getting started in access control -...

MANAGED ACCESS: The Darling of All

Market Insights— ‘GROW’ WITH THE FLOW

GETTING STARTED IN ACCESS CONTROL

MAY/JUNE 2010

Supplement to Locksmith Ledger International, Security Dealer & Integrator and Security Technology Executive

[S-2] [ACCESS CONTROL TRENDS AND TECHNOLOGY 2010] ——————————————————————————————— MAY/JUNE

MAY/JUNE

Visit Cygnus Security Media on the Web at www.securityinfowatch.com

ACCESS CONTROL TRENDS & TECHNOLOGY 2010

Published by Cygnus Business Media, Inc.Phone: 800-547-7377 • Fax: 631-845-2736

3 Huntington Quadrangle, Suite 301N., Melville, NY 11747 USAPhone: (631) 845-2700 • Fax: (631) 845-2736

3030 Salt Creek Lane, Suite 200, Arlington Heights, Illinois 60005Phone: 847-454-2702 • Fax: 847-454-2759

12735 Morris Road, Deerfield Point, Bldg. 200, Suite 180Alpharetta, Georgia 30004 • Phone: 800-547-7377

EDITORIALEditor-in-Chief, Security Technology Executive—Steven LaskyEditor-in-Chief, Locksmith Ledger International—Gale Johnson

Editor, Security Dealer & Integrator—Deborah L. O’MaraManaging Editor, Security Technology Executive—Paul RothmanManaging Editor, Locksmith Ledger International—Emily Pike

Associate Editor, Security Dealer & Integrator—Natalia Kosk

ART & PRODUCTIONArt Director—Bruce Zedler

Production Manager—Jane Pothlanski

ADVERTISINGPublisher, Security Technology Executive—Steven Lasky

Publisher, Security Dealer & Integrator—Carol EnmanPublisher, Locksmith Ledger International—Nancy Brokamp

CYGNUS BUSINESS MEDIACEO—John French

Chief Financial Officer—Paul BonaiutoV.P. Corporate—Elizabeth Pennell

V.P. of Manufacturing & Information Technology—Tom MartinV.P. of Business Development—Scott Roulet

V.P. of Audience Development—Julie NachtigalCorporate IT Director—Eric Kammerzelt

CYGNUS PUBLISHINGPresident—Mike Martin

Corporate Production Director—Brett ApoldSenior V.P. Custom Marketing—Patrick Nadler

Brand Director—Paul Caplan

CYGNUS EXPOSITIONSSenior V.P.—Julie Thompson

Company Name Reader Service No.

Page # Web Site URL Tel#

Brivo Systems, LLC 382 S7 www.brivo.com (866) 692-7486

Cisco 381 S5 www.cisco.com (800) 553-6387

DKS Doorking, Inc. 386 S15 www.doorking.com (800) 826-7493

Honeywell Security Group 391 S24 www.honeywell.com/security

Kaba Access Control 383 S9 www.kaba-access.com (800) 849-8324

Keyscan Access Control Systems 388 S17 www.keyscan.ca (888) 539-7226

Linear 380 S3 www.linearcorp.com (800) 421-1587

Marks USA 385 S11 www.marksusa.com (800) 526-0233

Paxton Access 384 S10 www.paxton-access.com (877) 438-7298

Security Door Controls 387 S16 www.sdcsecurity.com (800) 413-8183

Trine Access Technology 390 S23 www.trineonline.com (718) 829-2332

U.S. Lock Corporation 389 S21 www.uslock.com (800) 925-5000

Advertiser's index

On the CoverAccess Control—Leverage the Legacy .......................8

By Natalia Kosk

‘Heavy lifting’ in the market projects positive movement in the industry.

AlsoNew Products ......................................................................4

Managed Services—Darling of RMR .........................12By Deborah L. O’Mara

Outsourced access control services could spark this decades-old market

Key Management for Physical Access Control ........18By Tam Hulusi

Whether a physical or digital key, policies and practices for their use must be in place

Getting Started in Access Control...............................22By Gale Johnson

There’s a perfect place for this discipline

18

12

22

[S-4] [ACCESS CONTROL TRENDS AND TECHNOLOGY 2010] ————————————————————————————————May/June

New ProductsWireless Communication Gets ‘Safe’The Dunbar Cash Man-ager SafeSM from Dunbar Armored is designed to provide immediate wireless transmission of cash deposit data from safes located in stores and restaurants to Dunbar where the information is consolidated and formatted into multiple cash manage-

ment reports available for real time access by customers’ corporate offices through Dun-bar’s secure Valu-Trak® Web site. Select e-inquiry #400 at www.securityinfowatch.com/ste/einquiry.

