301.519.9237 exdirector@nesaus.org
Photo courtesy of SAGE Integration

11.17.23 – SSI

Customers have two main priorities regarding access control today: increased cybersecurity and ease of managing access permissions.

With technology advances and emerging security threats, it might be surprising to know that most organizations are using access control systems with a key card and panel. The problem is that such methods contain 40-year-old technology and are not as secure. 

 “This technology, known as Wiegand, named after its inventor John R. Wiegand, is an unsupervised communication protocol and has several security vulnerabilities including being easily cloned with DIY, as well as commercially available handheld and kiosk-type cloners,” says Troy Riedel, director of sales at Springfield, Missouri-based Digital Monitoring Products (DMP). 

 Criminals can easily copy a key card and gain unauthorized access, which can lead to physical harm to property and people or information theft. 

 “Over the last five years, access control technology has shown an accelerated digital transformation, leading physical door locks and basic security cameras to be solutions of the past,” says Greg Parker, vice president of innovation and portfolio management at Johnson Controls.

“By harnessing the power of insights provided by current access control solutions, facilities are properly preparing themselves to prevent incidents from the inside out in an evolving threat landscape,” he says. 

 Modernizing access control systems and having a technology roadmap will help ensure organizations’ facilities and their people are protected.  

Determine Customer Goals 

Customers have two main priorities regarding access control today: increased cybersecurity and ease of managing access permissions. 

“Every access control device today is put on a client’s network. If you don’t have the right equipment or cards or credentials, you’re a cyberthreat to an organization,” says John Nemerofsky, chief operating officer of SAGE Integration. 

 Permissions refer to who is allowed in which doors and when. 

 “Most clients today are looking for frictionless access control,” he says. “In some cases we recommend a mobile credential. With the turnover at a university and class size, you could be recreating 20,000 physical cards per year.” 

 Mobile credentials utilizing secure near-field communication (NFC) and Bluetooth technologies are gaining popularity. 

 “Recently, powerful innovations including ‘frictionless’ or ‘touchless entry’ to spaces, as well as integrations with popular mobile wallets have been introduced to the market providing users a simple, BYOD [bring your own device], easy to deploy, highly secure option,” says Riedel.  

 Employee-owned integrator NAVCO had been installing a fair amount of traditional access control systems with key cards until supply chain issues during the COVID-19 pandemic made it difficult to acquire panels.

The company has lately been installing more cloud-based systems where a mobile credentials are used in place of a card. 

 “There’s been a lot of conversion to the mobile pass and mobile cards, purely from supply issues we had,” says Angie Barnes, NAVCO’s executive vice president of sales. “You have to come up with a way to secure your properties. There is huge growth for the cloud and mobile credentials.” 

 The company is seeing end users with systems that are reaching their end of life or for which parts are no longer available, which can lead to an opportunity to modernize. 

 Integrating access control with systems that offer features like facial recognition or gunshot detection can prompt real-time push notifications or the locking of doors immediately. 

 “Having the ability to lock all those doors immediately, being able to notify people quickly, and having an intercom system to really allow better protection are drivers in certain verticals,” says Barnes. “When we can achieve an integration, it’s a big win-win for the customer.” 

Multifamily is an emerging market for NAVCO and its largest growth area for its access control business. Barnes attributes the growth to the pandemic and the fact that property owners and managers needed better door control for things like package and food deliveries, and they wanted an audit trail to detect who came through and when.  

Mobile credentials are an easier and preferred method to manage this. Assigning physical cards to employees or residents is a challenge to manage, especially when there is turnover or lost cards. Mobile credentials are reusable. 

 “Multiple industry reports have shown a significant increase in the use of mobile credentials, especially in the last five years,” says Stephen Russo, global product management lead, at LenelS2, which operates internationally. “LenelS2 experienced 78% growth in this area in 2022 alone. We expect this growth to continue as we add more mobile technology to access control.”  

Today, LenelS2 often sees organizations using a hybrid of both physical access cards and mobile credentials.  

Mobile credentials can work with the security layers built into a phone, such as code, fingerprint or facial recognition for multifactor authentication. 

