Redefining ACCESS CONTROL

Mar 1, 2008 12:00 PM, By Larry Anderson

Our exclusive survey ponders the changing role of access control as the security industry converges and transforms.

Here are some ways that access control is changing in today's security systems:

• It is becoming higher-profile.

• It is able to offer more useful information.

• It is becoming more closely aligned with a company's core business.

• It is becoming more affordable for companies of all sizes.

• It is, and will continue to be, core to a broader security system.

Evolving from a history of door locks and gates, the term “access control” in recent years has come to include technology innovations such as keypads, biometrics, smart cards and computer systems based on Internet protocol (IP). However, the basic idea of controlling access has been a constant, even as the many ways it can be achieved have multiplied, and even as it has become dependent on — and integral to — the broadest view of security's role in an enterprise.

“Access control's role hasn't really changed,” says Bill Stern, IT manager, ESSI. “Its main function is to control entry. The way it accomplishes this task has changed. Electronic security's convergence with information technology (IT) has made a change in the way access control works. IP and wireless access control have made the installation much easier and flexible. [Improvements will make] access control even more effective and easier to use.”

To understand exactly how the role of access control is changing, Access Control & Security Systems surveyed users, integrators and suppliers to gather opinions and commentary. This article summarizes the results of that survey and, in the process, looks ahead to what role access control will continue to play in security systems, now and in the future.

How important is access control?

One way that access control is important is that it largely provides the “face” of a security system. Anthony L. Clark, supervisor, system security, RiverLINE Light Rail Transit Systems, comments: “It is the first thing that the employee sees of the security effort. It sends the message that this company is attempting to provide a safe working environment.”

Even beyond appearances, respondents see access control's role as critical.

“Access control is the most critical step of securing a facility,” says Dave Williams, director of national accounts, Brivo Systems LLC. “Keeping unwanted people out of the building and being able to limit who has the ability to go where and when in a business is key to any organization's level of success and accountability.” Here is another opinion from Brivo: “From managing access to business by their customers to providing valuable audit trails and marketing information, access control systems can provide real security while providing a means to reduce cost and even generate new streams of revenue,” says Reuben Orr, Brivo director of business development.

By providing “safety and security for all,” access control can “result in a better mindset to the rest of the company, which in turn increases productivity,” says Cliff Barber, security manager, Sea-Launch LLC.

“It is the gatekeeper and identifies who may enter or not,” adds Stern of ESSI. “More importantly, in most systems, it keeps a record of who, when and where an entrance through the system was made.”

It “allows control and surveillance of persons depending on sensitive areas and authority levels. It safeguards information and helps comply with Sarbanes-Oxley,” says Keith Ladd, CEO, The Protection Bureau.

“It is becoming the foundation for a security solution that incorporates video as well as audit logs for secured areas such as server rooms, patient records, drug storage, etc.,” says Scott Lord, vice president, All Systems.

“[There is a] change from ‘who’ is allowed access to: should they be allowed access?” says Steve Day, director, Misedio.com. “In other words, the metrics or business rules for allowing access will become more integrated with business intelligence systems.”

Other comments about the importance/benefits of access control include:

• “It is proactive.”

• “It is still the clearinghouse for all system-wide security events.”

• “It manages the database of system users, system devices and system annunciation.”

• “It is the heartbeat of a total security management system.”

• “It provides data retention and mustering capabilities.”

Some respondents see the role of access control from a broad perspective. “Access control authorizes authenticated credentials to access resources,” says Will Harmon, principal security engineer, PlaSec Inc. “This information is important to many organizational business functions such as building evacuation, HVAC systems, physical access to restricted spaces and remote network access.”

The future of access control systems will likely depend on their ability to adapt to changing technology needs. “To support business outcomes, access control must form part of the new business intelligence systems that are gaining prominence,” says Day of Misedio.com. “Systems that remain separate from these are dead in the water as they won't be part of the reporting systems that will become the main source of strategic information for business.”

One end-user respondent shared a specific example of the importance of access control. “In our situation, we are moderately regulated for hazardous chemicals, pathogen safety, transportation (import/export) and safety control of products,” says Jim Schuyler, security systems specialist, Gambro BCT Inc. “Further, as one of the Best 10 companies in Colorado to work for, the feeling of a secure environment that cares about the safety and welfare of its employees was a critical element in securing that designation. Access control play[s] a large part of the employee comfort level on the campus.”