IFSEC 2010 Unveiling!Access Control Technology (ACT) Ltd. show-cased the ACTentry V-IP video / door entry system at last month’s IFSEC 2010 confer-ence. The system provides a solution for both commercial and public spaces. The company also showcased their ACTpro access control product suite, which includes the IP-based

range of door controllers and Mifare-based reading technologies. Recent enhancements to the ACTpro software application include the addition of Sitemaps, ACT Notifier (for e-mail and text messaging) and the Web-based version of the ACTWin software. Select e-inquiry #403 at www.securityinfowatch.com/ste/einquiry.

Power Times 2 Over Single Ethernet Cable

Phihong’s new 21W split-ter has outputs of 10W over PoE to a powered device such as an IP camera and 12W DC to an accessory device including heaters and illu-minators. Designated the POE21-120H, this device

takes power from a Phihong IEEE802.3at-compliant midspan for use with low-power IP cameras and adjacent devices for use in secu-rity systems and access control. Select e-inquiry #401 at www.securityinfowatch.com/ste/einquiry.

Control and Audit AccessThe CyberLock Electronic Lock and Key Sys-tem from Videx offers an effec-tive, affordable solution for fire

departments and emergency medical service organizations that need to get control of their keys and track and control access to their narcotics safes. CyberLock uses the lock hardware that is already present in rescue vehicle and firehouse narcotics safes, cutting down on installation costs. Simply replace the mechanical cylinders inside existing safe locks with CyberLock electronic cylinders. Select e-inquiry #402 at www.securityinfowatch.com/ste/einquiry.

New Site Offers Online EducationDORMA Architectural Hardware’s new “DORMA eLearning” site, www.DORMAe-learning.com, offers a convenient, online plat-form for learning about architectural hardware and obtaining continuing education credits through the American Institute of Architects (AIA). The classes provide essential informa-tion about architectural hardware to help the building team make informed decisions about product selection and performance. Select e-inquiry #404 at www.securityinfowatch.com/ste/einquiry.

Access Control for Small to Large EnterprisesThe NetAXS-123 access control system from Honeywell enables smaller facilities to leverage the same reliable access control features tradition-ally available to larger enterprises. The one-, two- or three-door system features a flexible, Web-based design that helps reduce or eliminate costs and oversight associated with PC-based systems by eliminating the expense of servers and software licenses. Select e-inquiry #405 at www.securityinfowatch.com/ste/einquiry.

New Upgrades Designed to Meet Security DemandsNew features to Morse Watchmans Key-Watcher® line of key management solutions range from re-organized menus to optimized database capabilities. Other feature upgrades include the ability to adjust the previously fixed door timers and enhanced reservations that may now be made for up to 10 days instead of 24 hours. Select e-inquiry #408 at www.securityinfowatch.com/ste/einquiry.

Rugged Reader SeriesBiometric Access Con-trol ReaderThe MorphoAccess™ 500+ Series reader from MorphoTrak (Safran group)

comes in an IP-65 rated ruggedized version for outdoor

use with optional fake finger detection and has the ability to withstand extreme temperatures from -40 degrees Farenheit to +122 degrees Farenheit. Select e-inquiry #412 at www.securityinfowatch.com/ste/einquiry.

Designed for Tight Spaces and PlacesThe Axion 4850 universal elec-tric strike from Trine features a ½-inch thickness surface mount, designed for tight areas. Additional features include a patented anchoring system which provides extra strength when needed and a 1/8-inch steel spacer. Select e-inquiry #421 at www.securityinfowatch.com/ste/einquiry.

