HID Global Archives - City Security Magazine

Access Control goes mobile and smarter

Mon, 03 Apr 2023
Jaroslav Barton, HID’s Product Marketing Director for Physical Access Control, looks at how the uptake of smartphone-based solutions can add real value to building owners.

Access control has changed markedly in recent years. No longer is it just a way to prevent entry to a building by unauthorised people. As the technology has evolved, it’s playing a far greater role to enhance the operational functioning of buildings so that they’re smarter, greener and more efficient.

A key enabler is the option to transition away from using physical plastic access cards – which utilise RFID technology – to smartphone-based solutions, along with wearables like smart watches. These then leverage virtual credential technology connecting to mobile-enabled door readers to allow people to enter.

All iOS or Android devices are supported, with cloud-based software used to manage the licensing, virtual credentials, access rights, validating or revoking of IDs and dealing with visitors or contractors.

Products that are interoperable and support industry standards are available so commercial real estate (CRE) owners can create an ecosystem of solutions, whilst avoiding vendor lock-in. Deploying mobile access is easy, and security is maximised as the latest encryption, communications and authentication standards are used.

Mobile has other advantages. People look after their expensive smartphones better than plastic access cards; research shows a whopping 17% of cards are lost or mislaid every year, creating a huge security risk. If a device is lost, the digital credential can be wirelessly and quickly disabled. Mobile is obviously better for the planet as digital credentials mean PVC cards don’t have to be made, avoiding creation of waste and carbon emissions. This enhances a building owner’s sustainability initiatives and Environmental, Social and Governance (ESG) Index scores.

Many CRE owners today include workplace experience apps as part of services offered. When mobile access is integrated, it makes access control an essential component, driving up app traffic and helping CRE owners boost their net operating income. Happier tenants mean less churn, resulting in greater longer-term revenue generation.

An exciting development with mobile access control is the forthcoming availability of solutions with built-in ‘identity positioning’. This provides real-time information about how people are using the building – based on data about where they are provided by their phones. No personal and private data is collected. Rather, information is anonymised and grouped to provide an overall picture about trends like space utilisation, occupancy and so on.

It moves access control from just being a security solution to one that’s far more important. For example, by providing real-time data to an appropriate heating, ventilation or air-conditioning (HVAC) system, the temperature could be reduced automatically if a group of 20 people gather in a meeting room. Similarly, workplace app developers could take ‘staff location’ to augment the solutions they provide.

Mobile access solutions are evolving to help CRE owners differentiate their buildings, add tenant value and make their operations ever more efficient. Not only that, but they’re cost-effective and quick to install.

www.hidglobal.com
How Physical Identity and Access Management (PIAM) can reduce GDPR compliance complexity

Mon, 24 Sep 2018

Andrew Bull from HID Global explores the implications of GDPR on physical access control systems and how advanced physical identity and access management (PIAM) solutions can help.

GDPR now harmonises data privacy

Beginning 25 May, companies doing business in the European Union are required to comply with the new General Data Protection Regulation (GDPR) standards. This initiative will standardise and harmonise the fragmented data privacy across the European Economic Area to ensure that individuals’ rights are protected in today’s digital world.

GDPR’s primary purpose is to ensure that all organisations operating in Europe obtain consent from individuals to capture and store identity information and remove that information from servers if it is no longer needed. The regulation also sets higher standards for consent, which must be freely given based on clear, easily available information about what an individual is agreeing to. Organisations must also make it as easy for someone to withdraw consent as it is to provide it.

Implications for physical access control systems

For security teams, this means they must ensure that consent is recorded for all individuals whose information they are storing and managing across all physical access control systems (PACS) and that any personal information is centrally tracked and controlled on all servers for all EU citizens, no matter where in the world that server resides. All information must be auditable and individuals’ personal information must be removed from the relevant PACS servers if they no longer require access or if their authorisation and/or privileges are no longer valid. This means that an EU citizen added to a PACS must be tracked and removed once that entry is no longer relevant, or upon the citizen’s request.

The good news is that organisations will now have a single regulation rather than multiple standards in different regions to comply with, which should significantly decrease compliance costs while improving public perception of data privacy and individual rights.

The bad news is that for many organisations, compliance with GDPR will be challenging, and the complicated and inefficient manual administrative processes often employed to transform policies into practice do nothing to ease the burden. In fact, they are actually more likely to hinder these efforts, which rely heavily on gathering information from a variety of stakeholders – a far less than ideal combination.

Bridging the gap with physical identity and access management (PIAM)

However, there is help available for security departments. Advanced physical identity and access management (PIAM) solutions bridge the gap between policy and process by employing policy-based automation, deep systems integration and strong auditing capabilities to help organisations comply with the main requirements of GDPR more effectively and efficiently, enabling them to do business without fear of incurring fines or other penalties.

Automation to streamline processes

As previously mentioned, the process of implementing GDPR requirements across PACS often relies on the human element in the form of incredibly time-consuming and error-prone manual processes. PIAM solutions remove these impediments by applying policy- and rules-based automation to streamline all processes, from identity enrollment through to the auditing necessary to demonstrate compliance.

