Albert Dercksen

Utilising the principals of IT security can help developers create a secure physical system that meets an organisations needs Secure Systems start with secure design and smart planning. In this article, Albert Derckson, Research and Development Director at Nedap, discusses the necessary design elements for building a more secure system based on security principles.  These principles of physical security, many of which can be drawn from proven principles of IT security, support security decision makers to contemplate on how to create a secure environment right from the moment a need for security is identified. Security is often seen as an asset that companies simply ‘just need’. A cost rather than an investment, and for that matter, regularly undervalued and underestimated. Consequently, many companies start to consider the exact security measures that should be implemented within their company too late. The same applies to other facilities within organisations, such as IT. This is why in many fields, principles are developed to guide business decisions. Derived from best practices, principles offer guidelines for decision-makers and installers of a company’s assets. These principles compel stakeholders to formulate objectives and define the project in an early stage. For that matter, principles serve as a foothold during the entire purchase process and implementation of acquirements. With the worlds of IT and security merging and issues like globalisation , new ways of working and technological developments, the ‘security’ of security systems is getting more demanding. Consequently, security principles are getting more important. That’s why proven security principles are derived from IT security. Security principles can be defined as the collection of desirable system properties, behaviors, designs and implementation practices that attempt to reduce the likelihood of threat realization and impact should that threat be realized. Security principles help derive requirements, make architecture and implementation decisions and identify possible weaknesses in systems. They support security decision makers to contemplate on how to create a secure environment right from the moment a need for security is identified. They force procurers to be critical and constantly question the decisions made during the purchase and implementation of security measures. Derived from best practices, principles offer guidelines for decision-makers and installers of a company’s assets Proven IT security principles apt for physical security The following principles from IT security may apply to the selection and implementation of physical security measures,depending on the type of security system under consideration: Apply defense in depth.That is, multiple layered security measures are needed, no-one should rely on a single point of protection, public access to the system should be isolated from its mission-critical resources and physical and logical measures should be combined. Use a positive security model. Instead of using a black list, a white list should be utilised to secure controlled access, in combination with fail-safe defaults and minimized attack surfaces, e.g. the use of pre-defined options rather than free fields to fill for data-entry. Ensure the implementation of a failsafe policy and all components run with least privilege. A system’s components shouldn’t have more functionalities than needed to perform its tasks. For example, any component should be enabled to access tables in its databases needed to function and not all tables or databases in order to preclude unauthorised access.  Avoid security by obscurity. In a well-designed cryptosystem, only the key needs to be secret and the algorithms used must not contain any hidden secrets. For that matter, verifiable and economically healthy mechanisms should be used. And the efforts and investments should offset the obtained levels of security. Detect intrusions. Make sure to log all relevant information to act upon events once they happen. Also, implement procedures for consequent monitoring and responses to events. Don’t trust infrastructure or services. Whereas any external asset or service needs to fit the organisation’s policy it should be verified. Besides, all external systems should be treated with caution using similar standards. Establish secure defaults. Security should never be compromised by usability. By default security measures should be as high as possible. The system should enforce this, whilst specific users are allowed to make exceptions when needed. This should be regulated by the system. Keep it simple. Whilst security can never be compromised by usability, complexity will compromise security. Consequently, security and level of complexity should be in balance, that is, the user-friendliness as well as the system’s architecture and possible integrations. Working with a complex system results in too many dependencies jeopardizing security. The mission of the security system should survive an attack not its different components. That is, the system as a whole should be secure, not each individual component. To ensure that the system meets the specific security challenges of the organisation Applying security principles In order to be useful to select and implement security solutions, security principles should be evaluated, interpreted and applied to address a specific problem. By evaluating and interpreting each principle, many of the threats to a security system are discovered and ultimately a set of protection requirements may be derived. The goal is to end up with a complete list of what is required to offer the service securely. It should be noted that this complete requirement list is specific to the problem which needs to be solved, also referred to as the ‘security target’. Principles for development From a manufacturer’s perspective we found that the use of security principles shouldn’t be confined to the product selection and implementation as they service during the entire product development lifecycle. It’s our task to ensure our customers implement security measures that meet their wishes and requirements as well as local laws and budget constraints. From this perspective, we’ve adopted security principles to enable our customers to meet their ultimate objective: creating a secure environment and tracking and tracing all people that enter their company. The big challenge for the security management product vendors is that they should offer solutions to many- sometimes contradictory- requirements posed by their customers. The call for commercial off the shelf security management products forces the vendors to implement feature-rich, flexible, usable, and adaptable products which can help secure a wide range of security targets and must abide the security principles in the way the customer has evaluated, interpreted, and applied them. The only way to achieve this is to offer products which are highly configurable and adaptive. That’s why manufacturers should inherently abide well defined security principles. Currently, they offer security by design whilst systems should be designed for security.