Codebench Integrates DAP Guard HandheldCodebench, Inc formed a technology partner-ship with rugged-computer manufacturer DAP Technologies to offer a mobile solution for the validation and registration of FIPS 201, PIV II compliant credentials. Codebench’s PIVCheck software suite integrates with DAP’s CE3240B Guard System handheld computer and can configured with readers for magnetic stripe cards, contact and con-tactless smart cards and HID Proximity cards to accommodate credential formats including TWIC, PIV and CAC as well as fingerprint biometric readers. Select e-inquiry #407 at www.securityinfowatch.com/ste/einquiry.


Dual RegulatorLinear Technology’s LTC3615, a high efficiency, 4MHz synchronous buck regulator, incorporates a constant fre-quency, current-mode architecture. The combination of its fast switching capability and the extremely small 4mm x 4mm QFN-24, or thermally enhanced TSSOP-24 package, offer a highly compact solution footprint for applications requiring dual outputs up to 3A. Select e-inquiry #423 at www.securityinfowatch.com/ste/einquiry.

Configurable Locking SystemLenel ILS from Lenel Systems is the first inte-grated electromechanical locking system specifically engineered to be config-ured, programmed and managed directly from the OnGuard® total security solution. It is available in

both offline and wireless variants, enables users to secure more doors within a facility from a single security platform, and provides real-time priority alerts and single seat man-agement of cardholders. Select e-inquiry #410 at www.securityinfowatch.com/ste/einquiry.

Wireless CredentialsDot Wireless Creden-tials, based on Axcess Interna-tional’s patent-ed MicroWireless technology, together with AxcessView™ software comprise a unique system that enables existing access control systems to be expanded easily into advanced workforce management solutions. Dot provides local position determination, tracking, sensing and control capabilities, leveraging MicroWireless™ technologies to implement a unique Control Point Location System (CPLS) architecture. Select e-inquiry #419 at www.securityinfowatch.com/ste/einquiry.

Reader UpdatesHID Global’s versatile multiCLASS® reader line now offers some added benefits. The new additions to the multiCLASS fam-ily include two keypad models; the RMK40 which offers magstripe to iCLASS migration, and the RMPK40 for

migration from magstripe and proximity to iCLASS. The expanded multiCLASS reader line is designed to deliver the ultimate migra-tion tool and a unique card-technology read-selection feature to provide customers limit-less card management flexibility. Select e-inquiry #411 at www.securityinfowatch.com/ste/einquiry.

Discounted DealsDue to the continued popularity of their Radio Key® proximity technology, SecuraKey increased the discount on the SYSKIT1 and SYSKIT2 Proximity Access Control kits. These two-door starter kits include SK-NETTM access control software, the SK-ACP 2-door control panel, a DC power supply, a PC serial cable, 25 RKCM02 rugged clamshell proximity cards, and two Radio Key® proximity readers. Select e-inquiry #420 at www.securityinfowatch.com/ste/einquiry.

Integrated Tailgating Detection SystemKeyscan’s tailgating detection system (TDS) is designed for high-security appli-cations where tailgating presents a seri-ous threat. When more than one person passes through the curtain on a single card read, the TDS triggers a built-in audible alarm and activates an alarm relay that can be interfaced with the access control system. Select e-inquiry #413 at www.securityinfowatch.com/ste/einquiry.

Retrofit Electric StrikesThe UniFLEX™ 55 Series heavy duty

electric strikes from Security Door Controls (SDC) are designed for installation in hollow metal frames for access control of cylindrical and mortise locksets and mortise exit devices. The choice of six applica-tion faceplates eliminates the need for centerline relocation, making them ideal for new or retrofit,

high-security access control applications.Select e-inquiry #422 at

www.securityinfowatch.com/ste/einquiry.

Converter Streams DataFor programmed entry via the Internet,DoorKing’s TCP/IP Network Connection Module (DK P/N 1830-175) allows customers to monitor live activity at the entry system and to stream data for other applications. It easily connects to any DoorKing 1830 Series telephone entry or access control system through the RS-232 interface on the system circuit board. This allows the device to be connected to older or legacy 1830 series sys-tems as well. Select e-inquiry #416 at www.securityinfowatch.com/ste/einquiry. Approved

and CertifiedThe E-Plex 5800 series from Kaba Access Control is a standalone access control system approved by GSA to meet

FIPS 201 requirements: PIV; PIV-I; TWIC; CAC; FRAC; and more. The system can be as simple as enrolling FIPS 201 cards right at the reader without requiring any software or using software. Users can check card valida-tion against the Federal Bridge PKI, import photos, set access schedules and retrieve audit trail. Select e-inquiry #417 at www.securityinfowatch.com/ste/einquiry.

