6 Jan 2017

SDM Magazine: The Challenges of Access Control

This article first appeared on the SDM Magazine website.

According to the SDM Top Systems Integrators Report, published in July 2016, the top three vertical market sectors are corporate, education/campus and healthcare, all of which rely heavily on access control technology as part of their overall security solution. Security integrators also mentioned other relevant verticals as front-runners in security spending, including utilities/critical infrastructure and one that is being increasingly discussed by manufacturers and integrators alike: multi-family residential. These five verticals are very different from one another, but they do have some commonalities concerning access control.

“Access control as a whole has grown over the last several years, with some reports showing an annual growth rate at 7.5 percent,” says Mitchell Kane, president, Vanderbilt, Parsippany, N.J. “For corporate entities, higher education, healthcare, utilities and critical infrastructure, as well as multi-family units, this growth can be attributed to rising urbanization, increased threats to public safety, and the need for technology to change in line with evolving risks.”

It is impossible to talk vertically without some overlap, and in SDM’s interviews with industry professionals in these sectors a few general, and even surprising, trends surfaced. For example, biometrics was mentioned as a factor in virtually every one of the five, as was cybersecurity. Mobile credentialing is an emerging technology that has varied acceptance rates across these vertical sectors (with some starting to really embrace it and others not at all). And, of course, the general desire for access control applies in almost all of the cases.

“The top three trends across the majority of these verticals are all very similar,” says Justin Wilmas, director of sales for Eastern U.S., AMAG Technology, Torrance, Calif. “In my experience they are all looking at identity management, visitor management and the latest and greatest in technology…. Fundamentally all of these verticals have the same challenges when you look at how they manage identities and how they get access. The organization invests lots of money in access control systems thinking that will solve the problem, but you still need people to manage these systems. Operationally you haven’t solved the problem. Then there are external factors such as compliance and regulatory bodies that want to know why these people have access.”

This leads to a common desire for better information-gathering, says Derek Arcuri, product marketing manager, Genetec, Montreal. “One trend we are seeing across multiple verticals is unifying information for quicker and more informed decision-making. A common pain … is large data sets coming from disparate sources that lack timely amalgamation so that informed decisions can be made in a timely fashion.”

Wilmas, Arcuri and others point to another common thread across the verticals: Cybersecurity. “If you look at what is happening in today’s world, in three of the verticals it is more pertinent than others: corporate, healthcare and utilities/critical infrastructure,” Wilmas explains. But higher education and even multi-family are not immune to this widespread threat.

Similar concerns do not always lead to similar approaches, says Bruce Czerwinski, U.S. general sales manager, Aiphone Corp., Redmond, Wash. “While each vertical market may have slight variations, the basic concerns are the same: who can access the premises and for what reason. [But] healthcare and higher education by their nature have to be more open than the other verticals, which makes access control more of a challenge than that faced by corporate and utilities facilities.”

However, some technology trends are nearly universal, such as integration and the desire for open protocols, says Rick Focke, senior product manager, Tyco Security Products, Westford, Mass. “People don’t like to be hemmed in and pushed into one choice.”

Manufacturers of access control systems tend to offer systems that can be tailored by the integrator to any number of verticals.

“You modify the system around how you need it to work, versus changing how you do things around the system,” Wilmas says. “All these verticals are very different in nature, but the problems are all the same.” Wilmas recommends looking for a policy-based system that can help the end user incorporate how they operate.

But a growing number of vendors of both software and hardware are designing at least some of their solutions around one or more specific vertical needs. For example, ASSA ABLOY, New Haven, Conn., has solutions tailored to the multi-family market, says Mark Duato, vice president of integration solutions. What’s more, he recommends that such specialization might be a good approach for some integrators, as well.

“Progressive integrators in the marketplace build marketing programs and services around the verticals they feel they can be most effective at serving. You don’t have to be everything to everybody. You can be really good in healthcare and run a really great business. Our goal is to build specialized products that help those progressively focused integrators deliver unique approaches into the verticals they serve,” Duato says.

Tyco generally produces access control products that apply to most verticals, Focke says. “Access control opens doors, whether it is for hospitals or higher ed. But we have started focusing on specific [vertical] features. First it was government because they have such different standards for the FICAM high-assurance cards. Now we are looking at the utilities/infrastructure market, which is a nice fit for our system that scales for thousands of sites.”

