Cloud Security
On-Premise vs the Cloud
https://sm.asisonline.org/Pages/On-Premise-vs-the-Cloud.aspx
Published 2018-05-25 (Cybersecurity)

Facilities across all industries face an increasing number of security threats, from theft and vandalism, to violent crime, to terrorism. Whether a healthcare provider, school, university, or Fortune 500 business, it is critical to constantly seek new and inventive ways to improve security.

In recent years, the cloud has transformed how physical security systems are controlled and managed. Storing security data off-site in centralized data centers delivers several advantages, including automatic data backup and redundancy, robust cybersecurity protections, and automatic software updates, without significant up-front capital investment. For mission-critical security functions like access control, these advantages alone are extremely attractive on many levels.

However, while many end users are embracing cloud-based access control solutions, a large percentage still want an on-premise access control solution. What is the difference between a cloud-based and an on-premise access control solution? What are the benefits and challenges of each? And is there a benefit to implementing some combination of both?

On-Site Access Control

Traditionally, access control software platforms are implemented locally, employing on-site servers that are managed daily by internal security staff, IT personnel, or both. While this option does provide direct control over access control operations in terms of management and control, it also requires the organization to adopt the platform as its own responsibility, including regular maintenance.

In many cases, a security integrator will provide scheduled maintenance and updates via on-site visits or remote access to your server. This involves additional costs, but they are often well worth the investment. There is no doubt that this traditional on-site access control model has proven to be a highly effective physical security solution and will continue to fulfill a core security objective for users around the world. However, it involves capital investment for software and hardware, as well as third-party costs for ad hoc or contracted services, which can put high-performance on-site access control solutions out of reach for many organizations that need them.

Cloud-Based Access Control

Deploying access control via the cloud represents an increasingly important alternative to traditional on-premise access control solutions because of its overall cost and performance benefits. It is also flexible in terms of deployment options.

Option one is an on-site, user-managed, cloud-based system. The customer purchases or leases the equipment from an authorized reseller or integrator, who installs the system and provides training. This option also typically includes a service and maintenance contract with the installing reseller or integrator as part of the hardware sale or lease. The end user's security team is responsible for all programming activity on a dedicated PC (or multiple PCs), including entering, deleting, or modifying names; scheduling; generating reports; and running backups and software updates. The list of functions can also include ID badging as part of the cloud software offering.

Option two is a remote, cloud-based, user-managed integrated system in which the equipment is purchased or leased from a reseller or integrator who installs the hardware and provides training. The access control software is in the cloud and is managed, along with the supporting infrastructure, by the installing reseller or integrator. All backups, software upgrades, system monitoring, programming, scheduled door locking and unlocking, report generation, and other vital access control actions are performed remotely by the reseller or integrator around the clock. In this scenario, the user typically manages only the simple day-to-day functions of entering, deleting, or modifying names, and sometimes badging, through a Web portal that can be accessed remotely.

In option three, the user still purchases or leases the necessary hardware from a reseller or integrator, who also installs the system and provides training. The software resides in the cloud and is completely administered and managed directly by the access control solution provider or manufacturer, who maintains the system remotely.

Both user-managed options above may work well if the user has limited or no IT personnel, as is often the case with franchise locations, smaller retail stores, K-12 schools, or property management sites. With these user-managed options, each location can handle the day-to-day functions, while reports, patches and updates, backups, and other group functions are all handled in the cloud by the host. These cloud-based solutions can also be accessed at any time and from any device by the user's security team.

One of the distinct advantages of cloud-based access control is that it requires limited, if any, initial capital investment. When implemented using leased hardware and software, all system costs are amortized over the duration of the contract, which eliminates many of the budgeting obstacles faced by both large and small organizations. Additionally, the low cost of entry allows companies with limited physical security budgets and resources to deploy highly sophisticated access control solutions that would otherwise not be affordable.

A Hybrid System

Many security end users are embracing a mixture of several solutions, deploying a hybrid access control solution that combines on-premise and cloud-based components. These solutions can be either remote-managed or user-managed and allow the integration of new or legacy hardware. This scenario offers several operational and cost benefits, because a hybrid solution keeps costs low while transitioning from legacy systems to new access control solutions. A hybrid access control solution also provides opportunities for integration with related systems such as alarm monitoring, intrusion detection, elevator control, badging, video verification, time and attendance, and more.

So which access control option is best for you? There is no one answer. The versatility of these new access control choices means you select what you need, on your own terms.