Start Small and Build BigThe OnSite Aparato from Brivo Systems is a full-featured appliance-based access control platform with built-in security features. With a capacity of up to 1,000 readers and half a million active card holders, Aparato’s scalable licensing model allows customers to start with a small system, scale up as needs grow, and add capabilities. All user data saved in the Aparato system is fully secure due to its use of a Trusted Platform Module (TPM), compliant with ISO Standard 11889. Select e-inquiry #415 at www.securityinfowatch.com/ste/einquiry.

New Products

Continued on page S-16

[S-16] [ACCESS CONTROL TRENDS AND TECHNOLOGY 2010] ��May/June

Visit www.securityinfowatch.com/ste/einquiry and Select No. 387

No Cutting Required!The 4200 Series eLatch, a new “no-cut” solution from Adams Rite is an electrified deadlatch that pro-vides 12- or 24-volt electric unlocking capability for commercial aluminum stile and glass door entrance systems. The eLatch installs or retrofits without stile modification with Adams Rite MS Deadbolt prep. Simply change out an MS Deadbolt and slide the eLatch into the existing prep. Next, add a lever or paddle from the inside and door is good to go. The eLatch is powered by an internally-mounted solenoid

that gives instant access when interfaced with card readers, key-pads, timers and other access control components. Select e-inquiry #406 at www.securityinfowatch.com/ste/einquiry.

Online Wireless Campus ControlThe Access 700® PWI1, a WiFi-enabled lock-set from CORBIN RUSSWIN allows cam-puses to establish online access control by tapping into existing WiFi networks. This WiFi capability eliminates the need for a proprie-tary wireless network and the cost of running wiring to each door. The Access 700 PWI1 communicates with the host server or access control panel as often or as little as specified. User access can be controlled locally and access events are transmitted to the host system. This enables the system administrator to modify user access rules and review histori-cal event logs. Select e-inquiry #407 at www.securityinfowatch.com/ste/einquiry.

Cellular-Based ModulesThe CCM-1 and CCM-2 Cellular Control Modules from Securitron Magnalock Corp. are self-contained cellular-based access control systems that eliminate the need for expensive wiring and con-

trol panels. Designed for indoor and outdoor oper-ation (NEMA-3R), both units feature a dedicated 1 A M P 12 V D C l i n e a r power supply. CCM mod-ules can be hard wired or powered by eff icient solar panels and of fer battery back-up capabil-

ity. The CCM modules allow users to operate virtually any electric gate, electric lock or Wiegand card reader or Wiegand keypad with the simplicity of a cell phone or internet connection. Select e-inquiry #409 at www.securityinfowatch.com/ste/einquiry.

Biometric Facial RecognitionDirect E-Secure’s Ex-Eye, is its latest biometric facial recognition mobile working station product. It contains: face recognition appli-cations (Watch List / Access Control);license plate recognition; document capture & OCR; digital visual communication (text / video / speech); and more. Select e-inquiry #414 at www.securityinfowatch.com/ste/einquiry.

New ProductsContinued from page S-6


D eveloped market research thus far points to growth in access control technology over the next

few years but the response from security professionals who deal with access control has been varied. Some are skeptical as to how much growth the access control market has seen and will see. Others see growth not so much in product develop-ment but instead in what already exists.

Taking a look back at the economic impact of the American Recovery and Rein-vestment Act of 2009 (ARRA), the sec-ond quarterly report released January 2010 cited that as of the end of December 2009, $263.3 billion of the original $787 billion,

or roughly one-third of the total, has been outlayed or gone to American households and businesses in the form of tax reduc-tions. An additional $149.7 billion has been obligated for projects and activities, which means that the money is available to recipi-ents once they make expenditures. And although there are no specific projected numbers showing how much of that money has specifically gone to projects in access control of the electronic security industry, Chart 1 below shows a breakdown of four of the projects at the top of the search list that have been funded, their progres-sion and estimated completion rate out of a 6,586 resulted search for “recipient reports

only” in access control projects.“We’re not seeing a lot of growth in

terms of companies putting in more access control into the existing footprints,” explained Marty Guay, president, Niscayah U.S., Duluth, Ga. “For example, a com-pany that had 10 readers securing 10 doors last year, they are not adding two to three more readers to that system. The growth is either coming from expanding or consoli-dating onto one platform or multiple plat-forms or they’re doing acquisitions.”