He acknowledges there can be a challenge for integrators in specializing. “Most can’t afford to specialize in just one vertical and instead go for whatever job they can get,” he observes. However, whether you are a specialist or a generalist with a concentration of jobs in particular verticals, Focke advises getting more involved in the particular needs of the vertical market you are working in. “If it is a healthcare vertical, get involved in local healthcare organizations and talk to security directors in that vertical. There are some working committees. Just get involved locally and keep your ears open and look for new opportunities.”

Tim Vahary, product manager, RS2 Technologies LLC, Munster, Ind., adds that even as a generalist, a good relationship is the key to getting the most out of access control technology for your client. “Being [cognizant] of the needs of your client is key to building a lasting business relationship that is beneficial to both parties. Every client has different requirements, but with the options of modern access control, a knowledgeable integrator can provide the right solution to meet their needs.”

Read on for what makes each of these five verticals unique to work in, the challenges and rewards, as well as how they are reflecting the common trends in their individual markets.


Vertical Market Sectors

Security professionals share knowledge about what makes each of these market sectors tick when it comes to their access control and identification needs:

  • Corporate

  • Healthcare

  • Utilities/Critical Infrastructure

  • Higher Education/Campus

  • Multi-Family Residential

CORPORATE

The corporate vertical is by far the most broad-ranging, and really more of an umbrella term for a collection of businesses that range from a small law office to an international enterprise. Integration, automation and centralization are the general rule-of-thumb for any corporate business of scale, says RS2’s Tim Vahary.

“Modern corporate demands are constantly changing. Access control is capable of managing and monitoring facilities spanning the globe from a single location,” he says.

“Frictionless” describes a whole host of trends in this vertical, from a renewed interest in biometrics such as iris and facial recognition, to automatic visitor registration to elevator destination dispatch.

“These buildings, the security part of it is card access or biometrics, meaning you don’t get access unless you can identify who you are,” says Dave Chritton, senior sales manager, Microbiz Security Company, San Francisco. “Right now that is typically done with badges or fobs, but the trend is going towards smartphones and also biometrics. Another big thing we are seeing is smart elevators that allow tenants to go from the first floor straight to the top without all the stops and starts.” It also ensures that only authorized people can reach certain floors, particularly critical in a mixed-use or multi-tenant office complex.

For integrator Henry Hoyne, vice president of professional services, Northland Control Systems Inc., Fremont, Calif., the corporate experience is tied to his company’s Silicon Valley location. “In our vertical, which primarily comprises high-tech corporations, autonomous robots, cybersecurity hardening and facial recognition seem to be on the forefront.”

While this vertical is hard to pin down to individual traits, Hoyne says his corporate customers are technologically savvy, interested in “keeping up with the Joneses,” even to the point of seeking out cutting-edge or bleeding-edge technology, and extremely concerned about cybersecurity.

The latter is a common theme among manufacturers and integrators alike when discussing the corporate space, which has been hit with some high-profile breaches in recent years.

“Integrators selling into the corporate market need to understand that they must provide solutions to cybersecurity as well as physical security,” says Scott Lindley, president, Farpointe Data, Sunnyvale, Calif.

Corporate clients large and small are looking for less bulky infrastructure, Wilmas says. “Traditionally to do access control is a very heavy lift to buy a lot of hardware and build a security infrastructure. Now they are saying, ‘Well it doesn’t have to be, with things that are sustainable like PoE integrated locks that can essentially control everything without a lot of infrastructure.’”

In some cases the desire for less “bulk” means turning to a hosted or managed access control system, increasingly cloud based. This logically follows on general corporate business trends, says Nikhil Shenoy, director of product marketing for Kastle Systems (SDM’s 2015 Systems Integrator of the Year). This has led to a more distributed workforce that is not only more apt to look for different types of architectures, but also more interested in newer types of credentials such as mobile or biometric.

“Corporations themselves are evolving,” Shenoy says. “The world’s largest photo-sharing site doesn’t take any pictures. The world’s fastest space-leasing company doesn’t own any real estate. The world’s largest ride service doesn’t own any cars. It is becoming harder to classify and having solutions to evolve with those needs is the way all security is going in that vertical.” Kastle offers a managed access control approach, which works particularly well in the SMB and multi-tenant office space, along with providing the integrator a nice source of RMR.

Access control, particularly in larger deployments, is historically a “sticky” technology — not frequently or lightly changed out. As a result, many in the corporate space are looking to do much more with the information gathered by access control.

