Over the years, a large corporation has invested millions of dollars in its enterprise access control system. It has worked well and offers a wide assortment of bells and whistles; however, the system has a proprietary database that does not allow information to be easily shared with other applications, its encryption precautions do not seem to pass corporate audits, and applying patches to its operating system sometimes causes unanticipated problems. Should the corporate officials abandon their legacy system investment and go with an open standards-based system favored by the IT department?
A growing young high technology company is finally ready to make a major investment in access control. The security director favors a proven top-tier system featuring client-server architecture. The chief technology officer backs a Web-based system that offers fewer security features but more fully supports IT standards, is configured as a “network appliance” and does not require another server. The CEO has to make a choice, but which one?
Like it or not, security systems have become applications that run on the corporate data network. It is not just security — the phone system, intercom/public address, signage, building climate control, elevators and parking controls all are finding their way onto the corporate network. If it involves voice, video or data, it can be communicated effectively over the TCP/IP networks that have become the lifeblood of U.S. corporations and institutions. No longer does each separate system need its own wiring infrastructure — they all can communicate on the IT network.
This fairly recent involvement of the IT department in matters of security is creating dramatic changes that will continue to play out over the coming years. The first encounters between the security and IT functions were frequently the result of security’s desire to view video — often from remote sites — over the corporate network. Bandwidth was the issue: when video starts streaming, the network can be brought to its knees. The first words spoken to security were often “You can’t do that on our network!”
The Standards Issue
When it comes to access control systems, the issue with the IT department is not bandwidth, since the amount of data moved by an access system is minuscule compared to video. For access control, the issue is standards. While the security industry has adopted the same technology as the IT industry (security uses the same databases, the same operating systems and the same networks), it does not use the same standards. As a result, the tools used by the IT industry to keep things running smoothly and make their jobs easier do not work very well on most legacy and many current security products.
Since the IT staff has long provided access control on the logical side of the network, it might seem like a natural extension for them to also do the same for the physical side. They would like to use their existing standards, like LDAP or Active Directory, to configure both logical and physical security. These are features many of the security industry’s enterprise-level offerings have only recently begun supporting. Many IT professionals find security’s legacy access offerings to be wanting.
At the heart of this battle is demand from IT for open architecture. IT people are used to mixing and matching components from different manufacturers and having them all work together. This does not fit well with the strategies of the major companies that have made huge investments in security. Access control systems manufacturers, along with CCTV, fire alarm and communications firms, all want to offer branded solutions that focus end-user choices exclusively on their products.