And with 80 percent of deployments in the access control market consisting of less than 16 card readers, opportunities exist for existing access control transition-ing to a managed access approach.

“You’re always going to have server model access control in giant facilities,” said Bill Bozeman, president and chief executive officer of the PSA Security Net-work, Westminster, Colo. “But I predict that the one- to 16-reader business, the majority of that is going to go to managed access as time goes on. You don’t have all the hassle. You don’t have the upfront cost. You don’t have to worry about redundancy. It ’s all taken care of for you. If you’re a large enough corporation that you can do all that, then you probably would stick with a server model. But once again, as busi-ness people, you have to look at how many of those types of corporations there are versus thousands of people that need six card readers instead of 600.”

According to The Freedonia Group, the market for electronic access control is pro-jected to increase 11.9 percent per year through 2012 to $5.9 billion. The research firm also cites that shipments of access control products and systems from U.S. facilities will rise 11.5 percent per year through 2012 to $6.2 billion. But as far as product sales go on the distribution side, the majority of the distribution business will come from the smaller scale of the access control market.

“ Those big thousand card reader

Access Control:Leveraging the Legacy

By Natalia Kosk

EXCLUSIVE REPORT

‘Heavy lifting’ in the market projects positive movement

Data in this chart comes from research found on www.recovery.org and is compiled of data collected from grant recipients themselves and may not be all inclusive.


jobs—those are not going to go through distribution and are going to go directly from the manufacturer to the systems inte-grator,” continued Bozeman. “I do see the rest of the market going through distri-bution similar to how the video surveil-lance market works because the products

are easier to deploy, easier to service and easier to program than they were several years ago.”

Results from SD&I’s exclusive industry readership research in 2009 showed that 59.65 percent of respondents grow their business through the sales and installation

of access control products; while 54.39 percent grow their business through net-worked access control products.

But the biggest area in terms of changes has to do with the architecture of these sys-tems, according to Tony Varco, vice presi-dent of the Security Division of Convergint Technologies, Schaumburg, I l l . “More and more customers are looking for more native, IP-based access control solutions. They are looking to leverage their existing IT infrastructure or a dedicated security IT infrastructure and that is really one of the growing trends. And probably the biggest reason for that is the buying influence—the people who are now involved in these decision processes with our customers are really coming from the IT side of the house and sometimes in a shared role with the facilities or with the physical security group,” Varco said.


ONVIF ‘Highlights’ In StoreONVIF, a leading standardization ini-tiative for network video products, recently announced that it is expanding its scope to include physical access control systems, with hopes to cre-ate a global network interface stan-dard for access control devices as well as to ensure interoperability between network video products and access control systems. And the new stan-dard could mean a lot for the bigger systems integrators that have a global outreach. Many companies, including several ONVIF members, see a great need for such a standard as it would bring benefits to system integrators, device manufacturers and end-users alike, including the following:- System integrators benef it from

increased flexibility, enabling them to design inte grate d solut ions based on best-of-breed products from different vendors;

- Manufacturers benefit from better market penetration by providing future-proof devices with standard network interfaces; and

- End users benef it from reduced integration costs and lower cost of ownership.

EXCLUSIVE REPORT

May/June ——————————————————————————————— [ACCESS CONTROL TRENDS AND TECHNOLOGY 2010] [S-11]

More customers are looking for seamless integration and the need for non-proprietary technology will continue to necessitate.

Driving access control“IP-based solutions are so attractive

because they tend to scale both up and down so larger enterprise customers can implement them but smaller customers can also use them as a building block approach and start small,” explained Varco.

And with more seamless integration, it ’s no surprise that among one of the hot vertical markets for access control is government.

