A subtle qualitative change has occurred in security: how far risk has evolved. Site security can no longer focus only on physical perimeters and access credentials. Even hacking and skimming risks don’t account for the newest factors now appearing. Mobile access has begun compounding the challenges site owners and integrators face, introducing cyber security as an unavoidable factor in access control.
Some of you have recently asked how we factor cyber security and its associated risks into our design and development of products and services. Of course, we recognized that a deeper awareness of these risks could strengthen our customers’ cyber-security policies while also helping them better inform their own prospective customers about their proposed project’s implications.
For example, it’s a given that the digital keys securing user data over air interfaces also create unavoidable responsibilities for you and your customers. However, deciding where those keys will be archived, stored, managed and used to encode new tags, cards or readers is merely one issue. On what platform, in what application and behind what encryption will they be stored? Is the key management system itself adequately protected from unauthorized users? Is the number of storage platforms for keys kept to a minimum, whether offsite or onsite?
More to the point, it is vital to know who has any access to your data. That data can be personal data, such as users’ mobile phone numbers or IDs, or critical system data such as a site’s DESFire keys. That is why we ask customers, “Do you truly know how your partners, your service providers handle your most sensitive data?”
We also emphasize that integrators must ask their own customers the same question. Admittedly, hosting sensitive data unavoidably creates risk, whether it resides locally, onsite, with the integrator, or is outsourced to a service provider. Nevertheless, the best assessments of risk, be it perimeter, data or cyber, must always begin by answering that question.