Access control in 2017

Access & Identity Management Handbook 2017 Editor's Choice, Access Control & Identity Management

The access control market is growing, and not only in the cool stuff like biometrics and mobile credentials, but also in the traditional cards and fobs business. Yet, while many companies still use cards and fobs, access control technology has evolved and offers more options than ever for controlling access to various places, systems and devices.

In one way, this makes the industry more complex for those who have to make sense of all the noise and ensure their access solutions do what is required in their companies. Yet it also opens the door to more integrated systems that allow one to more effectively manage access and other security or building management functions from a central point.

Hi-Tech Security Solutions asked some leaders in the field to make sense of the access control market in a world that is bigger and smaller than ever, more complex and simpler than ever, with a wider variety of choices and price points than ever.

In the world of access control systems, people and companies install solutions for the long haul. They do not want to have to replace or upgrade everything every three or even five years. So what do people look for when considering their electronic access control options today? Are we still focused on letting people in or out of the door, or are people looking at more integrated use of access technology to control, for example, access to cabinets and safe areas? What about integrated physical and logical access to PCs, printers or cloud services controlled from the IT directory? Do companies consider these options at all?

Walter Rautenbach.

Walter Rautenbach, MD of neaMetrics, local Suprema distributor, explains that, in an ideal world, we would have a one-to-one relationship between a person and identity data: one enrolment used everywhere, from building access and time and attendance to logical access, devices and cloud services.

“This is nothing new with Single Sign-On (SSO) talked about and implemented for many years to address the problem of managing multiple passwords and where using the same one everywhere is a significant risk. With this, flowing into biometric identities, clients want the convenience of utilising their single identity across all aspects of life.”

Unfortunately, one of the significant identity flaws in today’s age is that most of us have many biometric identity profiles, with most of them managed on separate platforms, he continues. “The biometrics I use to access my phone, work access control, workstation or even employment vetting, are in most cases all different and introduce a problem that different biometric identities are presented by one person.

“In a society aiming for non-repudiation, the search to eliminate these isolated identities is a hot topic which more vendors and solution providers are trying to address. It is easy to see the value, why would I not want to use the same biometric data used for HR vetting for the company’s access control and logical access to data. At the present moment, the number of solutions offering linking access control and logical data alone is widespread, but the uptake is limited. However, we will see substantial growth in this area, even over just the next year.”

One reason he gives for development in this arena not being as fast as we would think or like is that it might be easier to do this in a closed system. However, when implementing solutions across vendors or providers, a matter of trust arises, with everyone wanting to be the controller of the identity or not trusting identities created in competitors’ systems. In addition, implementing multiple levels of access and attaching user authority to a centrally managed identity introduces a level of trusted integration that needs careful consideration.

This may also be changing soon since, while trust remains an issue, several providers are now offering centralised Identity Vaults or Trusted Identities, which are becoming more popular. “I suppose in our particular environment, with PoPI being a hot topic, it is easier for companies to outsource this responsibility to external providers,” says Rautenbach.

Users want more

Stephanie Hensler, director business development, access control, Axis Communications, agrees that the lifespan of an access control system can be very long, sometimes up to 20 years. “There are many things people are looking for in their access control system, most have their priorities depending on their type of business and needs. With end users becoming more self-educated in this industry, they know what is available and no longer depend on their system integrators to tell them what they want.”

With this in mind, she highlights some of the access issues the industry is facing:

• End users are demanding more integration to be able to have the option to select best-of-breed solutions.

• Wireless locks are one of the hottest trends in the access control industry today and are everywhere. With wireless locks and devices such as cabinet locks, access control systems can be expanded beyond exterior doors.

• Another trend sees the industry moving away from proprietary hardware for better flexibility. One of many reasons for this is end-user demand: they don’t want to be locked in to a system without the ability to select the best devices offering expandability and various options in the future.

• Integrated physical and logical access has been around for years, however, this technology has not been widely adopted, mostly due to the different departments managing these two types of access.

• Cloud services have also been around for years and are definitely taking off. More companies are now developing cloud services as companies want convenience and feel that this service is now secure enough.

Philip Verner, regional sales director, EMEA, CEM Systems, also sees access today moving beyond the door, integrating to other systems and even, in some instances, reaching to the level of logical access. He says the use of electronic locks is growing rapidly, allowing for more security monitoring of access to doors as well as other areas such as data centre cabinets and so on. The level of monitoring is also growing, providing more security and information on what happens on a daily basis.

Philip Verner.

CEM sees access as an intelligent system that can do more than open doors. As such, the company is always on the lookout for ways to add value to its access control solutions in a way that supports the facility they are installed in, even to the point of supporting revenue growth for the client. The emerald multi-functional terminal is an example of this. It provides online and offline access control services, but also has intercom facilities and integration to a command and control centre built in. It also offers other functionality, such as time and attendance, room booking and so on.

Verner adds that access is part of a much larger solution and we see companies integrating it and monitoring access along with surveillance, intrusion detection, perimeter and so forth. We can see evidence of this in the number of video management systems (VMS) that now include the ability to monitor and manage access control as standard.

