Working with IT on Access Control

Jan. 27, 2009
Manufacturers and physical security pros must adjust to the IT world

Over the years, a large corporation has invested millions of dollars in its enterprise access control system. It has worked well and offers a wide assortment of bells and whistles; however, the system has a proprietary database that does not allow information to be easily shared with other applications, its encryption precautions do not seem to pass corporate audits, and applying patches to its operating system sometimes causes unanticipated problems. Should the corporate officials abandon their legacy system investment and go with an open standards-based system favored by the IT department?

A growing young high technology company is finally ready to make a major investment in access control. The security director favors a proven top-tier system featuring client-server architecture. The chief technology officer backs a Web-based system that offers fewer security features but more fully supports IT standards, is configured as a “network appliance” and does not require another server. The CEO has to make a choice, but which one?

Like it or not, security systems have become an application that runs on the corporate data network. It is not just security — the phone system, intercom/public address, signage, building climate control, elevators and parking controls all are finding their way onto the corporate network. If it involves voice, video or data, it can be communicated effectively over the TCP/IP networks that have become the lifeblood of U.S. corporations and institutions. No longer does each separate system need its own wiring infrastructure — they all can communicate on the IT network.

This fairly recent involvement of the IT department into matters of security is creating dramatic changes that will continue to play out over the coming years. The first encounters between the security and IT functions were frequently the result of security’s desire to view video — often from remote sites — over the corporate network. Bandwidth was the issue: when video starts streaming, the network can be brought to its knees. The first words spoken to security were often “You can’t do that on our network!”

The Standards Issue
When it comes to access control systems, the issue with the IT department is not bandwidth, since the amount of data moved by an access system is miniscule compared to video. For access control, the issue is standards. While the security industry has adopted the same technology as the IT industry, (security uses the same databases, the same operating systems and the same networks) it does not use the same standards. As a result, the tools used by the IT industry to keep things running smoothly and make their jobs easier do not work very well on most legacy and many current security products.
Since the IT staff has long provided access control on the logical side of the network, it might seem like a natural extension for them to also do the same for the physical side. They would like to use their existing standards, like LDAP or Active Directory, to configure both logical and physical security. These are features many of the security industry’s enterprise-level offerings have only recently begun supporting. Many IT professionals find security’s legacy access offerings to be wanting.

At the heart of this battle is demand from IT for open architecture. IT people are used to mixing and matching components from different manufacturers and having them all work together. This does not fit well with the strategies of the major companies that have made huge investments in security. Access control systems manufacturers, along with CCTV, fire alarm and communications firms, all want to offer branded solutions that focus end-user choices exclusively on their products.

Manufacturers Step Up
Why haven’t the top-tier manufacturers updated their systems in response to these demands from IT professionals? Many of these systems were initially designed perhaps 20 or more years ago — long before most of today’s IT standards were even proposed. Bolting on today’s standards in ways that enable the existing investments to stay in place is often unwieldy and oftentimes impossible. Sometimes, the code for these legacy systems has been patched and extended to the point of no return. Notably, a few top-tier access control products of more recent vintage are better able to support IT standards and have benefited with increased market share.

Concurrently, each top-tier manufacturer has developed, or is in the process of developing, a new product that meets many of the IT industry demands for standards. The problem is, this effort is taking a long time. The history of new product development in the security industry seems to predict at least 18 months to get the product out the door and at least another year to get feature sets working robustly. Usually, the new product initially supports only a subset of existing panels with legacy support coming much further down the road, if at all.

Complicating the matter, many of the major players in the access control market have acquired multiple legacy access lines and are attempting to develop one product that will support each of these investments. Ironically, IT staffs often perceive physical access control applications to be trivial database applications — something that could be developed with a few months of focused effort.
IT professionals generally understand their industry’s standards in addition to industry trends. They often lean toward products that embrace IT industry trends — some of which are disruptive to the traditional security marketplace. One example is the trend toward moving intelligence to the edge of the network. For access control, that means pushing some of the intelligence that we traditionally put in access panels into the card readers located at the door. This allows the possibility of system that can more easily scale from a few doors to tens, hundreds and thousands of doors without reconfiguration. This trend could disrupt the growth prospects of traditional access panel sales and might not be eagerly embraced by their manufacturers.

Instead, we see the card reader companies carefully introducing these intelligent card readers into the marketplace. These new products may not offer the full range of features supported by current access panels, but edge readers fit into the way IT looks at the world in terms of IP network infrastructure. More full-featured products are likely to soon emerge.

The IP Trend
A second trend is the move away from the client-server architecture and toward embedded, Web-based network appliances. For many applications, this eliminates the need for a separate security server and looks to the IT professional like one of his intelligent network routers. Manufacturers employing this approach have been taking market share from the traditional client-server manufacturers for at least the past year.

Yet another disruptive trend in our industry is lock manufacturers building card readers directly into their locksets. The next step is building IP-based locks that are combination card reader/control panels that can work over a wireless network. The rule of thumb in the security industry is that the installed cost of adding card access to a door runs between $2,500 and $3000. IP-based locksets offer the prospect of cutting that cost in half and creating entire new markets for access control. While early in their evolution and not appropriate for all applications, this example of pushing intelligence to the edge of the network will likely be a game-changer for the security industry.

One of the truisms in technology is that trends and transitions do not happen as fast as we initially think they will, and yet when they do happen, our initial perception of their impact is often widely underestimated. When the trend finally reaches its tipping point, the effects are often more profound than we had imagined.

The Death of Legacy Systems?
While the days of the large legacy access control systems may be numbered, they are not going away anytime soon. Despite the pressure from the IT staff, most corporate executives are loath to change out a six- or seven-figure investment while it is still functioning at full capacity. Manufacturers will find compelling ways to extend the useful lives of these investments. The newer IT-based access control solutions will find traction most often in new “greenfield” projects and the transition from the legacy systems will largely come through attrition.

So what we are seeing is IT people pushing decisions on access control that are based on how well the solutions fit into their standards and trends. And sometimes the security side of the operation may suffer for that. But things will evolve. The features will become more robust on the new emerging architectures; however, we are not there yet. So, a security director may need to be vocal and willing to fight for those critical features and functions.

But the change has begun. At a recent conference, I was talking with a security consultant who told me about a long-term client of his that requested he design a security package and specifications for a new data center. Two integrators were invited to bid — a security system integrator and an IT integrator. Both had established relationships with the client. Even though his price was higher, the IT integrator won the job because the decision makers were more comfortable with his knowledge of their networks, standards, policies and procedures. This is a cautionary tale for security integrators.

The bottom line for security directors, CSOs and system integrators is this — you have to get up to speed on the IT side of the business. If you are competent, the IT folks will be willing to work with you or at least listen. If you know their language and their standards and you propose things that make sense from their point of view, then you will be a friend. You may know the best place to position cameras, but if you do not know the IT jargon, in their eyes you do not know what you are talking about.

If all you know is legacy equipment and you cannot understand the IT objections to it, you are going to be left outside the door. Yet the IT staff probably knows very little about security in general, much less the many specific needs (like life safety codes) of an access control system.

So stay involved and remain relevant in the new world order. Learn how to apply your wealth of security knowledge using the emerging IT centric trends and standards.

Jim Coleman has more than 30 years of experience in the security industry. He is the president of Operational Security Systems, which is headquartered in Atlanta and also operates offices in Florida. Coleman is also a past president of SecurityNet, a 24-member international group dedicated to providing a single source of electronic security for institutional and corporate installations.