Standards Rise as Access Matures
Proximity technology is giving way to contactless smart cards; access control software is modular to let end users integrate access control, digital video, visitor management, fire and security, and other systems into a single platform; systems run on the company network; and the security director can dial-in to the system from anywhere in the world to see what activities are occurring. Technology allows all of this to take place cost-effectively and with relative ease.
We continue to hear about the convergence of physical and logical security. This convergence phenomenon initially began at the card level. Simply put, end users wanted one card to function as a photo ID badge, control access to both a building and a PC, provide funds for lunch or the vending machine and automate the time and attendance. Although this seems to be an easy task, this aspect of the convergence process is still a work in progress.
Yet, while we work to have one card for multiple applications, we begin to hear about the use of intelligent tokens, which promise to replace smart cards via the use of personal devices. Estimates are that this phase of technology use is three years away. Has the smart card taken so long to get here that its life span may be a fraction of that of the proximity card?
To support the one card functionality, it became apparent that work remained to be done on the data side.
According to Rob Zivney, vice president of marketing for Hirsch Electronics of Santa Ana, Calif., "Everything is going IP -centric." Zivney adds that "PC technology is now residing in the top tier controllers, not just at the client-server level. It is becoming increasingly necessary for system integrators and dealers to have IT department skills to put together an access control system. Digital video is going the same way, which means the concept of a separate access control and digital video system may soon be a thing of the past."
IT will continue to take a more active role in the security environment. As a result, Mark Cherry, global product development manager for Honeywell Building Control Solutions of Minneapolis, indicates that "IT wants to be the recipient of messages they identify as critical to them. IT seeks technologies that eliminate the need to integrate to the access control system at the host level. For example, if there is an access denied at the computer room door, IT may want the message directly from the controller / reader using Simple Network Message Protocol (SNMP) or via XML messaging structures being defined to extend LDAP like SPML and DSML. IT knows that the host systems may sometimes be under repair or inoperable; they do not want this to limit the messaging from the controller getting to them."
Tony Hanseder, vice president of product marketing at HID (San Jose, Calif.) sums it up, saying "The current technology trends in access control are open systems, those not based on proprietary formats but rather on IT-friendly solutions that are network-compatible (TCP/IP) and hence are plug-and-play. This is directly driven by the advent of the convergence of IT and security. As convergence continues, IT departments will increasingly require that physical devices be IT-friendly and that access control readers and panels to be network-accessible."
As the access control industry continues to mature, there is increased pressure for standards. This pressure comes from the Department of Homeland Security, a facility manager’s needs for interoperability between systems, the global nature of the market and needs that are specific to individual organizations.
In particular, government mandates regarding standards are coming down often and faster. The mandate for biometrics as a method of verification of identity, and the requirement for cross platform, cross agency interoperability are clearly delineated in the U.S. Patriot Act, the Transportation Security Act and other laws. It is only a matter of time before these government requirements force products to meet certain standards before they can be purchased with government funds. The days of each manufacturer setting proprietary standards appear to be coming to an end.
To respond to the pressure for standards development, SIA recently held a kick-off meeting to begin working on standards associated with access control systems. In order to make the standards well accepted and understood by the IT community (encouraging easier acceptance of physical electronic security products into the IT space), this work is focused on creating a UML data model and use cases, a procedure well established and understood in the IT arena.
Another issue on the horizon involves standards for national identity credentials and the secure transporting of security information between systems. The latter is addressed by the Common Criteria, ISO International Standard 15408, and made applicable to U.S. products via the National Information Assurance Partnership. (More info at: www.niap.nist.gov/)
There are many industry groups being formed that address one or more aspects of the new regulations. This includes groups such as the Document Security Alliance and the Open Security Exchange (OSE).
The need for standards will, of course, force manufacturers to redesign and re-architect their offerings. Although good in the long term, these changes will produce challenges for both the supplier and the consumer.
End user roleTraditionally, the security industry has thought of the end user as being the physical security director. Today, as access control systems reside on the company network and the access control card is used for more than just physical access, the industry must take a fresh look at who the end user is.
In many organizations, security decisions are now based on input from many individuals, including those from disciplines such as physical security, information technology, facilities and human resources. It is the responsibility of the industry to learn how to work within the end user’s organization to understand the big picture and how a solution might cut across department lines and/or improve more than one aspect of the organization’s operation.
In the past, manufacturers would create solutions or develop technologies that they thought end users wanted. When deployed, companies would discover that the solution only solved one piece of the puzzle. If the industry had only solicited their input before developing a solution, end users likely could have, and still can, provide the industry with valuable data on the problems they are experiencing. By clearly articulating problems and the implications if not resolved, the industry can then explore what technological resolution can be used to accomplish the task. This goes against the old way of doing things – create a solution or technology that the industry thinks the end user wants or fulfills a perceived need in the marketplace.
As a way of getting this input, many organizations are now welcoming the end user into their activities. SIA, for example, sponsors an annual Corporate Security Roundtable. The OSE has recently announced the formation of a convergence council comprised of end users from both the physical security and IT disciplines.
These activities also more closely connect manufacturers with end users, thus driving the development of solutions to meet end user requirements. As long as these organizations offer a value and benefit to the end user for their participation, they will become involved.
Some might say that the greatest industry obstacle is the inability to think outside of the box. The industry needs to shift away from its traditional way of thinking and begin to explore how changes in the end users’ organizational structure and the advances in the technology landscape will drive it forward.
As access control systems become more plug-and-play with application capabilities that extend beyond traditional access control, it is foreseeable that these systems will be purchased by end users through distribution channels that today may not be selling security solutions. These open systems will facilitate a new level of interoperability, giving rise to more and tighter integrations between physical security, information technology, building management and human resources/administrative systems.
This, in and of itself, creates a whole new set of issues. System integrators will be forced to become more IT-centric as a means of supporting Web-based solutions and IT-friendly access control products that will also be sold through IT-centric channels. IP-based video, software drivers, Web-based access control software and network readers will all play a larger role.
And from the end user perspective, what are the costs for moving ahead? Security purchases are often seen as a cost of doing business; thus customers tend to minimize their investments. Cherry says that "customers are not going to willingly give up their legacy systems without significant reason or the need to meet new business objectives. Factually demonstrated savings may also be required." He goes on to predict that "newer technologies will not be as backward compatible as systems have been in the past, creating additional obstacles."
Organizations such as SIA have taken the first steps to lead the charge forward by establishing working relationships with other organizations that provide complimentary skill sets.