IP Access on the Way

Imagine an access control system that runs on a common IT server, uses the corporate network for all communications, is completely cabled with common Cat 5 network cable right down to the door, and installs as simply as plugging in your toaster. Well, we may not be there yet, but we are clearly headed in that direction.

You only have to look at the trends toward IP-based cameras and video systems to see the wave of the future. As each trade show passes, more companies bring out video products that use the network for cabling, power and management. The reasons are clear: dramatically lower wiring cost, better reliability, increased flexibility and full use of the infrastructure the company has already paid for. In the access control world, however, things are not quite so clear. Even the most state-of-the-art systems today use more conventional wiring than they do network cabling. In fact, some would argue that increased use of corporate networks marks one of the biggest turning points, and possibly disruptions, the access control industry has ever seen.

Network Connections Are Old News
The move to using the corporate network as the backbone of the access control system has been around now for 10 years or more. "Over 90 percent of our field panels get installed with network connections," said Dennis Smith, director of Integrated Services for SFI Electronics in Charlotte, NC. But so far, the network has only been used to connect the field panel to the host computer and the workstations.

The connection between the field panel and the door hardware is another story. Today, you have a choice between using standards from the 1970s such as Wiegand and installing a manufacturer's proprietary solution. If you go Wiegand, you will find yourself pulling up to a dozen conductors' worth of expensive shielded wire to each door. Going with the proprietary solution saves wiring cost initially but often locks you into a cabling scheme that makes upgrades hard in the future.

Why wasn't this fixed years ago? Getting all manufacturers to agree on a new standard is not an easy task. What is different this time is that the IT standards are coming to us. Ethernet, with its Cat 5 wiring, has become the universal connection for sending data between computer devices. Moreover, as everyone knows, IT departments are becoming more involved in access system purchases.

"One of my customers recently tried to upgrade their existing access system that uses Microsoft SQL Server as a database, and was told 'Absolutely no' by the IT department; any new system must be Oracle based. Often the security department has no responsibility for the server hardware or software," said Zach Hamm, president of Security Management Consulting in Raleigh, NC. "The proprietary stranglehold that all of the manufacturers have had is going to have to go away because IT will force the standards."

Follow the Money
IP-based video systems are exploding in popularity for many reasons, but a key one is cost. Since the IT department has already paid for the network, installation costs are dramatically reduced. In addition, ongoing costs drop because of the standardization of network cabling installation.

Today, networks use Cat 5 cable, which has been standardized by the Institute of Electrical and Electronics Engineers. This international body has standardized the type of cable, the color code, the connectors, and the installation tools. More important, the sheer volume of Ethernet installations has given rise to the development of inexpensive diagnostic tools that allow the cable plant to be completely checked out in a way that conventional wiring never could. All of this makes for dramatically lower installation and maintenance costs. "You have low-voltage people who are already under contract on a buildout to put in all the network infrastructure. If security can define their wire pulls in a way that makes it feasible for this same contractor to pull everything at once, it has got to give you a super low cost and a consistency in the way it gets done," said Ed Chandler, chairman of Security By Design, Martinez, CA.

You can expect access control systems to follow the same path as video. There are dramatic cost reductions available where network connections can replace conventional wiring. The vision looks a lot like today's IT systems. Today we have a network that connects to devices like printers, workstations, wireless communication points and even telephones, all of which just plug in. Picture an access system where the readers and door hardware plug into the network in the same fashion, and you can start to see the future.

Beyond just cost savings, the flexibility of the system is dramatically improved. No longer are you limited in terms of the technology that is out at the door. For example, imagine being able to take an existing door installation with an IP-based reader and add a biometric device to that door with no rewiring. "You could have a new reader that has a little micro camera on top with enough intelligence so that when you present your card, it looks at you, grabs the clearest, best image, and forwards that on with the access transaction. All that sort of stuff and more can happen, and the wiring never changes," said Chandler.

One new technology that promises to dramatically simplify installation and improve reliability is power over Ethernet technology, or POET. This new standard from the IT world allows you to send power to operate the door electronics down the same wire as the Ethernet signal, and it is already being used to power IP video cameras. Access control, however, is trickier, since the amount of power available with this technology is limited. Powering door electronics should not be an issue, but today's door locking hardware is too power-hungry to use POET alone.

