What Is a Holistic Access Control Approach?

March 7, 2022
An integrated and holistic strategy for physical security is more than a buzzword

A holistic approach can be applied to almost anything that requires security be it a person, a computer, a network or a facility

The security industry loves buzzwords, and among the most ubiquitous of them is the catchphrase of holistic security, which describes a strategy that strives to integrate all the elements designed to safeguard an organization into a multifaceted and interconnected system. The endgame of this holistic approach to security is to provide a continuous level of protection across the organization’s networks, its software, its human capital and the physical footprint.

Based on systems thinking, holistic security involves consideration of how any security system's fundamental parts interrelate and work within the framework of larger systems. A holistic approach can be applied to almost anything that requires security be it a person, a computer, a network, a building or a property, but must always be considered within the broader context.

In this special technology roundtable-in-print, sponsored by Brivo, Security Technology Executive editor Steve Lasky is joined by Steve Van Till, Founder and CEO of Brivo, a pioneering cloud services provider of access control, video surveillance, mobile credentials, and identity solutions delivered as a SaaS offering. He also serves as Chairman of the SIA Standards Committee and is a frequent author and speaker for numerous security and Proptech publications and forums, and the inventor and holder of several patents in the field of physical security, and Chris Gilbert, who is the Founder and President of Security Pros, LLC. He has been in the industry for 24+ years and has worked in just about every aspect of the integrator side of the industry. Over the past 12 years, working as the president of his own company, based in Southern Indiana and is an integrator partner of Brivo.

Steve Lasky: What does it mean to create a truly holistic access control strategy for an enterprise-level client?

Steve Van Till: When we consider holistic access control, we insist it involves four features:

  • Standardization involves a platform that connects all facilities in a single view. It allows enterprises to better manage and service buildings and suites in a single solution.
  • The holistic solution must be open and connect to an ecosystem of devices and applications to meet the unique needs of the properties. Open APIs connected to applications enable the enterprise security team to standardize without giving up flexibility.
  • A holistic system must pull and gather intelligence from data. Even sifting through hundreds of thousands of access events, machine learning and AI technology help to quickly identify events that are out of the norm and flag them for follow-up.
  • Security undergirds all the other features, from cybersecurity to identity management to health and safety. Cybersecurity is paramount across the platform that is used. Integrating the access control system with the digital IAM solution and managing granular level permissions into access to the platform ensures that you maintain a least-privileged posture in how that access system is managed. Given the ongoing pandemic, enterprise-grade solutions need the ability to enforce health policies through access controls across the enterprise.

Chris Gilbert: While a holistic system should integrate or include critical security components such as video surveillance and intrusion detection, it could additionally benefit the business operation by including features such as lighting control, energy management, occupancy monitoring, and room scheduling. The access control system can be at the core of that. Not only do these extra Proptech features add important building management features, but they also yield data that generates value for the whole organization. For example, data showing negligible staff usage in specific areas could trigger lighting, HVAC, or other modifications that save money and increase efficiencies. A holistic system also leverages the power of the cloud. It allows single-point management across multiple properties from any place there is an Internet connection.

STE: Access control platforms that work integrate technologies that expand security and safety solutions. How does this evolving approach to access control encompass emerging advanced technology?

Van Till: An access control platform should champion new technologies that solve real problems facing building owners and users. An open API and diverse ecosystem encourage innovation with third-party software developers who need access control in their own products. This strategy creates a diverse multi-vendor ecosystem, extending the platform into dozens of vertical markets. Cloud-based access control solutions with an open API ecosystem not only bridge the physical and digital worlds but offer a gateway to enable a host of capabilities. Access control becomes the gateway to the growing world of Proptech capabilities that connect emerging technology solutions like property management, co-working, HR management, and health and wellness.

Gilbert: The present and future of facilities management lie in enabling clients to tailor custom solutions to their particular needs and situation. Thus, open platforms are critical to extending today’s access control solutions to work with emerging technologies. Platforms must also be both robust and scalable to accept multiple integrations. But we shouldn’t forget about legacy hardware. While facilities managers are eager to entice and retain tenants with the newest offerings, they don’t want to scrap existing components. So the right solution accommodates both emerging advanced technology as well as legacy hardware. For integrators, it’s critical to understand each potential integration and the business value it can deliver to the client. Also, just because a system is open and robust doesn’t mean that the organization has the appetite to add integrations.

