Where Access Is Going

Sept. 13, 2006
Industry experts sound off on IP impact, enterprise systems and the convergence phenomenon.

The complexities of planning and implementing an integrated access control program are becoming much more intense. Rapid technology advancements have forced security directors to reassess what the term “access control”really means in the context of their business environment.

For many caught in the mixing bowl of enterprise-risk and network-centric approaches to security, access control spans both physical and logical domains. A new world of internal partnership between IT and corporate security directors has facilitated the integration of biometrics and smart cards into the access control landscape. Web-based options have also enabled the global expansion of the security function.

Still, most security professionals are operating legacy systems that must evolve or become obsolete in time. How can technology evolve, show ROI and protect the enterprise? Some of the top access control manufacturers in the world tackled these questions in this month's roundtable.

Dave Adams is the product strategy manager for Tyco Safety Products Access Control and Integrated Systems. Mr. Adams has been with Tyco/ADT for more than 20 years, working in integrated systems applications management, national account sales management, ADT branch management, and installation and service. He has had extensive involvement on many of ADT's largest integrated systems projects.

Daniel Smytka, president of Engineered Systems for GE Security, joined GE in 1990 and has held a variety of roles primarily within GE Consumer & Industrial. Most recently, he was president and CEO, Asia Pacific, for GE Consumer & Industrial. In May 2005, Mr. Smytka was appointed as a GE Officer.

Mark Peterson is HID Global's director of the Intelligent Technology Design Resource or iTDR Group, which was established to provide technology and design counsel to specifiers, consultants, engineers and designers as they work with their clients to migrate to new secure identification technologies. A former security industry consultant, Mr. Peterson has more than 27 years of experience in intrusion detection, access control, video surveillance, parking control and integrated security management systems.

Steve Thompson is the director of marketing for Johnson Controls Fire & Security Solutions worldwide. He has been involved in the design, development, and marketing of technology products serving the commercial controls, fire, and security industries for more than 25 years.

Masami Kosaka has been president and CEO of PCSC and TTIK Inc., of which PCSC is a subsidiary, since 1989. He previously held positions with BASIX Control Systems Corporation, Cardkey Systems and TTI (Transaction Technologies Incorporated).

Jim Clark is vice president of Global Marketing & Strategy for United Technologies Fire & Security group. Previously, Mr. Clark served in a variety of management roles at GE, including vice president of Global Sales & Marketing at GE Security. Mr. Clark is a former board member of the Security Industry Association and chair of the education committee.

Rob Zivney is vice president of marketing for Hirsch Electronics. His career in the security and building controls industries spans 30 years, and his expertise covers access control and intelligent building systems including the integration of environmental, lighting, fire and security systems. Mr. Zivney is on the board of directors of the Security Industry Association, serves as SIA's chair of the Personal Identity Verification Working Group, and represents SIA to the Smart Card Interagency Advisory Board Physical Access Committee.

ST&D: How much of an impact has Web-based technology had on conventional card access control, and where do you see it going in the next three to five years?

Clark: Web-based services have introduced a whole new dimension to information access and sharing within an organization. The three-to-five-year future will include further integration with other enterprise systems and third-party integration. But keep in mind that the Web is not the ideal interface for every aspect of an access control system—at times other data is needed to help inform decisions. Additionally, for functions requiring device interactions like capturing photos or reviewing video, controls must be downloaded onto the machine, which means it is not a purely Web-based solution.
Our overall enterprise standpoint is that an access control solution has to have the right combination of Web-rich clients and mobile clients, which allows the end users to pick the right interface for their needs.

Kosaka: Network security concerns need to be resolved before Web-based systems are fully adopted. In today's market, Web-based access control systems have a place in the “small security” sector. Many of the companies requiring access control have fewer than 100 employees with the need to control less than 12 security doors. In many instances, the security manager is the president/owner or one of its managers, where security takes a secondary role and its use becomes a tedious task. By offering simple card access management tools and no workstation software to worry about, Web-based systems continue to mature in today's security market. The Web itself offers a convenient infrastructure for application communication, allowing users to access security data no matter where they are. The convenience factor will encourage higher usage and acceptance, which in turn will increase new application developments.

Thompson: Web-based technology is very well suited to conventional access control with three primary benefits: 1) Improved workflow by allowing non-security personnel to enter data and queue up badge additions/deletions/changes for an authorized security decision-maker to simply review and approve—streamlining the whole paperless process; 2) Provide for limited access functions to authorized users of portions of the security management system from any connected Web browser—eliminating the need for occasional users to have physical access to the full workstation environment; and 3) Allow for improved mobility of the security staff through wireless PDA connectivity to the security system.
Because of these benefits, and others, functions will continue to migrate from dedicated security workstations to Web servers.

Zivney: The fastest growing part of our business is professional services. This business is driven by the need for interoperability at the enterprise level ….
With the introduction of new standards from SIA, BACnet, and NIST implementing interoperability through XML and Web Services, this will become a standard product offering for all.

ST&D: What strategies would you suggest for end users still employing traditional card-based access control technology but moving towards an IP-based retrofit?

