
Cloud-based access control: A Complete Guide

“The Cloud.” What is it, and how does it integrate with advanced platforms like Protege X, powered by Microsoft Azure?

In today's digital-first world, understanding cloud-based access control systems is more critical than ever to offer scalable, flexible, and cost-effective solutions for modern security needs.

In this guide, we’ll demystify cloud technology, explore the robust security measures of Azure, and highlight why businesses are increasingly turning to cloud-based access control for enhanced safety and efficiency. Let’s dive into how these systems are reshaping access control and building security.

Microsoft Azure and Protege X

One of the largest cloud providers in the world is Azure, Microsoft's cloud platform. Azure is trusted by 95% of Fortune 500 companies and has the largest compliance portfolio in the industry.

That's why we have chosen Azure to host our cloud-based system, Protege X. Protege X is ICT's next-generation, cross-platform access control and intrusion detection ecosystem, designed for businesses that demand future-proofed flexibility.

What is the Cloud?

As more access control and security companies bring their systems onto the cloud, it’s important to understand what it is and why it matters to you, the installer and the end-user.

You're probably more familiar with it than you may know. At its most basic, the cloud is computing that happens on someone else's servers, reached over the internet. More specifically, the cloud is a global network of servers that host the software and databases you use through the internet. Google Drive, Dropbox, and Netflix are all everyday examples of the cloud in action. When you turn on Netflix, the movie isn't stored on your TV or laptop; it's stored in the cloud and you are streaming it through the internet.

Internet access is crucial for utilizing cloud services, as it allows security administrators to manage access permissions and monitor logs in real-time from any location.

Cloud cybersecurity

Colloquially we speak of cloud security and cybersecurity as if they were one thing, but there is an intrinsic difference between them.

Cybersecurity is the protection of internet-connected devices (laptops, smartphones, and even ICT devices such as the controller or tSec readers) and the systems behind them against cyberattacks, like software supply chain attacks, which annually impact 3 out of 5 US companies.

Cloud security refers to the protection of the data, networks, and infrastructure that make up a cloud-based system. It is built on the policies, processes, and technologies designed to safeguard the cloud platform and the data within it against malicious actors.

Cloud security is one part of cybersecurity: every cloud security control is a cybersecurity control, but cybersecurity also covers everything that is not in the cloud, such as the controller in your equipment room and the reader on the door.

Distinctions like this are often unfamiliar to people outside the cloud security industry, which makes the cloud and cloud security harder to understand. It is therefore no surprise that the perceived security risks of the cloud are the number one reason holding physical security professionals and end-users back from embracing it.

A lack of clear education about the cloud and its security leaves room for distrust to grow. So, let’s clear the air and get to know Microsoft Azure. 

Secure network infrastructure: Datacenters 

Azure runs on more than 100 datacenters dispersed around the world, managed, monitored, and administered by Microsoft operations staff.

The geographic distribution has three levels, from largest to smallest:

  • Geographies: Data residency boundaries, typically a country or union, that allow customers to meet compliance, resiliency, and data sovereignty requirements.
  • Regions: A set of datacenters within a geography, connected by a dedicated low-latency network. Regions within a geography can talk to one another.
  • Availability zones: Physically separate locations within a region, each equipped with independent power, cooling, and networking, so that if one zone goes down the rest of the region is unaffected.

Azure datacenter physical security

Microsoft has an entire division dedicated to designing, building, and operating the datacenters supporting Azure and requires all employees and the rare visitor to go through several rigorous access control steps.

All requests to enter the datacenter must be validated and access is granted on a need-to-access basis, with strict zone and time limits placed on the credential. Biometrics are required for multi-factor authentication (MFA) and you must pass through metal detectors going in and out of the center. Cameras also watch every angle of every server to ensure hardware is never tampered with or stolen.

The strict rules around entering and exiting mitigate risks to these datacenters and your data.

Outages and disaster recovery

Resilience is built in at two levels. Within a datacenter, uninterruptible power supplies with vast banks of batteries and emergency generators keep the servers running through a local power outage. Across datacenters, disaster recovery relies on the geographically dispersed locations.

If something were to happen to the datacenter your data is kept in, your database backup is geo-replicated and stored in separate centers, so the data survives the loss of any one site.

Secure network infrastructure: Software and data

Now that we’ve looked at how the datacenters and servers are physically secured, let’s turn our attention to how Microsoft ensures that Azure keeps their software and customer data protected.

Azure Security Policy

Any request by Microsoft personnel to access Azure systems is vetted against the Azure Security Policy:

  • By default, Microsoft operations and support personnel are denied access
  • Grant the least privilege required to complete the task
  • Log and audit every access request

For any Microsoft operations and support personnel, multifactor authentication (MFA) is required, and access is only granted from secure consoles.

Azure Front Door

Azure Front Door sits between the end-user and the application’s content – in this case, Protege X.

Azure Front Door provides a secure entry point for content delivery, with a built-in web application firewall (WAF), bot protection, and distributed denial-of-service (DDoS) protection, so that floods of malicious traffic are absorbed and filtered at the edge before they can overwhelm the application and take it offline.
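The rate limiting that stops a single source from flooding the application can be shown in miniature. The Go program below is an added example written for this guide, not ICT or Microsoft code, and it is a deliberate simplification of what an edge service's rate-limit rules do: it replays a constructed edge log (documentation IP addresses, invented paths) through a sliding-window limiter and reports how many requests each client would have had rejected before reaching the application.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
	"time"
)

// sampleLog is a constructed edge log (timestamp, client IP, path), not real
// traffic. One client hammers the login endpoint; another browses normally.
const sampleLog = `2023-04-13T10:00:00Z 203.0.113.7 /login
2023-04-13T10:00:00Z 198.51.100.4 /login
2023-04-13T10:00:01Z 203.0.113.7 /login
2023-04-13T10:00:01Z 203.0.113.7 /login
2023-04-13T10:00:02Z 203.0.113.7 /login
2023-04-13T10:00:02Z 203.0.113.7 /login
2023-04-13T10:00:03Z 203.0.113.7 /login
2023-04-13T10:00:03Z 203.0.113.7 /login
2023-04-13T10:00:05Z 198.51.100.4 /api/events
2023-04-13T10:00:15Z 203.0.113.7 /login`

// limiter allows at most limit requests per client within any sliding window.
type limiter struct {
	limit  int
	window time.Duration
	recent map[string][]time.Time // timestamps of allowed requests, oldest first
}

// allow records the request if the client is under its limit. Requests are
// expected in time order, as they arrive at an edge proxy.
func (l *limiter) allow(client string, at time.Time) bool {
	times := l.recent[client]
	cut := 0
	for cut < len(times) && at.Sub(times[cut]) >= l.window {
		cut++ // expire entries that have aged out of the window
	}
	times = times[cut:]
	if len(times) >= l.limit {
		l.recent[client] = times
		return false // rejected requests do not count toward the window
	}
	l.recent[client] = append(times, at)
	return true
}

// replay runs a log through the limiter and returns, per client, how many
// requests would have been rejected at the edge.
func replay(text string, limit int, window time.Duration) (map[string]int, error) {
	l := &limiter{limit: limit, window: window, recent: map[string][]time.Time{}}
	blocked := map[string]int{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 3 {
			continue // skip malformed lines rather than fail the whole replay
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		if !l.allow(f[1], at) {
			blocked[f[1]]++
		}
	}
	return blocked, nil
}

func main() {
	blocked, err := replay(sampleLog, 5, 10*time.Second)
	if err != nil {
		panic(err)
	}
	for client, n := range blocked {
		fmt.Printf("%s: %d requests rejected\n", client, n)
	}
}
```

With a limit of 5 requests per 10 seconds, the flooding client gets its sixth and seventh requests rejected, the quiet client is never touched, and the flooding client is admitted again once its earlier requests age out of the window. A real edge WAF keys the same kind of counter on more than the source address (session, path, JA3 fingerprint) so that a distributed flood cannot slip under a per-IP threshold.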


Multi-factor authentication

Protege X is secured following the best practices in cybersecurity with multi-factor authentication (MFA).

MFA requires that a user present more than one kind of proof of identity to log in, for example a password plus a one-time code generated by an authenticator app on their smartphone.

MFA is required to log into any application connected to the Protege X system, to mitigate the risk of malicious actors gaining access, and it is managed by Azure Active Directory B2C.
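The code an authenticator app shows is a time-based one-time password (TOTP, RFC 6238): an HMAC of the current 30-second time step under a secret shared at enrolment, truncated to six or eight digits. As an added example written for this guide, not ICT or Microsoft code, the Go program below implements HOTP and TOTP with the standard library and a verifier that tolerates one step of clock drift and refuses replayed codes. The secret is the RFC 6238 reference key, used only so the output can be checked against the published test vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// hotp computes an RFC 4226 one-time password from a shared secret and counter.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects a 4-byte window.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp is RFC 6238: the counter is the number of whole time steps since the Unix epoch.
func totp(secret []byte, unixTime, step int64, digits int) string {
	return hotp(secret, uint64(unixTime/step), digits)
}

// Verifier checks submitted codes against a window of time steps and refuses
// to accept a counter value at or below one it has already consumed.
type Verifier struct {
	secret  []byte
	step    int64
	digits  int
	skew    int64  // time steps of clock drift tolerated on either side
	highest uint64 // highest counter already accepted
	any     bool   // whether highest has been set
}

// Verify returns true if code matches a step inside the window and has not
// been used before. The comparison is constant-time.
func (v *Verifier) Verify(code string, now int64) bool {
	base := now / v.step
	for d := -v.skew; d <= v.skew; d++ {
		c := uint64(base + d)
		if v.any && c <= v.highest {
			continue // replay, or older than a code already accepted
		}
		expected := hotp(v.secret, c, v.digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			v.highest, v.any = c, true
			return true
		}
	}
	return false
}

func main() {
	// RFC 6238 reference secret; used here only because its outputs are published.
	secret := []byte("12345678901234567890")
	fmt.Println(totp(secret, 59, 30, 8)) // 94287082 in the RFC 6238 test vectors
	v := &Verifier{secret: secret, step: 30, digits: 6, skew: 1}
	code := totp(secret, 1234567890, 30, 6)
	fmt.Println("first use:", v.Verify(code, 1234567890))
	fmt.Println("replay:   ", v.Verify(code, 1234567895))
}
```

Two details matter in practice and are easy to get wrong: the comparison must be constant-time so that a network attacker cannot learn digits one at a time from response latency, and the verifier must remember the last accepted step, otherwise a code captured from a phishing page can be replayed for the rest of its 30-second life.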

Data encryption and cloud access control systems

Whether it’s in transit or at rest, all customer data is encrypted.

Data encryption in transit

Microsoft follows international standards, enabling 'encryption by default' for all data in transit between Azure datacenters. Further, Protege X uses Transport Layer Security (TLS) for encryption in transit. TLS is a cryptographic protocol for communications security: during the handshake, asymmetric cryptography authenticates the server and establishes a session-specific key, and the traffic is then encrypted with a symmetric cipher under that key.

TLS provides a secure, reliable, and confidential connection between two applications, while ensuring that the connection is authentic, meaning you’re connecting to a legitimate site and not a malicious actor.

It may surprise you, but you already use TLS every day. It's an integral part of the internet, as it's foundational to HTTPS. You may recognize it as the 'https://' prefix (and the padlock icon beside it) at the front of web addresses, which tells you that your connection to the site is encrypted and authenticated, such as: https://ict.co/.
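"Ensuring that the connection is authentic" comes down to the certificate check a TLS client performs before any application data flows. The Go program below is an added example written for this guide, not code from ICT or Microsoft. It builds a hypothetical trusted root and a hypothetical rogue root in memory, issues a certificate for the invented host name portal.example.test from each, and runs the same verification a TLS client applies: the genuine certificate passes, while the same certificate presented for a different name, a client with no trusted roots, and an impostor's certificate for the right name all fail.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// signer pairs a certificate with the private key behind it.
type signer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// makeCert generates a P-256 key and certificate for name. With parent == nil the
// certificate is a self-signed root CA; otherwise it is a server certificate for
// the DNS name, signed by parent. Names and serials are demonstration values.
func makeCert(name string, parent *signer) (*signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	issuer, issuerKey := tmpl, key
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{name}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		issuer, issuerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &signer{cert: cert, key: key}, nil
}

// verifyServer is the check a TLS client applies to the certificate a server presents:
// chain to a trusted root, valid now, permitted for server auth, bound to the host name.
func verifyServer(leaf *x509.Certificate, roots *x509.CertPool, hostname string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   hostname,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// scenarios builds a trusted root, a rogue root and a certificate for the same
// hypothetical host name from each, then reports which cases a client accepts.
func scenarios() (map[string]bool, error) {
	const host = "portal.example.test"
	var err error
	mk := func(name string, parent *signer) *signer {
		s, e := makeCert(name, parent)
		if e != nil && err == nil {
			err = e
		}
		return s
	}
	trustedRoot, rogueRoot := mk("Example Trusted Root", nil), mk("Rogue Root", nil)
	genuine, forged := mk(host, trustedRoot), mk(host, rogueRoot) // forged: impostor's cert
	if err != nil {
		return nil, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(trustedRoot.cert)
	return map[string]bool{
		"genuine cert, trusted root, right name": verifyServer(genuine.cert, trusted, host) == nil,
		"genuine cert, trusted root, wrong name": verifyServer(genuine.cert, trusted, "other.example.test") == nil,
		"genuine cert, no trusted roots":         verifyServer(genuine.cert, x509.NewCertPool(), host) == nil,
		"forged cert from rogue root":            verifyServer(forged.cert, trusted, host) == nil,
	}, nil
}

func main() {
	results, err := scenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println(results)
}
```

The symmetric session key that encrypts the bulk traffic is only negotiated after this check succeeds. A client that disables it (Go's InsecureSkipVerify, or its equivalent in any other TLS stack) still gets encryption, but to whoever answered, which is exactly the gap an attacker on the path needs.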

Data encryption at rest

When your data is at rest, it's stored in an Azure SQL Database, which has built-in encryption at rest (Transparent Data Encryption) using a symmetric cipher, AES.

Further, Azure also offers Trusted Execution Environments (TEEs) for processing customer data. A TEE is a hardware-isolated enclave, separated from the system's main operating system and hypervisor, so that data being worked on inside it cannot be read by the host, by other tenants, or by the cloud operator. Where encryption at rest protects stored data, a TEE protects data in use, the moment it has to be decrypted to be processed.

Encryption at rest is a further mitigation against malicious actors reaching unencrypted data: if an attacker obtains the physical disk or a raw copy of the database files, they cannot read the data without the key.
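Encryption at rest in a managed database follows an envelope pattern: the data is encrypted under a data encryption key (DEK), and the DEK is itself encrypted under a key encryption key (KEK) held outside the database (in Azure SQL, the TDE protector). The Go program below, an added example written for this guide rather than ICT or Microsoft code, shows the pattern per record with AES-256-GCM: someone holding the raw database files but not the KEK gets nothing, and because the row identifier is bound in as associated data, a ciphertext moved to another row or modified on disk fails to decrypt rather than yielding wrong data. The record contents and identifier are constructed samples.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sealedRecord is what lands on disk: nothing in it is readable without the KEK,
// which lives outside the database (a key vault or HSM in a real deployment).
type sealedRecord struct {
	WrappedDEK []byte // per-record data encryption key, encrypted under the KEK
	Ciphertext []byte // the record, encrypted under the DEK
}

// gcmSeal encrypts plaintext with AES-256-GCM under key, with a fresh random nonce
// prepended to the output and aad authenticated alongside the ciphertext.
func gcmSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// gcmOpen reverses gcmSeal; any change to nonce, ciphertext, tag or aad fails.
func gcmOpen(key, blob, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob shorter than nonce")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// encryptRecord generates a fresh DEK for the record, encrypts the record under it,
// and wraps the DEK under the KEK. recordID is bound in as associated data so a
// ciphertext cannot be silently moved to a different row.
func encryptRecord(kek, record, recordID []byte) (*sealedRecord, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return nil, err
	}
	ct, err := gcmSeal(dek, record, recordID)
	if err != nil {
		return nil, err
	}
	wrapped, err := gcmSeal(kek, dek, recordID)
	if err != nil {
		return nil, err
	}
	return &sealedRecord{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// decryptRecord unwraps the DEK with the KEK, then decrypts the record.
func decryptRecord(kek []byte, s *sealedRecord, recordID []byte) ([]byte, error) {
	dek, err := gcmOpen(kek, s.WrappedDEK, recordID)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return gcmOpen(dek, s.Ciphertext, recordID)
}

func main() {
	kek := make([]byte, 32) // in production this comes from a key vault or HSM
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	id := []byte("cardholder:42") // constructed sample row identifier
	s, err := encryptRecord(kek, []byte("card 0x1A2B, door 7, Mon-Fri 08:00-18:00"), id)
	if err != nil {
		panic(err)
	}
	pt, err := decryptRecord(kek, s, id)
	fmt.Printf("with KEK: %q err=%v\n", pt, err)
	_, err = decryptRecord(make([]byte, 32), s, id)
	fmt.Println("without the right KEK:", err)
}
```

Rotating the KEK only requires re-wrapping the small DEKs, not re-encrypting every record, which is why the two-key design is standard. The authenticated mode is what turns "cannot read the data" into "cannot alter it either": a flipped byte in the stored ciphertext is rejected at decrypt time instead of silently corrupting an access schedule.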

Data segregation

Azure also segregates networks.

Managed and customer networks are segregated from each other in Azure; Microsoft-managed networks are reachable only by administrators connecting to operate Azure. When administrators do connect, just-in-time access and privileged access workstations limit what they can reach. Just-in-time access is a foundational aspect of Microsoft's cybersecurity: staff are granted access only for a predetermined period and a specific task, after which it expires automatically. Segregating the networks means that an attack on the managed networks cannot reach customer networks directly.

To ensure customers can't reach each other's networks, they're further segregated using network virtualization. Network virtualization separates the network's software definition from the hardware, so that each customer's network runs independently of the physical equipment carrying it. Each virtual network exists in isolation while still being managed from a central point.

By virtualizing the network, Microsoft can ensure that a breach or incident in one customer's network doesn't impact the other tenants sharing the same hardware, and can dynamically balance network capacity for more efficient and resilient networks that are faster to deploy changes to.


Secure network infrastructure: Testing and monitoring 

Now that we’ve looked at how the software and data in Azure are secured, we’ll be looking at how they ensure it stays secure with continuous monitoring and testing.

Cybersecurity experts

Microsoft invests over a billion dollars annually in its cybersecurity frameworks and teams, with over 3,500 dedicated cybersecurity experts working 24 hours a day, 365 days a year. Among them are 200 professionals who continuously run penetration exercises to identify potential vulnerabilities in Azure.

Virus scans

Testing the code is a foundational part of adding components to Azure, and every software component of an Azure build must be scanned with an endpoint protection anti-malware tool.

Every scan creates a log detailing what was scanned and the result. Code is only promoted to production when the scan is clean; if anything is flagged, the build is frozen and handed to the security team to identify where the bad code was introduced.

These scans stop malicious code and malware before they can enter the system.

Experience Counts

Still not fully convinced? Well, let’s consider Microsoft’s experience in cloud and cyber security.

Microsoft has decades of experience in securing its systems and in investing at scale in infrastructure, hardware, and experts. The Xbox gaming console remains a top-ranked system, while the Microsoft 365 suite (including Teams, OneDrive, Word, Excel and many more) has nearly half a billion active users.

These are either cloud-based applications, like Teams and OneDrive, or have cloud saving capabilities to allow you to access them anywhere, such as Xbox or Word. Securing cloud applications is not only something Microsoft has decades of experience in, it’s an integral part of their business. 

All of these policies and frameworks – from how Microsoft protects their data centers and the way your data is encrypted when in those centers or travelling between, to the intentional continuous investment in monitoring and testing that Microsoft undergoes – are designed to keep Protege X and therefore, your data, safe and secure.

As you gain a deeper understanding of the cloud and its security, we hope that you're starting to feel more comfortable with it and with trusting your security and access control to cloud-based systems. New technology can be hard to trust, but the cloud means you can truly access your things, whether TV shows, Word documents, or Protege controller information, from anywhere, at any time.

TL;DR:

  • The cloud is a global network of servers that hosts software and data you reach over the internet.
  • Microsoft has an entire division dedicated to designing, building, and operating the Azure data centers.
  • Your data has built in disaster recovery in case of outages or failures as it’s stored in at least two geographically dispersed data centers.
  • Protege X, ICT’s cloud system, employs best practices like Zero Trust and multi-factor authentication (MFA) to verify and control access.
  • Customer networks are segregated through network virtualization, ensuring a breach in one network doesn't affect others.
  • Microsoft invests over a billion dollars annually in cybersecurity, with over 3,500 experts monitoring and running penetration tests continuously to identify and mitigate risks.
  • Every code component undergoes rigorous testing to ensure security before deployment to Azure.
  • Microsoft’s extensive experience in cloud and cybersecurity supports the reliability of systems like Xbox and the Microsoft 365 suite, keeping them safe and secure.

Introduction to Cloud-Based Access Control

Cloud-based access control enables organizations to manage physical access security systems remotely, from anywhere in the world. It integrates with existing security systems through the cloud, providing consistent and reliable service. By leveraging cloud-based access control solutions, businesses can improve the delivery of their access control systems, offering new, more flexible service subscription models. This not only reduces costs but also increases operational efficiency, making it an ideal choice for modern enterprises looking to enhance their security infrastructure.

Benefits of Cloud-Based Access Control Systems

Cloud-based access control systems offer numerous benefits for any sized business. Some of the key advantages include:

Scalability and Flexibility

One of the standout features of cloud-based access control systems is their scalability and flexibility. Unlike traditional on-premises access control systems, which can be cumbersome to expand, cloud-based systems can easily grow with your business. Whether you're managing a single office or multiple locations across the globe, cloud-based access control systems allow you to seamlessly integrate new sites and users. This adaptability ensures that your security infrastructure can evolve with your changing needs, providing a robust solution that can be tailored to your specific requirements. Additionally, these systems can be integrated with other security systems, such as video surveillance or wireless sensors, creating a comprehensive security ecosystem that enhances overall safety and control.

Cost-Effectiveness

Cost-effectiveness is another significant advantage of cloud-based access control systems. Traditional on-premises access control systems often require substantial upfront investments in on-site servers and hardware, not to mention the ongoing costs of maintenance and upgrades. In contrast, cloud-based access control systems eliminate the need for those physical components on site. Instead, they operate on a subscription-based model, allowing businesses to spread out costs over time and optimize cash flow. This model not only reduces initial expenditures but also minimizes the financial burden of maintaining and upgrading the system, making it a more economical choice for businesses of all sizes.

Enhanced Security

Security is paramount when it comes to access control, and cloud-based systems excel in this area. These systems offer enhanced security features such as data encryption, ensuring that sensitive information is protected both in transit and at rest. Multi-factor authentication adds an extra layer of security, requiring users to verify their identity through multiple methods before gaining access. Regular security updates, applied centrally by the provider rather than site by site, ensure that the system is always protected against the latest threats.

Manage from anywhere

One of the key benefits of cloud-based access control is the ability to manage physical access security systems from anywhere, at any time. With a cloud-based system, administrators can remotely enroll and manage access control appliances, monitor events and activities, and activate threat levels or lockdowns from a distance. This level of remote management enables organizations to respond quickly to security incidents and ensure the safety of their employees, visitors, and assets. The convenience and efficiency of remote management make cloud-based access control an invaluable tool for modern security operations.

We have now taken a deep dive into cloud-based access control: how Azure secures its hardware and software using industry best practices, and how Azure and ICT ensure the system is continuously monitored and tested. All of these frameworks and policies help to support and protect Protege X, our future-proof, scalable cloud-based solution. Want to know more? Speak to an ICT solutions expert to discuss the right cloud-based solution for your business.



Originally published April 13, 2023