Network-Centric Access Control Systems Take Security to the Edge

March 23, 2015
Converged responsibilities, network security and authentication setting the tone for technology advancements

Security Technology Executive editorial director Steve Lasky recently sat down with several of the industry’s top experts to find out what was trending and what issues were shaping the future of access control technology. Here is what they had to say:

STE: What would you consider the most dynamic and important trend in access control technologies end users can expect over the next 2 to 3 years?

      • Jason Ouellette: Over the past two to three years, the big trends have been the increase in IP readers and in particular wireless locks. Looking ahead a few years, with the improvement of wireless technology,     wireless locks will likely continue to dominate and eventually outpace traditional readers. Quite simply, this allows us to provide locks to more doors at a less expensive price point. Wireless locks also mean we can extend the access control decision making to cabinets, IT racks or closets and pharmaceutical storage, and all those capabilities are selling more access control points because of the decreasing cost of technology and improvements in wireless communications. These communication advances include NFC and Bluetooth low energy technology, which we see as becoming a viable credential communications path in this space and changing the way traditional access control and ID cards are used.

      • Julian Lovelock: The most important trend is the adoption of new credential form factors that offer a more secure and convenient way to open doors and parking gates.  A card, phone or “wearable” will replace mechanical keys and dedicated OTP solutions for physical and logical access control.  Using Bluetooth Smart or NFC technology, users will simply “tap in” (directly tap an RFID card to a reader) to access facilities, VPNs, wireless networks and cloud- and web-based applications. Bluetooth extends the access transaction range and, when combined with gesture technology, enables users to open doors from a distance by simply rotating their device.   

      • Peter Boriskin: One of the most important trends we see is the ability to put more control in the hands of users. Facilities now have more opportunities to interact with and make use of the data they are capturing from their access control systems. By providing the capability to connect to the data, they can use the information as a resource that is useful beyond traditional security. For example, a small business owner now has the opportunity to monitor times his store is opened and closed and when employees arrive and leave. In a real estate application the access control system can be used to tell us who is using a common facility at what times during the day and for how long. A facility can tie access into other building management systems. The ability to interact with the data from access control is going to provide a lot of added value that will continue to produce additional benefits going forward.

  • Scott Lindley: We are finding many users asking their integrators to provide a high-security handshake, or code, between the card, tag and reader to help prevent credential duplication and ensure that their readers will only collect data from these specially coded credentials. In a sense, it's the electronic security equivalent of a mechanical key management system, in which their organization is the only one that has a key that only they use. Such keys are only available through their integrator and their integrator never provides another company with the same key. In the electronic access control scenario, no other company will have the reader/card combination that only they get from their integrator. Only their reader will be able to read their card or tag and their reader will read no other card or tag. This level of increased security is being requested from a host of devices, including traditional 125-kHz proximity readers, 13.56-MHz contactless smart card readers and2.4-GHz long range identification solutions.  It doesn’t take a big stretch to foresee these parameters also being applied to tomorrow’s wearable security technology products. 
  • Robert Laughlin: In the coming years, access control systems will no longer be discrete and separate from other data sources or security systems. Instead, as networked systems they will provide information and intelligence in the form of data that contributes to the new predictive analytics model, helping to move the industry from reaction to prevention. This is true for all systems, as the Internet of Things matures and more powerful software is developed to process and analyze the vast amount of data generated.
  • Frank Gasztonyi: Affordable and simple readers delivering high assurance authentication are just around the corner. The wide availability of integrated electronic locks will continue to increase the percentage of access controlled doors in a typical system. As the IP-connected edge readers market matures, so will the understanding of the appropriate application of those readers in systems. Field experience will prove that components supporting a layered hierarchy are required to produce scalable, true access control systems. In addition, I believe that a tremendous opportunity exists for system manufacturers that can offer an attractive solution to upgrade the many large corporate systems that are limping along with outdated hardware and software. The typical options are either very limited or are very disruptive and expensive. Solutions that lessen this pain, such as the “bridging solutions” offered by Mercury’s Partners, will become a large part of the access control business.
  • David Ella: It’s tricky to pick just one trend as there is a lot going on at the moment. Certainly IP at the door - either through power over Ethernet door controllers, or for less secure doors different wireless technologies. True unified systems rather than just integration is a hot topic. I’d pick Bluetooth Low Energy as a hyped trend that won’t happen and cyber security of your physical access control system as a sleeping monster issue.
  • Ajay Jain: The Internet of Things (IoT) will bring a vigorous and powerful mix of new opportunities – and new risks – to access control.  I expect we will see a wide range of new controllable and intelligent access devices, along with access management elements with new capabilities. Because of this, end users should lean towards systems that are flexible and easily scalable to take advantage of these new capabilities. They are the systems most likely to provide users with the benefits without requiring replacement or upgrades to existing deployed system elements.
  • John Szczygiel: The answer here depends on the job that the access control system is doing for you personally. From the perspective of the security manager, the most important trend will be the introduction of automated event monitoring and predictive analytics driven by rules-based systems. These tools will allow security managers to respond more proactively to security events. From the perspective of the credential holder, the most important impact will come from the move toward digital credentials that are based on mobile devices, allowing your phone to open the door for you.
  • Mitchell Kane: There are so many from which to choose that are all relevant and desirable. Many of the current trends are centered on improved data accessibility and the proliferation of intelligent devices. To name a few, expanded mobile applications, offline and online smart locking systems, smart phone Bluetooth credentials – the list goes on and on.

