Articles by Alan Davies
Comprehensive and robust security programmes and policies are required for adequate data security

Over the last decade, we have entered a new era of physical and logical access control. We are now living in an increasingly mobile world where our phones do more than just make a simple call – employees can now open doors and enter secure areas, as well as access computers, corporate data networks and associated information assets with just a single mobile device. Furthermore, the cloud, and access to cloud-based services, is becoming almost a fundamental requirement for businesses. This, combined with advanced personal mobiles such as Near Field Communication (NFC)-enabled ones increasingly being used beyond conventional uses, is naturally driving a change in how organisations view, deliver and manage security, explains Alan Davies, VP Sales – EMEA, Identity Assurance, HID Global.

A big change pertaining to security management is that identity no longer needs to be restricted to a single plastic card or security token. We often think about identity solely in terms of the card or token that carries it; however, with more and more companies placing accessible data in the cloud and allowing employees to use NFC-enabled smartphones for physical access purposes in the workplace, ‘identity’ is now taking many different shapes. For example, a smartphone being used as a ‘digital key’ to open doors and tag in to work locations eliminates the need for employees to carry any other credentials. Of course, this raises questions about how to ensure that any assigned identities can be trusted.

Fortunately, managing virtualised credentials in the business environment is achievable. Take mobile, for example. This can be done by implementing a trusted identity framework that creates a secure boundary within communications between the devices, such as when a smartphone interacts with an NFC reader or NFC-enabled end-point device.
It acts as a secure vault, which delivers the agreed corporate security policy to the devices in use. If this is accepted, then it is deemed to be trusted and the user is allowed access. Another benefit is that NFC-enabled physical access control makes it easier to track who is entering and exiting monitored access points throughout the workplace. Employers can then be assured that all endpoints and all of the systems in between are valid before allowing entry into the building.

Data protection and management in the cloud

Security strategies should be customised to fit an organisation's unique data protection needs

To unlock the cloud's true value, organisations investing in it need to address exactly where sensitive data is stored and consider the user risk factor, including the way in which users wish to access the information. Though the rise of the cloud for enterprise data storage and application hosting has changed the way IT professionals interact with their users, their networks and their data, the fundamentals of data protection remain the same. What many organisations fail to realise is that a one-size-fits-all approach to data protection is insufficient.

Traditionally, enterprises have focused on securing the network perimeter, and relied on static passwords to authenticate users internally, within the firewall, or externally via a virtual private network (VPN). However, taking into account the diverse nature of modern threats – from Advanced Persistent Threats (APTs) to ad hoc hacking and the internal risks that come with the mass adoption of BYOD – organisations are increasingly re-evaluating and re-assessing their IT security strategy to adapt to these changing needs.
Two-factor authentication measures have typically been confined to physical devices like one-time password (OTP) tokens and display cards, but thanks to a variety of technological advancements these are being replaced by ‘soft tokens’ that can be held directly on the user device, such as a mobile phone or tablet, or alternatively as browser-based tokens. Additionally, these mobile tokens can be combined with cloud app single sign-on capabilities, not only fulfilling the same function as more classic two-factor authentication models but also providing convenient, streamlined access to multiple cloud apps – all from one device.

Merging management of logical and physical security infrastructure

Ultimately, the security landscape is constantly evolving, and mobile access control, as well as remote data access to cloud-based applications, is growing in significance, making the right security investment a more important decision than ever before. It is critical for enterprises to have an extremely secure mobile and cloud identity environment so that transactions between the employee-owned phones or corporate-issued devices and the door they intend to unlock, or network they access, are conducted in a secure manner.

Merging the management of both logical and physical security infrastructures, so that their operations are conducted via one platform, is integral to keeping pace with the paradigm shift that technological advancements such as NFC have made possible in the workplace. Furthermore, by deploying just one security device for both logical and physical access control, enterprises will not only realise cost savings, but will gain greater security control, as there will be a single point of revocation for all access rights. Building security systems that take into account the many routes to confidential data – whether it is at the physical door, on the network or in the cloud – is essential.
Only by implementing comprehensive, robust and layered security programmes and policies that cover all three areas, while allowing for new technologies and applications, will organisations be confident that their data is adequately secure.