Cloud services can deliver scalable capabilities quickly without the need to purchase, install, or configure any new on-site physical assets
Cloud connectivity can provide a linkage between the mobile users
and the facilities and systems they want to interact with

From enterprise applications to small businesses, schools, health care facilities and beyond, investments in physical security systems provide valuable resources to help protect people, property and assets – and ultimately the financial security and well-being of the organization. As need and demand for better security has dramatically increased over the years, today’s technology is more software and computer driven, enabling systems to be networked internally or managed externally through cloud computing platforms.

Increased Connectivity

 In today’s mobile, connected world, end users expect the ability to view and manage their systems from anywhere at any time, making hosted access control an attractive and economical proposition. Cloud connectivity can provide a linkage between the mobile users and the facilities and systems they want to interact with, whether those systems are in one place or distributed over several locations. And, cloud services can deliver scalable capabilities quickly – often on demand – without the need to purchase, install, or configure any new on-site physical assets, such as servers or work stations.

However, these benefits are not without their drawbacks and potential risks, most notably cybersecurity and the availability of the system and its data. Any system outage, whether the result of a network breach, server failure or other factor, compromises security and could leave an organization vulnerable. The resulting risks could be catastrophic, making it vital that organizations ensure that their access control, video surveillance and other security systems are always up and running. Management concerns over the cybersecurity risks of cloud-based solutions grow with each high-profile data breach that is reported, and with good reason.

Incorporating the cloud services into your operation will continue to take time and resources that will need to be included in your plans
Risks could be catastrophic, making it vital that organizations
ensure that their security systems are always up and running

Maintaining Critical Functions

As companies move forward with IT and physical security planning, here are some factors to consider and incorporate appropriately into the process.

Step 1: Consider the benefits and risks of cloud-based services objectively

Be honest about how your company functions today, how you want it to function in the future, and how cloud-based services might help get you from here to there. But don’t think that cloud services will solve problems magically – when it comes down to it, cloud services are really just renting hardware and software in somebody else’s facility. There are definitely benefits to renting versus owning, but there are also significant risks. And, incorporating the cloud services into your operation, and/or maintaining them, will continue to take time and resources that will need to be included in your plans.

Step 2: Determine which functions must continue, even in the event of cloud system failure.

This should be an extension of your current business strategy, which already evaluated your essential functions, personnel, etc. Remember that the risks are compounded if the cloud is used to store or process important business data – in the event of a failure, that data may not be accessible or under your control. Be very clear about the procedures and steps you will take if your cloud services go down so you can keep your operations up and running.

Step 3: Implement backup processes to ensure critical business continuity.

Once the intended benefits of cloud services are evaluated in the light of foreseeable risks and critical functions are clearly identified, it is time to put the changes into effect, along with backup and contingency plans that will be triggered in the event of service disruptions. For access control, it is essential to quickly be able to re-load your list of authorized users and permissions so that normal operations can resume as soon as possible after an outage or failure.

Both hardware and software technical advancements continue to provide new options for security management across every vertical market application
Data backup and contingency plans are crucial in the event of service disruptions

Security Applications Of Cloud-Based Services

Most firms are realising that physical security systems, including access control and video surveillance, are critical facility functions that need to be maintained 24/7 under any circumstances. Even so, both of these security applications are current offerings from cloud-based service providers that companies can consider to supplement or outsource their internal functions.

Choosing An Approach

As an example, let’s see how the suggestions in the steps above might affect a firm’s planning for access control. Before we start, we should note that different organizations will have varying risk tolerances which will contribute to what type of access control solution they choose, on premise or cloud. There is no single “right” or “wrong” answer for the general question of how to choose the right approach or services; the right answer depends on the specifics of the situation for each firm.

1. Considering Cloud Service Benefits

We would consider the potential benefits of a cloud service for access control, sometimes called ACaaS, for Access Control as a Service. Offerings vary, but might include the provision of a server and software to process access requests, which would interact with the local access controllers via IP connectivity. Thus, it would generally be required for the controllers to support not only IP communications, but also encryption and digital certifications. Older controllers would have to be upgraded if they could not support these functions. Managed access control is a service where the firm pays a third party to administer the access control platform, including such tasks as adding and deleting access rights, printing badges and other credentials, monitoring for doors that are propped open or forced open.

On the upside, up-front capital costs could be reduced by limiting the amount of purchased hardware, and the ongoing management and maintenance of that hardware is done by the supplier. Depending on the supplier, the ongoing service costs might be based on the number of controlled doors, the number of users or credentials, the number of transactions, or some combination thereof.