Norma Schiller, global systems, Honeywell Security and Fire, Melville, N.Y., points to a definite trend in sharing databases between access and other areas to determine things like how space is being utilized and which entrances are being used. “Are people working from home three days a week? Can we reduce our footprint in space leasing?”

For Hoyne, the corporate vertical is savvy, yet resilient. “Do your homework,” he advises. “Have a team that is up-to-speed in all that encompasses IT. Do not just throw around buzzwords, because once they see through that they’ll discredit you. And most importantly be up front and honest. Do not exaggerate your capabilities. Speak about what’s possible and discuss and share risks [but] don’t be afraid to say ‘no.’ Clients, believe it or not, do not want a ‘yes’ man. They want to be challenged. It shows you care and want to do what’s right.”

HEALTHCARE

Hospitals are often faced with a conundrum when it comes to security, says Kelle Shanks, senior account executive, Convergint Technologies, Schaumburg, Ill. “There is this dichotomy of ‘come in and stay out,’” she describes.

“There are public and non-public areas,” adds Jeremy Bates, general manager, Bates Security, Lexington, Ky. “There are all kinds of areas where you have to put security but still be an inviting and open place.”

Shanks says card access control is a bigger deal than ever before in this vertical as hospitals tie many more areas to the card. “They have card access for trash chutes, food, vending, soiled utilities. It’s not a new technology, but it is coming back in vogue.”

Added to that, hospitals are also actively looking at biometrics these days, particularly technologies that can provide security while still allowing gloved personnel to be “hands free.”

Cybersecurity is also high on the list for healthcare — perhaps even more than some of the other verticals. “Patient records are the next gold mine of information that is often stolen, so their IP systems are really getting locked down,” Focke says.

Shanks agrees, adding that one hospital client recently told her they get 20,000 hits per day on their network with people trying to access patient or even research information.

Regulations such as the Health Insurance Portability and Accountability Act (HIPAA) touch on both the cyber and the physical, typically requiring two-factor authentication to get into sensitive document areas.

Access control systems play a vital role in healthcare security when it comes to such regulations — beyond just locking the door. “The Joint Commission requires special areas and rooms to be secure, defined as a locked container or door with an ongoing analysis of measures you have in place and level of compliance,” says Del Deason, senior vice president, Vision Security Technologies, Birmingham, Ala. “The reporting feature of access control gives us the forensic ability to demonstrate that compliance.”

While HIPAA is well known, another regulation is newer and requires not just two-factor but three-factor authentication.

“The Global Threat Reduction Initiative (GTRI) is a project from the Department of Energy with Sandia Labs to secure radioactive sources,” Shanks explains. “Anytime you do blood you have radioactive, plus the radioactive materials they use in cancer therapies. There has to be a triple factor on every one of these rooms.”

Like its corporate cousins, the healthcare vertical also seeks to get more out of the access control investment, says Scott Wheatley, senior account manager, KST Security, Indianapolis. “I’m starting to see several of my hospitals try to maximize their investment by using that equipment in non-traditional ways. They are using existing cards and readers to track training, resident lectures and run reports to verify a resident has attended that lecture for their compliance and instructional needs.”

Another similarity with corporate is the upswing in visitor management for more than just the maternity wards. “We are seeing more interest in self-service kiosks at main entrances to track everybody who is in house,” Deason says.

For integrators working in the healthcare sector, there are a few things that distinguish this vertical from others.

“A lot of working in hospitals is about infection control,” Shanks says. “Anybody who works at a hospital has to have their full array of vaccinations. The technicians also have to understand that it can be an emotional environment and be sensitive to what they see and hear.”

Hospitals are faced with complex challenges that demand cooperation from many groups, she adds.

“Healthcare is as demanding a customer as you can probably have,” says Skip Sampson, president of KST Security, Indianapolis, and current president of Exton, Pa.-based Security-Net. “Many of their services are internally staffed, so they are accustomed to instant response to problems, whether in the kitchen or a patient’s room. So you really have to respond and communicate at a very high, fast level with healthcare. They demand and expect that and it’s one reason we are successful at it.”

UTILITIES/CRITICAL INFRASTRUCTURE

Healthcare is not the only heavily regulated vertical on this list. No vertical here is more regulated than utilities/critical infrastructure, and that informs much of their needs for access control.

