Tim Purpura, of Morse Watchmans, explores the notion of enforcing ‘zero trust security’ in the hospitality sector…
The hospitality industry is focused on delivering the best possible guest experience attainable. From boutique hotels that cater to the most discerning travellers to vast casinos that function as small cities for the masses, every hospitality venue functions with the same goal to build their reputation and generate repeat business.
In doing so, every hospitality establishment needs to implement appropriate measures to protect the wellbeing of a large, ever-changing number of individuals, including guests, staff, vendors, contractors, and more.
To maintain the safety and security of people, property and physical assets, hospitality establishments require an iron-clad approach to security – also known as zero trust.
With the help of key control and asset management solutions, hospitality security and operations personnel can easily and quickly implement zero trust policies that address a longstanding challenge: managing key access to guest rooms and back-end operations.
What Is Zero Trust?
Zero trust security is a risk reduction strategy that began as an IT-centric approach to securing networks. It works by assuming that every connection and endpoint is a threat and therefore the connection must repetitively ‘prove’ it is not a threat through multiple levels of authentication.
When applied to physical security, the deploying organization assumes that every individual on site is a potential threat, regardless of their real or perceived status.
In order to eliminate threats, an individual’s identity is verified explicitly using all available data points. As it relates to physical access, this typically involves the use of PIN codes, proximity cards, biometrics, or a combination of credentials to verify identity.
Zero trust then employs the principle of least privilege wherein an individual only has access to the specific assets, data, and applications needed to complete a required task.
The processes of verification and limited access are then repeated to continuously mitigate risks across an enterprise.
To best exemplify how zero trust works, let’s look at a meeting room, ballroom or conference area typically found in hospitality environments which are easily accesses by anyone.
This type of open access leaves the managing enterprise vulnerable to risks such as theft, vandalism, accidental injury, etc.
With a zero trust policy in place, an outside contractor, for example, would be required to verify identity to gain access for the time they need to be there, thus mitigating against risk through strict access restrictions.
The Ponemon Institute reports insider threat incidents have risen 44% between 2020 and 2022, covering instances such as an employee stealing supplies or, worse, an ex-employee using a stolen access card to enter rooms.
Others include theft, loss, physical harm, loss of customer confidence, costly liability judgements, or worse.
Enforcing Zero Trust
Key control solutions put zero trust into action by providing guarded access to keys, access cards, cashboxes and other valuable assets that are on the premises.
First, tamper-proof key systems are designed to only release assigned keys/access cards only to users with the proper authorizations, thus fulfilling the zero trust principle of explicit identity verification.
The identity of users requesting keys can be confirmed in a variety of ways, including a numerical code, proximity card, fingerprint, or a combination of these for highly secure multifactor authentication.
Key control solutions effectively limit access to keys based on time, job function, date, and more to enforce specific zero trust policies.
In this way, a key intended for use by housekeeping cannot be accessed by maintenance personnel, or during hours when housekeeping services are not available.
This goes for keys and access cards related to guest rooms, cash boxes, storage facilities, facility lockers, and more.
This type of localized access ensures that staff, vendors, and contractors are only granted physical access to the areas required to perform their job for the period they will be there and nothing more, hence enforcing principal of least privilege aspect of zero trust.
With integrated key control management software, facility management can more easily control the system and maximize its reporting and programmable access capabilities.
For example, if an employee working the late shift calls sick at the last minute, and another staff member must cover for that individual, it’s much easier for the manager to remotely authorize access to a key cabinet than to physically travel to the site to release a key.
Alerts can also be sent to the manager on duty if an individual tries to remove a key that he/she is not authorized to use, or attempts to leave the building without returning a key.
In addition, the key control software can run activity reports, document every key’s access history based on different criteria, view and print detailed reports and more, making it possible for management to generate useful and practical information to help maintain maximum control of access and security issues.
Key Control
The enforcement of zero trust policies is not the only benefit afforded by key control solutions. Deploying organizations can also expect a return on investment in the form of improved employee productivity.
Key management systems eliminate the manual procedure of signing out or returning keys and can also be linked to time and attendance systems.
When such a process is implemented, the system automatically reminds staff to return keys and other tracked assets before departing, reducing risk, and streamlining employee clock in/out processes. Further consider the ROI when key control cabinets are installed throughout a large resort, as there is no more wasted time searching for keys, receiving assignments, signing key logs, and more.
Additional ROI is provided in the form of reduced liability. Implementing meaningful controls on keys and access reduces the risk of security incidents.
Having such a system in place demonstrates that the hotel has taken appropriate actions in support of security objectives, thereby reducing the liability that might be otherwise assigned to the hotel related to injuries, loss, theft, or violence.
When employees know key activities are tracked, they also have a naturally increased tendency to adhere to policies and practices. It reinforces the message to staff and guests that security matters and the team is accountable.
Key control cabinets are also infinitely customisable to include various modules for physical keys, access cards, and even lockers to manage larger objects with extreme efficiency and control. Asset management lockers are ideal for housing equipment such as radios or laptops as well as personal staff items like a mobile phone.
Even panic buttons, a security measure mandated for hotels by law are an ideal use case for asset management.
A key control and asset management system is the best way to store, track, and account for panic button fobs. Each fob can be locked safely in the cabinet and only removed or replaced by the individual who is scheduled to use it at that time.
All activity can even be tracked so management receives a clear picture of whether employees are adhering correctly to hotel policy.
Extending requirements
Casinos are popping up everywhere as municipalities look to generate more revenue by awarding new gaming licenses. Gaming establishments are highly regulated entities that have different security requirements than other hospitality sectors.
The gaming industry is perhaps the most regulated and has the greatest number of in-house areas requiring key control and management. In counting rooms, three signatures are usually required to sign out the keys.
A key management system automates the process of ensuring that keys for counting rooms can only be removed and returned once the required authorisations are provided. Those keys not permitted to be out at the same time as drop keys cannot be removed from the cabinet until the drop keys are replaced.
It’s necessary for casinos to provide a range of compliance documentation and many gaming regulations require notation of key access and that cash drop procedures were followed.
Key control software can be set up to generate the specific reports required for compliance audits. These reports can be automatically generated and sent to the appropriate personnel for review, or manually requested from within the system at any time.
Because of their ability to generate these reports documenting correct usage, electronic key control systems provide even more value and utility to casino environments.
More Than Just Physical
Traditional locks and keys have been used as a method of access control for millennia and are not going anywhere anytime soon.
And though proximity cards and biometric credentials continue to grow in popularity, the doors they protect all typically have keyed access in the event of emergency situations when power is down.
Keyed doors and lockers cannot be hacked or spoofed, making key control solutions ideal for applications relating to layered cyber-security. The ultimate success of hospitality organisations depends on revenue, costs, and the overall guest experience and key management technology is and easy way to protect premises and profits.
They keep costs low by preventing risks relating to theft, loss, damage, and liability judgments. Plus, they can help streamline internal processes and maintain regulatory compliance.
All these benefits make key control and management systems an essential component for zero trust security at hospitality establishments.
Click to Open Code Editor