On the downside, the list of credentialed users will now reside at the supplier’s location, where it could be subject to tampering, loss and/or theft. And, if the host server must be contacted in order to process a transaction (that is, open a door), then the operation of the system now depends on active and successful communication with the supplier’s off-site server at all times. A complete tradeoff can now be evaluated that compares the cost of owning hardware and software, along with necessary maintenance, and expected usage patterns, to the proposed cost from the cloud supplier and various related contract terms.

 2. Potential Risks

It goes without saying that in the event of a cloud-based or premises based access control failure, people within your facility will still need to be able to exit without the risk of being trapped inside. The question is, how important will it be for people to be granted or denied access based upon the configuration in the database prior to the failure? And, how urgent is adding/deleting authorized users, permissions and the other functions that require access to the host access control software? How much impact would there be on the company if the list of authorized users was altered or stolen by hackers?

3. Contingency Plan

An implementation and backup plan is developed and put into action. For the purpose of this example, let’s assume that ACaaS was approved and put into place. One part of the plan might be to capture complete back-ups of the user database periodically and to store them both on-site and off-site. Another part of the solution might be to select access controllers that have the ability to be battery backed up and hold a copy of the user database and device configuration locally so they can continue to function even in the event of a communication breakdown with the cloud supplier’s server or power outage. By taking this approach, the affected facility would be able to continue operating normally in the event of a communication breakdown or power outage, and update authorized changes after network communications were restored.

Implementing The Best Cloud-Based Plan

Both hardware and software technical advancements continue to provide new options for security management across every vertical market application. When changes are being considered that affect organizational physical and IT security, it is important to evaluate the options carefully.

Choosing an equipment supplier that has designed their products for maximum uptime is critical. This criteria will enable more effective and cost-efficient contingency planning, so you can implement the best plans possible for all your operations.

Want to learn more? Read SourceSecurity.com's Cybersecurity White Paper here

Share with LinkedIn Share with Twitter Share with Facebook Share with Facebook
Download PDF version

Author profile

Karen Evans President & Chief Executive Officer, Sielox LLC

In case you missed it

How Can You Be Sure Your Organization Is Protected When It Comes To Cyberphysical Security?
How Can You Be Sure Your Organization Is Protected When It Comes To Cyberphysical Security?

