Andy Grove, the founder and former chairman of Intel Corporation, calls it an inflection point: “a time in the life of a business when its fundamentals are about to change.” Access control has reached one of these points. IT technology is starting to impact every area of a traditional system. While much has been written about the use of the corporate network and about new forms of credentials, the changes in computer software will also be profound.
Historically, access systems have been hosted by a computer running a traditional Windows program. If additional workstations were required, each used an additional client program. There is, however, a growing trend to question this basic design. At the center of the changes is the browser user interface standardized by the Internet. Let's have a look at a few examples of how some creative people have used that interface to change the basics of access control.
Spreading out the Task
Fundamentally, access control management applications haven't changed in 25 years. You fill in a database that either allows people to get in the door or not. What has changed is the way these systems get administered. Over the years, system size and complexity have increased, so the job of maintaining the access database has mushroomed. While large companies today routinely tie their systems back to an HR database to reduce that workload, such interfaces only solve half the problem. They contain the “who” information, but the information on where each person can go, and when, is still missing. Instituting a rule- or policy-based approach that allows a certain type of employee certain levels of access will help, but it is not a cure. There are always exceptions.
Worse, the trend is for the number of controlled doors in buildings to increase. With more doors, a policy-based system becomes less effective at reducing the administrative workload. Why will the number of doors increase? I have discussed this subject on these pages in greater depth in the past, but converting the door hardware to an IP-based technology has the potential to cut total system cost by a third. (See ST&D Jan.2005: “IP Access on the Way.”) Less cost per door means more doors.
The answer? Administering that data is not a job the security department can hold onto. They need to control the process, not the work itself. In fact, the only answer that meets the dual demands of security and cost effectiveness is to enlist the help of “security area managers” around the company who can administer privileges for their area. If your system is big enough, and your budget small enough, you have no choice. Even a smaller organization may need to distribute database administration if it includes a number of smaller offices scattered around the country.
Familiar Interface, Less Training
But how do you train this large a number of administrators and keep them trained? You need a system that requires zero training. While nothing out there literally fits that bill, the standard Web page interface we all know and love comes closer than most. A number of companies such as AMAG, GE Security (CASI), and TAC (Andover Controls) have introduced access control systems with an optional browser-based user interface. Middleware Associates introduced a new system at ASIS that uses that interface exclusively. Does it really cut training? That depends on the implementation, but in general, yes. “If a person knows how to order something online from QVC, they know how to operate a Web-based system,” said Matt Barnette, vice president of sales for AMAG.
Of course, when large numbers of people will be accessing the system, it ordinarily means each of their computers needs to have a client software package installed and paid for. The cost of installing and maintaining these packages can be significant, and it's most certainly not what the IT department wants to spend their time doing. A Web-based system eliminates that issue, since all corporate computers come with a browser pre-installed. Not only are there no initial client software installations, but there are no recurring updates to those computers either. “Using a pure Web environment drastically lowers the total cost of ownership, because there are no client license fees or client software to maintain,” said Patrick Conners, founder and president of Middleware Associates.
The Simplicity of Outsourcing
Using a browser-based user interface for access control has another clear advantage. The host computer can be anywhere in the world, operating over the Internet. This presents the option of outsourcing the operation of the host computer to make systems even easier to administer. Brivo Systems offers an example of such a system, where local panels talk to a computer hosted by Brivo. All configuration of the system is done by the customer using a set of Web pages hosted by Brivo. As with any outsourced solution, it is the provider's responsibility to worry about keeping the host computer up to date. They update the software, back up the data and archive your history. “This solution is particularly good for companies with multiple small sites. There is no need to maintain a local computer or even to have a network to interconnect the sites,” remarked Bob Mosler, senior vice president of sales and marketing for Brivo.
HID Corporation has introduced a similar approach with their VertX CS controller, which allows alarm central stations to offer access control to their customers. Central station software providers such as Bold and Dice offer this functionality, as well as a Web-based user interface so end users can administer it. HID estimates that there are 30 million commercial monitored accounts in the United States , and only 15 percent have access control.
