Role of IT in Access Control
System
It is a fact that IT is becoming more involved in the
physical security world. In a small minority of companies, these two
departments are actually merging, although this is a mammoth task fraught with
problems, not only in terms of technology, but primarily in terms of culture.
In the access control world, one could say it’s normal
for IT to be involved in networking (assuming the access systems make use of
the corporate network and/or the IP protocol), but the scope of IT has slowly
been creeping into more of the access control functions. In smaller companies,
for example, it’s not unusual for the service provider responsible for the
company’s IT to also take the responsibilities of physical security.
So how far has IT made inroads into the access control world
in general? HID Global broadcast arrange a webinar in October 2018 in which it
revealed some new research into the increasing role IT departments and
personnel are playing in the physical access control world. The webinar was
hosted by HID Global’s Brandon Arcement and Matt Winn. After discussing the
findings of the research, they went on to advise physical security operators as
to how they can embrace their IT colleagues further, with the goal of improving
the holistic security posture of their organisations.
The survey was conducted by The 05 Group, sponsored by
HID and was completed in March 2018. As the title of this article notes, the
research found that IT departments are now more involved than ever in
organisations’ physical access control decisions and implementation, and that
trend is set to increase.
The 05 Group surveyed 1 576 individuals from more than
a dozen industries, including education (19%), information (16%), government
(11%), manufacturing (8%), health services (8%), and security, professional and
business services (8%). Of the respondents, 35% were IT managers, 26% were IT
directors, 13% were IT staff, 8% were CIO/CTO, and 3% were VPs of technology.
The survey also spanned companies of different sizes, with 24% having less than
100 employees, 22% 101-500 employees, 11% have 501-1000 employees, 17% have
1001-5000, 6% have 5001-9999, and 6% have 10 000-24 999 employees. The results
therefore cover a broad spectrum of companies and industries.
The numbers tell a
story
The
research offers a significant amount of data about the role of IT in access
control, however the webinar brought out a few pertinent facts (a link to the
white paper written by HID from the research is at the end of this article).
When asking the organisations being surveyed “Who is primarily responsible for
physical access control in your organisation”, the responses were as follows:
•
29% said both IT and physical security.
•
26% said IT only.
•
25% said facility management handles the job.
•
12% said physical security only.
•
8% said the property management company was tasked with access control.
With a quarter of the respondents already saying IT is
responsible for access control, and a further 29% saying it is shared between
the two departments, it’s clear that the divide between IT and physical
security is rapidly vanishing – and in some cases, altogether gone. And this is
a trend that will continue; in organisations where IT is not involved in access
control, 36% of the respondents said it will be within the next five years.
For those organisations where access control
responsibilities are shared, 47% of the respondents report it had been shared
within the past five years. Similarly, where IT owns the responsibility, 42% of
the companies say they were given this task within the last five years. Once
again we see that IT/physical security convergence in the access world is an
expanding reality.
We mentioned IT’s influence in access control above in
terms of the networking of access systems, however, this is an old function. The
webinar showed that both IT professionals as well as physical security
professionals see IT being involved in all areas of access control. When it
comes to physical security professionals:
• 66% of physical security professionals see IT
involved in influencing the decision-making process.
• 48% see IT’s involvement in integrating access and
other systems.
• 37% see IT involved in implementation.
• 22% see IT involved in managing the systems.
From the other side of the table, IT professionals have
a similar view:
• 76% expect to influence decision making.
• 72% will be involved in integration.
• 59% will be involved in implementation.
• 39% expect to be involved in managing systems.
Not all wine and roses
Of course, as these different cultures work together,
there are bound to be some issues. It is in the field of integration where IT
sees problems. Half of the IT people surveyed have issues with the lack of
integration of access systems with other IT systems. This is an area in which
the access control industry could make significant changes in the short-term to
ensure their software and hardware can be more easily integrated with existing
business management and security systems.
