diligent about educating them on products and keeping software up to date to reduce potential vulnerabilities.

 

Knowing your market

Many of today’s leading system integrators have begun investing in the additional resources needed to educate staff and align their organizations so they can successfully adopt and provide these new capabilities to their customers.

It’s important that your organization have conversations with both your end user customers and your technology providers so you can take advantage of new opportunities while also helping to clarify what’s possible today and what’s still on the horizon.

As integrators move from equipment sales to consultative solution sales, it is important to understand the unique business problems of the customers in your target market. While this concept is not new, a growing number of integrators are putting vertical market initiatives in place to concentrate their expertise.

The top five business challenges of yesterday may no longer be the top five challenges of tomorrow. Integrators need to understand what those unique challenges are for each vertical they play in, and work with manufacturers that can provide proven solutions for specific markets.