STE: The migration to cloud-based solutions has impacted how users apply access control solutions to fit their needs, employing mobile credentialing and custom APIs to better mitigate risk and increase cost efficiencies. What are key considerations users must understand to optimize their systems?

Van Till: Upgrading to a cloud-based access control system is a huge step up. The customer benefits in many ways. First, cloud-based solutions have a lower total cost of ownership. It's more efficient to run software in the cloud. You realize cost efficiencies immediately by not managing your own servers, patching, updating, etc. Second, the cloud enables you to remotely manage an entire portfolio from a single dashboard. That includes changing permissions, granting or terminating access, opening or locking specific doors, pulling data, and so on. The cloud also enables mobile capabilities. Mobility is king in the new hybrid work world where health and safety are paramount. Phone-based apps serve as card keys as well as the figurative keys to elevated tenant experiences.

Gilbert: Users should take several things into account if they want to optimize a cloud-based system. For one, they must understand the user population. What’s the culture of the organization? Is the organization’s ethos traditional, conservative, innovative, or cutting edge? Next, what are the user expectations? Culture drives expectations, of course, but so do industry/sector, location, facility type, working environment, and so on. In the end, user acceptance and ability to use technology will dictate its fate. A tech startup in Silicon Valley might reject facial recognition due to privacy concerns, for example, while staff at a high-security R&D complex might welcome it. At the bottom, an organization using a cloud-based system must understand and be able to articulate its business use case as well as the financial and cultural impact it has on the organization.

STE: Machine learning and AI analytics seem to be driving the security technology world. How can enterprise-level access control systems incorporate these advanced analytics to improve security and safety?

Van Till: Advanced data analytics with AI and Machine Learning is the future of access control. New products come on the market daily.  It goes beyond just the fusion of video and access events. Solutions like Brivo Snapshot provide time-saving capabilities that automatically detect faces from a video and display the image in context to the access event.

Once the neural network is embedded and actively learning, it can then use that to signal any deviations from the norm. AI and machine learning are poised to have a dramatic impact on not only the security industry but across many areas where we can use intelligence as a way of reducing system noise and catching things humans wouldn’t detect.

Gilbert: The sky’s the limit with machine learning and AI. We are at a primitive stage with both of these interrelated fields. A lot of what passes today as AI is extremely basic, not much more than an algorithm. As these technologies mature, applications to enhance security and safety in enterprise-level access control systems will skyrocket. We will see autonomous technologies such as robotics and drones integrate with these systems, providing a richer array of usable data and a more multilayered, nuanced, and effective approach to security. Right now, most businesses are still learning how the technologies work, how they can improve security, and how they can add to the bottom line. Credit the pandemic and remote work with expanding the organization’s imagination and appetite for new approaches.

STE: Cybersecurity is now a key consideration for any network-centric or cloud-based security system. How can solution providers build in cybersecurity safeguards into these advanced physical security solutions?

Van Till: Cybersecurity is central to any security offering and should embed in many ways. First, it should be built into the product. For instance, the product should be designed with encrypted device communication with no open inbound ports. Unlike static server-based security,  the cloud enables regular and automatic software updates. Other important components are triple redundancy and high availability to meet the basic security requirements for a modern IT system.

Compliance requirements should provide the baseline for cybersecurity, whether they are internal policies or federal statutes. Security and access control providers should attain the highest levels of certification for cyber protections, privacy protections, and other areas such as PCI compliance.

Gilbert: Building cybersecurity into a cloud-based physical security system is essential. There are many aspects to cybersecurity of cloud-based systems. Who is the cloud carrier and how rigorous is their security? System data should be encrypted. System providers should continuously scan and test for vulnerabilities and threats, have ongoing patch management, use firewalls and intrusion detection systems, require multifactor authentication for administrators, and more. Compliance with relevant standards, regulations, or laws is paramount. That could include HIPAA, FISMA, or the NIST Cybersecurity Framework, for example.