The IT world brings us a number of other technologies that will make our systems simpler or safer. For example, dynamic IP addressing makes adding devices into the system a simple plug-and-play operation with none of the hassles or errors caused by having to set dipswitch settings. Simple network management protocol (SNMP) allows each device on the network to be monitored for standard maintenance and performance issues by software that IT already owns.

The result is that the security hardware becomes just one more network device being monitored by IT, which can look for such things as status, throughput, database information, memory use and up-time, and alarm if any of those parameters is outside of normal limits. Standard network encryption technologies such as AES and 3DES are widely available and proven. Encrypting the system from the card through the network to the database will produce a far more secure system than the industry has had in the past.

All these technologies have been standardized. This will be a major shift for the security industry, since it appears that devices will be relatively interchangeable. While the software will need to have drivers to accommodate all of these devices, gone will be the days when your investment in field hardware and field wiring precluded your ability to upgrade your system economically.

How Close Are We?
While everyone agrees we are on the road to a fully IP-based access system, the major manufacturers have yet to release first-generation product, although the buzz would have some announcements coming soon. Some of the newer players, such as Colorado-based ISONAS, have brought IP-based readers to market. "Our key premise is to eliminate the panel with a reader that is a network device. Wiegand is old technology," said Kenneth Butte, president of ISONAS. "Essentially, the cost per door of our system is, in many cases, a third of (the cost of) competing systems."

While widespread deployment may still be in the future, early adopters could be installing a fully IP-based system next year. "We are going to see this; it is going to happen," said Chandler. With the possible exception of low-powered door hardware, the technology required to build these products is available today in the IT world. The major manufacturers, however, will be required to leave their comfort zone of proprietary systems. By all accounts, that is what we are about to see.

And the Downside?
Here is where it really gets interesting. On the technical side, some would argue that there are risks in using a shared resource such as the corporate network for a mission-critical application such as physical security. "There are two camps of security directors; one that knows security systems run better and more effectively over the WAN, and then there is the camp that wants to control their own destiny," said Bill Jacobs, corporate senior manager for Security Technology and Systems, Cisco Systems.

Arguments about the lack of security or reliability will ring hollow to senior management that already knows about dozens of critical applications running on the same network seemingly without incident. "The financial community is looking for ROI wins," said Jacobs. That is not to say that those who have a strong concern about network security are completely wrong. If a properly installed system employs encryption and authentication, however, most experts believe the risks are very low. Certainly the alternatives have either their own significant risks or a far greater cost.

While the number of valid technical concerns that cannot be overcome is small, there are bigger organizational and market concerns. Each piece of the value string, whether it be the end-user security department, the installing dealer or the security manufacturer, is going to come under question. As these products and systems move closer to the types of systems IT deals with every day, many will question why they shouldn't come from traditional IT vendors, be installed by network installers, and be run by the IT department. There is a great deal of concern in the marketplace today about this very possibility. "The installers and manufacturers are going to have to morph," said Chandler.

To be successful, all the camps will need to understand and adopt the IT standards and points of view. Many already get the picture. "I've got four business journals on my desk, and one of them is VAR Business," said Smith.

That said, many also believe this fear is unwarranted. "The IT vendors are never going to understand effectively the angle of view of a camera. They're not going to understand all the perturbations around an access door and what it takes to make it right," said Chandler. "The heads of security need to make it clear to senior management that this is a different animal than your purchasing system or network security. People don't get killed if someone breaks into your network," said Hamm.

Where Does This Lead?
The security industry is at a crossroads. It can either attempt to fight the adoption of IP technology in spite of its clear financial benefits, or it can wholeheartedly embrace those standards and move towards adding value in the areas those standards never considered. When a number of companies attempted to hold onto their proprietary standards in the IT industry, they suffered a painful death.

All segments of the security industry need to understand the true value they bring to security solutions. It is not in basic networking and computing hardware, but in our knowledge of the security problems that must be solved. If we hesitate to embrace those standards as the solution to our problem, the industry will leave itself open to the mainstream IT manufacturers solving physical security problems for us. If they do, they will market their solutions through their dealers and directly to the IT departments.

Where does that leave us? We need to start demanding this type of solution for new systems. Some already are. "Native IP-enabled readers will be the next big step for Cisco's security department," said Jacobs.

About the author: Rich Anderson is the president of Phare Consulting, a firm providing technology and growth strategies for the security industry. A 25-year veteran of high tech electronics, Mr. Anderson previously served as the VP of Marketing for GE Security and the VP of Engineering for CASI-RUSCO. He can be reached at randerson@phareconsulting.com.