“What’s driving access control is cer-tainly in the areas where compliance and government regulation are getting into, such as CFATS and the larger petrochemi-cal facilities,” continued Varco. “With HIPPA and other regulations that the healthcare market is facing, it’s about get-ting systems in place both on the access control side as well as other physical secu-rity solutions to help ensure that all of the

regulations are being met.”Healthcare and education are the other

two verticals that Bozeman is also see-ing the majority of projects being shipped to. “And I think they are continuing to do well,” he confirmed. “When you think about it , the government is actually involved in all three of those, so there is money and opportunity there.”

And integrators are continuing to go after those projects. “Since there is not much new growth in access control, install-ers are trying to go after more segments of

the market,” explained Guay. “If an installer typically does a large system, now they’re trying to position their product line differ-ently from a cost point of view to address the smaller systems. And we see that is mainly a function of the overall market real-ly not growing fast enough.”

Good news for the access control mar-ket, both for manufacturers and integra-tors, even particularly for the integrators, is that the margin squeeze and the margin erosion on the access control business has not been as significant as the squeeze and erosion of the video surveillance busi-ness, according to Bozeman. “Video sur-veillance is just getting really, really tough. It is a commodity. And that is having a real impact on the business models of the physical security systems integrators.”

Although there is skepticism for growth in the access control market, it is clear that opportunities do exist and is it about leveraging what is already put in place to continue seeing development in this aspect of security. ■


‘Hot’ Markets for Access ControlMore customers are looking for seam-less integration and three main ver-ticals that continue to drive the need for development in access control are:• Government• Healthcare• Education


M anaged and hosted access control is a game changer�the stimulus if you will�to really drive this market home.

The timing for what sources refer to as this ‘para-digm shift ’ is critical, because recurring monthly revenue (RMR) is at stake, as is the model of the traditional installing company. As products become increasingly commoditized across the board, inte-grators can no longer make the higher profit mar-gins they had been accustomed to from install-ing hardware alone or from long-term monitoring

contracts. They need new avenues of RMR and managed and hosted access control is one way to get it.

Out of the box and into serviceThis is an important fundamental shift in the

way systems integrators do business. They have to become service providers, and that’s a totally differ-ent way of selling�and compensating�the sales force. Sales and installation need training and more IT-centric skills. Integrators have to educate the end

Managed Services �

Darling of RMROutsourced access control services could spark this decades-old market�changing the way integrators do business

By Deborah L. O’Mara

Managed services from G4S are hosted at the Video Monitoring Support and Data Center. Photo courtesy G4S

May/June �� [ACCESS CONTROL TRENDS AND TECHNOLOGY 2010] [S-13]

user with consultative selling on why they need man-aged services. They have to understand fully the capa-bilities and limitations of the access control products they select and what solution fits their service model and that of their customers.

“Installation contractors have to move away from the equipment model or hardware mentality to one that the IT and mobile communications side has embraced for years�and that’s being a service com-pany,” according to Yanik Brunet, director of sales for the Kantech brand of solutions from Tyco Secu-rity Products. “Because margins are so low on equip-ment, it’s difficult to make any real money from prod-uct only and as systems become increasingly com-moditized this will be true up and down the sliding scale of the security solutions environment. Resellers have to concentrate on new ways to get RMR and those include hosted and managed video services and access control managed services. Every adjunct to the business that integrators sell�remote connectivity, convenience, systems management�are all part of the move to garnering RMR under the services type of model,” Brunet said.

Bob Stockwell, director of Systems Operations-U.S. for Niscayah, Duluth, Ga., said the market for managed access control started kicking in several years ago. He said companies with large-scale deployments wanted to “swipe their cards and have it all recorded or man-aged in one place.”

“We are seeing a trend where some users want to outsource the complete management of the system, rather than just some of the databases. Another issue is capital versus operating expense. With managed services, it ’s a monthly operating expense versus what can be a large capital expense,” amortized over multiple years.

Stockwell said end-users want to get out from under the constraints of these big investments as well as the day to day management of access control. “It’s the reverse model of what it used to be with regards to access control. Now some of the users want to get out of that business, even mid-sized companies, not only larger companies want to completely outsource functions,” he said.

Gary Venable, founder and chairman of All Systems Designed Solutions Inc. in Kansas City, Kan., begin offering managed services through Integrator Support about two years ago.