Kosaka: Before making any decision to upgrade your exiting system to an IP-based network communication infrastructure, one needs to make certain that your existing system can be upgraded and what benefits you will receive in the upgrade process. Many people jump into upgrading their system without knowing if the controller or the exiting software package can support the new communication architecture or a combination of old and new. In many cases, upgrading existing controllers to an IP-based network will only increase communication speed by a small fraction.

The “old” RS485 technology is a highly reliable network compared to an Ethernet network, which relies on … servers and routers. The only outside vulnerability to an RS485 network is the physical cutting of the RS485 cable. TCP/IP networks rely on hubs, routers, servers or even the Web for proper operation. If any one of the devices fails, you could lose all or part of your network.

Peterson: My suggestion is not to focus only on the technology. Understand the operational and policy and procedure changes that come with an IT-centric strategy. First, involve the IT and infrastructure group in your strategy decision. Define roles and responsibilities between IT, security, facilities, operations and any other affected group. Focus on what expertise and services each entity provides toward a comprehensive deployment. Then agree on how the business units will work together and share information during the planning, deployment, operation, administration and maintenance activities. Applicable internal standards, policies and procedures may need to be revisited and revised to reflect changes in strategy. Focusing on a technology solution without first considering how that decision may affect the business operation could adversely impact system acceptance and the perceived overall effectiveness.

Smytka: One of the things end users might do is get to know the IT professionals in their organizations. Moving to IP technologies is clearly going to involve the IT organization. The better the working relationship is, the more easily technology can be implemented. This will also get the IT professionals in the organization up to speed on the requirements of the security organization; so, as they plan for future IT expansion, the IP needs for the security organization are included.

Thompson: The transition to IP has already occurred in most security management systems connecting controllers to workstations, and workstations to each other …. What remains is an IP connection to the reader. The benefits of IP-based readers lie in the integration of controller functions—putting the access decision at the door. The key for end-user preparation is to develop a long-term plan among their security staff and IT staff to manage applications, bandwidth, and support.

ST&D: Do you view enterprise-wide security as more than simply technology solutions? If so, how?

Adams: Enterprise-wide security is absolutely more than a simple technology solution. As the title indicates, enterprise-wide security is really the entire culture of business operations. Security technology has to integrate with the entire corporation; otherwise it's not meeting the new needs of the company and would be no different than their past practices. Enterprise-wide security platforms now play a vital role in ensuring higher business efficiency levels, while at the same time providing safer work environments. Some examples of this scenario would include video audits, employee level to production level data, unmanned delivery services, and other such uses.

Clark: Yes, definitely. First, technology has dramatically reduced but will never eliminate the human component in security. So the screening and training of security personnel remains critical to the system integrity.
Second, routine security standards can become lax over periods when there is no apparent risk, and that makes the system vulnerable. Examples include an employee who allows an innocent-looking non-employee through the door, failure to display photo ID badges properly, lax visitor logging, failure to change passwords on computer systems; and many others.

Peterson: A comprehensive enterprise-wide security program consists of a balanced mixture of people, policies, procedures and technology tools. It is easy to focus solely on technology solutions, without first considering what problems are being solved by technology; what risks does the technology present; does the technology fit the unique environment and culture of the enterprise; etc. Often the mistake is made to find a problem for a shiny new technology to solve. The responsible course of action is to define the business problem, and only then to identify which technology tools may be used as part of the total solution.

Smytka: GE Security views enterprise-wide security as much more than technology solutions. It is a holistic approach of combining logical and physical access systems and their associated processes. For example, consider the new-hire process for an organization with enterprise-wide security. The establishment of a user account for the new hire is linked to the new hire gaining access to facilities within the organization. As the role of an employee changes within an organization, logical access and physical access parameters may change (the employee may need to access more sensitive information or areas within the organization). Having the two systems—logical access and physical access—linked can improve data accuracy and reduce duplication of data within the organization and thereby reduce overall administrative costs.

ST&D: Do you see security convergence as a technology “buzzword” or an evolving approach to enterprise-risk management?

Clark: Both. “Convergence” has become an abused attention-getter in security marketing, but real convergence remains one of the key elements of change in the industry.

Kosaka: Buzzwords are the descriptive forms of the applications or solutions. A word or phrase would not become the buzzword if it wasn't important. “Convergence” is another term that emphasizes the need for industry cooperation and standardization. For convergence to take place, product interfaces will need to evolve from proprietary to cooperative open standards. In the end, convergence will lead to more applications solutions and open the door for applications outside of the security community.

Peterson: Security convergence is a much overused, and many times misused industry buzzword, much like we have experienced from terms such as “open architecture” and “integrated.” Some mistakenly view this term as meaning that security signals are transported over the network infrastructure. In reality, this trend involves significant changes in how business is conducted and with whom business is conducted. Value propositions, product positioning strategies, and distribution channel models must be analyzed and retooled to remain effective in an IT environment.

Smytka: GE Security sees the movement toward security convergence as a direct approach to reducing an enterprise's risks. (My) previous example of the new hire process flows into the termination process for an employee. To be able to quickly, efficiently, and to a very high confidence level be able to disable a former employee's physical access to buildings and logical access to networks and data can protect an organization. If these processes are not converged, then gaps can occur, and a former employee may be able to continue to access information or physical spaces within the organization.