Tech Trends: PSIA Primer

Aug. 19, 2015
Access control standards at stake

In my last column, I provided thoughts on the ONVIF specification effort, which was initiated in 2008 by Axis, Bosch, and Sony. This month, I’ll turn my attention to another effort to drive system interoperability. Also founded in 2008 by over 20 companies, including Cisco, Honeywell, GE (now UTC), and Tyco, that organization is the PSIA, short for the Physical Security Interoperability Alliance (www.psialliance.org). Although neither has the power of a true standards-making organization, I believe that either would claim success if its efforts became de facto standards, widely adopted by both manufacturers and specifiers.

The PSIA has created a security ecosystem, relying on seven complementary specifications, which enable systems and devices to interoperate and exchange information. Three of these (the Service Model, the PSIA Common Metadata & Event Model, and the PSIA Common Security Model) provide a framework for the functional specifications, including the IP Media Device spec (video), Recording and Content Management spec (storage), Video Analytics spec, and Area Control (access control, intrusion, power management) spec.

While both organizations focused on video early on, ONVIF has evolved to have a strong international coalition of companies who, today, are mainly video-centric. The PSIA has emerged to have access control as its primary focus, embodied in the functional specification for Area Control. Leadership contends that most of the significant North American PACS (Physical Access Control System) manufacturers now participate in this effort.

I asked David Bunzel, PSIA Executive Director, about the need for interoperability of access control systems since, unlike cameras, there seems to be less of a requirement for “mix and match”, particularly since many hardware panels can be repurposed with a change in access control software. David explained that the idea is to provide actionable intelligence coming back to a dashboard from disparate systems, with the ability to share data among systems. This suggests a larger, enterprise focus, which David verified. Think of a scenario where a company grows by acquisition and wants to avoid a forklift replacement or extensive modification of acquired systems. If both the incumbent and the acquired system meet the PSIA specification, the barriers to a lower-cost implementation may be lowered. An integral part of this enterprise scenario is identity management, which PSIA also claims to be addressing.

The PSIA has achieved industry attention in the last year because of its Physical Logical Access Interoperability (PLAI) profile, which is part of the Area Control specification. PLAI is a dynamic identity management protocol, designed to have Lightweight Directory Access Protocol (LDAP) as a single authoritative source for identities using role-based access control (RBAC). NIST (National Institute of Standards and Technology) has mandated that RBAC requires that all access occur through roles, and that permissions be connected only to roles, not directly to users. (INCITS 359-2012 is the current standard for RBAC, approved by ANSI in 2012.) In IT terms, this is in lieu of Access Control Lists (ACLs), where permissions are assigned to individual users, much like today’s physical access control world. In RBAC, roles can be easily created, changed, or discontinued as the needs of the enterprise evolve, without having to individually update the privileges for every user. A study commissioned by NIST in 2010 listed advantages of RBAC as:

  • More efficient access control policy maintenance and certification
  • More efficient provisioning by network and systems administrators
  • Reduction in new employee downtime from more efficient provisioning
  • Enhanced organizational productivity
  • Enhanced system security and integrity

RBAC was originally intended for the logical domain, but using a working standardized framework in the melding of the physical and logical domains makes good sense, as the above benefits could certainly be imparted to the physical world. And, clearly, the industry recognizes that common physical-logical credentialing is a necessary component for next-generation access control systems. The PSIA expects to be a key driver in this regard. According to the PSIA, that “synchronicity makes it much easier and cost effective to create solutions such as confirming an employee is physically present before permitting access to an application or database as well as solutions for easily managing physical and logical access privileges when employees travel.”
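An added sketch (not PSIA or PLAI code) of the model described above: one authoritative directory in which permissions attach only to roles, access systems that defer to it, and the physical-presence check before a logical login. All class, role, and system names are hypothetical, and the in-memory directory stands in for LDAP.

```python
# Toy model only: not the PLAI protocol or any PSIA data format.

class Directory:
    """Single authoritative source: users hold roles, never permissions."""
    def __init__(self):
        self.user_roles = {}   # user -> set of role names
        self.role_perms = {}   # role -> set of (system, resource) pairs

    def grant(self, role, system, resource):
        self.role_perms.setdefault(role, set()).add((system, resource))

    def revoke(self, role, system, resource):
        self.role_perms.get(role, set()).discard((system, resource))

    def assign(self, user, role):
        self.user_roles.setdefault(user, set()).add(role)

    def unassign(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def permitted(self, user, system, resource):
        # Every access decision passes through a role.
        return any((system, resource) in self.role_perms.get(r, ())
                   for r in self.user_roles.get(user, ()))


class AccessSystem:
    """A physical or logical system that defers to the directory."""
    def __init__(self, name, directory):
        self.name, self.directory = name, directory

    def allows(self, user, resource):
        return self.directory.permitted(user, self.name, resource)


def logical_access(user, app, it_system, presence):
    """Allow an application login only if a role permits it AND the
    physical system last recorded the user as on site."""
    return it_system.allows(user, app) and presence.get(user) == "on_site"


def build_demo():
    # Constructed sample data: an incumbent and an acquired PACS plus IT.
    d = Directory()
    d.grant("engineer", "pacs_hq", "lab_door")
    d.grant("engineer", "pacs_acquired", "lab_door")
    d.grant("engineer", "it", "design_db")
    for u in ("alice", "bob"):
        d.assign(u, "engineer")
    return (d, AccessSystem("pacs_hq", d),
            AccessSystem("pacs_acquired", d), AccessSystem("it", d))
```

One `revoke` on the role changes the outcome for every holder of that role, and one `unassign` in the directory removes a user's access in all three systems at once.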

The PSIA is also moving to include areas adjacent to access control, such as power management, an integral part of many access control systems. Both Altronix and LifeSafety Power are participants in the initial stage of this effort. Other areas of emerging interest are battery-powered locks and the Internet of Things (IoT).

So, while ONVIF has dominated the “de facto standards” of IP surveillance video, the PSIA has clearly staked its future on access control, the physical-logical evolution of access control, and adjacent areas. We’re not yet seeing PSIA compliance splashed throughout manufacturers’ product literature or web sites, and PSIA compliance has not become a key consultant spec item. Also, ONVIF approved its access control standard in December, 2013. Can ONVIF push its advantage into access, given its broad membership and the increasing integration of video and access?

Ray Coulombe is Founder and Managing Director of SecuritySpecifiers.com and RepsForSecurity.com. Ray can be reached at [email protected], through LinkedIn at www.linkedin.com/in/raycoulombe or followed on Twitter @RayCoulombe.