“Mobile credentials also provide the flexibility to physically present the phone to the reader or keep the phone stored but execute a ‘gesture’ to the reader, such as a wave of the hand or even ‘pulse’ the door from a remote location to allow access for a visitor entry at a gate, or package delivery,” says Riedel.  

 If a building manager is expecting a plumber to arrive at 2 p.m., they can send the contractor a link via mobile phone to grant temporary access. 

 “It’s the convenience factor. Using your phone as your pass card saves from having to use an actual card, and it is easy to grant temporary access,” says Juli Rodriguez, NAVCO’s vice president of marketing and events. 

 In addition to mobile credentials, Johnson Controls offers an array of security products that are growing in implementation, including identity management and advanced biometrics. 

 “New systems can leverage the power of AI to enhance safety without creating sticking points for approved entrants. Combined with advanced access control, facial authentication AI technology is creating safer, healthier, more connected building environments. AI technology can also instantly identify and alert security personnel to entry abnormalities,” says Parker. 

Secure Access Control

Photo courtesy of LenelS2

Emphasize the Ease of Cloud Management 

Access control has traditionally been an on-premise deployment, but as companies try to gain efficiency, they are looking to the cloud where access can be managed from an online platform or app. 

“The cloud is providing open architecture,” says Doug Greenwald, identity assurance development manager at Convergint, a global systems integrator. “This makes access control more accessible than before. … When you move to cloud, now you can manage from anywhere.” 

This growing interest in the cloud has prompted LenelS2 to launch its native-cloud platform, Elements. 

It offers “lower cost of entry, lower total cost of ownership, streamlined maintenance labor and costs, and increased scalability and flexibility while providing continuous monitoring and rapid enhancements are driving the move to the cloud,” Russo says. 

According to DMP, cloud-based access control benefits end users in the following ways: 

  • Integration with other business systems: More businesses want the ability to enhance employee engagement by using a web portal where they can do a variety of things from establishing security credentials to resetting passwords. 
  • Access to real-time user data and reporting: For businesses who have multiple floors or locations, they need the ability to pull live data to review access credential usage. They also need to deactivate a user’s access if their credentials are lost or due to  employee terminations immediately. 
  • Simplified credentialing for floating employees: There is a desire to have a single credential for employees who need access to other sites beyond their primary location. Security providers who can offer customized access profiles based on groups of systems or authority levels will have an advantage. 

Security threats are evolving, and manufacturers and integrators must help organizations balance rapid access while defending against bad actors, especially in cyberspace and facilities open to the public like hospitals. 

“They can’t compromise security, but they need it to be simpler to manage and as frictionless as possible, less labor intensive, more automated, yet powerful enough to support diverse needs. Hybrid and cloud-based solutions are gaining traction as a result of these and other trends. Cloud-based solutions can ensure the very latest enhancements are available and operational in a continuous delivery model,” says LenelS2’s Russo. 

Automating the Credentialing Process 

 The ultimate goal for a customer is to reduce auxiliary support staff and focus on how to operate more efficiently. 

 “Touchless access control to remote management of systems I think are key,” says Nemerofsky. “Building automation starts to play a part in this, as do IoT and multifactor authentication.” 

Onboarding and managing credentials can be easier and more cost effective. 

“You can automate a lot of this onboarding and offboarding through software platforms,” Convergint’s Greenwald says.  

 An employee can move through their journey seamlessly, starting with human resources and onboarding when they receive their access credentials. Upon their leaving or termination, access can be immediately removed.   

 Even some of the largest companies are manually entering new employees into the access control system, which can lead to incorrect personal data being entered or a wrong role assigned. 

 “We want to help organizations automate as much as possible … at all critical points to not only reduce risk but meet auditing requirements,” Greenwald says.  

For visitors, suppose a system sends the person a welcome email that explains where to park and how to check in, and creates a badge, creating a positive experience. On the back end, the company sees how a facility is being used and how much visitor traffic it actually has. 

“Economic and social factors around the world are driving organizations of every type toward increasing efficiency and doing more with less while trying to always stay ahead of potential threats and vulnerabilities,” says Russo.

“Schools, hospitals, retailers, corporations, banks—they’re looking to automate and streamline their daily operations and boost productivity and sustainability,” he says. “They are also looking to use access and security data to understand usage patterns and tie that into more intelligent operations of facilities.”