A supplier respondent sees access control as the second most important part of a physical security system, next to video. However, “to get the most out of your security system, access control and video go hand in hand,” says Brian Pinnock, sales engineer, GE Security.

All in all, the “importance [of access control] is increasing day by day with increasing security threats and the evolving complexity of security requirements,” says Mitja Kolbe, time and space international business development manager, Spica International.

But in the end, access control is “only as important as the company makes it,” says Bob Wethington, management of access control and electronic security, Washington University, St. Louis. “If you don't have total buy-in from the top down, both financially and organizationally, what have you accomplished?”

Access control as a central point of integration

Today's security systems are more integrated than ever. Historically, for better or worse, the access control system has come to be the central point for that integration. Respondents to our survey generally expect that trend to continue, although some point to forces at work that could change that outlook.

“[Access control] is central in that it relates all facility databases,” Wethington comments. “It has the capability to be earmarked for all relative and general information with regard to buildings, facilities and/or institutions. No other system is tied to all quantitative systems within an organization.”

Another respondent — John P. Davies, managing director, TDSi — refers to access control as a “natural convergence point.”

All Systems' Lord says that access control is “about 70 percent effective in being the central platform in which to converge various security technologies.”

For example, “many digital video suppliers depend on the physical access control system to integrate their products,” says a technology specialist for a large supplier company. “This trend is going to continue.”

Others suggest the future role of access control is less clear: “Today, access control is still the primary platform for integrated systems,” says John Hunepohl, director, ISS group, ASSA ABLOY. “In the future, the access control components will become part of the network, be more interchangeable and be managed by a more robust business management process.” In other words, it's all about the network.

But in the end, the role of access control — or another technology — as the central point of integration will depend on the needs of the customer. “Some will centralize around their video, others around their burglar intrusion system. This also depends on how well the client understands the importance of access control,” says David Monk, president, Maglocks.com.

In addition to the expectation that computer servers and networks will push access control aside as a central point of integration, others see building management systems, identity management systems, so-called “middleware” or even video systems as being central to integration in the future. One respondent points to the emerging importance of Web services systems that communicate using so-called Extensible Markup Language (xml): “Current systems are largely missing the glue that xml can provide,” Day of Misedio.com says.

What do we need to learn?

There is still plenty to learn about access control systems, survey respondents contend, including how to use the systems effectively. Becky Shelton, site supervisor, Wackenhut/ZINK, comments: “Most companies only use a small portion of the services their systems offer because they don't know how to use the whole thing.”

There is also a lesson to be learned about the relationship of physical and logical access control: “Access control should not be thought of only in terms of physical access control,” says Harmon of PlaSec. “The gap between physical and logical in the organization is rapidly disappearing. The common organization is largely supported by enterprise class IT systems, and most likely sooner than later, many physical functions like access control will be assimilated into IT-based systems, one way or another.”

Jeff Duchac of LVC agrees about the IT influence: “What our industry should learn about access control is the future of networking and integration into other markets. This should be communicated by value-added resellers (VARs) and local representation of manufacturers.”

However, acknowledging the influence of IT doesn't diminish the role and function of the security department: “The four D's of security - deter, detect, delay and detain - still apply,” says Hunepohl of ASSA ABLOY. “This needs to be communicated in understandable terms to the new players making business decisions.”

Another lesson that has been long in the learning is the role of standards. “Access control needs to continue to move to an open standard platform using the IP networks as the backbone,” Lord says. “The decision-makers for security today, predominantly, come from the information technology world, where proprietary equipment and software are not the norm. They are used to open architecture for software.”

“Access control is not about cards, biometrics, smart cards, readers, etc.,” says Day of Misedio.com. “Access control is about data that is used to determine whether someone should gain entry and the transportability of information collected by the access control system.”

“It isn't just a box that opens doors,” adds Rick Fournier, COO, Galaxy Control Systems. “It can be extremely flexible and used as the central database and control center for a number of additional security and administrative functions.”

Making sure the system matches the application is another important issue. “I believe the access control industry needs to learn that their products must meet the actual needs of the end-users rather than the perceived needs,” says Gordon B. Longton, security consultant, James L. Johnson Associates Inc. “In too many instances, the providers feel they have ‘the’ system and are unwilling or reluctant to listen to their customers.”