Lukas Le is director of cloud services for Galaxy Control Systems.
Articles in this section:

2018-05-25  On-Premise vs the Cloud
            https://sm.asisonline.org/Pages/On-Premise-vs-the-Cloud.aspx
2018-05-01  Book Review: Mastering Bitcoin
            https://sm.asisonline.org/Pages/Book-Review---Mastering-Bitcoin.aspx
2017-09-27  The Problem with Data
            https://sm.asisonline.org/Pages/The-Problem-with-Data-.aspx
2017-09-01  An Education Connection
            https://sm.asisonline.org/Pages/An-Education-Connection.aspx
2017-08-01  Book Review: Network Video
            https://sm.asisonline.org/Pages/Book-Review---Network-Interview.aspx
2017-05-12  Trump’s Cybersecurity Executive Order Well Received by Experts
            https://sm.asisonline.org/Pages/Trump’s-Cybersecurity-Executive-Order-Well-Received-by-Experts.aspx
2016-08-16  Seminar Sneak Peek: Moving to the Cloud Repositions Security
            https://sm.asisonline.org/Pages/Seminar-Sneak-Peek---Moving-to-the-Cloud-Repositions-Security.aspx
2016-08-01  New Data Rules
            https://sm.asisonline.org/Pages/New-Data-Rules.aspx
2016-03-01  Operating Blind
            https://sm.asisonline.org/Pages/Operating-Blind.aspx
2016-02-09  Privacy Shield Is Here—What This Means For Your Company
            https://sm.asisonline.org/Pages/Privacy-Shield-Is-Here--What-That-Means-For-Your-Company.aspx
2016-02-01  Book Review: Big Data
            https://sm.asisonline.org/Pages/Book-Review---Big-Data.aspx
2016-01-14  On the Record
            https://sm.asisonline.org/Pages/On-the-Record.aspx
2015-07-08  Conducir hacia el desastre
            https://sm.asisonline.org/Pages/Conducir-hacia-el-desastre.aspx
2015-05-18  Building Cyber Awareness
            https://sm.asisonline.org/Pages/Building-Cyber-Awareness.aspx
2015-03-01  Passing the Biometrics Test
            https://sm.asisonline.org/Pages/Passing-the-Biometrics-Test.aspx
2015-01-01  Chain Reaction
            https://sm.asisonline.org/Pages/Chain-Reaction.aspx
2014-12-01  The Password Problem
            https://sm.asisonline.org/Pages/the-password-problem.aspx
2014-11-01  Cyber Crusaders
            https://sm.asisonline.org/Pages/Cyber-Crusaders.aspx
2014-10-01  Q&A: What Are Today's Biggest Malware Challenges?
            https://sm.asisonline.org/Pages/QA-What-are-Today's-Biggest-Malware-Challenges.aspx
2014-07-29  NSA's Actions Threaten U.S. Economy and Internet Security, New Report Suggests
            https://sm.asisonline.org/Pages/nsas-actions-threaten-us-economy-and-internet-security-new-report-suggests-0013601.aspx
Building Cyber Awareness
https://sm.asisonline.org/Pages/Building-Cyber-Awareness.aspx
Published 2015-05-18 (Cybersecurity)

Early in 2009, while working the night shift as a contract security guard, Jesse William McGraw infiltrated more than 14 computers at the North Central Medical Plaza in Dallas, Texas. McGraw, the self-proclaimed leader of the hacking group Electronik Tribulation Army, installed a program on the computers that would allow him to access them remotely and use them to launch DDoS (distributed denial of service) attacks on rival hacking organizations’ websites.

Among the computers McGraw hacked into were a nurses’ station computer—which had access to patient information protected by the Health Insurance Portability and Accountability Act (HIPAA)—and a heating, ventilation, and air conditioning computer that controlled the airflow to floors used by the hospital’s surgery center. Over several months in 2009, McGraw further compromised the hospital’s network by installing malicious code and removing security features, making the network even more vulnerable to cyberattacks.

To document his work, McGraw made a video and audio recording of his “botnet infiltration.” Set to the theme of Mission Impossible, the video shows McGraw accessing an office and a computer without authorization, inserting a CD containing the Ophcrack program into the computer to bypass security, and inserting a removable storage device, which he claimed contained malicious code. McGraw then posted the video to the Internet, asking other hackers to aid him in conducting a “massive DDoS” on July 4, 2009.

His online actions attracted the attention of the FBI, which, five days before his planned attack, arrested him on two charges of transmitting malicious code. McGraw pled guilty to the charges and was sentenced to 110 months in federal prison in 2011.

An attack similar to McGraw’s is even more worrisome now, as companies increasingly use building systems and access control systems that are connected to computers. Between 2011 and 2014, the number of cyber incidents reported to the U.S. Department of Homeland Security (DHS) that involved industrial control systems grew from 140 to 243 incidents—an increase of 74 percent.

Yet many private and public entities are not addressing the cyber risks associated with these systems. In fact, according to a Government Accountability Office (GAO) report, DHS is not assessing or addressing cyber risks to building and access control systems at the nearly 9,000 federal facilities protected by the Federal Protective Service (FPS) at all.