What All Systems did “Nine months ago we hired and trained an RMR

sales team to handle managed services for both access and video plus service agreements and moni-toring. We have over 200 doors under management,” he said.

Venable said the company has worked to educate the end-user, although some get the concept better than others. On the benefits side, once they try the

outsourced services, most keep adding more, he said.

“Cer tainly this ser vice dif-ferentiates us from competitors and continues our tradition of exceptional service and support of our clients,” Venable added. “We see it growing our busi-ness into new areas and enhanc-ing our ability to serve our cli-ents as the next generations of systems come to market.”

Sharon Shaw, vice president of Integrator Support, Westmin-ster, Colo., said security install-ing company owners have been anxious about the decline in profit margins and are grasping the importance of managed ser-vices, while some “pioneers” have been running with the con-cept for some time.

“The marketing and roll out of managed services is a very dif-ferent sell from what many were used to,” Shaw con-tinued. “They were used to selling the system, not the service. The idea with managed access and hosted video is that you have to sell the service first. You can go after the existing customer base and even after a year still have relevant services to bring to them. You have to change your incentive program for your sales consultants as well.”

Shaw added that managed access also allows inte-grators to approach legacy customers with proactive solutions. “Managed and hosted services are the ‘why’ behind IP,” she said.

There’s a tremendous focus on hosted and man-aged services and Software as a Service (SaaS) has been getting a lot of play as well, according to Jerry Cordasco, vice president of Operations for G4S Video Monitoring Support and Data Center, Boston.

“One of the best ways for an integrator to continue to increase their revenue is to get more business from existing customers,” Cordasco said. “As you start add-ing hosted and managed services to your portfolio you are in constant contact and you are always there. That continued contact leads to a much higher probability you will do more business with that customer.” G4S, as a provider of those services at the hosting level, allows the integrators to maintain relationships without being a threat to their business, he added.

Cordasco said there are a number of different types of managed access solutions available on the mar-ket. “Some suppliers provide the hardware and the software as well as the hosting and managing entity. That’s not the model we have chosen. We have the hosting and we give the security integrator access to those services. We are acting as a hosting service to

“We see it [managed services]

growing our business into new areas and

enhancing our ability to serve our clients as the next generations

of systems come to market.”

� Gary Venable, All Systems Designed Solutions Inc.


the integrator who is acting as a managing service to the user. That allows the integrator to be in the revenue stream without the high capital expense,” he said.

Integrators getting into managed services on their own, he said, often have to invest in servers and other equipment and software upgrades, not to men-tion provide skilled staffing. “With us it’s no risk. If they only end up with one customer they’ve made no investment whatsoever,” he said.

Jacky Grimm, Diebold’s director of Security Solu-tions and leader of the Diebold Event Monitoring Center in Canton, Ohio, said managed services broaden the traditional play list of what access con-trol can do and it applies to many different users, from simple to complex scenarios. She concurred that it’s a great way for systems integrators to be in front of their customers and their needs.

“It all depends on the end-user and their available resources as far as what they decide to do,” Grimm said. “The bottom line is that when someone wants access control they want the functionality; the end result that access control is going to get them.”

Grimm said systems integrators have to be mindful of the different types of of ferings and have to think carefully about what model they select, especially i f it means they have to host the ser vers 24/7 from their own facilities. That scenario brings a whole host of new challenges, including costs, security, control and even compli-ance issues.

Acco r din g to J o hn Szczygiel, executive vice president of Brivo Sys-tems LLC in Bethesda, Md., integrators should b ecome educated on the various models for managed access and the potential limitations of some solutions.

“ M a n a g e d s e r v i ce s place constraints on the end-users because they were not built as multi-tenant plat forms,” he continued. “We have a true multi-tenant, multi-user software built from the ground up with com-plete data integrity.”

Other types of software are built for a single user, and then shared, he added. “There needs to be a frank understanding by the dealer of what they are selling and with the user on what they are using,” Szczygiel continued. “Is it a client/server application that is being used as a managed service or is it true SaaS?” Brivo’s product is built on a secure IT model which uses X.509 certificates and authenticates from the edge device (Brivo panel) to the center, eliminat-ing complexities and making the communications secure without opening ports in firewalls, which can often be flagged as a risk by users.

