Bridging the gap between security and IT

What 'the C-word' means, and how access control fits into the converged picture

Access control systems for the security professional are designed to control who goes where and when, and then to provide either the monitoring of live events or the historical data of these events in the form of a report. Access control for the IT professional means almost the same thing as for the security professional: authentication, authorization and audit. The "who" is IT's authentication, the "where and when" is part of their authorization, and the "monitoring and report" is their audit.

Going Beyond Simple Protection

Through convergence of physical security and IT, many organizations are finding innovative ways to go beyond just protecting. Electronic physical security devices gather and share information in order to provide benefits for the end user. Generally speaking, these devices are used to prevent disruption of core business practices. However, by leveraging integration, they can now augment and improve their business practices. Here are a few examples:

• Conventional security uses physical access control system information for safety (mustering) and security (keeping unauthorized people out). Recently, we have seen companies making use of this information in ways that can improve efficiency, reduce overhead, or even generate new sources of revenue.

In the health club industry, an access control system traditionally is used to provide secure 24-hour access to the facility for its employees and members. Now that access control systems can interface with point-of-sale systems and even websites, they can be utilized for marketing feedback and generating new revenue in this unique market area. Imagine a health club website with a one-day free trial offer. A potential new customer enters all the information the health club requests and then is sent a "one-time use" PIN that can used at any of the club's locations. Upon using the PIN, an automated message is sent to the club manager notifying them of a new guest. For marketing purposes, the health club would now know when the prospect signed up, how long it took before they used the free trial, what time of day they used the facility, and which facility they used. All this information can then be leveraged for a targeted marketing effort directed at that new prospect.

• Video systems are traditionally designed to observe who did what, where, and when, and then provide this information to the appropriate entity. I say "entity" rather than person because just like the previous example, CCTV systems are already being used for more than conventional security.

Let's consider a video camera behind the counter in a hotel lobby. For conventional security, the camera is a deterrent to robbery and theft, and provides protection from lawsuits. Now, through analytics, this same camera can also count the number of people standing in line and, through proper integration, reroute incoming phone calls when people are waiting for help at the counter. This way the desk clerk can focus on serving the customers waiting in front of him rather than answering the phone. This increases efficiency and improves the satisfaction of the customers waiting in line.

• Another example of how access control systems are bridging the gap between physical security and IT is found in the way manufacturers are addressing IT concerns. Most modern access control products are now manufactured with a built-in Ethernet port and communicate via native TCP/IP, while older systems require a serial to the Ethernet converter. While most access control panels now use Ethernet for communications, the IT professional's concern is how these devices appear on the network and what additional resources they will have to manage-IP addresses, routes, VPN tunnels, bandwidth requirements, and inbound ports-and how these devices will impact network performance as well as other network devices. Another IT concern is the server and software associated with management of the access control panels and associated devices, since this computer/server's operating system and virus protection must be updated along with the other business-related computers.