When it comes to new access control systems, the IT
school has a few things it wants to see on the vendors’ to-do list. They want
improved ease of use (71%), the ability to support or add new technologies
(68%), mobile access (59%), and integration with existing security platforms (54%).
It’s also clear from the survey that IT is not all that
comfortable with access control technology. Areas such as credential
management, decision making with respect to access control systems, how system
components work and also individual features within access systems can cause a
bit of nervousness among the IT folk. These are areas in which physical
security professionals can make their mark, as they are more skilled in dealing
with these issues as well as others unique to their industry.
Helping IT in access
The driver behind this convergence is not a technical
issue, but is itself a convergence of a number of separate drivers. HID notes
the primary drivers are:
• Converged threats that impact both physical and
logical infrastructure. If you have a physical vulnerability it puts your
logical systems at risk, and vice versa.
• Proliferation of networked devices in the age of IoT
(the Internet of Things) which all require both physical and logical
security. Interestingly, the webinar held its own real-time survey of the
attendees and this topic was selected as having the biggest impact on access
control’s shift to IT with half of the audience selecting it.
• Compliance to new regulations, which again rely on
both sides of the table.
• Budget consolidation, which we are all suffering
through.
• A shift in reporting structures as executives try to
get a handle on the seemingly endless threats companies face on all fronts.
When it comes to the role of physical security
professionals and how they can assist in the convergence between the two sides
and help improve organisational security, 80% of the respondents said they play
a role in establishing best practices, while 50% see physical security having a
role in preventing unauthorised access in general, and 49% say they can help in
achieving compliance. In order to streamline collaboration, the HID webinar
suggests, among other issues, that both sides need to work on aligning project
priorities and determining responsibilities, and balancing the technical acumen
of IT when it comes to access products and management.
A converged example
The webinar went on to provide an example of how the
two divisions could work together in an access control installation. When it
comes to the physical access control host, HID advises organisations to
integrate physical access control systems (PACS) with an IT source of identity
such as LDAP. Furthermore, administrators should ensure there is a set policy
around regular software updates and patches, while they should also take
advantage of IT’s experience (and equipment) to ensure high availability.
When it comes to the controller, HID advises
organisations to settle some of the issues raised above by requiring an open
controller platform that can be integrated with other technologies and other
vendors’ products. Preventing vendor lock-in is a costly lesson IT departments
have learned. It also suggests considering an ‘IP-at-the-door’ topology,
keeping controller firmware updated to the latest versions, using strong
passwords and encrypting communication between controllers and hosts (and using
OSDP – Open Supervised Device Protocol – for encrypted reader communications).
Another strong warning was to take care when selecting
access credentials as many of the card and fob technologies available are easy
to replicate, making it simple for the wrong people to easily gain access.
There are secure card technologies out there and these should be used as a
standard. A business benefit of these more advanced credentials is that they
can also be used for additional business functions, such as secure printing,
vending machines and network logon.
The webinar presenters also touched on the benefits of
using users’ mobile devices as credential holders. These can offer higher
levels of authentication, easier administration and more user convenience that
does not come at the expense of the company’s security.
Whether you are on the IT or physical security side,
the most important part of the research (depending on your biases) can be seen
in the answer to the question “Do you believe that increased collaboration
between physical security and IT can improve the overall security of your
organisation?” An overwhelming 95% of all the respondents said “yes”.
While the full convergence of physical and logical
security is still some way off, people in the access control sector obviously
understand that IT and physical security working together is critical to develop
a successful security defence strategy for their organisations. In the access
control industry this may be easier to achieve, but as noted in the
introduction, it is often a question of culture (or ego, to be blunt) that
prevents collaboration and results in organisations being vulnerable to the
ever-increasing threats they face from well-organised criminal syndicates, as
well as unhappy teenagers with too much time on their hands.
End of the article thanks to Mr. Andrew Seldon, for
valuable time to us & security sa team.