“DHS has not developed a strategy, in part, because cyber threats involving these systems are an emerging issue,” the GAO found in its recent report. “By not developing a strategy document for assessing cyber risk to facility and security systems, DHS and, in particular, [the National Protection and Programs Directorate] have not effectively articulated a vision for organizing and prioritizing efforts to address the cyber risk facing federal facilities that DHS is responsible for protecting.”

Within most federal facilities there are building control systems that monitor and control building operations such as elevators, electrical power, heating, ventilation, and air conditioning. Many of these systems are connected to each other and to the Internet, making them extremely vulnerable to cyberattacks that could compromise security measures, hamper agencies’ ability to carry out their missions, or cause physical harm to the facilities or occupants, the GAO reports. For instance, a cyberattack could allow people to gain unauthorized access to facilities, damage temperature-sensitive equipment, and provide access to information systems.

And perpetrators are not limited to outside actors; the threat can also come from insiders. “Insider threats—which can include disgruntled employees, contractors, or other persons abusing their positions of trust—also represent a significant threat to building and access control systems, given their access to and knowledge of these systems,” the report explains.

Under the Homeland Security Act of 2002, DHS is required to protect federal facilities as well as the people inside them. As part of that responsibility, DHS’s National Protection and Programs Directorate (NPPD) is in charge of strengthening the security and resilience of U.S. physical and cyber-critical infrastructure against terrorist attacks, cyber events, natural disasters, or other catastrophic incidents.

Yet as a department, DHS lacks a strategy that defines the problem and identifies the roles and responsibilities for cyber risk to building and access control systems, according to the GAO. The report also notes that DHS has failed to analyze the necessary resources or identify a methodology for assessing such risk.

Additionally, the Interagency Security Committee (ISC), the body responsible for developing physical security standards for nonmilitary federal facilities, has not incorporated cyber threats to building and access control systems into its Design-Basis Threat report. That report aims to set standards based on leading security practices for all nonmilitary federal facilities to “ensure that agencies have effective physical security programs in place.”

However, cybersecurity has not been added to the report because “recent active shooter and workplace violence incidents have caused ISC to focus its efforts on policies in those areas first,” according to the GAO report. But the office has reported that “incorporating the cyber threat to building and access control systems in ISC’s Design-Basis Threat report will inform agencies about this threat so they can begin to assess its risk.”

Furthermore, the General Services Administration (GSA) has not “fully assessed” the risk of a cyberattack on building control systems consistent with the Federal Information Security Management Act of 2002 (FISMA) or its implementation guidelines. According to the GAO’s report, GSA has assessed security controls of building control systems but has not fully assessed the elements of risk, such as threats, vulnerabilities, and consequences.

“For example, five of the 20 reports [GAO] reviewed showed that GSA assessed the building control device to determine if a user’s identity and password were required for login, but did not assess the system to determine if password complexity rules were enforced,” the GAO reports. “This could potentially lead to weak or insecure passwords being used to secure building control systems.”

Coleman Wolf, CPP, security lead for global engineering consulting firm ESD, said he was not surprised by the office’s overall findings. “The part that does surprise me is that some of the assessment that is supposed to go on is not going on, or the plans are not in place to conduct those assessments,” says Wolf, who is also the chair of the ASIS International IT Security Council. “I would expect that on the private sector side, but I just thought there were more stringent plans in place on the federal side.”

However, Wolf says he does not think there will be a big drive for changes in assessing the cyber risk of building systems until it begins to affect people at a personal level in their own homes. “As people start to see these kinds of potential consequences, I think people will start to demand more be done to assess and rectify these kinds of threats,” he predicts.

While the private sector begins to focus on building control systems, the public sector is complying with the GAO’s recommendation that the appropriate government agencies take steps to assess cyber risks.

“We [at DHS] are working to develop a strategy for addressing cyber risk to building and access control systems,” says S.Y. Lee, a DHS spokesman. “This strategy will utilize best practices and lessons learned from the private sector experiences of the DHS National Cybersecurity and Communications Integration Center’s Industrial Control Systems Cyber Emergency Response Team (CERT).”

The ISC is also working with DHS’s US-CERT and ICS-CERT to incorporate potential cyber risks to building and access control systems into the Design-Basis Threat Report and Countermeasures Appendix. As the next step in the process, the ISC will meet with GSA and other agencies to plan a comprehensive review of cyber risks to building access control systems.

It will then issue additional guidance to its federal partners on appropriate countermeasures in the next annual review of its Design-Basis Threat Report, which is scheduled for release in October 2015, according to a DHS official.

GSA also agreed with the findings of the report and said it will take “appropriate action” to make sure its assessments of cyber risks to building control systems are compliant with FISMA and its implementing guidelines, according to a letter included in the report by Dan Tangherlini, a GSA administrator.

However, GSA did not respond to requests for comment before press time on what specific actions it planned to take to address cyber risks.