22 Jan 2024

Editor Introduction

Protecting access control data is a core concept when it comes to safeguarding information assets, maintaining trust, and ensuring smooth operations. Guarding access to data also ensures compliance with regulations, prevents accidental misuse, and streamlines workflows. We asked this week’s Expert Panel Roundtable: What safeguards are in place to avoid unauthorised retrieval of access control data? 


Rob Druktenis Axis Communications

All modern access control solutions should be designed with cybersecurity top of mind, providing encrypted communication so users can be sure their data is thoroughly protected from unauthorised parties at all times. A simple way to ensure a safeguarded system is by implementing an end-to-end access control solution that includes all the required components, from the software managed by the operator to the credentials carried by the end user. For example, software that uses TLS encryption to communicate with the door controller, door controllers that possess a Secure Element to provide secure storage and use of encryption keys for reader communication such as SCP, and finally readers with a Secure Element to store keys for reading MIFARE DESFire EV3 encrypted credentials. Additionally, those with either end-to-end or standalone systems must keep up with any device updates to avoid issues linked to outdated tech.  

Access control systems must protect against the unauthorised retrieval of private information both within the system and at the credential level. Within the solution, data encryption at the database level and implementation of roles can limit access to information to only those with proper authorisation. Likewise, granular privileges, strong authentication (password), partitioning of the system, and certificate-based authentication between the client and server are good cybersecurity hygiene tactics. At the credential level, depending on the sensitivity of the site, certain credentials are more suitable than others but require some backend management for the security keys. Customers may choose to have the manufacturer handle that task by asking for custom keys or managing those themselves. 

Rebecca Herold Privacy & Security Brainiacs

As we look to 2024, establishing safeguards to avoid unauthorised retrieval of access control data will continue to grow in importance. According to "The Impact of Technology in 2024 and Beyond: an IEEE Global Study," data vulnerability will remain a top cybersecurity concern as we move into the new year. To protect against unauthorised data access there are a few safeguards to put in place. For one, security teams should establish the organisational responsibility for information and technical security management within a specific role. Secondly, organisations should limit access to access control data to only the minimum necessary individuals and accounts that need such access to perform their job responsibilities. Lastly, access and changes to access control data should be logged accordingly. Teams should not allow the access control management personnel to have access to view logs, but should establish monitoring by a separate, independent team (such as internal auditors and security officers) that can determine when access is unauthorised, unnecessary, or otherwise raises a red flag.
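The least-privilege and separation-of-duties controls the response above describes (minimum necessary access, every access logged, log review held by an independent team rather than the access control administrators) can be checked mechanically. The following is an added illustration written for this article, not code from the panelist or any product; the permission names, roles and user assignments are constructed.

```python
from collections import defaultdict

# Permissions on access control data (constructed names for this example).
MANAGE_ACL = "acl:manage"   # create or change credentials and door rights
READ_ACL = "acl:read"
READ_AUDIT = "audit:read"   # review the log of changes to ACL data

# Assumed role definitions: access control administrators deliberately hold
# no audit:read; only the independent audit role does.
ROLES = {
    "acl_admin": {MANAGE_ACL, READ_ACL},
    "acl_viewer": {READ_ACL},
    "auditor": {READ_AUDIT},
}
# Separation of duties: no single account may hold both sides of a pair.
TOXIC_PAIRS = [(MANAGE_ACL, READ_AUDIT)]


def effective_permissions(assignments, user):
    """Union of the permissions of every role assigned to the user."""
    perms = set()
    for role in assignments.get(user, ()):
        perms |= ROLES[role]
    return perms


def toxic_combinations(assignments):
    """Map each offending user to the toxic permission pairs they hold."""
    findings = defaultdict(list)
    for user in assignments:
        perms = effective_permissions(assignments, user)
        for a, b in TOXIC_PAIRS:
            if a in perms and b in perms:
                findings[user].append((a, b))
    return dict(findings)


def record(log, assignments, actor, action):
    """Authorise one action and append the outcome to the append-only log."""
    allowed = action in effective_permissions(assignments, actor)
    log.append((actor, action, "allowed" if allowed else "denied"))
    return allowed


def read_log(log, assignments, reader):
    """Only audit:read holders may view the log; a refused read is logged."""
    if READ_AUDIT not in effective_permissions(assignments, reader):
        log.append((reader, READ_AUDIT, "denied"))
        raise PermissionError(f"{reader} may not read the audit log")
    return list(log)
```

Running `toxic_combinations` over the role assignments at each change, or on a schedule, flags any account that has quietly accumulated both the ability to change access control data and the ability to review the record of those changes.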

Mike Kiser SailPoint

Safeguards that are top-of-mind for me include process security and company culture. After a breach, there is frequent finger-pointing at holes in the code built by engineers and faults assigned to the architecture of the cybersecurity technology. However, this is not always the case; flaws in process security, the workflows to stop and prevent a cyberattack, and a company culture that places excessive responsibilities on employees often lead to the cyber insecurity of access control data. Good security policy starts from the top down, with policy reflecting the values of the organisation. As an example of this policy, lateral movement can be restricted with policies that prevent any one individual from having unnecessary access. Cybersecurity should be front-of-mind for everyone, rather than consolidated under a few individuals. As with most security, safeguards must be driven from an overall organisational philosophy in concert with practical, technical safeguards.

It is important to consider the data-security practices of vendors and their software products. This includes reviewing their cybersecurity practices and receiving a record of their latest third-party audits such as a penetration test into their software offerings. It also includes reviewing the security of the data centres they use to host customer data. 


Editor Summary

Cybersecurity and encrypted communications are important elements in protecting against unauthorised retrieval of access control data. The system should ensure that only authorised personnel can access data, using granular privileges and strong authentication. Policies should reflect the values of the organisation and be driven from top management down.