STE: Where will the proliferation of smart devices, NFC and mobile technology take access control technology in the near future and does this signal a paradigm shift for users?

  • Ouellette: A little over a year ago, Bluetooth low energy technology came on the scene, and that has really made NFC recede from the forefront. That happened relatively quickly. Bluetooth technology, of course, is well known in the consumer market as being a largely mobile technology tool and it’s already in the hands of millions of people in their smart devices.  The access control industry is able to leverage this enormous and growing network of devices already out there. Some key advantages include Bluetooth’s ability to detect a credential at a distance of up to 60 feet as well as the fact that it can detect multiple credentials within a specified area. That provides security staff the ability to make multiple decisions based on that information well ahead of the actual door transaction. Access control will inevitably need to leverage such pervasive technology to evolve with user demand for mobility and flexibility with their business systems. That may take the form of development of mobile apps that use Bluetooth technology to grant access. Or perhaps security devices will be made to work more like mobile devices.
  • Lovelock: Yes, the paradigm shift is the marriage of security with convenience as new devices are added to an access control system.  For instance, adding wearables to the system will enable users to leave home with only a digital wristband carrying their ID.   These devices, combined with the extra flexibility of using NFC and Bluetooth Smart connections, will drive a growing number of applications across the enterprise that are enabled for close-range tap. The Bluetooth Smart connection will extend transaction distance to many meters and make wearables an ideal choice for the longer range authentication model, for the ultimate in convenience.
  • Jain: Emergence of these technologies will increase the usage of mobile smart devices as an identity credential, and will be a significant paradigm shift in the near future. It has some big advantages – for example, no employee is going to lose their own mobile device and not do anything about it. The ability to track and de-activate mobile devices remotely is also a potential security enhancement. And, mobile devices provide a new communication path for users to be connected to the security team for anytime, anywhere assistance.
  • Mitchell: The functionality of these technological advancements is certainly taking hold in our market, albeit slowly. Although NFC hit the market first with many trial installations, the jury is still out on its use for access control. As such, Bluetooth seems to be surpassing NFC as the preferred technology. Many of our vertical markets can look forward to expanded mobile capabilities, including access control capabilities using mobile credentials. Additionally, with the ever-expanding Internet of Things, we can expect a greater amount of interoperability between disparate products. That can only help users in this market gain new levels of security, mobility and operational efficiencies.
  • Ella: Bluetooth Low Energy [BLE] seems to be the  winner rather than NFC, but we are not sure there’s going to be a surge away from smart cards based on progress to date. Forgotten phones, flat batteries, lack of a visually verified id card and inconsistent technologies across devices are all issues. The most useful smart phone application for access control surely has to be the downloading of one time credentials for visitors for access to remote sites.
  • Gasztonyi: NFC sounds interesting, but I do not see it having a major impact on access control. The one vertical that may benefit from NFC is the small business systems market. The use of NFC for campus, corporate or any large-scale identity verification faces serious challenges. For example, placing control of the “identity credentials” into the hands of mobile device carriers is bound to create potential trust issues. On the other hand, I expect that certificate-based high assurance credentials will gain much wider use. They are a much improved version of the time tested identification card, while still retaining all the characteristics that made the basic access card viable, popular, and deliverable.
  • Laughlin: The shift is already underway, and it will continue to grow and evolve in ways we cannot foresee. Many of the new technologies which will ultimately reshape access control are coming from the consumer world, particularly retail commerce, which has been using NFC and other location-based data in some extremely interesting ways. Adoption and evolution take time, however, and rather than leap into untested waters it is important for security users to recognize that our first mission is to keep people and property safe. We are carefully watching all the new technologies, but only pursuing those that make sense for our own industry.
  • Lindley: The future of RFID is growing each and every day. Today, RFID technology provides us access to our offices, parking lots, hotel rooms, gyms, cars and homes. In California, as in other locals, it is widely used to identify individual library books and allows the charging of electric vehicles. Security administrators today need to work in tandem with other departments within the enterprise to determine how elements of the security system can also be of benefit to them. In addition to the functionality for multiple applications, smart credentials also increase the security of information kept on the card and stored in the facility.  If applications require multiple forms of verification, the smart card securely stores other credential types such as biometric templates, PIN codes and photos right on the smart card, utilizing the enhanced storage and encryption of smart technology.  It also provides an extra level of security at the access point, protecting the information behind closed doors or on the secure network.