“The electrical grid grew organically starting in Manhattan 134 years ago and now spans all 49 continental states,” says Stephen Joralemon, engineering manager, G4S Secure Integration, Willowbrook, Ill. “Thus, from a security perspective, utility companies are a geographically dispersed customer with facilities ranging in age.

“Government regulations drive the implementation of security measures at utility providers. Proposed security needs to be tied directly to a customer’s tier rating and reduction of risk. Otherwise, there is not only risk of an intrusion, but of a fine.”

Christopher Kieta, senior director of strategic sales for Dallas-based Securadyne Systems, SDM’s 2016 Integrator of the Year, says utilities are more like government verticals because the regulations have real teeth to them. North American Electric Reliability Corp. Critical Infrastructure Protection (NERC CIP), the predominant regulation in this vertical, is fairly straightforward, he adds. “When NERC CIP changes it is very clear what you have to do to help them remain compliant.”

Unlike many of the other verticals here, utilities are much more traditional and risk-averse when it comes to trying new technologies such as wireless, mobile and cloud. But that doesn’t mean they aren’t interested in them, says Matt LaRue, senior sales executive, Convergint Technologies. “We are often asked to team up with consulting firms to come up with technology to test. Some make it to the final design criteria and others don’t.” One recent project was seeking to understand the security of mobile credentials and how the data is encrypted, he says, although they are not implementing it at this point.

One thing utilities are on the forefront of, however, is cybersecurity. “They are creating security-centric IT teams,” Kieta says. “This is a subset of traditional IT services that either embeds itself with security or is dedicated to … creating standards for not just how they get deployed but what they will do to safeguard them once they are installed. We don’t see that in other industries.”

Utilities are farther along with cybersecurity because of their more formalized compliance structure, says Tyco’s Rick Focke. “They have had white papers and have had to respond to different issues and standards [around cyber],” he says. “They are more interested in biometrics, as well.”

One of the unique things about working in the utilities/critical infrastructure space, say integrators, is the level of commitment it takes to succeed. “You can’t just wake up tomorrow and decide to do it,” Kieta says. “It requires a large investment. Our service relationship with utilities is stronger than any other vertical we have. We have strategic discussions about how our service program supports their business. We meet with them on a quarterly basis and have reviews. It is a constant fine-tuning of that process.”

Utilities can be a very challenging client, LaRue says, because things move so fast. It is also important to be aware of safety. “There is a high possibility of injury or worse on these sites; continuous safety training and checks are critical,” he says.

“The installation of security technology is only one part to an effective security program,” Joralemon says. “We often find that it is necessary to go beyond just a technology solution and actively engage the customer to develop operating procedures, system and personnel performance reviews, and security education programs.”

HIGHER EDUCATION

At his freshman daughter’s college orientation, even integrator Darren Wieder, business development manager for Convergint Technologies LLC, was surprised to learn how much both access control and cybersecurity have become a part of daily life on campus.

“It is access to their room, their building, their school ID, it gets them food, laundry, McDonalds, Starbucks and checking in for tests. The single card is now doing everything.”

But what really surprised him was the cyber aspect. “You can’t just go sit and use the Internet. You have to register all your devices so they can monitor who you are and what you are doing.” Students even have to register video games and smart TVs, he adds.

“Higher education has a high density of door applications, meaning the traditional cost of deploying access control is expensive and cumbersome to manage,” says AMAG’s Justin Wilmas. That is why a larger reliance on the campus Wi-Fi, IT and wireless technology is much more typical in this vertical. “Most universities build their wireless IT infrastructure to support anywhere from five to 20 devices over time. That is a huge investment they are making, so why would you not bolt your access control onto that same investment?”

The proliferation of wireless locks on dorm room and classroom doors has been a big trend in recent years, says Tyco’s Rick Focke. Now some of those facilities are starting to look at what’s next; but the very ubiquity may hold some back. “In higher ed we are seeing trends to finally upgrade from old magnetic stripe cards. Some are interested in mobile credentials. There hasn’t been a groundswell, but it is coming. Most colleges like the one-card system and everything on the card is pretty entrenched. I see mobile being used as more of an extra credential. There will be movement, but there are so many infrastructure systems to change it will take a while.”

Still, the same elements driving the McDonalds and the Starbucks to campus may eventually play a role here.