Who Needs the Computer?
If a Web-based user interface makes operation easier and accessible from anywhere, it also introduces another opportunity to make things simpler: Get rid of the host computer entirely.
When office devices, such as printers, first became network compatible, a need quickly emerged to configure and check the status of these devices remotely. This could have been done by writing a little software package for each device that an IT administrator needed to look at. While technically possible to do, it would have been a bad idea due to the number of different devices to be monitored, leaving the IT department with potentially hundreds of programs to use and maintain. Instead, developers built miniature Web servers into the field devices and used Web browsers to talk to them. This type of device is referred to as a Web appliance, because just like a toaster, you simply plug it in and use it. The approach has become so common that it is hard today to buy an office printer, a network access point, or a broadband modem without finding that you configure them using a built-in Web server.
S2 Corporation is using this same concept in their Netbox access control system. There is no host computer; only a network controller appliance that plugs into the network and serves up the Web pages needed to administer the access system. The network controller discovers the other S2 control devices sitting on the network, which simplifies system configuration.
“We asked installers when they send out a truck to maintain a typical access control system, what are they fixing?” said John Moss, president of S2. “Turns out it is not the hardware, since that has become pretty solid in the last few years. Instead, we found it was the client software. New programs get installed on a workstation and interfere with the access client. Windows patches get applied and blow things up. Hard disks fail, and the client has to be re-installed.” In fact, the need to upgrade the computer on everyone's desk every few years comes at a huge cost, because the client software has to be re-installed, often on a new version of the operating system or with a new library of other programs. “Access control applications average a lifetime of 12 years, while the IT applications and hardware average three years,” commented Moss.
While this seems like a natural approach for small systems, it turns out the S2 approach can be extended to large systems as well. “We divided the problem in a way that large systems can be built using many small systems, which is unlike a traditional architecture, where a four-door software package is completely different from the one that serves 4,000 doors,” Moss said. S2 also plans to introduce a combination reader, keypad, LCD, intercom and camera as a network appliance next year. Putting this door hardware directly up on the net eliminates the proprietary wiring and dramatically reduces cost. “Network appliances are the architecture of choice for the next 10 years,” said Moss.
What do you give up with this type of approach? Not much, it seems. The resulting system is a fully integrated security management system with photo ID management, digital video display and recording, intrusion alarm management, an API for external system integration, and network storage backup. What you gain is a significant reduction in the total cost of ownership, since the software maintenance and training costs go down dramatically. Eliminating the host computer also saves real dollars, leading to a system where the hardware finally lasts as long as the application, according to Moss.
Changing the Industry
There are a number of reasons that using a Web page to connect to the access system is revolutionary for the industry. The obvious advantages are cost reduction, the ability to administer from anywhere, simplicity of use, and the clean fit into most IT strategies. Less obvious, perhaps, is the impact on the structure of this industry. All of these new technologies reduce costs by reducing installation labor, proprietary hardware, training, and post-sale service. While this is good for security professionals, these are profit centers for today's well-run security installers and manufacturers. Even after the savings on these traditional security items, users will shift some of their spending to network expenses and IT suppliers, giving security suppliers a double whammy. In fact, Axis Communications, the IP video supplier, estimates that 37 percent of a typical IP video installation today will go to an IT supplier, not a security supplier.
The impact? Here is that inflection point Andy Grove was talking about. Closer cooperation between security and IT departments will change who manufactures our systems and who installs them. Security manufacturers who get it will find ways to add value in that environment. Installers will learn new skills, change their model, or enter new businesses. The good news about convergence is that security professionals are going to enjoy lower-cost, easier-to-use solutions with better functionality. Happy surfing!
Rich Anderson is the president of Phare Consulting, a firm providing technology and growth strategies for the security industry. A 25-year veteran of high-tech electronics, Mr. Anderson previously served as the vice president of marketing for GE Security and the vice president of engineering for CASI-RUSCO. He can be reached at firstname.lastname@example.org.