STE: With more than 22 billion internet customers expected within the next five years, how much more important is it to ensure identity with more secure access control authentication by fusing physical and logical controls? Is this is a growing priority for your company considering the growing ID management threat?

  • Boriskin: As the barriers to electronic access control continue to be lowered by removing infrastructure costs, we see a similar increase in the number of systems deployed per year. With that in mind and the fact that many more systems are leveraging their in-house networks to provide the backbone for their security and surveillance systems, it’s critical that we make sure we have the necessary protection in place. Since so many of us are already walking around with smart credentials and possibly in the future, biometric templates, it makes sense to add additional forms of authentication to the network and the security systems themselves. This is a high priority for ASSA ABLOY. HID Global, ASSA ABLOY Group brand has an identity assurance division that is focused on this area.
  • Lovelock: Provisioning a combination of IT and PACS credentials to one smart card, smartphone or other mobile device, using one set of processes, will greatly enhance security.  We will also see greater momentum behind biometric authentication models for both physical and logical access control.  Innovative use cases include “binding” a person to a device such as a key fob with a fingerprint sensor for multi-factor authentication without the need for a biometric reader.  We will also strengthen security through cloud-based credential delivery and management solutions into which all entities have been biometrically authenticated.
  • Ouellette:    Identity security is a significant priority within Tyco Security Products and across many technology-based markets. Our CEM Systems brand provides biometric features natively in products, which is particularly important to users who require the highest levels of security. Our Software House brand also provides the multi-factor authentication access control required to meet government’s high-assurance needs such as FICAM. Within access control, biometric applications will undoubtedly continue to play a significant role in increasing the security of identification. Frictionless access control, or non-contact access control, may be the final lynchpin in creating an identity management security program that uses both physical and logical controls in the best way possible. Finger/palm vein and face recognition are growing trends that could function well in a non-contact environment.”
  • Szczygiel: There are several weak links in most security systems today starting with processes for authentication and authorization. Physical security systems are pathetically bad at authentication but particularly good at authorization. This is partially due to the weak binding between today’s credentials and the bearer. Fortunately there are many ways to improve this binding through the use of phone based credentials, biometrics and two factor authentication. The future of physical access control is very clear; we must follow the path of IT towards a more holistic identity assurance lifecycle within our PACS systems. Once we improve ways to authenticate users, the authorization part is fairly simple.
  • Jain: Identity management threats are definitely a major driver for increased security spending by high risk organizations worldwide. Fusing physical and logical security system controls is one strong method for improving identification accuracy, and it can be tailored to the specific needs of the user organizations. As a provider of Physical Identity and Access Management systems, one of our priorities is to ensure that our management systems support the right levels of fusion for the right locations, job functions, and risk levels.  This flexibility is needed both now and to meet future needs.
  • Ella: For U.S. Government applications, we are shortly going to see more widespread end-to-end implementations of PKI for physical access control. The same technology is used in high security authentication for PC applications such as online banking. Linking physical and logical identities through a directory such as Microsoft Active Directory is already quite common for some organizations, and for increased security in critical infrastructure, industries like Utilities are going to see a lot more fusion of physical and logical event data for anomaly detection.
  • Gasztonyi: Every manufacturer has the responsibility to recognize and address the reality that network-connected security equipment faces a very real exposure to security threats. Fortunately, the technology is readily available to incorporate countermeasures to ensure identity is secure. Mercury uses certificate-based cryptographic methods for communication, as well as for authenticating our field devices and adding native support for high assurance credential authentication. Since these underlying methods apply equally to logical and physical security applications, true “end to end” secure ID management is feasible.
About the Author

Steve Lasky | Editorial Director, Editor-in-Chief/Security Technology Executive

Steve Lasky is a 34-year veteran of the security industry and an award-winning journalist. He is the editorial director of the Endeavor Business Media Security Group, which includes the magazine's Security Technology Executive, Security Business, and Locksmith Ledger International, and the top-rated website He is also the host of the SecurityDNA podcast series.Steve can be reached at [email protected]