Cyber Security for Access Control as a Service: 5 Criteria for Choosing the Best ACaaS Vendor

Cybersecurity is one of our customers’ most common concerns when choosing a cloud access control system, and with good reason. There were more than 1,800 data breaches in 2018 in the United States alone, affecting close to 450 million records. The average ransomware attack costs a company $5 million. According to the F.B.I., U.S. companies lose billions of dollars per year to cybercrime.

As a reseller, you need to feel confident that the cloud access control systems you recommend to your customers are cybersecure. Here are five things to look for when choosing a cybersecure cloud access control system vendor.

Physical Security

Cloud access control vendors should restrict physical access to their data centers, backup storage, and server areas. Servers and other equipment should be housed in secure locations and monitored 24/7 by on-site personnel and by indoor and outdoor video surveillance. Vendors should require anyone entering the data center to sign in at a staffed security desk, and should control the issue, return, and logging of keys to locked racks and cabinets.

ACaaS Network Security

When evaluating cloud access control systems for cybersecurity, look for vendors with strong network security practices that protect data confidentiality. The network security architecture should include next-generation firewalls (NGFW), intrusion prevention systems (IPS), and network address translation (NAT), and database servers should be segmented onto private networks that are not reachable from the public internet.

Data sent between data centers, web browsers, and control panels should be encrypted in transit with 256-bit encryption (for example, TLS using AES-256), regardless of whether the link is Ethernet, Wi-Fi, or cellular. This is the same level of encryption used by banks and financial institutions. Key length alone says little, though: ask the vendor which protocol versions and cipher suites its endpoints accept, because an obsolete protocol version paired with a 256-bit cipher is still a weak configuration.
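A reseller can verify the encryption-in-transit claim rather than take it on faith. The following script is an added example and is not code from the original article or from any vendor: it opens a TLS session to an HTTPS endpoint, reads the negotiated protocol version and cipher suite, and checks them against a simple policy (TLS 1.2 or newer, and a 256-bit AEAD cipher such as AES-256-GCM or ChaCha20-Poly1305). The host name passed on the command line is an assumption; the offline demonstration uses constructed session parameters.

```python
"""Added example: check a vendor endpoint's negotiated TLS version and cipher suite.

Policy: TLS 1.2 or newer, and a 256-bit AEAD cipher (AES-256-GCM or ChaCha20-Poly1305).
Run with a host name to probe a live endpoint, or with no arguments for an offline
demonstration on constructed session parameters.
"""
import socket
import ssl
import sys

MIN_TLS_VERSION = "TLSv1.2"
# Substrings covering both OpenSSL's TLS 1.3 suite names (TLS_AES_256_GCM_SHA384)
# and its TLS 1.2 names (ECDHE-RSA-AES256-GCM-SHA384, ECDHE-RSA-CHACHA20-POLY1305).
AEAD_256_MARKERS = ("AES_256_GCM", "AES256-GCM", "CHACHA20_POLY1305", "CHACHA20-POLY1305")
_VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


def tls_version_ok(version: str) -> bool:
    """True if the negotiated protocol version is at least MIN_TLS_VERSION."""
    return (version in _VERSION_ORDER
            and _VERSION_ORDER.index(version) >= _VERSION_ORDER.index(MIN_TLS_VERSION))


def cipher_ok(cipher_name: str, key_bits: int) -> bool:
    """True if the suite is a 256-bit AEAD cipher; a 256-bit key alone is not enough."""
    name = cipher_name.upper()
    return key_bits >= 256 and any(marker in name for marker in AEAD_256_MARKERS)


def evaluate(version: str, cipher_name: str, key_bits: int) -> dict:
    """Apply the policy to one negotiated session and report each check separately."""
    v_ok = tls_version_ok(version)
    c_ok = cipher_ok(cipher_name, key_bits)
    return {
        "tls_version": version,
        "cipher": cipher_name,
        "key_bits": key_bits,
        "tls_version_ok": v_ok,
        "cipher_ok": c_ok,
        "pass": v_ok and c_ok,
    }


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a TLS session to host:port with certificate validation on, then evaluate it."""
    ctx = ssl.create_default_context()  # verifies the certificate chain and host name
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _protocol, bits = tls.cipher()  # (suite name, protocol, secret bits)
            return evaluate(tls.version(), name, bits)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Assumed usage: python tls_check.py portal.vendor.example
        print(probe(sys.argv[1]))
    else:
        # Offline demonstration on constructed session parameters (not real vendor data).
        print(evaluate("TLSv1.3", "TLS_AES_256_GCM_SHA384", 256))
        print(evaluate("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", 128))
```

The probe only reports what one client negotiated; to see every protocol version and suite the server will accept, repeat it with deliberately restricted client contexts, or use a dedicated TLS scanner.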

Production network environments should be separate from the vendor’s corporate office network, and the vendor should control, log, and monitor access to its production and disaster recovery networks. This keeps corporate employees from reaching the data center either accidentally or deliberately, and prevents problems on the vendor’s internal corporate network from “spreading” to the access control system’s operational network.

Redundancy and Disaster Recovery

Cybersecure cloud access vendors should have an infrastructure with no single point of failure. This means that every part of the system should have a redundant counterpart, including firewalls, load balancers, web servers, application servers, and database servers. The data center hosting provider should have redundant power supplies, dual management cards in each switch, redundant Ethernet, redundant gigabit fiber aggregators, and redundant routers. The vendor should also maintain disaster recovery sites in multiple locations apart from its primary data center, so that the loss of one facility does not take the service down.

Access Control Hardware

Most networked devices “listen” for inbound connections to receive commands, broadcast messages, network management traffic, and other communications intended for them. A device that accepts unsolicited external connections exposes an attack surface, so the panels of a cybersecure access control system should not accept unsolicited inbound connections; instead, the panel should initiate its own outbound connection to the cloud service and receive commands over that channel.

Cybersecure control panels use non-routable (private, RFC 1918) IP addresses, which cannot be reached directly from the internet. Because the panels are not exposed to the internet, they sit behind the customer’s corporate routers and firewalls, which use Network Address Translation (NAT) for the panels’ outbound traffic. Note that NAT by itself is not a security control: what actually blocks unsolicited inbound traffic is the firewall’s stateful policy, so confirm that the firewall denies inbound connections to the panel network rather than relying on address translation alone.
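Both properties above, private addressing and no inbound connections to panels, can be checked from the customer’s own firewall logs. The script below is an added example, not code from the original article or from any vendor: it confirms that a panel subnet lies inside RFC 1918 space and then walks a set of “new connection” firewall records, flagging any connection opened *toward* a panel (from the internet or from the corporate LAN) and any panel connection that goes somewhere other than the expected service port. The panel subnet, the allowed port, and the log lines are all constructed for illustration.

```python
"""Added example: audit firewall connection logs for an access control panel VLAN.

Checks that panels use RFC 1918 addresses and that nothing initiates connections to
a panel; panels only call out, and only to the expected service port. The subnet,
port, and log records below are constructed for illustration, not real deployment data.
"""
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PANEL_SUBNET = ipaddress.ip_network("10.20.0.0/24")  # assumed panel VLAN
ALLOWED_PANEL_DEST_PORTS = {443}                      # assumed: panels call home over TLS only

# Constructed "new connection" records: timestamp state src sport dst dport proto.
# The source is always the side that opened the connection.
SAMPLE_LOG = """\
2019-03-01T10:00:01Z NEW 10.20.0.5 51234 203.0.113.10 443 tcp
2019-03-01T10:00:02Z NEW 10.20.0.6 51235 203.0.113.10 443 tcp
2019-03-01T10:00:07Z NEW 198.51.100.23 40000 10.20.0.5 23 tcp
2019-03-01T10:00:09Z NEW 10.0.5.17 40211 10.20.0.6 80 tcp
2019-03-01T10:00:11Z NEW 10.20.0.5 51236 198.51.100.9 8080 tcp
"""


def panel_addressing_ok(cidr: str) -> bool:
    """True if the panel subnet lies entirely inside one of the RFC 1918 private blocks."""
    net = ipaddress.ip_network(cidr)
    return any(net.subnet_of(block) for block in RFC1918)


def parse_record(line: str) -> dict:
    """Parse one whitespace-separated connection record into typed fields."""
    ts, state, src, sport, dst, dport, proto = line.split()
    return {"ts": ts, "state": state,
            "src": ipaddress.ip_address(src), "sport": int(sport),
            "dst": ipaddress.ip_address(dst), "dport": int(dport), "proto": proto}


def audit(log_text: str, panel_subnet=PANEL_SUBNET, allowed_ports=ALLOWED_PANEL_DEST_PORTS) -> list:
    """Return (finding_type, record) pairs for connections that violate the panel policy."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["state"] != "NEW":
            continue  # only connection setup tells us who initiated
        if rec["dst"] in panel_subnet:
            # Anyone opening a connection to a panel is unsolicited inbound, even from
            # the corporate LAN: a hardened panel should not be listening at all.
            findings.append(("unsolicited_inbound", rec))
        elif rec["src"] in panel_subnet and rec["dport"] not in allowed_ports:
            # A panel calling out somewhere other than the expected service port.
            findings.append(("unexpected_outbound", rec))
    return findings


if __name__ == "__main__":
    print("panel subnet is RFC 1918:", panel_addressing_ok(str(PANEL_SUBNET)))
    for kind, rec in audit(SAMPLE_LOG):
        print(f"{kind}: {rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} at {rec['ts']}")
```

On the constructed records this reports three findings: a telnet attempt from the internet to a panel, an HTTP connection from a corporate workstation to a panel, and a panel calling out on port 8080. The first two are exactly the inbound connections the text says a panel must not accept; the third is worth raising with the vendor, since a panel that only needs its cloud service should need only that service’s port.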

Audits and Testing

Cloud access control vendors should not rely on their cloud provider’s certifications as proof that customer data is safe from attack. Instead, the best vendors engage independent third parties to audit their data security. These vendors also conduct periodic vulnerability assessments and penetration tests of their software, hardware, and processes to find and fix security weaknesses.

Download our Cybersecurity Survival Guide to learn more about the relationship between cybersecurity and physical security, and to understand how your customers are evaluating the potential for cybersecurity breaches of their organization’s physical security applications.