Morse Watchmans explains why key control is the ideal solution for organizations to protect both cyber and physical spaces.

The term ‘portal’ generally conjures up two distinct visualizations depending on which side of the security spectrum you fall. For physical security professionals, portal is just another term for a door or entryway. Conversely, cybersecurity professionals think of portals more conceptually – as gateways that provide links and directions to multiple sources of information from a single source.

Both types of portals need to be protected and are also co-dependent in their ability to deliver cyber-physical security. To do so effectively requires an unlikely solution that marries the most basic aspects of physical security with today’s modern digitally driven security protocols. To gain a better understanding on how we’ve evolved new imperatives for cyber-physical security, let’s look at where this trend originated.

A brief history of physical access

Since the dawn of time, our unique species has always possessed the need to keep the things we value most safe. This includes ourselves, loved ones, belongings, property and even the food, water and supplies we need to survive. Initially, this involved rudimentary doors to block the entrances to dwellings and ropes to secure valuables. It wasn’t until almost 4,000 BC in ancient Egypt when the first mechanical locks and keys were made, changing physical access forever.

Not much changed in the world of physical access control for almost 6,000 years. Electronic physical access control systems (PACS) and their accompanying access credentials began popping up around the 1970s and although this introduced a new level of access technology, the ability to gain entry to a facility was still based around the use of a physical credential – including having an access card or proximity device.

New mobile credentials and more highly advanced biometrics have propelled even higher forms of personal identification and authentication for access applications. However, the use of traditional keys and locks still exists and is critical in the event that all else fails. The slow growth of physical access stands in vast contrast to the accelerated growth of logical access.

A brief history of logical access

The protection of logical (digital) assets grew quickly after data and the applications that manage it moved from mainframes to decentralized servers, personal computers, local and wide area networks (LANs and WANs) and now into the cloud. Just as PACS protect physical portals, logical access control systems (LACS) control an individual’s ability to access computer system resources. Examples include user identification systems, password management, network firewalls, digital certificates, etc.

LACS are constantly changing as hackers are frequently enhancing their methods of infiltrating a wide variety of penetration surfaces. One such example is utilizing the principle of localized access, wherein once a user is logged in, they only have access to those resources required to perform their duties. Others include implementing manual account lockout resolution processes, where a system administrator needs to manually unlock a user’s account if a bad password is entered. These examples scratch the surface of how logical access can and should be applied to the physical realm and vice versa.

Cyber-physical security

It’s becoming increasingly clear that physical access and logical access are largely the same, being the first line of defense in protecting portals. However, cyber-physical security can also be taken one step further both literally and practically through better physical access management.

Imagine an on-premises data center located at an enterprise headquarters or large facility like a medical campus or hospital. Much of the attention given to protecting data most likely focuses on cybersecurity without the same consideration being given to physical security. However, gaining physical access to a data center would essentially negate any and all of the logical access control solutions in place meant to protect digital portals.

This type of inappropriate access could have the same or worse destructive consequences experienced from a cyber-attack, including the theft of data, IP theft, extortion, disrupted business operations, costly compliance infractions, etc. Simply stealing a server, laptop or copying data onto a portable drive produces the same damaging results.

Therein lies a significant gap in cyber-physical security diligence and although new physical access technologies can help mitigate physical access to digital assets, many of these products are costly solutions that are difficult to implement. For example, a data center or server room may deploy security cameras and biometric access control readers to help control and deter physical access, but what happens if power to these devices is disrupted, the devices are hacked or they simply malfunction.

A manual access/egress solution still needs to be in place to back-up even the most advanced electronic access solutions. Good old-fashioned keys and locks remain the steadfast manual solution.

The need for key control and management

It is safe to assume that virtually every facility in operation today still employs keys to secure their physical portals including storage rooms, equipment lockers, file cabinets and more. It is also almost a certainty that whether or not new physical security technologies are deployed, many – if not all – of these keys will still be in use. The need to employ a digital solution that controls physical access to physical locking mechanisms is an absolute must to ensure the protection of both physical and logical assets.

Key control offers a proven solution that allows organizations to protect every type of physical and digital access portal. At their most basic level, key control systems securely protect keys in a key cabinet that can only be released to authorized users based on their permission level, job function, time, date and more. Keys can then be tracked throughout a facility 24/7/365 with alerts issued if a key is overdue or out of place. Once the key has been used accordingly, detailed reports are then created allowing for greater oversight and accountability.

Key control applications

The implementation of a key control solution provides another layer of security for myriad cyber-physical security processes and solutions. For example, key control modules can house proximity cards used in access control systems. So, if an individual is looking to gain physical access to a data center, they would need to have the proper permissions (identity, time, role, date, etc.) to physically access a key. This added layer of security allows organizations to better protect all of their assets, people and property.

Key control systems can also be configured to provide unique functionality for data centers. Dual or triple authentication can be implemented on specific keys to more sensitive server cages, requiring that multiple users sign a key out – and back in again – to prevent a single user from simply handing off their key to an unauthorized person.

Automated reports are generated by the system and can be configured for delivery to specific users to keep both data center employees and clients aware of who has accessed a server cage. In addition, the notes feature on a key management system can provide an easy way to access and audit detail about why a key was accessed and what work was done with that access.

Additionally, key control solutions put the logical access principle of localized access into action, which is another example of the convergence between physical and logical access. With key control, users are only granted physical access to the areas required to perform their job for the period of time they will be there and nothing more. In this way, a key intended for use by one department cannot be accessed by an individual from an unrelated department. This type of localized access is similarly ideal for vendors and contractors who need to be on site for just a short period of time.

As PACS continue to become more ubiquitous, the changing economic climate has stopped some organizations from investing in costly, install-intensive access control systems. Furthermore, many organizations, such as historic properties and SMBs, continue to rely heavily on the use of traditional locks and keys.

Key control solutions are ideal for organizations that are looking to increase their physical security without undergoing costly new installations. The latest key control systems also quickly and easily integrate with any new and existing PACS for the ultimate in system interoperability.

Achieving true convergence

Noted cryptographer Stewart Brand once said: “Once a new technology rolls over you, if you’re not part of the steamroller, you’re part of the road.”

In other words, if you are not controlling the technology, then the technology is controlling you. This is important when applying physical access controls to logical assets and conversely, logical controls to protect physical portals. Key control systems are one of the rare security solutions designed to truly deliver cyber-physical security.

Conventional keys are one of the few longstanding physical security solutions that cannot be hacked and with the proper key control system in place, can be controlled with a high degree of accuracy and accountability. So, while key control is not necessarily a new concept, it’s a solution that meets an immediate need for most organizations today. This includes rapid time-to-value, ease of installation and cost-efficiency that has been proven to help organizations protect all of their portals and most valuable assets.

This article was originally published in the March edition of Security Journal Americas. To read your FREE digital edition, click here.