One should also remember that security extends beyond the technology system: “Policy is part of the system and needs to be stressed more often,” says Chuck Hutcheson, systems manager, DeKalb Board of Education.

Affordability of the systems is another issue, although some respondents suggest the systems are becoming less expensive. But Monk of Maglocks.com disagrees: “The biggest shock to our clients is the cost of quality products. There are many — I would say 50 percent or so — that think that access control can be done for cheap or little investment. The price is the price is the price. Cutting corners on access control equipment is not good in the long run.”

He adds: “[Something suppliers] need to learn is to make the systems affordable. They would sell more systems and likely make more money in the long run.”

And remember “that all systems are not created equal,” Williams of Brivo reminds us.

ABOUT THE SURVEY

Our survey was designed to be non-scientific and informal, geared toward encouraging respondents to provide us commentary for this article. The survey reached out to our readers using our Web site, securitysolutions.com, and our e-mail newsletter, Security Beat. Readers were directed to a link to the survey added to the Web site on Sept. 21, 2007. We reached out to supplier companies by distributing hard copies of our survey at the ASIS show last fall, and with an e-mail message to our list of supplier companies on Jan. 8, 2008, with an invitation to participate. We also distributed a link to our survey to members of two dealer/integrator organizations — SecurityNet and PSA Security Network.

How Important?

We asked respondents to rate (on a 1 to 5 scale) the importance of access control related to topics such as “overall security,” “security's higher profile,” “converged systems,” “digital video” and “regulatory compliance.” The chart shows the results.

Interestingly, there appears to be a disconnect between how suppliers answer the questions and how users answer, especially regarding the role of access control as it relates to regulatory compliance and security's higher profile.

More end-users rate the importance of access control to “regulatory compliance” as “extremely important” (62.5 percent), versus fewer for suppliers (34.6 percent).

Conversely, more supplier companies rate access control's role related to “security's higher profile” as “extremely important” (69.2 percent) versus only 45.8 percent of users.

Also, more suppliers (65.4 percent) rate as “extremely important” the role of access control related to “converged systems;” only 41.7 percent of users answer “extremely important.”

Suppliers may want to consider the results carefully related to what benefits of their products they choose to emphasize to end-users.

The chart summarizes ratings of access control's contributions to “promote overall security” and to “promote the overall business goals of a company or institution.” The most common response among all three groups is a rating of 4 on a 5-point scale, with 5 being “extremely well.”

In Their Own Words

Our survey included end-user companies, integrator companies and supplier companies. Here is a sampling of verbatim comments from each group.

USERS

“To some degree [access control] replaces manpower, but of far more importance, it enhances the availability of human intervention and supports investigations.”

“[It's] faster, more reliable and [offers] user-friendly systems.”

“No longer are there people who want to use a physical lock and/or barrier. They want to be amazed and satisfied with technology.”

“[Access control] has more capability than it has in the past. I would assume that enhancement features will continue to improve.”

INTEGRATORS

“Regulatory is a huge initial driving force, but once adopted, it seems to take on a life of its own as the value to the organization is realized above and beyond compliance.”

“Access control will change when biometrics becomes more user-friendly and affordable.”

“If this country is attacked again by terrorists, you will see everyone locking their buildings to access.”

“We are installing more enterprise-level systems.”

SUPPLIERS

“Access control has become much more of a commodity solution for standard door access, yet technology has vastly improved with the addition of biometrics much enhancing solutions for sites with a higher security requirement.”

“Access control has grown from keypad to proximity and smart cards, thus improving security levels.”

“Access control used to be solely about which person at which door at what time. Now it is a trigger for many other procedures in the system.”

“Basically there are two branches: ‘Cheap’ physical security which is more focused on electronic access control commodity than real security, and ‘advanced physical security’ featuring smart cards and multi-application; convergence of physical and logical; digital video surveillance interoperability.”

“I have noticed a trend for smaller organizations to be more concerned with control of more areas of their facilities.”

“[Access control] will be at the heart of every company's compliance requirements and will embrace every aspect of an employee's workplace experience.”

Want to use this article? Click here for options!
© 2008 Penton Media Inc.

This month in Access Control

• Opening Up About Door Closers
• An Enterprise Approach
• The Framework For Open Systems
• On A Higher Plane
• More from April's issue