Rautenbach echoes the sentiments about integration. He adds that clients and security consultants are increasingly looking for a total security solution that interlinks all elements of security and that can address the full security life cycle. “To achieve this, more intrinsic matters are highlighted, addressing questions such as: What threats are introduced with access control platforms running on the same IP network as my corporate network, and can that expose my company data through IP at the door? What encryption is used to protect data? With biometric data now storing thousands of identities at the door, how safe is it and can someone just steal it? What interoperability standards are utilised?”

In response to questions like this, the industry has taken steps to re-examine the value of RS-485 using Open Supervised Device Protocol (OSDP) V2.X, moving identity data to controllers or secure masters not openly exposed, or removing biometrics totally from the network and back to cards, mobiles, tablets, wearables, etc. We are also seeing the implementation of secure credentials, such as the latest HID iCLASS Seos. These issues, including biometric spoof prevention, have become some of the ‘hot topics’ when it comes to vendor selection.

The question of standards

When referring to standards, the access control industry is not renowned for its love of open standards. However, now that IP access control is growing (see a separate article in this issue), standards are becoming more important.

Open standards have historically been sparingly used by the access control industry, admits Hensler. “However, as the access control industry becomes more ‘IT-centric’ and devices must plug into an existing network, open standards will become a requirement for communication and security. Future interoperability requirements will result in much greater adoption, but which open standard is to be adopted is still yet to be determined.”

The industry needs to become more open, according to Verner, as it is more important than ever to be able to work with other systems without problems of middleware or custom development. He notes, however, that more open should not mean less secure. This is why standards like OSDP were developed as a secure solution to ‘Wiegand sniffing’. In addition, he says there is a definite move towards more secure cards that are also more versatile in what they can do.

“I cannot say that all access systems are moving away from proprietary solutions as many vendor-specific platforms exist,” counters Rautenbach. “Many access or integrated security software vendors are, however, not hardware vendor specific, and it is here where not being locked into specific access control end-point, be it a biometric, card reader or camera, is critical.

“The importance of interoperability is, therefore, imperative, and we see OSDP playing the same role in access control as ONVIF in the video arena (and ONVIF also has access control profiles). These types of interoperability protect clients from vendor lock-in and allow for direct inter-vendor performance measurement. The implementation of these standards also adds more than just interoperability, as with OSDP 2.x, for example, also bringing encryption of data to the table. Compliance with these standards is becoming the de facto yardstick, with non-complying vendors being frowned upon.”

Another important element with interoperability, when it comes to biometrics, is compliance with ISO and ANSI, Rautenbach advises. These standards ensure that the biometric data itself does not lock down users. All recognised vendors comply with ISO/ANSI, but a word of caution is in order because although all recognised vendors comply, it is the system integrator’s responsibility to consult with the clients to ensure implementation of these specific configurations from the start, as these configurations are not default.

“It is also important to note that compliance with ISO/ANSI is not difficult, but the challenge is for vendors to offer the same kind of performance using ISO/ANSI versus proprietary. It is for this reason that NIST introduced, for example, Minutiae Interoperability Exchange (MINEX), allowing for performance measurements across fingerprint vendors. Failing to meet good benchmarks in MINEX will mean that vendors might comply with the standard, but cannot perform as well in interoperability mode, forcing clients back to proprietary mode.”

Spoofing and biometrics

When it comes to dealing with biometric technology, we have seen dramatic advances in the use of and the capabilities of various biometric identification and authentication technologies. Yet, some people still have a sceptical view of biometrics of all types. One of the arguments against biometrics is not that it doesn’t work as an authentication mechanism, but that it can be tricked or fooled by determined criminals. This, they say, is a problem because, unlike a password that can be changed or a smartcard that can be blocked, you can’t change your face or fingerprints.

AC2000 Security Hub in use.

Hensler says there are many reasons why biometric technology is not more widely accepted. Initially, the technology wasn’t as secure as it is today. Another reason for the lack of uptake is the cost: it is cheaper and easier to stick with what one currently has, which is typically cards.

“When end users are looking at implementing biometrics, they need to look at all options,” she says. “Issues to consider would be their current system and staff and which type of biometric is best for what they are trying to secure. Another important thing to consider is the company, as this industry is still a bit volatile, be sure to select a stable company with a stable technology.”

Verner agrees that some people still have a bad opinion of biometrics, but the number of naysayers decreased significantly after the first iPhone with biometric authentication was launched. It has since become more accepted and people use it daily without a problem.

There is always a trade-off between cost and reliability, however, and users need to manage this carefully. If you get cheaper products, you can expect a higher rejection rate. If you intend to install your biometric access control system in an area with high levels of traffic, these rejection rates will cause frustration and can result in long queues or irate employees. Additionally, a higher percentage of people will find their biometrics can’t be recognised, again causing more hassles.

