Overcoming the Perils of Access System Implementation

Oct. 27, 2008
Five common pitfalls and how to avoid them

The basic elements of an access control system are relatively simple and few: credentials, credential readers, control panels, and a computer system with software. However, as the features and size of these systems have escalated, so have the variables and the complexity associated with new and updated installations. This article will explore some of the common problems that have caused stormy projects and provide some tips to help you sail through calm waters into safe harbors.

Pitfall No.1: I have started the project, but I can't see clearly where I am going.

Just as the mantra in real estate repeats “location, location, location,” so in any major systems project the three most important concepts are “planning, planning, planning.” Trying to develop solutions without understanding the problems that need to be overcome is like batting blindfolded at a piA±ata.

The first step of planning is to perform an analysis of the security needs. What are the assets (e.g., people, information, operations, negotiables, image) that require protection? What are the threats and their likelihood of occurrence? Where are the current vulnerabilities, and what are the constraints against mitigating them (e.g., operations, traffic, budget)? Security needs are dynamic, changing as assets, threats and operations change, so even if the project is a security system upgrade, it is beneficial to review security needs first.

The second step is to define the project goals. Depending on the nature of the project, these might include a reduction in security operating costs, increasing pedestrian traffic throughput, improving system reliability, adding a new or better photo identification badging capability or augmenting information distribution.

The third step is to develop a clear road map of the tasks necessary to reach the defined goals. Some of the problem issues and pitfalls described below may suggest points to include in the road map.

Time spent up front in brainstorming and analyzing is extremely valuable. That's a lesson consultants learn early to ensure successful projects.

Pitfall No.2: The IT department is not cooperating and won't let me connect my system to the corporate network.

Today's access control systems, particularly large, multi-site and enterprise-level ones, increasingly use the organization's network for data communication. It used to be that only head-end servers and monitoring and administration workstations would be connected to the corporate LAN. Now most field panels—and some door control modules that provide power and communication over Ethernet (POE) for card readers and locks—require IP addresses and communicate via network cabling. Access control systems use very little bandwidth for their data transmission, so why are the IT folk raising red flags? Understanding and negotiating this problem and the convergence issues between IT and security can mean the difference between the success and failure of the project.

There are two major issues: responsibility and, believe it or not, security.

The network turf belongs to the IT department, and they, rightly, need to know all that is occurring in their realm and how anything attached to their “plant” affects them. Their performance is measured in their ability to keep network production singing and delivering data quickly, accurately and reliably. When they encounter a new piece of hardware that is not made by Cisco or Dell or HP or IBM, or application software that is an unknown quantity, they have a responsibility to ensure that its introduction to the network will not hurt performance. And one of the performance factors revolves around data security. Can this new system attract and proliferate network nasties such as viruses, spam and malware?

IT likes to standardize on hardware and software so that bugs can be fixed globally. Software standardization extends to version control and the testing of any and all changes, updates and patches before they are introduced into a production environment. So an access control server or workstation, with application software running under Windows, needs to be checked to ensure that the hardware follows the IT shop's standards, that the operating system is the same version that is used by all other machines in the department, that communications software and network security software match the standard, and that the access control application software does not negatively impact security or performance.

All members of the security system design and implementation team, including the manufacturer, the design consultant and, in particular, the systems integrator/contractor, need to be able to talk to the network gurus in their own language, and they need to coordinate this phase of the work very closely and in full cooperation with the IT department. In some cases, for example where the access system stands alone and does not need the corporate LAN or WAN, a dedicated and unconnected security network may obviate the IT coordination task. However, if the installation includes such items as network cabling, switcher, routers and hubs, IT may claim that it has a corporate responsibility for any network installed within the facility, even if it does not connect to the main LAN or WAN.

The security professional should also understand the limitations of using a corporate network. Unless the network is designed for complete redundancy, there will be occasions when the network needs to be powered down for planned maintenance, and networks and the hardware supporting them have been known to fail unexpectedly. Although most access control systems provide a measure of operational redundancy—intelligent field panels may continue to make entry control decisions when communication to its server is severed—alarm conditions cannot be annunciated at the system server or a monitoring workstation when the connection is down. For mission-critical applications, a redundant communications path such as a dial-up phone line should be considered in the design.

Pitfall No.3: Who forgot the badge cards?

Access control cards are viewed as small, unsophisticated, cheap and simple, and they often get overlooked in the planning and implementation of a new or upgraded access control system. Certainly they are small, but the rest of that impression is off the mark. If you plan to issue new access control badges to the user population, this piece of the project needs its own requirements analysis, design, procurement and production tasks to be well coordinated with the main body of the project.