“Schools are now using housing to compete for students,” says Vision Security Technologies’ Del Deason. “We are seeing granite countertops and condo-like facilities, and the same credential to get everywhere.” Deason reports in 2016 his company is just beginning to have some real inquiries about Bluetooth readers. This has surprised a few in the industry who see the university market as a prime target for the mobile phone as credential.

“Higher ed has always been very price-sensitive,” says Skip Sampson of KST. “The pricing model for secure mobile credentials is not at a point yet that it makes sense for large, higher education deployments. There is a cost associated with that technology that will come down in the future, but that is why adoption has been slower than we expected.”

Deason has seen more interest in biometrics, however, “particularly around athletics where kids are coming in from the football field and they don’t have their credentials on them.”

In some ways the university market is similar both to healthcare and to multi-family residential in that convenience and openness must live side-by-side with high security in certain areas. “Open campuses are unique because security directors must balance the need for an open environment with strong safety measures to protect students, faculty and staff,” says Vanderbilt’s Kane. “Integrators must be an advisor to schools to help them find the right balance.”

MULTI-FAMILY

A convergence of factors has resulted in the recent surge of the multi-family market sector.

“The way people are buying and owning property today is changing,” says Mark Duato of ASSA ABLOY. “Multi-family in the last five years has been a boom market, particularly in cities where security is of utmost concern.”

Multi-family units are often mixed-use buildings with retail on the bottom, perhaps offices in the middle and residential units on top, Duato explains. “The uniqueness of that is that traditional software manufacturers and security management products have been almost over-engineered for those types of applications, especially if the end user wants to maintain and service their own solution.”

Unlike in some of the other vertical sectors here, cloud, mobile and wireless are more likely to be the norm than an experiment in multi-family. And for property managers that do not want to self-manage the system, it also offers a logical RMR-based opportunity for integrators that offer that option.

“It’s where the smart money is going,” says Gregg Miller, president and CEO, ASCI Security & Fire, Irvine, Calif. “Everyone wants that ROI.”

Kastle Systems, Falls Church, Va., was founded on a managed access premise years ago and got its start in multi-tenant office facilities, but added multi-family several years ago. “It’s a really dynamic marketplace and there is so much innovation out there influenced by residential and consumer-oriented technology,” says David McGuinness, vice president of corporate strategy. “We have been serving this market for the past 10 to 12 years but really doubled down about three years ago with more tech investment.”

The general “theme” of multi-family is the notion of hospitality coming to where people live, he adds. “Through the years there has been an escalation of the amenity wars. Ten to 15 years ago key amenities were location, covered parking, a pool, and maybe a gym. Today it is much more hospitality-centric with roof decks, pet washing stations, dog runs, bike storage and repair, and more. What properties are doing to differentiate themselves is to focus on lifestyle and that has led to the adoption of access control across the community.”

The perception of security is one way to attract residents, Miller says, but what constitutes that has changed dramatically over the years. “When we first got into this a number of years ago it was, ‘How can we put a telephone call box out front?’ A couple of years ago we started to see concerns about resident entries and integrating that all into one package.”

Miller credits the online wireless lock with the change. “Without that you do not control a resident entry. You cannot hardwire 450 units.”

With access control, properties not only can make sure that residents are secure, but also rely on its powerful database, apps, wireless locks with or without mobile credentialing, and more, to allow property owners and residents to get the most out of the system.

“Say I am new to a city and don’t know anybody. How convenient is it if I could tell from my phone that there are people on the roof deck? That might cause me to go upstairs and meet my neighbors,” McGuinness says. “Leveraging access control data and expressing that through a user interface can trigger different types of decisions.”

McGuinness attributes the rise of this vertical to changing demographics. Millennials are more likely to be attracted to living in this type of environment, both socially and because buying a home has gotten tougher since the 2007 economic recession. On the flip side, baby boomers are retiring and heading to town. “All these factors have driven up demand, which in turn has driven up construction and all these properties have to compete and differentiate and are looking at security as a means of doing that,” McGuinness explains.

This vertical is much more likely to try new things, perhaps because of its residential influence, Miller says. “I think multi-family is much more apt to look at and experiment and run beta sites with [mobile credentials],” he says. “The smart home trend has also influenced it.”

The most important thing in this vertical is to seamlessly blend the security with the convenience, he adds. “It is really important to provide a solid level of security, with convenience, without turning the community into an institutional feel. This is still home to individuals, and that fact cannot be overlooked.”