Access Control Takes to the Web

Oct. 27, 2008
Web-enabled systems find their niche in the right facilities

Just as the Internet has changed the way we shop, entertain and inform ourselves, it has transformed the manner in which we protect and secure our buildings, critical facilities and infrastructure. With the Internet, security directors and corporate and government executives can view and control video surveillance systems from almost anywhere in the world. The same is true for access control systems.

Using Web-enabled or Web-hosted applications, authorized system users can add or delete cards and change access control and alarm schedules—all from remote locations.

Web-enabled and Web-hosted access control systems can offer you tremendous advantages in the right circumstances. However, as with any technology, this technology may not be the best choice for every situation. I asked several of the country’s leading systems integrators to share their opinions and experiences, and those of their customers, in dealing with these systems.

What Is Web-Enabled Access Control?
First, a couple of definitions are in order. In the Access Control Trends & Technology supplement published with Security Technology & Design’s June 2006 issue, Christie Walters wrote a backgrounder on the different types of Web services available for access control. In this article we’ll focus on two of the categories Ms. Walters discussed: Web-enabled and Web-hosted applications.

Web-enabled applications use on-site software and a server that can be remotely accessed with a Web browser and password. The user, or the security department, is responsible for maintenance, software updates and security upgrades. In some cases, adding the software—which controls the system’s functions—to the controller eliminates the need for a separate server. Remote system control is available through dial-up or network configurations such as a LAN/WAN or VPN. Another option available to corporations is the use of multiprotocol label switching (MPLS) networks. MPLS gives network operators a great deal of flexibility to divert and route traffic around link failures, congestion and bottlenecks. MPLS networks are private and lend a known and comfortable network design model for corporate implementation.

The choices among Web-enabled systems are becoming more plentiful as manufacturers rush to capture their share of the market. Some of the systems my colleagues and I have installed recently include the NetBox from S2 Security, the Access Easy Controller from Bosch Security Systems and Integral Technologies’ Intelli-M.
In the Web-hosted model, an application service provider (ASP)—usually a systems integrator or equipment manufacturer—hosts the server, software and user databases in its own data center. The ASP also provides system redundancy in case of equipment failure. Authorized security staff and executives can access the system via a browser and password. This type of service requires no use of your corporate bandwidth and no network configuration between multiple sites.

The Fit for Small- to Mid-Size Facilities
Many of the integrators I spoke with agreed that Web-enabled and Web-hosted access control systems seem best suited to small- to medium-sized companies with a need for some level of security—traditional intrusion security integrating access control for a few doors.
Potential problems may occur as more people are authorized to remotely view the system reports or are permitted to add a door or delete a person’s access card—all of which is likely as a system is expanded to cover 25, 50, 100 or even more sites. The administration of the system database is best left in the hands of a few knowledgeable professionals within the corporation. Also, implementing changes over a handful of Web-enabled boxes is relatively easy, but can become a major challenge in larger numbers.

Multi-tenant facilities may provide one of the more ideal situations for a Web-enabled access control system. Such a system can be partitioned to give the building manager control over common areas such as lobbies, elevator banks, parking garages and cafeterias. At the same time, the building tenants can use the Web to control access to their own spaces.

According to Jim Coleman, president of Atlanta-based Operational Security Systems, these systems offer several advantages to the end user.
“Out of the box, these Web-enabled systems are pretty easy to get going,” he said. “There is no need for patches or the need to worry about viruses or software updates. The simplicity may entice more people to use these systems.”

But Bill Savage, president of Security Control Systems, warned that simplicity could have a downside for a system user who is relatively new to access control. “Just because you have a simple potential for a product, that doesn’t mean that every application is going to be simple to execute,” Savage said. “People that have a history of buying because products are simple and inexpensive get involved and then cannot execute the full range of applications. And that generally turns into disaster.”

What About Enterprises?
Web-enabled access systems can also appeal to the enterprise user under the right set of circumstances. A corporation with widely dispersed locations may not want to be dependent upon a large head-end system with a single, centralized control center or security operations center. Corporate executives also may give a high degree of independence to remote site managers and expect them to handle the day-to-day administration of the access system. A Web-enabled system still allows the headquarters-based security director to keep tabs on outlying operations or take control of the system if necessary.

Based on our experience, however, these systems may not be ideal for a Fortune 500 company doing business globally, although some are using this model to provide access control to multiple remote office locations.

“I think they are going to have to get a few systems of substance under their belts and know how they work and what their limitations are before we can roll these Web-based systems out on a large-scale basis to the big corporations,” said Coleman. “Database synchronization and scalability issues will have to be overcome.”
Also, Web-enabled systems based on thin clients currently are not as robust in feature offerings as the more traditional client-server systems. But Coleman said that feature gap could narrow as technology develops.

Security Concerns
Another issue that users should keep in mind concerning Web-enabled and Web-hosted systems is security. Because these systems put sensitive data on the network, they require diligent network security and rights management. Without this, outside hackers could maliciously attack an access system to gain entry into a critical operations area, or employees could give themselves access to restricted areas or mask alarms to hide transgressions.

Appropriate security measures can help guard a Web-enabled system against attack. “These systems can be as secure as you make them,” said Steve Morefield, president of Firstline Security. “If you enable the appropriate safeguards and know how to implement them, you can make these systems as safe as any other Internet-based system.”

Considering the ASP Model
The integrators I spoke with said their customers have not yet been attracted in large numbers to the ASP—or Web-hosted access control—model. As mentioned above, this service does not tie up corporate bandwidth or require an IT team on staff, but the cost savings of it is offset by recurring monthly fees. Savage commented that he’s seeing operational costs driving some users away from the hosted model.

Morefield has also seen a shift away from ASPs by some of his major office building customers. While the systems work in providing service to individual tenants, the cost is being passed along to the leaseholders. “The ASP solution may work fine when rents are going up and companies are paying whatever it takes to move into a property that they like,” he said. “But in today’s economy, the idea of not keeping an eye on expenses is gone.”

Without a doubt, the Web-enabled and Web-hosted access control systems have opened new markets, bringing customers into the market for the first time. And these systems have a place in providing better security in the right situations. But before making the jump, remember that proper product selection is critical. The best way to make that choice is to count on the expertise of a systems integrator with experience in this area of security.

Chris Wetzel is chief operating officer and co-founder of Warrendale, PA-based InterTech Security. The company is a member of SecurityNet, a network of 21 leading systems integrators across North America, the U.K., Japan, Australia, Brazil and the Dominican Republic.