PIAM tracks all of the places information has been propagated, making audit and deletion a straightforward process.

Pseudonymisation to protect personal data

One of the benefits of PIAM embraced by GDPR (recital 28) is the ability to use pseudonyms to easily obscure individuals’ personal data, which can go a long way toward easing compliance. With PIAM solutions, organisations can replace first and last names with a unique ID within identity records. The PIAM solution then sends this anonymous information to the PACS rather than individual names and other details. This tactic is not only mentioned in the GDPR regulations but is encouraged – and it is something that would be difficult, if not impossible, to do using the PACS alone.

Why is this important? Because organisations are required to report any breach of personal data to individuals within 72 hours of the incident or face fines. However, this requirement only applies to personal information and is waived if the breached data has been anonymised. Therefore, employing pseudonymisation can substantially limit not only risk, but also liability.

Given its power to aid in meeting the requirements of GDPR, the importance of automation cannot be overstated, as it serves as the foundation upon which the vast majority of PIAM’s other capabilities are built.

Self-Service enrollment in a physical access control system

In addition to improving security, properly enrolling employees, contractors, visitors and others in a PACS also plays a key role in GDPR compliance. However, there are often delays throughout the process between the initial request and final approval of access privileges – delays that cost productivity and money, while also compromising security. PIAM solutions allow an organisation to create a self-service enrollment process that streamlines the onboarding process.

The self-service function can also be used to meet the consent and purpose mandates of GDPR. During the enrollment process, employees, contractors, visitors and other third parties can be given access to their own profiles, where they can view what personal information is being collected, for what reason, and how that information will be used; each individual’s consent can then be recorded. Capturing this important data at the time of registration or request for access privileges eliminates multiple potentially costly and time-consuming tasks from the GDPR compliance process.

Additionally, a self-service portal can be used to let individuals review data collection and usage policies and revoke consent to have their information stored and used for access control and other purposes, at which time the system will automatically erase any and all data related to that individual – addressing another important GDPR requirement.

Systems Integration with other security systems

One of the biggest strengths of PIAM solutions is the ability to tie multiple disparate systems together easily to allow information to be aggregated. This encompasses access control, visitor management and other security systems as well as non-security systems like human resources, time and attendance and others. The PIAM solution can serve as the hub for all of these systems, giving organisations a single source for management.

From a security standpoint, the ability to aggregate, sort and analyse data from these disparate systems can prove beneficial in identifying potential behavioural and other patterns that may indicate a potential threat.

There are also numerous operational benefits, including efficiency and cost savings. If manually entering data into a single system is time-consuming and error-prone, imagine the potential headaches of having to do it for multiple systems. By eliminating this need, PIAM enables greater efficiency and decreases or eliminates the potential for human error. Because the same challenges also apply to tracking and removing data, this capability makes it easier for an organisation to ensure GDPR compliance.

Today, an individual’s data is typically stored across multiple systems within the security and/or operational ecosystem. This can become problematic when it is necessary to delete an individual’s information, since simply removing it from a single system does not meet the standard established under GDPR. With PIAM, an organisation can simply remove the data in question from a single solution and know that it will automatically be removed from all integrated systems simultaneously, satisfying requirements for compliance.

Auditing is easier

As with any regulation, demonstrating compliance with GDPR is vital and must be done regularly to avoid penalties. This can be a daunting task that requires demanding and thorough auditing and reporting. Unfortunately, these critical tasks are often performed using costly, time-consuming and error-prone manual processes. However, non-compliance is not an option, as the potential cost and penalties are even more daunting.

PIAM reduces this strain on an organisation’s resources by employing automation that enables efficient auditing of systems and locations, along with the robust reporting capabilities needed to demonstrate compliance. For example, when user consent is recorded or when individual data is automatically deleted from PACS and all other integrated systems when requested in accordance with GDPR, that action is stored within the system. Rather than rely on people to collect and report this information, PIAM allows organisations to generate compliance reports with the click of a button – significantly reducing regulatory reporting costs. This function can also be programmed to be performed at regular intervals to ensure timely reporting and compliance.

In our connected world, privacy has taken on increased significance for everyone, and as a result, governments are enacting regulations and policies to protect individuals’ most valuable commodity – their identity. As GDPR takes effect, organisations wishing to do business in Europe must be actively working to put the policies and practices in place to ensure compliance with this new regulation. This will no doubt be challenging, but advanced PIAM solutions replace the manual processes often used to perform the tasks required under GDPR with automation, strong integration and thorough auditing capabilities.

Organisations can deploy PIAM to effectively and efficiently ensure compliance with the main requirements of GDPR and avoid staggering and potentially catastrophic penalties.

Andrew Bull

Regional Sales Director – UK, HID Global, IAM Solutions

www.hidglobal.com

HID GLOBAL

Mon, 23 Jul 2018

HID Global is the trusted leader in products, services and solutions related to the creation, management, and use of secure identities for millions of customers worldwide. 

