Tags: access control, FIDO, Security, Technology, ZeroTrust, Products & Solutions

19.03.2025

One Key, Many Doors

by Claus Gründel

Businesses need to protect access to restricted areas just as they need to protect access to endpoint devices and sensitive internal data. State-of-the-art token solutions meet both requirements at the same time, saving time and money.

Two developments are exacerbating the problem of industrial espionage that has plagued companies throughout history: first, inadequate or outdated IT security solutions open (back-)doors for attackers to enter company networks; second, some nations maintain, or at least support, specialized organizations whose only job is to find gaps in foreign IT infrastructures and exploit them with cyberattacks.

Data theft risks

Dramatic cases of blackmail via malicious file encryption (ransomware) find their way into headlines on an almost daily basis. But much more frequently, cybercriminals will simply steal data. This may serve blackmail purposes as well, but it is usually aimed at industrial espionage. And if personal information is compromised, this creates additional risks, such as being fined for GDPR violations in Europe.

However, attackers have more ways to compromise sensitive information than just via the internet. That's why robust security controls are needed not only for the company network but also for physical access to a company's sensitive data.

Defense in depth

If you visit a modern bank branch today, you will notice that the traditional counter with bulletproof glass has become obsolete. The bank welcomes customers in a friendly, open space. But as you advance deeper into the building, security measures such as segmentation and authentication apply: you will only be able to enter administrative offices when accompanied by an employee with a security token. And access to critical areas such as the deposit boxes is blocked by a vault door weighing several tons which can only be opened during business hours using dual access codes in a double-verification procedure.

Businesses with robust security take a similar approach: here, too, proceeding from the lobby requires security tokens, and so does entering areas such as financial accounting or R&D. Ideally, these tokens are centrally managed and monitored so that unusual access attempts will immediately trigger alarms.

At the office, on the factory floor, and in the R&D lab, data is protected by yet another safeguard: endpoint log-in. For this, user name and password will no longer suffice – multifactor authentication (MFA), ideally hardware-based, is the state of the art. Each user has their own security token and can only access the computer when the token is inserted and the user is authenticated via PIN or touch-point.

Hardware tokens or software tokens, that is the question

Hardware tokens offer several significant advantages over software tokens: as hardened security devices, they are extremely difficult to compromise, whereas software tokens are always dependent on the level of protection provided by the smartphone OS and authentication app. Also, most businesses don’t provide all of their employees with company smartphones. Security tokens on private consumer devices, however, would be any security officer's nightmare, especially in sensitive sectors.

What's more, a smartphone that is constantly in use will often be forgotten, lost, or stolen, exacerbating its overall risk exposure. The risk of loss and theft is considerably lower with a hardware token attached to a key ring or worn on the wrist as a bracelet. Although hardware tokens increase the initial administrative workload for the IT department, their security benefit is considerable – not to mention the expenditure of time and effort necessitated by a security incident.

Advantages of flexible security tokens

Today, all hardware tokens from major manufacturers support the FIDO 2 standard. This means that employees only need a single token to log on to their computer and to hundreds of cloud services that support FIDO 2, from Microsoft Azure to Workday and many more business applications. This is user-friendly and saves time.

However, when selecting hardware tokens, businesses should choose solutions that support not only FIDO 2 but also additional standards such as NXP MIFARE. This way, the same tokens can be used as door-openers to access the building, as well as for numerous other purposes, such as checking out vehicles from the company car pool, paying for coffee at the company cafeteria, or tracking work time. This is not only more convenient: compared to separate token solutions, it also cuts procurement and administration costs in half for IT and facility management. In product selection, it is always good advice to look for a robust design and a renowned manufacturer. This prevents downtime and mitigates supply chain uncertainties.

To summarize: flexible security tokens secure access to buildings and areas, while also protecting end devices and data. Compared to point solutions, this reduces procurement and administration costs while saving time and effort. In addition, end users have a single “door opener” for convenient MFA-protected access to hundreds of cloud services. This way, emails and files are as secure in the cloud as they would be in a bank safe-deposit box.

Claus Gründel

Claus Gründel was appointed General Manager of the Embedded IoT Solutions division in August 2022. With over 20 years of experience in the security sector, he previously worked as an independent consultant for ProSieben Group and Barclays Bank. In the managed PKI space, he worked for Digicert and other industrial customers and medical device manufacturers. He also held executive positions at Giesecke+Devrient (G+D), contributing to the development of the software and service business for security applications and overseeing the growth of the cybersecurity portfolio.