While you may ultimately select a simple, single-function card, now is the time to investigate leveraging the services the card can provide. Most card manufacturers offer multiple identification technologies combined on a single card. For example, the physical security system may use the older proximity technology, but a new logical (data) access control system may call for more sophisticated smart card features, such as encrypted passwords, and the company cafeteria may be planning to go cashless with a “pursing” application on a smart card or on a magnetic stripe. Other potential applications include parts allocation in a manufacturing facility and book lending at a library.

The planning phase is the best time to canvas other potential adopters of the card, since significant savings can be made and user acceptance is greatly enhanced if the individual needs to carry only one credential. However, beware adopting changes to the card for blue-sky applications that are still a gleam in someone's eye, because these may not make it off of the drawing board before the card reaches the end of its useful life. And remember that volume counts when negotiating for the supply of multi-technology cards that are not available off the shelf.

The delivery schedule for the badge cards should be arranged well in advance of system launch since, depending on the number of applications for which the card will be used, there is plenty of work to be done once the cards have arrived. If the cards will include user photos (was a new badge printer ordered, and when will it be delivered?), the print layout for the card needs to be designed, tested and approved, and the taking of user photographs needs to be scheduled (typically over a period of a few weeks to allow for the road warriors in the company). Badge card printers are not the fastest producers so, where a large volume of new cards is required, ensure that there is plenty of time scheduled for the printing or arrange for the loan or lease of additional printers.

If multi-technology cards are to be used for applications that are the responsibility of other departments, consensus should be reached early on how the data for the other applications will be encoded on the card. Cards may need to be passed through a number of processes before they can be distributed to the users. (And don't forget necklaces, pouches and pocket clips!)

Pitfall No.4: I didn't know that my access control database was such a mess.

If you are planning to upgrade an existing access control system to that manufacturer's latest model or if you are changing the system to that of a different manufacturer, in all likelihood you will need to allocate significant time to clean up your existing cardholder database.

The changeover from the old record format to the new (and each manufacturer has its own layout) is relatively simple, and most manufacturers offer software routines that will make the conversion almost painless. However, do you want to add new or delete existing fields in the record? Maybe the old system did not have an entry for a cardholder's cell phone number—maybe they didn't have cell phones back then! Deleting fields is easy, but for new fields, the data needs to be gathered and the record format designed appropriately before data input.

Are you upgrading from a disparate set of systems at multiple facilities to a single enterprise-level system? The current cardholder record format may well be different at each site—even with a common make and model—unless rigid standards were enforced. All need to adopt a common record format with the data type and length of each field defined. The design of that format and standards for nomenclature and abbreviations should be developed early in the process.

Does your old system show a cardholder population of 1,200 people but you only have 800 employees? The time for spring cleaning is now, before the conversion is made. Resolve duplicate entries and determine if historical records from those no longer with the organization need to be kept and converted to the new system.

Pitfall No.5: The devil is in the details!

There are many details that need to be included in the planning phase, some related to the implementation of the new system and some related to design. Most upgrade projects require the old system to continue working to the last minute before the cutover to the new, and the cutover must be performed quickly so that there is minimum down time for the security systems.

As much preparatory work as possible should be completed before the cutover. This includes delivering equipment, cable and tools to the site, installing any new cable field panels (alongside the old if necessary), testing network and communications cabling, and loading applications software. The preparations build to a crescendo as the cutover approaches, and it is easy to lose site of the minutiae that must be arranged if all is to transfer smoothly.

Will the loading dock be available for last-minute deliveries, and are there any union issues with drivers and building personnel? In a high-rise building environment, will elevator cabs be assigned to the work crew(s)? Are keys to electrical and data closets available? Will there be enough work crews and supervision to perform the required work within the available time? Are the lines of communication and authority clearly understood? Have security monitoring personnel been adequately trained for a seamless change the next day? Do you have cash on hand to buy coffee and sandwiches when the crews need to work a few hours more?

Make plenty of allowances for Murphy's Law: If anything can go wrong, it will. Adequate up-front planning will ensure that most, but not all, eventualities will be foreseen, and experience and good leadership will allow you to adapt to solve those unforeseen problems.

David G. Aggleton is principle security consultant at Aggleton & Associates Inc., based in New York . He and his firm have planned, designed and managed the implementation for dozens of access control system upgrades varying in size from a few card readers to more than 1,000 with 20,000 card holders. Mr. Aggleton can be reached at [email protected] .