Nedap is the first to offer digital protection for its access control AEOS Nedap knows that risks change, new security requirements are introduced, but business continuity must never be put at risk. That's why its security platform AEOS is designed to minimise risks and ensure a state-of-the art system that secures a long-term investment. They will show this by demonstrating the possibilities and full integration capabilities at Security Essen (booth D12 in Hall 3) from 27 to 30 September 2016.Truly open platformIt is in Nedap's DNA to offer open solutions. That’s why they allow customers to integrate hardware and software systems of their own choice in AEOS and preserve previous investments. At Nedap's booth, they will showcase live integrations with AEOS software and KABA hardware.Nedap is also the co-founder of Open Security Standard (OSS) Association, together with for example ASSA ABLOY, Uhlman&Zacher, DormaKaba and Deister. Jeroen Harmsen, Technology Partner Manager at Nedap Security Management said: “The standardisation allows customers to use the electronic offline locking solution of their own choice in AEOS. This is user friendly for those who have to manage the authorisations and convenient for the card user.” "Integrated solutions based ontrue open platform technologyare a very important focus areafor us, and the value they bringto our mutual customers" Last June, Nedap entered a strategic partnership with Milestone. By means of this partnership, they commit to a deep integration between the Milestone XProtect VMS and AEOS Access Control from Nedap, as well as a close cooperation in their mutual goal markets. “Integrated solutions based on true open platform technology are a very important focus area for us, and the value they bring to our mutual customers. This value is more than the sum of the parts, the integration in itself provides added value. The days of proprietary solutions are gone, today interoperability and community focus is the key to success ” says Thomas Lausten, Vice President of EMEA at Milestone Systems. “Initiatives like this is a clear benefit to our ever growing partner community, as the community gains new possibilities for delivering quality solutions based on true open platform technology.”AEOS end-to-end security Nedap responds to the widespread risk of digital attacks on access control systems and is the first to offer digital protection for its access control AEOS. Albert Dercksen, Head of R&D at Nedap, explains why AEOS end-to-end security is needed: “IT and physical security have been following different rules to protect systems. But modern access control systems are, in fact, IT systems connected to corporate networks and should be treated as such.” Taking a forward-thinking new approach, Nedap and its Technology Partner AET Europe combined the best practices of both IT and physical security – resulting in AEOS end-to-end security. "Modern access controlsystems are, in fact, ITsystems connected tocorporate networks andshould be treated as such" Added value of Channel PartnersCustomers who choose for AEOS choose for complete freedom of choice in third party products and solutions. They benefit not only from our developments, but also from Nedap's Channel Partners. Thanks to the open nature of AEOS, our Channel Partners can offer their own solutions based on AEOS. Alliance Partner nTp, for example, uses AEOS as the basis of their security solutions, while offering industry specific functionality such as workflow and dangerous goods control. Nedap is a manufacturer of intelligent technological solutions for the themes facing society today. Enough food for a growing population, clean drinking water across the globe, and smart networks for sustainable energy are just a few examples of issues Nedap is working to address, always with a focus on technology that matters.The world of security is constantly changing. Organisations must deal with changing technologies, increasing regulations and tighter budgets. With AEOS, the first software-based platform for security management, Nedap provides the answer to these challenges, so organisations can use their budgets efficiently and effectively and the security system can grow with these changes. Save