At ISC West this year, emerging technologies will be on display to help organizations manage their environments, from the building itself to who’s on the premises and what’s going on at any given moment. Top of mind this year is cybersecurity, compliance and management of security assets as threats rise and governing bodies put regulations in place that businesses need to react to. The good news is that the shift in approach to holistic monitoring of cyber and physical assets can move enterprises to a place of digital transformation and proactive management rather than reactive practices based on threats and changing regulations. The show provides an opportunity for both vendors and potential customers to learn from each other about what’s out there and what’s needed in terms of future solutions as the industry evolves. Are you in cyber and physical security compliance? At this year’s show, we’ll continue to see developments focused on integration of cyber physical security that will lead to deeper understanding of the relationship between devices, device monitoring and spaces in which all devices physically reside. Digital solutions help achieve a digital transformation which stitches the data relationships together to provide better threat vector impact and overall understanding of risk. The technologies in smart buildings are subject to cyberattacks, which pose not just a threat to data and privacy but can compromise the physical space as well. Think of the locked door in a smart building that now is opened with access control via key cards or mobile devices given only to certain members of staff. These integrations increase safety and restrict access across the enterprise, but a bad actor can access and duplicate the necessary data to open the door with a copycat device while hiding the event from the surveillance system. By having a comprehensive cyber whitelist of installed devices, potential rouge devices are prevented from transmitting on the network, therefore providing an automated guard against internal and external attacks. When systems are compromised due to a hack or physical intervention, it puts what’s behind the door at risk, whether it’s money in a bank or information in a sensitive work environment, such as a laboratory. Digital solutions help achieve a digital transformation which stitches the data relationships together It’s increasingly important to highlight the relationship between cyber and physical security. A great illustration of this is the digital twin. A digital twin is a replica of a physical space that uses both informational and operational technology to give real-time information about what’s going on in a space.  These can include things like floor plans for the building as well as real-time sensor data from the building management system, HVAC systems, lighting, fire, security, and more. By getting a complete picture of the physical and digital assets of an organization, it becomes possible to monitor all systems from one central location to see how they’re working together and act on the insights they provide. So, in the example of a breach from before, it’s possible to flag that hack, isolate its exact location and devices involved, and resolve it quickly while maintaining preservation of evidence. Compliance: how to get there safely, efficiently and effectively As these threats evolve, governing bodies are taking action to ensure that data is protected to minimize these kinds of threats and ensure that organizations feel confident in the security of their data. Norms and compliance measures are emerging quickly, such as General Data Protection Regulation (GDPR) which began to be enforced in March 2018, and the California Cybersecurity Law, which went into effect in the US just this past January. The regulations of what can be done with data mean that companies need to react or face penalties such as fines, which can be as high as 4% of worldwide annual revenue of the previous year. These are also fluid and can change rapidly, meaning flexibility is important in compliance solutions. However, this presents an opportunity for companies to invest in innovation to ensure they’re prepared for those changes and to protect the safety of not just employees, customers and target markets, but of the larger organization. Getting to a place of compliance can seem costly and time consuming at the beginning Getting to a place of compliance can seem costly and time consuming at the beginning, especially for larger organizations. They may have thousands of security assets (cameras and sensors, for example) and might not even be fully aware of what they have, where they are, and whether those assets are functional, never mind compliant with data protection legislation. The right solution takes all the steps to becoming safe and compliant into account, beginning with inventory and mapping of all assets to get a complete picture of where things stand and where changes need to be made. One large financial institution, upon embarking on this journey, identified an additional 10% of assets that they didn’t know they had, and additional ones that were nonfunctioning and needed to be repaired or replaced for compliance and safety. Monitoring: centralized and remote for rapid response Once assets and data are centralized and a complete inventory is taken, it’s much easier to effectively monitor the complete enterprise. At this year’s show, smart technologies will be on display that reduce cybersecurity risks and monitor assets for compliance. If something changes, that can be flagged, and appropriate parties can be quickly notified to act and neutralize security threats or avoid the expensive penalties that come with noncompliance. Since all these components are centralized in one location, it becomes possible to monitor much more effectively and fix issues remotely in minutes rather than scheduling a trip to a location that may not happen for days or even weeks. A security camera for a large chain enterprise such as a retail store or bank in a small-town location deserves service just as quickly as one in a major city, since the threat that each non-functional device poses is the same to who and what it is there to protect. Keeping it up: a proactive approach to service and maintenance One of the ways that emerging technologies can be a game changer is when it comes to the cost and approach One of the ways that emerging technologies can be a game changer is when it comes to the cost and approach to systems maintenance and operation. In addition to performance and compliance, other types of data, such as historical events, can also be monitored centrally. This gives context to security events and can move organizations from a reactive to a proactive approach to their security as well as operations. If small problems are identified and resolved before they become larger problems, it means that security events can be mitigated more quickly or prevented entirely due to early intervention. On the operations side, early insights into asset performance means that fewer resources are expended on noncompliance fees and large-scale, emergency repairs. These resources can take the form of money, but also of time spent by employees and enforcement agencies to ensure continued compliance. Staff can spend time engaged in active monitoring rather than generating reports, since that can now be automated. In the new decade, it’s time to use the technological resources available to better protect systems for smarter, safer and more sustainable environments. On every level, compliance is important not just for its own sake, but so are the other benefits associated with intelligent management. The show presents an educational opportunity for vendors and customers alike. Walking around the show floor and talking to everyone is a unique way to see what’s out there and evaluate what is and isn’t working for a business while getting information from all the industry experts. Even if they’re not ready for a complete overhaul, taking stock of what’s available, where things are heading and how their operations and mission can be better served by implementing one or more of the solutions showcased is more important than ever. On our end, those conversations about needs and concerns are invaluable in driving innovation.

Q&A: How The ‘Secret Service Of Hollywood’ Protects Celebrities
Q&A: How The ‘Secret Service Of Hollywood’ Protects Celebrities