How secure is mobile access?

Fri, 20 Jul 2018

Today’s employees are increasingly carrying smartphones or wearables with them at all times. In fact, Gartner recently predicted that worldwide mobile phone shipments could exceed 2.5 billion units by 2016, and UK communications regulator Ofcom has observed that 66 per cent of adults in the UK now own a smartphone.

The physical access control industry has witnessed some major technological developments in recent years, with a shift from being product-centric to developing comprehensive solutions for end users. In the light of increased interest in cloud-based solutions and mobile-enabled platforms, more and more security managers are considering the possibilities that a mobile access system can provide for their physical security. Rarely misplaced and consistently in hand, the mobile device has become the most valued technology we own.

However, as a recent trend report by IFSEC Global revealed, almost 80% of security managers surveyed feared that integrating mobile access solutions into their physical access control architecture might actually increase system vulnerability.

So what are the major concerns for security managers? There are multiple aspects for them to consider. Is the digital credential as safe as a physical badge? Can it be copied easily, or could an employee manipulate the data on their private phone within a BYOD strategy? How secure is the wireless transmission of the keys? Can the communication path between a phone and reader be captured and used for fraudulent purposes? Security managers rightfully ask these questions, as they would like to know how protected their buildings and on-site premises will be if they opt for mobile access. The overarching question is whether we are sacrificing security for convenience.

This article addresses these questions, demonstrating that mobile access systems are more often than not more secure than legacy building access cards, so concerns over whether mobile access is secure are unfounded.

Mobile credentials are based on the latest technology advancements

It is paramount that encryption methods have met stringent security criteria. A secure mobile access system will typically have security protocols that are certified by credible independent institutions. Examples include Suite B Cryptography algorithms, the Advanced Encryption Standard (AES), namely AES-128, and the Secure Hash Algorithm (SHA) by the National Institute of Standards and Technology (NIST). A mobile access system that is standards-based and complies with these rigid security protocols, incorporating secure messaging and strong authentication, will give security managers peace of mind that their employees’ data will remain confidential.

Mobile IDs cannot be manipulated

Mobile identities must be signed and encrypted to prevent manipulation. All mobile identities and user information should therefore be protected in a secure vault provided by hardware security modules, where all encryption keys are stored and used in cryptographic operations. Mobile IDs themselves are stored in the app operating sandbox, an area within the device that has been designed for the storage of sensitive information. The information that is stored is encrypted, so it cannot be cloned or stolen via unauthorised access to the phone. Mobile IDs are not transferable, but specific to the device they have been issued to. All cryptographic keys are device diversified, so no master keys are stored on the device. Each Mobile ID is unique per device.

Transmission between a mobile device and the access control reader

When access is granted to an employee to enter a building or an on-site premises, the transaction between the mobile app on the mobile device and the access control reader is independent of the communication protocol in use. Transmission over-the-air via NFC or Bluetooth Smart to issue the key is protected by the latest technology and cannot be stolen when authorising access over-the-air. The device and reader both use high-security cryptographic communication techniques to prove to each other that they are trustworthy. Furthermore, no Bluetooth pairing is required between reader and device, as only eligible devices can interact. Each slot in the vault is protected by an authentication key and none of the slots rely on NFC or Bluetooth Smart security. In fact, the mobile access app can be configured so that the Mobile ID is only active when the screen is unlocked to prevent relay attacks.

Mobile access control systems also create a culture of security even if your employees do not realise it. With card or token access to buildings and on-site premises, staff are effectively burdened with the responsibility of constantly carrying an additional item, one they would not carry normally. As such, if their card is lost or stolen they are less likely to notice it and hence slower to report it. This leaves your physical infrastructure vulnerable, with a valid card potentially falling into the wrong hands. Conversely, an employee instantly feels more attached to their mobile devices, so if a phone is lost or stolen, it is reported right away and the mobile ID can be immediately revoked, thus preventing unauthorised access.

Mobile architectural access technologies have significant scope for development and expansion. One advantage of mobile devices is the ability to dynamically update the security software, whereas updating data on cards takes more time and involves additional costs. As a consequence, the mobile environment allows quick response to security issues.

Furthermore, mobile handset providers are increasingly offering advanced security technology such as biometrics – fingerprint recognition, facial recognition and even voice recognition, resulting in more robust security of mobile devices. Hence a stolen phone is useless for gaining unauthorised access as the application is secured via protective software on the phone, making the phone even more secure than physical credentials.

As demonstrated, while security managers are right to question the security of mobile access systems, this technology has proven itself very capable of standing up to security threats to buildings. Being able to offer multiple security layers, dynamically responding to security issues, inspiring employees to better protect physical architecture and being on the cusp of new security developments, mobile access is a secure choice for any business’s building access control system.

Jaroslav Barton

Segment Director Physical Access Control, EMEA, HID Global www.hidglobal.com