Nedap and AET Europe announce a strategic partnership to offer end-to-end security based on Nedap’s access control platform AEOS. By embedding AET’s electronic identity products in AEOS door controllers, a converged solution with best of breed technology has become available to the market. The partnership enables companies to meet the highest applicable security standards and raise their protection levels against both physical and digital threats. Collaboration between physical security & ICT security AET and Nedap developed a strong relationship after collaborating on several defence projects in Europe. Both have great expertise in high security projects but from different perspectives – Nedap from a physical security background and AET from an ICT security stance. Their collaborations highlighted that, by combining these two perspectives, an even greater level of security can be achieved. “It’s worrying that ICT and physical security are different worlds following different rules to protect systems,” says Albert Dercksen, Head of R&D at Nedap. “Modern access control systems are, in fact, ICT systems connected to corporate networks. So the methods for strong authentication and secure communication already used as best practice in ICT systems should be applied to physical security.” To address this, Nedap and AET’s new end-to-end solution combines digital certificate management and card key management in one system. As a consequence, the joint solution meets today’s high security requirements for vital infrastructure projects and is the most advanced system for physical access control currently available in the market. “Understandably, European national governments are demanding. They constantly need to be several steps ahead in terms of security to defend their countries’ vital infrastructures,” explains Reinoud Weijman, Managing Director at AET. “The experience we and Nedap gained while working on defence projects is so valuable. It is now enabling us to help other organisations and companies to meet the highest security requirements for both physical and digital assets.” CSPN and ANSSI certification Nedap and AET’s joint solution meets a wide variety of security requirements across Europe, and is already being used to protect vital infrastructure in several countries. The fact that card keys are stored securely, for example, meets the Rijkspas requirements for physical access to Dutch government buildings. In France, this new end-to-end security solution has gained CSPN certification from the French information security agency, ANSSI. Such certification will give companies the assurance that it’s a proven solution that’s undergone robust testing, and will contribute to a much more secure corporate workplace.

Nedap introduces the new AEOS Blue hardware line. This new generation of controllers builds on the successful AEOS Security Management Platform, the first software-based platform for security management. While other security manufacturers pursue growth through acquisitions, Nedap maintains its focus on ongoing investment in this platform. Now on the sixth generation of controller, with AEOS Blue Nedap once again unlocks a new realm of software-driven functionality. The AEOS Blue has the simplicity and elegance you expect, and will also deliver cost savings for both the installer and the customer. With AEOS Blue, Nedap launches an energy-efficient, powerful hardware line consisting of door controller, door interface and power, for a self-contained solution that can handle the simplest to the most complex security needs. Aside from the hardware, another new feature of the AEOS Blue is the completely redesigned and simplified software licensing model, which makes the price of AEOS Blue more competitive than ever for its range of functionalities, such as the control of air locks and revolving gates. The new AEOS Blue software licensing model makes the calculation and design of security systems perfect and correct every time. Most powerful controller in security market Once installed, additional security features can be added to the AEOS Blue at any time. For example, the comprehensive selection of AEOS software components allow secure doors to be customised easily for holding areas and camera surveillance. And no additional investments in new access control hardware are required: Nedap has also made the most powerful controller in the security industry compatible with PoE+. Even power is provided through the existing network infrastructure, saving on installation costs and eliminating the need for installation of separate power feeds. “Nedap believes that the best security systems are designed as IT systems. That’s why 15 years ago, we decided to separate software and hardware on the controller. That means we can not only define the functionality of the hardware through the software, but can also easily adapt that functionality to changing requirements and needs. Just like you would expect from your computer,” says Albert Dercksen, Manager Research & Development of Nedap. “Of course, the hardware determines how much you can get out of your software. Our new cost-effective hardware line, AEOS Blue, puts all the functionality of the AEOS software in your hands.”