Multi-modal biometrics is perhaps an answer to this problem and Verner sees this market growing. Multi-modal biometrics combines two types of biometric scans in the same reader, such as fingerprint and finger vein checking. This adds a layer of security for access to high sensitivity areas, as well as offers a solution if a fingerprint, for example, fails to register.

Rautenbach’s view of the negative perceptions of biometrics differs somewhat, probably due to his company being intimately involved in the biometrics world from both a sales and custom development perspective.

“I see the excuses of ‘it’s not working’ and ‘intrusion of privacy’ being the principal reasons used towards the resistance of implementing biometrics. I think we must look where these opinions come from because they frequently originate more from the persons being forced to use biometrics than from the actual beneficiaries, such as employers and government. Hence why the acceptance of biometrics has drastically increased over the last few years, making the progression to mobile phones and tablets.

“Personally, I have never heard of someone who has purchased a new iPhone and said they are not going to use the biometrics because it does not work or infringes on their privacy, even though the first implementations of this did not perform half as well as its current release. The iPhone [and other smartphone] biometrics experience saw an immediate tilt in the acceptance of biometrics.

“This acceptance, unfortunately, does not translate to general acceptance where people being controlled will do the most to not make it work, avoiding looking into the camera, half-heartedly touch fingerprint readers and even use the wrong finger just to get the red light flashing as a reason to complain. Normally those with reasons to resist have good reasons, or sometimes good people feeling insulted by needing to be controlled. With this said, biometric technology did not always work as well as it does now, and this historical fact could be used by some as an excuse for resistance from employees and unions.”

He is also careful to note that not all technology is equal and some just does not work. Rautenbach’s advice for selecting a vendor is to look at their track record. See if they comply with ISO/ANSI standards, participate in performance measurements provided by institutions such as NIST, comply with standards such as OSDP, ONVIF and various encryption technologies, and if they continuously work on increasing the performance and reliability of their products.

It’s also worth remembering that any technology is breakable and any technology can be applied incorrectly. Finding a qualified and certified system integrator that knows what they are doing is critical. These days the SI’s job goes further than just installing devices, configuring Wiegand and powering maglocks; they need knowledge about TCP/IP and corporate infrastructure, and need to advise clients and act as security consultants.

Therefore, while biometric technology does ‘work’, the responsibility is on the buyer to make sure they select the right technology and partners to get the results they require. In pursuit of getting the results they require, there is also a trend in access, as there is in almost every other industry these days, for data analytics.

Intelligence from access data

There are two schools of thought to the issue of gathering and using data analytics in the access control world. On the one hand Rautenbach says this is not a mainstream focus yet, as employers want to see how long their employees spend in smoking areas and on lunch. In these instances the employers are trying to address productivity, payroll and overtime issues and may not want more from their access data than that.

From a Suprema perspective, however, he notes that access data is available for analytical processing for specialised implementations. This data is, however, being used more as sensor input into video management platforms, where it can be used to enable user bookmarks on video streams, proactively trigger video recording and allow for forensic user-based investigation of video data.

Verner says data analytics is becoming more important, but agrees it is still primarily in the video surveillance space where companies want to find behavioural trends and data to prevent issues from arising instead of only reacting after an event.

Takeaways

There are so many issues one needs to focus on when considering access control, some already mentioned in this article, but many can be found in other articles in this publication, and even more are still to be mentioned. However, we put our three interviewees on the spot and asked them what they considered the two most important things decision makers should consider when looking at upgrading or installing new access solutions.

Choosing only two important issues is not a simple task, but Rautenbach advises buyers look for a reliable vendor that actively participates with open standards and interoperability platforms such as OSDP, ISO/ANSI and MINEX.

“Secondly, consider a partner that, on an ongoing basis, improves hardware and algorithm performance by continuously investing in technology and growing device offerings that keep and set the pace of development in the access control arena. With cyber security threats growing at a rapid pace, end-to-end security and technology needs to keep growing and developing at an even faster pace. It is essential to find reliable and trusted vendors, system integrators and consultants that can keep up with the pace and which offer secure end-to-end solutions.”

Hensler simply suggests selecting a solution that will grow with emerging technologies and the user’s business, as well as selecting partners, including system integrators and manufacturers that have standing in the security industry and are forward thinking.

Verner warns that upgrading and installing are two very different scenarios. When you upgrade, you need to consider the existing equipment and make sure the new kit works well with it, while advancing or improving the whole installation.

“Access control installations are actually quite complex, which is why you find these systems installed for long periods. When you change something, you need to consider the entire system, down to the individual readers, you can’t simply add something in.”

There are also different needs in different companies. A small office may focus more on access control for time and attendance functionality and may not be too concerned about security. A large installation, such as an oil or gas plant would be more focused on the security aspect.

“What they all have in common, however, is they want value for their money and quality products that will serve them for a long time. Security systems in general are a grudge purchase, but if the user gets added value that supports their operations as well as their security needs, the value of the system is easier to understand and support.”

For more information:

Axis Communications: www.axis.com

CEM Systems: www.cemsys.com

neaMetrics/Suprema: www.neametrics.com / www.suprema.co.za


