
Virtual Concierge: Security Management and Technical Architecture

May 10, 2019


I have always been fascinated with architecture; in fact, I seriously considered making it my career. On a recent trip to Italy, I visited the Pantheon, one of Rome's best-preserved ancient monuments and a testament to Roman architectural skill and engineering. Emperor Hadrian built the temple around 126 AD.

The building has stood for almost 2000 years and remains a remarkable example of Roman architecture. It reflects a commitment to excellence in design discipline, infrastructure, and the construction process. It is also one of the most remarkable uses of concrete: its unreinforced concrete dome, 43 meters (142 ft.) in diameter, is self-supporting.

IT systems architecture has historically not been developed with the same level of discipline, and as a result most systems ship with security flaws that demand continuous patching and maintenance.

Criminals are no longer just thugs waiting in alleyways for unsuspecting passers-by. They now include extensive cybercrime networks that span the globe and spend vast amounts of time and money looking for any weakness in an IT system architecture to exploit. Ransomware-as-a-service offerings, in which the malware and its infrastructure are rented out to affiliates, have recently come on the market. This development has further reinforced why security management has become the top issue facing the IT industry today. One recent study estimates that cybercriminal revenues reach $1.5 trillion annually.

To address this reality, the architecture of a Virtual Concierge system must be developed with great discipline. The goal of a virtual concierge security system is to make residents feel secure and sleep better at night. A crucial part of achieving that goal is ensuring that the system itself cannot be hacked or compromised.


Virtual Concierge Technical Architecture Overview

A Virtual Concierge solution is built on three fundamental architecture components. They are:

  • Software Architecture
  • Infrastructure Architecture
  • Security Architecture

The functions that the system must support drive the choice of architecture components. My last blog covers examples of Virtual Concierge functions. In this blog, we discuss a basic Virtual Concierge security system architecture. More advanced IoT features such as audio response, scene recognition, facial recognition, and gunshot detection can be added to this architecture but are not covered here.

Fig 1. Virtual Concierge Technical Architecture outlines the critical components of the overall architecture.


Software Architecture

The software stack consists of four categories of functions. They are:

  • Card Key reading
  • Access granting
  • Remote monitoring
  • Video data capture and monitoring

The software stack consists of several software products. Some are embedded in infrastructure devices such as card key readers, card key controllers, and the video recorder appliance; others reside on servers in the cloud.

The main software components are:

  • Card Key reading (embedded in the Card Key reader): Reads the card key data and encrypts it before passing it to the Card Key controller, so the credential never travels in plaintext over the reader wiring. This supports an always-encrypted security architecture.
  • Card key data consolidation (embedded in the Card Key controller): Consolidates the data for a building and passes it to the LAN and on to the Card Key Gateway application in the cloud, via the centrally managed distributed firewall appliance.
  • Card Key Gateway application (located on a cloud server): The Card Gateway is the external interface through which the customer adds, modifies, and deletes entries in the card database. The Card Gateway also maintains a real-time mirror copy of the card databases (card, card group, card type, and badge tables).
  • Entry Controller Application (located on a cloud server): This is the heart of the Virtual Concierge system. It facilitates the following tasks:
    • Provides access to doors with a one-time unlock command
    • Communicates with access controllers
    • Supports users at workstations and controls hundreds of thousands of entries
    • Imports/synchronizes operators and users (cardholders) with a Federated ID [i] for centralized management
    • Provides a virtual alarm system, anti-passback, guard tours, and muster reporting
    • Integrates with a mobile app for security on the go
    • Integrates with a remote user platform to manage access control, IP video, telephone entry, and/or intrusion security assets
    • Integrates with video management systems
  • Video capture (embedded in the Video Recorder appliance): Captures and records images from all cameras and keeps a local copy of the data for a defined period, for easy access by security agents and the Entry Controller Application.
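The one-time unlock command above is where a concierge system is most exposed: anyone who can replay a captured "open" message owns the door. As an added example, not code from this page or from any vendor's Entry Controller, here is a minimal Python sketch of a single-use, time-limited unlock command. The shared key, the door identifiers, the operator name and the 10-second lifetime are all constructed assumptions, and it uses only the standard library (HMAC-SHA256 for authenticity); a production link would also encrypt the payload and use a distinct key per controller.

```python
import hmac
import hashlib
import json
import secrets
import time

# Constructed shared secret for one door controller (assumption). In production
# each controller gets its own key, provisioned out of band.
CONTROLLER_KEY = bytes.fromhex(
    "6b2e5e1d4c0f3a8b9e7d6c5b4a392817f0e1d2c3b4a5968778695a4b3c2d1e0f")

COMMAND_TTL_SECONDS = 10   # constructed lifetime of an unlock command


def issue_unlock(key, door_id, operator, now=None):
    """Entry Controller side: build a single-use, time-limited unlock command."""
    now = time.time() if now is None else now
    body = {
        "cmd": "unlock",
        "door": door_id,
        "operator": operator,
        "nonce": secrets.token_hex(16),   # makes every command unique
        "issued": int(now),
        "expires": int(now) + COMMAND_TTL_SECONDS,
    }
    # Canonical JSON so both sides MAC exactly the same bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


class DoorController:
    """Door controller side: verify authenticity, target, freshness and single use."""

    def __init__(self, key, door_id):
        self.key = key
        self.door_id = door_id
        self.seen_nonces = set()   # consumed nonces; only those younger than the TTL matter

    def handle(self, message, now=None):
        now = time.time() if now is None else now
        payload, tag = message["payload"], message["tag"]
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        # Constant-time MAC check first: never parse an unauthenticated payload.
        if not hmac.compare_digest(expected, tag):
            return "reject: bad mac"
        body = json.loads(payload)
        if body.get("cmd") != "unlock" or body.get("door") != self.door_id:
            return "reject: wrong door or command"
        if not (body["issued"] <= now <= body["expires"]):
            return "reject: expired"
        if body["nonce"] in self.seen_nonces:
            return "reject: replay"
        self.seen_nonces.add(body["nonce"])
        return "unlock"


def demo():
    """Walk one controller through a fresh command and four attacks on it."""
    ctl = DoorController(CONTROLLER_KEY, "bldg2-main")
    t0 = 1_700_000_000   # constructed clock value
    msg = issue_unlock(CONTROLLER_KEY, "bldg2-main", "agent-17", now=t0)
    results = [ctl.handle(msg, now=t0 + 2)]                 # fresh command: unlock
    results.append(ctl.handle(msg, now=t0 + 3))             # same bytes again: replay
    late = issue_unlock(CONTROLLER_KEY, "bldg2-main", "agent-17", now=t0)
    results.append(ctl.handle(late, now=t0 + 60))           # presented after the TTL
    other = issue_unlock(CONTROLLER_KEY, "bldg2-side", "agent-17", now=t0)
    results.append(ctl.handle(other, now=t0 + 1))           # valid command, wrong door
    tampered = dict(msg, tag="00" * 32)
    results.append(ctl.handle(tampered, now=t0 + 1))        # forged tag
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The controller checks the MAC before it parses anything, refuses commands addressed to other doors, enforces the validity window, and burns each nonce on first use, so a captured command is worthless a second time and useless after ten seconds even the first time.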

Infrastructure Architecture

Door control 

The physical infrastructure of Door control consists of the following items at each door:

  • Card key reader
  • Magnetic door lock with in and out readers
  • Exit detector (request-to-exit sensor)

Card Key Controllers

The door lock modules are integrated with the Card Key controllers in each building, which move data between the LAN and the door lock components.

Video Monitoring

Each building's main doors are monitored by a video camera, and all camera footage for the complex is stored on the Video Recorder appliance, which is connected to the Entry Controller software. Security staff may need to open any door remotely after visually authenticating the person at it, so the video monitoring system must provide immediate, real-time access to every camera.

Video capture is critical to ensure that all at-risk locations, including hallways, exterior door entries, and parking lots, are well monitored. Video monitoring is expensive, however, and determining the right number of cameras takes time. In addition to the locations above, review where security incidents have occurred before and make sure those areas are well covered.

Visual recognition and scene recognition software are the next components to consider. This software is centrally located and gives a control center the ability to spot issues faster than an agent can. Scene recognition raises a flag when something unusual is occurring, and facial recognition software is also available for more in-depth protection.

Gateway application, Entry Controller application, and Print Servers

These applications run on dedicated servers and provide centralized data management functions.

Security Architecture

Security is a critical component of the architecture, and there are several crucial security areas that need to be considered in your technical architecture.

Card Key reader

Security starts at the Card Key reader. Older card key readers only read the card and pass its data to the controller in plaintext over the reader wiring (typically Wiegand). As a result, they are easily compromised with a BLEKey-style tap that captures credentials from that wire and replays them. To address this, your card key readers and controllers must have an encryption strategy: an authenticated, encrypted reader-to-controller link (for example OSDP Secure Channel rather than plaintext Wiegand) together with credential formats that cannot be trivially cloned.
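To make the reader-side weakness concrete, here is an added example (not from this page, and not BLEKey's own code) of the standard 26-bit Wiegand frame that such legacy readers send to the controller: a parser with both parity checks, a controller that accepts any enrolled facility-code/card-number pair, and a tap that records and replays a frame. The enrolled pair (facility code 77, card number 4321) is constructed. It shows why an unencrypted reader wire is a single point of failure: the parity bits catch line noise, not an attacker, and a captured frame is both the credential in the clear and a valid replay.

```python
# Standard 26-bit Wiegand (H10301) layout, first bit sent first:
#   bit 0       even parity over bits 1..12
#   bits 1-8    facility code (8 bits)
#   bits 9-24   card number (16 bits)
#   bit 25      odd parity over bits 13..24


def encode_wiegand26(facility, card):
    """Build the 26-bit frame a reader would clock out for this credential."""
    if not (0 <= facility < 256 and 0 <= card < 65536):
        raise ValueError("out of range for the 26-bit format")
    data = (facility << 16) | card                      # 24 data bits
    bits = [(data >> (23 - i)) & 1 for i in range(24)]
    even = sum(bits[:12]) % 2          # makes bit 0 + bits 1..12 even
    odd = 1 - (sum(bits[12:]) % 2)     # makes bits 13..24 + bit 25 odd
    return [even] + bits + [odd]


def decode_wiegand26(frame):
    """Return (facility, card); raise ValueError on bad length or parity."""
    if len(frame) != 26:
        raise ValueError("wrong length")
    if sum(frame[0:13]) % 2 != 0:
        raise ValueError("even parity failed")
    if sum(frame[13:26]) % 2 != 1:
        raise ValueError("odd parity failed")
    data = 0
    for b in frame[1:25]:
        data = (data << 1) | b
    return data >> 16, data & 0xFFFF


ENROLLED = {(77, 4321)}   # constructed: one badge enrolled on this controller


def controller_accepts(frame):
    """A legacy controller's whole decision: does the frame decode to an enrolled pair?"""
    try:
        return decode_wiegand26(frame) in ENROLLED
    except ValueError:
        return False


def tap_and_replay():
    """What a passive tap on a plaintext Wiegand line gets an attacker."""
    genuine = encode_wiegand26(77, 4321)      # the legitimate badge is presented once
    captured = list(genuine)                  # the tap records those 26 bits
    noisy = captured[:5] + [1 - captured[5]] + captured[6:]   # one bit flipped on the wire
    return {
        "genuine_accepted": controller_accepts(genuine),
        "replay_accepted": controller_accepts(captured),          # same bits, accepted again
        "credential_recovered": decode_wiegand26(captured),       # facility/card in the clear
        "forged_accepted": controller_accepts(encode_wiegand26(77, 4321)),  # no secret needed
        "noisy_frame_accepted": controller_accepts(noisy),        # parity catches noise only
    }


if __name__ == "__main__":
    for k, v in tap_and_replay().items():
        print(f"{k}: {v}")
```

Nothing in the frame binds it to a reader, a time, or a session, so the controller cannot tell a replay from a fresh badge presentation; that is the property an encrypted and authenticated reader-to-controller protocol adds.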

Centrally Managed Distributed Smart Firewall

Consolidated card key data is presented to the cloud through the firewall. The smart firewall ensures that there is no unauthorized access to the LAN from the outside, and also that a compromised card key reader or local area network cannot be used to reach the central control system. The Centrally Managed Distributed Smart Firewall monitors all traffic, identifies transactions that are not what is expected from a Card Key Controller, and shuts that controller's connection down when it detects them.
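As an added example, not the page's own design or any vendor's product, here is the kind of expected-behaviour check such a firewall can apply to per-controller flow records. The policy, the addresses and the flow log lines are all constructed for the illustration: each controller may only open TCP sessions to the Card Key Gateway, and only at a bounded rate; anything else is reported, and every source that produced a finding lands on the quarantine list.

```python
from collections import defaultdict

# Constructed policy for one site (assumption): controllers talk TCP to the
# Card Key Gateway and to nothing else, at no more than 30 sessions a minute.
GATEWAY = ("203.0.113.10", 8443)
CONTROLLERS = {"10.20.1.11", "10.20.1.12", "10.20.1.13"}
MAX_SESSIONS_PER_MINUTE = 30

# Constructed flow records: "ts src sport dst dport proto bytes".
FLOW_LOG = """\
1700000000 10.20.1.11 50123 203.0.113.10 8443 tcp 912
1700000001 10.20.1.12 50124 203.0.113.10 8443 tcp 880
1700000002 10.20.1.13 50125 203.0.113.10 8443 tcp 905
1700000003 10.20.1.12 50126 198.51.100.77 443 tcp 14022
1700000004 10.20.1.12 50127 10.20.1.11 22 tcp 320
1700000005 10.20.1.11 50128 203.0.113.10 8443 tcp 901
1700000006 10.20.1.13 53 203.0.113.10 8443 udp 120
1700000007 10.20.1.99 40000 203.0.113.10 8443 tcp 700
"""


def parse_flow(line):
    ts, src, sport, dst, dport, proto, nbytes = line.split()
    return {"ts": int(ts), "src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto, "bytes": int(nbytes)}


def evaluate(flows):
    """Return (findings per source, sources to quarantine)."""
    findings = defaultdict(list)
    sessions = defaultdict(int)   # (src, one-minute bucket) -> session count
    for f in flows:
        src = f["src"]
        if src not in CONTROLLERS:
            # Something on the controller VLAN that is not a known controller.
            findings[src].append("unknown source on controller VLAN")
            continue
        if (f["dst"], f["dport"]) != GATEWAY or f["proto"] != "tcp":
            # Controllers have exactly one legitimate destination and protocol.
            findings[src].append(
                f"unexpected flow to {f['dst']}:{f['dport']}/{f['proto']}")
        bucket = (src, f["ts"] // 60)
        sessions[bucket] += 1
        if sessions[bucket] == MAX_SESSIONS_PER_MINUTE + 1:
            # Report once per bucket, the moment the limit is crossed.
            findings[src].append("session rate exceeded")
    return dict(findings), sorted(findings)


def run():
    """Evaluate the constructed log plus a constructed session burst from one controller."""
    lines = FLOW_LOG.splitlines()
    # 40 sessions from 10.20.1.13 inside the minute starting at 1700000040.
    lines += [f"{1700000040 + i} 10.20.1.13 {51000 + i} 203.0.113.10 8443 tcp 900"
              for i in range(40)]
    return evaluate(parse_flow(l) for l in lines)


if __name__ == "__main__":
    findings, quarantine = run()
    for src, notes in findings.items():
        print(src, notes)
    print("quarantine:", quarantine)
```

The controller that only ever talked to the gateway (10.20.1.11) produces no findings; the one that reached out to an Internet host and to a neighbouring controller over SSH, the one that switched protocol and then opened a burst of sessions, and the unknown device on the VLAN are all cut off. A real deployment would feed these decisions back to the firewall's central manager rather than return a list.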

Network

The entire Card Key controller and video monitoring LAN must sit on its own virtual LAN, designed to be separate from every other LAN in the complex, so that a compromised resident or business network has no path to the controllers or cameras.

Data Center

Security systems have failed in the past because they were placed on local servers where backup and patch management disciplines were not consistently applied, and because physical access to those servers was often protected by nothing more than a locked closet. Both weaknesses must be addressed. It is recommended that all servers be located in a class four data center with professional managed services, which will ensure that the servers, storage, and network technologies are well maintained and kept up to date, and that the data is consistently backed up.

Close

A robust technical architecture is mandatory to demonstrate to residents that security is much more than card key management; it is a commitment to excellence regarding all your residents' safety and data.

About the Author

Bill Dupley is the Digital Strategist for FoxNet Solutions. Formerly the Cloud Chief Technologist for Hewlett-Packard Enterprise Canada, Bill has provided Hybrid IT and IoT Strategic Planning advisory and planning services to over fifty Private and Public sector clients to help them migrate to a Hybrid IT Cloud Operating model. These transformation plans have helped both government and industry reduce the cost of IT, re-engineer their IT governance models, and reduce the overall complexity of IT. Bill is also a member of the Open Alliance for Cloud Adoption Team and has co-authored several documents on Cloud Maturity and Hybrid IT implementation.