Secure Access Control

Photo courtesy of NAVCO

Develop a Technology Road Map 

 Given the technology choices on the market and the expense of a widespread system upgrade, how can integrators and installers convince an end user to take action? The key is to work with the customer to develop a technology plan that includes updating their access control system, in phases if necessary. 

How NAVCO approaches an upgrade with the customer depends on what access control system they are currently using and how close to end of life it is. 

“It’s always case by case. We look at what they have existing and look at end of life of what they’ve got. We may create a staged upgrade over a six-month to 12-month time or only do certain buildings,” Barnes says. “We may have to do an overhaul where you take it all out at once. The goal is to show all those options.” 

A good integrator helps the customer build a custom technology road map. Ask what technology they would like to have and how they will need to control access in the future. 

“Ask where are you going? What do you want to be doing? Where are you going? So you can have a 3-year plan instead of a now plan,” Barnes says. 

In some cases, NAVCO can work with a technology partner to determine if there are new products the customer can pilot. 

“It’s really all about what their goal is and what they want to accomplish,” Barnes says. 

In addition to building a technology roadmap, help the customer justify the ROI for upgrading and help them maintain the system they have. 

“We’re coming into a traditional system and helping them create a maintenance plan to enable them to extend the life of the traditional system until they can afford to convert,” she says. 

An upgrade can cost a substantial amount if a business must rip and replace technology. 

SAGE typically will update card readers first then credentials. Any field hardware they install follows the Open Supervised Device Protocol (OSDP) standard, which was developed by the Security Industry Association (SIA) to improve interoperability among access control and security products, Nemerofsky says. 

Potential Negative Effects of Not Upgrading 

 The consequences of not upgrading technology could be high. 

 “The cost would be your system,” Nemerofsky says. “If I duplicate your cards and I am in your facility, I am there to do damage to your network or hurt your employees.” 

Businesses should consider how security breaches or acts of violence affect their reputations and hurt employee recruitment. 

“You put your brand and your people and assets at risk by not protecting your people,” he says. 

Workplace violence, the use of temporary workers, and privacy issues all have contributed to a shift away from traditional access control systems, says Greenwald. 

Hospital campuses, for example, used to be more open. Visitors could easily find out which room a patient was in. Today, facilities need to determine how best to manage access of all the types of people who pass through.

Hospitals are “leaning into” physical security and looking for ways to better understand and track movement of their employees, temporary workers, and contractors, he says.  

Suppose an employee’s shift starts at 8 a.m. but they arrive at 5 a.m., and they are trying to access drug cabinet they don’t normally access. A legacy access control system could generate a log of this activity, so security personnel could see whether this behavior is different from the worker’s normal routine. A newer system and AI could help provide a better view of what that that person is actually doing. 

“Through AI, machine learning, algorithms, and modeling, we are able to understand historical data. We can look at that badge from the beginning of time,” Greenwald says. 

Some industries also have regulations that specify access security, and non-compliance can lead to penalties. At utilities, certain areas need two-factor credentials, such as a key card plus a biometric scan. Pharmacies storing drugs need to know who went into an area and when, and they are required to produce reports monthly, Nemerofsky says. 

No system is 100% immune from cyberattacks, but end users can benefit from products developed following rigorous security practices and that continuously monitor for threats. 

“Staying up to date on cybersecurity safeguards equips end users with the best possible defense against threats,” says Russo. “This includes maintaining support plans for providers’ software updates so that end users don’t have to think about or monitor for cybersecurity updates to their systems.” 

Separate security systems can make it difficult to gain a full picture of what is happening at a facility. Centralized access control solutions can take siloed data like traffic counts and how people are entering and leaving buildings and give a snapshot of potential security risks and space usage.  

“With a connected system, security leaders need not analyze access multiple systems and dashboards to access critical information, the insights they need across fire and life safety can all exist within a single pane of glass,” says Parker. 

System upgrade and support plans ensure end users their equipment providers and installers are watching out for them. 

“Access control as an industry has become significantly more proactive,” Greenwald says. “You can’t have a proactive stance with legacy systems … Everybody thinks everything’s ok until it’s not.” 

Sandra Hosking is a freelance writer and communication manager for a fintech company; she has more than 10 years’ experience covering high-tech industries.