This article originally appeared in the June 2023 issue of Security Business magazine. When sharing, don’t forget to mention Security Business magazine on LinkedIn and @SecBusinessMag on Twitter.
A stroll around ISC West and it was not hard to see the vast number of access control companies that have sprung up in the security industry. Lee Odess, CEO of Access Control Executive Brief, has tallied that there are almost 400 companies singularly focused on controlling access. The truth is that access control is needed, but no one cares about it – until they need it.
For lack of a better word, security cameras, analytics, robots, and drones are some of the “sexy” products in security industry terms. We can accomplish cool things with them. Access control is seen as a panel on a wall, with minimal monitoring or use until there is a problem or an employee’s access needs to be modified. It is largely functional, not sexy.
Large, enterprise-level access control management systems typically involve using the platform more like a Physical Security Information Management (PSIM) application with integrations; however, these also tend to be the same applications where tens to thousands of alarms – most of them false – obstruct flow. In fact, there are now software solutions to help reduce access control-related false alarms because so many systems are plagued by them.
Nevertheless, for every enterprise access control management system, there are many smaller access control systems – typically in the 64-door category or less – that simply need to unlock a door for approved personnel, and to keep the door locked for everyone else, with minimal oversight.
Even as a staple product in the security industry, the problem with access control may be a growing influx of companies – from the one-trick ponies to the enterprise solutions and everything in between – making it difficult to identify solutions through the chaos. It has become what Odess called a “users-choice” model, limited by marketing, distribution channel adoption, and integrator line cards.
There are a variety of go-to-market strategies that access control companies have; however, the current perception is that of chaos, with many of the companies trying to find where they fit in the current industry model.
Cloud vs. On-Premise
It has been written that 94% of companies have adopted some version of cloud services. That’s because the cloud has made access control significantly easier to implement, and companies are already accustomed to working with cloud services.
The cloud allows access control manufacturers to make small batches of panels, requiring little to no inventory and less funding. The software is license-based and they – just like their end-users – can scale only when needed.
The amount of data going to the cloud is minuscule, with basic transactions taking minimal bandwidth, and only when integrated with other systems are these transactions taking additional space.
On-premise and cloud-hosted solutions are also moving to a Software as a Service (SaaS) solution or even a full Access Control as a Service (ACaaS), which is more common with cloud solutions but may be also offered by on-premise solution providers. These “as a Service” models allow end-users to pay monthly, where IT departments are already correlating costs based on a per-person scale just like Office 365 or Adobe.
Cutting-Edge, Not Old or Unfriendly
Customers experience often see access control management software as “old” or “bulky” or “not user-friendly” – but new software designs focused on a webpage-based access instead of a thin client alleviate these issues. The interface is typically designed for a simplistic look (think Apple not Windows).
The features are designed around only what the user cares about: Exciting peripherals, business intelligence and interoperability, and cybersecurity.
Peripherals: When most non-security industry people think of access control, they think of the card, reader, or intercom (what they need to interact with), and the user doesn’t care if cards use 125 kHz, 13.56 MHz, MIFARE, or something else. The user wants to enter the door the easiest way possible. The security industry wants the user to enter the door securely with some level of trust.
Cards are still here, but there is growing adoption for both biometrics and mobile access – after all, who wants to carry a card when nobody leaves home without a phone or, of course, their biometrics.
Business Intelligence and interoperability: Even though both are buzzwords, they are actually relevant. Security has always been seen as an insurance policy, siphoning money from an organization with little to no return on investment. Information collected by access control is directly correlated with other business stakeholders including IT and HR at the very basic interaction.
Most access control management systems offer an Open API for integration with IT resources like Office 365, email, messaging apps, HR platforms for data analytics, desk booking, and much more. Where most access control manufacturers fail is when they offer minimal reporting features, preventing the sharing of applicable data; or worse, their Open API is not truly open.
Cybersecurity: There is a sliding scale on how companies provide cybersecurity and it adds to the chaos. Not all cybersecurity is the same. In a very general sense, most companies offer ways to cyber-harden a physical system as well as the data. Conversely, cybersecurity is not the primary focus of most access control platforms. The level of cybersecurity incorporated is often based on the targeted end-user.
There are many ways to address cybersecurity in the access control world, such as Trust Platform Module (TPM) chips, encrypted communication from the panel to the server (or hosted server), Open Supervised Device Protocol (OSDP) encryption between peripheral and panel, and signed firmware.
Both on-premise and cloud-hosted require data to be secured as well as the software. Securing network traffic can be accomplished with firewalls, micro-segmentation, and Zero Trust architecture; however, the software infrastructure must also secure data. For example, Amazon Web Services (AWS) explains that they provide the physical and cybersecurity “of” the cloud, while they rely on the software provider – i.e. the access control management platform – to provide the security “in” the cloud.
How to Make a Choice
There are so many different manufacturers of access control management systems on the market, so how do integrators choose which ones to carry? Typically this is driven by the number of systems installed, and the highest discount at the time of sale; directly correlated to the number of manufacturer-certified technicians. However, as many of the larger established access control management systems have yet to adopt the cloud, integrators are finding they need at least one or two cloud-based systems as part of their offering, directly driven by types of clients: Enterprise clients will not settle for a startup, while multi-tenant buildings may want the user experience brought by new and innovative platforms.
Whether it is an established manufacturer or an innovative startup, the cybersecurity of the product should help determine the amount of risk the integrator and the customer is willing to accept.
Jon Polly is the Chief Solutions Officer for ProTecht Solutions Partners www.protechtsolutionspartners.com, a security consulting company focused on smart city surveillance. Connect with him on linkedin: www.linkedin.com/in/jonpolly.