At a major music festival, a fan in the crowd aggressively leapt over a barricade to approach a famous artist. Personnel from Force Protection Agency immediately implemented extrication protocol to shield the artist from physical harm, quickly reversed course and calmly led the client away from the threat. Force Protection Agency (FPA) personnel intentionally did not engage the threatening fan in any way, as local venue security personnel were present and tasked with apprehending the rogue fan. FPA’s efforts were directed expressly toward the protection of the client, avoiding unnecessary escalation or complications and minimizing physical, visual, and legal exposure. Dedicated to the safety of clients Force Protection Agency is a unique, elite-level agency inspired by a vision for excellence and innovation Specializing in protecting celebrities and high-net-worth individuals, Force Protection Agency is a unique, elite-level agency inspired by a vision for excellence and innovation, and dedicated to the safety and success of clients. The agency was formed in 2017 by Russell Stuart, a California State Guard officer and security and entertainment industry veteran. The agency is the culmination of 20 years of experience in the fields of security, military, emergency management, logistics and technology, media and entertainment, and celebrity management. We interviewed Russell Stuart, Founder and CEO of Force Protection Agency (FPA), which has been called “the Secret Service of Hollywood,” for his insights into providing security for celebrities. Q: What unique need in the marketplace do you seek to serve, and how are you qualified to serve it? Stuart: The needs of celebrity and high-net-worth clients are complex and constantly changing. When dealing with a high-profile individual, discretion is paramount, extensive communication is required, and adaptation is ongoing. A critical objective is anticipating and planning for all types of potential negative scenarios and preventing them from even starting, all while not disrupting the normal course of operation of the client's day or their business. Force Protection Agency is poised to serve these needs by innovating and intelligently managing the planning, procedures, and personnel used in every facet of protecting the client’s interests and achieving their objectives. Q: What is the typical level of "professionalism" among bodyguards and security professionals that protect celebrities? Why does professionalism matter, and how do you differentiate yourself on this point? Stuart: Professionalism is an overall way of approaching everything to do with the business, from recruiting, to training, to making sure the right agent is with the right client. Nothing matters more; polish and precision are not only critical to mission success, but also support the comprehensive best interest of the client while preventing costly collateral damage and additional negative consequences. True “professional protective services" is intelligent strength and proper execution, not emotional or reactionary violence. Unfortunately, the latter is frequent among many celebrity bodyguards, and often incurs extremely expensive and even dangerous repercussions. Q: Your company has been described as "the Secret Service of Hollywood." How true is that comparison, and how does your work differ from (e.g.) protecting the President? Force Protection Agency prides itself on providing its services with discretion, precision, and poise Stuart: Totally true, and for this reason: the keys to success in protection are prioritization, and planning. Most people fail to even recognize the first, negating any level of effort given to the second. Establishing the true needs and the correct priority of objectives for each individual client and situation, and firmly committing to these without deviation, are what distinguishes both government secret services and Force Protection Agency from the vast majority of general security firms. Also, the term “secret service” implies an inconspicuous yet professional approach, and Force Protection Agency prides itself on providing its services with discretion, precision, and poise. Q: What is the biggest challenge of protecting celebrities? Stuart: The very nature of celebrity is visibility and access, which always increases risk. The challenge of protecting a high-profile individual is facilitating that accessibility in a strategic and controlled manner while mitigating risk factors. A client’s personal desires and preferences can often conflict with a lowest risk scenario, so careful consideration and thorough preparation are essential, along with continual communication. Q: How does the approach to protection change from one celebrity (client) to another? What variables impact how you do your job? Stuart: The approach is largely determined by the client’s specific needs, requests and objectives. The circumstances of a client's activities, location, and other associated entities can vastly disrupt operation activities. A client may prefer a more or less obvious security presence, which can impact the quantity and proximity of personnel. Force Protection Agency coordinates extensively with numerous federal, state, and municipal government agencies, which also have a variety of influence depending on the particular locations involved and the specific client activities being engaged in.  Q: Are all your clients celebrities or what other types of "executives" do you protect – and, if so, how are those jobs different? Stuart: Force Protection Agency provides protective services for a wide range of clients, from the world’s most notable superstars to corporate executives and government representatives. We also provide private investigation services for a vast variety of clientele. Force Protection Agency creates customized solutions that surpass each individual client’s needs and circumstances. The differences between protecting a major celebrity or top business executive can be quite different or exactly the same. Although potentially not as well known in popular culture, some top CEOs have a net worth well above many famous celebrities and their security needs must reflect their success. Q: What is the role of technology in protecting famous people (including drones)? Technology is crucial to the success of security operations Stuart: Technology is crucial to the success of security operations and brings a tremendous advantage to those equipped with the best technological resources and the skills required to maximize their capabilities. It affects equipment such as communication and surveillance devices like drones, cameras, radios, detection/tracking devices, GPS, defensive weapons, protective equipment, and more. Technology also brings immense capabilities to strategic planning and logistical operations through the power of data management and is another aspect of Force Protection Agency operation that sets us apart from the competition. Q: What additional technology tools would be helpful in your work (i.e., a “technology wish list”)? Stuart: The rapidly growing and evolving realm of social media is a massive digital battlefield littered with current and potential future threats and adversaries. Most mass shooters as of late have left a trail of disturbing posts and comments across social media platforms and chat rooms that telegraphed their disturbing mindset and future attacks. A tool that could manage an intelligent search for such threats and generate additional intel through a continuous scan of all available relevant data from social media sources would be extremely useful and could potentially save many lives. Q: Anything you wish to add? Stuart: Delivering consistent excellence in protection and security is both a vital need and a tremendous responsibility. Force Protection Agency is proud of their unwavering commitment to “Defend, Enforce, Assist” and stands ready to secure and satisfy each and every client, and to preserve the life and liberty of our nation and the world.

What are the Security Challenges of Protecting Utilities?
What are the Security Challenges of Protecting Utilities?

Utilities are an important element of critical infrastructure and, as such, must be protected to ensure that the daily lives of millions of people continue without disruption. Protecting utilities presents a unique range of challenges, whether one considers the electrical grid or telecommunications networks, the local water supply or oil and gas lines. Security technologies contribute to protecting these diverse components, but it’s not an easy job. We asked this week’s Expert Panel Roundtable: What are the security challenges of protecting utilities?