Tech Watch: Balancing BYOD and physical security

How to ensure your company stays safe in the ever-changing world of mobile communications


In today’s competitive and connected workforce, many companies provide employees the freedom to use their personal mobile devices to access company resources.  The millennial generation has accelerated this trend, known as Bring Your Own Device (BYOD), based on their experience in an education system that adopted this approach years ago. 

Companies have learned some valuable lessons from higher education - not just in recruiting and retention but also understanding how BYOD affects their bottom line.  Gone are the days of the corporate-issued Blackberry since companies no longer have to purchase computing resources if prospective employees want to use their own smartphone or laptop.

Increasing the bottom line with a happy and more productive workforce: What could go wrong? 

Today, people read their e-mail, take notes during meetings, modify spreadsheets, access company contacts and communicate with partners, vendors and customers all on a device that the company technically doesn’t own.  The information accessed and, in many cases, stored is the legal property of the business, but at the same time the device typically stores personal information and applications as well.  Clearly there is a glaring information security risk should the wrong person gain access to this data, but what does this have to do with physical security?  

Mobile Apps, meet Physical Security

It didn’t take long for the security industry to embrace mobile computing application development and extend operational capabilities of their systems with mobile devices.  As early as 2010, manufacturers were in development of access control systems that use digital keys embedded in mobile devices to open doors.  This technology makes sense for one major reason: How many times has an employee left their badge at home versus their mobile phone?  Additionally, it is considered basic functionality for intrusion detection and alarm systems to have a smartphone interface that enables the user to arm, disarm, view logs and receive notifications of intrusions via a mobile device. And following on the consumer trend of watching videos on smartphones and tablets, VMS companies launched remote monitoring apps that enable users to view, control, record and share video from installed cameras. While the BYOD trend using these physical security applications can make security personnel more efficient, effective and, ultimately, safer, the technology can expose employers to increased risk.

The Technology Behind the Innovation

Near Field Communication (NFC) is a protocol that enables devices to share data when in proximity to another device.  You might have seen commercials for smartphones that show people "bumping" their devices together to transmit data such as pictures or contact information.  This same technology can be used by card readers to receive a digital key that is provisioned to an employee’s mobile phone.  That key is stored in a proprietary application from the access control manufacturer that was installed on the mobile device.  The user simply opens the application, "bumps" the card reader and unlocks the door. 

NFC is an open standard that was ratified by the IEEE in 2008, but not all mobile manufacturers support it.  The most popular smartphone in the world, the iPhone, does not support NFC; however, you can purchase a case that is NFC-enabled if you are an Apple diehard.  These applications rely on a two factor identification method through the digital key embedded in the device and the password that should be used to unlock the device before launching the program (more on this later).

Interfacing with other physical security systems is typically done using a proprietary Application Programming Interface (API), which is transported using Hypertext Transfer Protocol (HTTP).  The proprietary nature of the individual systems requires the user to download different applications to control the alarm panel, intrusion detection, access control and video management systems.  This silo approach to application interfaces will continue until interoperability standards become more widespread.  For instance, on the video side, an ONVIF-compliant mobile viewer could enable a security practitioner to view cameras across multiple manufacturers.   

This content continues onto the next page...