Reality Check: Critical Info Transmitted via Simple Bit Data?


What Information Should We Trust?

In business meetings recently, the issue of data encryption arose and it jolted me back to reality. Most physical security professionals seem to think Information Security (InfoSec) – IS ONLY – IP Security (IPSec). Everyone wants to discuss data security issues related to IP Infrastructure. That is the MORE secure data infrastructure associated with Physical Protection Systems today and needs only minor attention.

In Wiegand We Trust?

Too many professionals today think only in terms of secure data transmission from the controller to the server, but the greatest vulnerability is actually from the reader to the controller! Two copper conductors (+ground) carry bit format identity data (Wiegand) from the reader to the controller in what must be over 90% of the private sector systems currently installed. When I explain this to security engineers, they look at me like I am from another galaxy, far, far away (are the Star Wars references getting old?)… but then for some it dawns on them… and I get the question: what are my options?
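To make the reader-to-controller point concrete, here is an added example (not from the original post) that decodes a frame in the common 26-bit Wiegand layout, which is assumed here because the post names no specific format. It shows that the identity is read off the wire with no key, and that the only check in the frame is parity, which catches line noise but is not integrity protection. The facility code and card number are constructed sample values.

```python
# Added illustration, not from the original post. Assumes the common 26-bit
# Wiegand layout: [even parity][8-bit facility][16-bit card][odd parity].
# All sample values are constructed.

def encode_wiegand26(facility: int, card: int) -> str:
    """Build the 26-bit frame a reader sends over its two data conductors."""
    if not (0 <= facility < 2**8 and 0 <= card < 2**16):
        raise ValueError("facility must fit in 8 bits, card in 16 bits")
    data = f"{facility:08b}{card:016b}"
    even = data[:12].count("1") % 2          # leading bit: first half even
    odd = (data[12:].count("1") + 1) % 2     # trailing bit: second half odd
    return f"{even}{data}{odd}"

def decode_wiegand26(frame: str) -> dict:
    """Recover the identity fields. Note that no key or secret is involved."""
    if len(frame) != 26 or set(frame) - {"0", "1"}:
        raise ValueError("expected a string of exactly 26 bits")
    data = frame[1:25]
    even_ok = (frame[0] + data[:12]).count("1") % 2 == 0
    odd_ok = (data[12:] + frame[25]).count("1") % 2 == 1
    return {
        "facility": int(data[:8], 2),
        "card": int(data[8:], 2),
        "parity_ok": even_ok and odd_ok,
    }

def flip_bits(frame: str, *positions: int) -> str:
    """Simulate corrupted bits at the given 0-based positions."""
    bits = list(frame)
    for p in positions:
        bits[p] = "1" if bits[p] == "0" else "0"
    return "".join(bits)

if __name__ == "__main__":
    frame = encode_wiegand26(facility=42, card=12345)
    print("frame on the wire :", frame)
    print("decoded, no key   :", decode_wiegand26(frame))
    # One corrupted bit is caught by parity.
    print("1 bit corrupted   :", decode_wiegand26(flip_bits(frame, 10)))
    # Two corrupted bits in the same half pass parity with a different card
    # number: parity is error detection, not authentication.
    print("2 bits corrupted  :", decode_wiegand26(flip_bits(frame, 10, 11)))
```

Nothing in the frame identifies which device sent it or when, which is the gap an encrypted, supervised protocol between reader and controller is meant to close.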

Encrypted IP Data from the Card Reader?

Several companies already have products offering IP Data solutions, but the breadth of the available products is limited. As a result, all the major security software developers are moving toward an encrypted serial data protocol that I have mentioned on this blog before: Open Supervised Device Protocol (OSDP). It definitely has its advantages over Wiegand… but I must ask, what the heck is the industry doing?

Encrypted Serial Data Preferred Over Encrypted IP?

Do we in the security industry truly believe we are doing the end-user community a service by introducing a decades-old technology that will need to be replaced in 5-10 years? Yes, I understand the idea of isolating data AWAY from the vulnerabilities of the LAN/WAN infrastructure, but do we really believe system-specific serial networks will be the future of security systems?

Information & Data Security FINALLY Addressed in Physical Security

OK, I am very happy to see Physical Security equipment manufacturers finally understanding the horror seen in an I.T. Director’s eyes when they are first told your IP Controllers will be installed on THEIR network. None of us can afford to be disengaged from this discussion. Card Access and Intrusion design must express as much concern for data security as for physical deterrence features. OSDP is being introduced to address this concern.

SMART Technology Investment

Security Directors, consider this topic carefully, especially those of you collaborating with I.T. Directors… If we all agree that data vulnerabilities should be addressed and funding has been allocated to mitigate the risk, shouldn’t you be investing in the latest technologies? IP Data via LAN/WAN Infrastructure CAN be secure, if it is designed properly. If your technology partners do not offer solutions that can provide this, apply pressure for them to develop it. IP-Based Technology AND Solutions have been available for years now.

If you would like to discuss this, or other security topics, please contact him via LinkedIn. Also, take a look at his LinkedIn Discussion Board Security Convergence, or his Twitter feed @DLIPTech.

This site is maintained by Douglas Levin, PSP, AHC, LEED AP. It is intended to be his personal professional blog. The content reflects personal opinions and observations regarding the Physical Security Systems industry and Technology Sectors. The opinions expressed herein reflect personal viewpoints/ideas and do not in any way represent the position of any other person, organization or company.

About Doug Levin

Doug is a certified (PSP, AHC, LEED AP), experienced business development professional with a focus on the physical security industry. With a diverse background that includes delivering products & services through multiple channels (manufacturing, distribution, specialty & general contracting), he brings a broad industry perspective that adds greater value for his clients. Having decades of experience with sales engineering and design-build of low-voltage automated systems, he also offers a strong emphasis on technical knowledge and consulting services. His career has included responsibility for: profit & loss, operations and sales management with front-line experience in estimating, sales/marketing, project management and developing security design documents & spec writing.
This entry was posted in Data Security, Physical Security, Technology.

One Response to Reality Check: Critical Info Transmitted via Simple Bit Data?

  1. Doug Levin says:

    I had a Physical Security Pro comment that I was not giving certified pros enough credit for data security knowledge in this piece. That was definitely NOT my intent. So, I wanted to include this response:
    **I don’t think the issue is so much education, per se. Every certified consultant I have worked with has been extremely professional and knowledgeable. I think what may be missing is the idea of managing converging technologies. How to facilitate the transition to IP and provide a consistent InfoSec plan that both Security AND I.T. Directors can support. I recently had a discussion with a CISSP certified pro and he was dismissive of our side of the security world, saying we don’t ensure our application source code is secure. I did some research and he has a point… In my opinion, end-users are looking for InfoSec, IPSec and Physical Security pros to work together and recommend forward thinking solutions.**