Secure by Design

Tamper Proof

For our publicly mounted devices there is no physical access to the chip, which is hidden beneath a secure layer that can only be removed by destroying the reader. Housings are secured with security screws and proprietary algorithms, including a built-in accelerometer in the reader that is specifically tuned to detect physical sabotage. In addition, the hardware has built-in tamper detection.

Embedded Software Security

Since all Kisi devices have their own OS, to update and operate independently, we execute critical code in a secure environment that is physically and cryptographically secured and completely on-die with no debug ports (hardware disabled at time of manufacturing). This means each app update we ship is protected by TLS 1.2 with mutual authentication and ephemeral key exchange to ensure privacy and integrity with full PKI chain validation, and also protected in local storage with per-device keys and AES-GCM-AEAD.

Device Connectivity

Devices connect to the Kisi Cloud over TLS-secured IP channels to ensure privacy and integrity with full PKI chain validation.

Over the Air (OTA) Updates

Kisi’s devices are designed to apply firmware updates automatically during off-hours (to keep bandwidth usage low). The updates we run are Over the Air (OTA) with near seamless uptime and are RSA signed with an HSM-hosted RSA key and AES encrypted. Typically we run updates every two weeks and downtime is usually below 10 seconds. That means you’ll never miss new features or critical security updates.

Secure Boot (Chain of Trust)

One of the biggest threats to device security is to run a different firmware without the device knowing it. To prevent this, Kisi uses (aside from industry best practices including 2FA for any deployment accounts) a method called “secure boot” with encrypted code loading. Storage is encrypted with a per-device key meaning that each time a Kisi device starts, it can only run previously verified firmware—an absolute novelty in the physical access industry.

Trusted Manufacturers

Our hardware is manufactured and assembled by trusted partners in Europe and the United States who adhere to the same stringent security policies as we do.

IP Devices

Kisi is a future-proof product that works on the IP layer. This means that Kisi operates on the same local network as your other devices, so you don’t have to pull specific cables for your access control system. One of the reasons we built Kisi is because access control is one of the last domains that does not use IP devices. We believe this must change, as exploitation of physical access vulnerabilities becomes more common.

Device-to-Device Communication

Controllers and Readers communicate with each other through the Kisi Cloud over TLS. Where available, Controllers and Readers also communicate over the local network using AES-encrypted UDP channels. Network communication over UDP signed and AES / HMAC encrypted.

Required Network Settings

All Kisi-powered security ecosystems are configured to follow our network protocol guidelines.This is how we offer industry-leading security practices, even on your local or personal network.

Compliance

Because of our commitment to security and durability, we are compliant with some of the strictest electronic hardware standards. Out of the box, we are GDPR compliant and Privacy Shield certified, Kisi is also configured to comply with HIPAA.

Google Cloud Platform Security Measures

Google has an exceptional security protocol for their web services. Read more about security, one of Google's four pillars of its secure storage of data with end-user privacy safeguards.

At-Rest and In-Transit Encryption

We encrypt data in-transit and at-rest

Automatic Cloud Backup

Kisi devices automatically sync their local storage to the cloud. That means no matter what happens on-site, or even to the device itself, your data will be safe and sound and enables failovers to guarantee availability.

Reliability

GCP and our cloud architecture eliminate any single point of failure in your security system. We also utilize Web Application Firewall to mitigate DoS attacks.

International Compliance

GDPR Compliance & Privacy Shield Certified

Passwords

Passwords hashed with commonly used password hashing algorithm.

Single Sign-On using SAML 2.0

We partner with the most trusted single sign-on (SSO) providers in the industry using SAML 2.0 with signature verification for organization users, including Okta, OneLogin, Google Business Apps and Azure Active Directory—not only for administrative access but for end-user access as well. This means that your doors are secured with SSO.

Two-Factor Authentication (2FA)

If you prefer not to use SSO, we also offer a robust Two-Factor Authentication system. Even if physical credentials (access cards) are shared, the user has to confirm receipt of these cards via the email associated with the user to prevent abuse.

Role-Based Access Control

Easily customize individual and group access settings to thoughtfully assign access to the right people and to share sensitive data. Since many of Kisi’s admins utilize centralized access control for many different facilities spread out across the country, Kisi provides the possibility to add administrators per place and global admins.

Audit Logs

Comprehensive audit logs specify who has accessed your system, and any changes they have made. Kisi also provides event logs via RESTful API so they can be pulled in corporate system logging or audit control tools.