The upside of the market cannot be denied. Man-aged access services provide flexibility in use to the installing company and the end-user, according to John Smith, senior channel marketing manager for Honeywell Access Systems, Milwaukee.

“With managed services, there’s not a single typi-cal type of installation�it’s all over the board and every dealer can decide what’s best for the customer based on the level of accountability desired,” he said. “The value is not about the access control, it’s about the management attributes. That’s how deal-ers should sell it.”

Charlie Powell, SET and corporate sales manager for the Security Integration Group of Koorsen Fire & Security in Indianapolis, which offers different types of managed services for customers, said one of their biggest successes has been with property manage-ment in low-rise real estate or smaller medical offices and similar profile clients. Koorsen Fire & Security has provided managed services for about six years.

“ These smaller customers need access con-trol but maybe they don’t want to own a com-puter at the proper t y and make all that stuf f work and do the updates,” Powell said. “ Typi-cally, managed access users don’t have a big IT department. Even if they do have an IT depart-ment they may think they can manage it cheap-er themselves, but in reality they can’t,” he said. Powell said that in contrast some of the larger medi-cal customers are protective of their network access and usually try to manage the access control systems themselves�and they may have a good business case for doing it that way.

“Managed services are part of the sales process in trying to understand their needs. What are they try-ing to accomplish and what can help get them there? Managed services make a ton of sense and integra-tors can offer it in all sorts of ways.”

Powell said the service really sets Koorsen Fire & Security apart from its competitors. “It differentiates us in a number of ways from the competition. With managed services, we can offer a solution that keeps us in a consultative selling role.” ■

Deborah L. O’Mara is the editor of SD&I magazine. Reach her at [email protected].

“Managed services

make a ton of sense and integrators can offer it in all sorts of ways.”

� Charlie Powell,

Koorsen Fire & Security

[S-18] [ACCESS CONTROL TRENDS AND TECHNOLOGY 2010] �� MAY/JUNE

H ow many keys have you use d so f ar to day? For most of us, this question

calls to mind a limited number of traditional keys that we use at home, to start our car, to open a file cabi-net, and so on. It is relatively easy to keep track of these keys because they are so visible and so frequent-ly needed. And if we do misplace or lose a traditional key, we have a straightforward means of replacing it � we simply call a locksmith or the car dealership, and request a new one. If the loss is due to a theft, we may take the extra precaution of requesting that the lock be re-keyed, so that the stolen key will no longer work.

Ask someone who is responsible for the security of an entire building, or who manages the access privileg-es of a large and varied workforce, about keys and you will get a very different type of response. In today’s corporate security environment, tra-ditional keys have given way to a variety of digital keys inside access tokens such as key cards. Imple -menting secure access control for thousands of doors or other assets, and ensuring that the individuals authorized for access will get it read-ily while everyone else will be kept out is a challenging task. It requires a combination of hardware (often in

Key Management for Physical Access ControlWhether a physical or digital key, policies and practices for their use must be in place

By Tam Hulusi

MAY/JUNE �� [ACCESS CONTROL TRENDS AND TECHNOLOGY 2010] [S-19]

the form of key cards and card read-ers), software, an understanding of digital security and encryption, and carefully developed key management policies and practices.

T his ar t ic le present s an over-view of the decisions and process-es involved in successful physical access control from a key manage-ment perspective.

Key management fundamentalsKeeping track of digital keys is called key management. The purpose of a key management system is to pro-vide the information necessary to enforce a key management policy. The primar y way a key manage -ment system does this is by keeping a cradle-to-grave record of the life of every key, every when, why and how of its creation, use, breach and destruction. That may sound like an impossible task�and it would be if digital keys were managed along the same lines as the traditional keys in our pockets.

IT professionals and key manage-ment vendors have worked for years to design key management systems that will serve the needs of all types and sizes of organizations. A key management system enables you to see and monitor the digital keys that are deployed in your corporation with the same degree of detail as you track your personal keychain, or manage the accounts receivable and other internal systems.

I will focus on the three primary phases in the life of a managed key: key generation, key usage and key breach. While it may be helpful to have in mind the keys inside a smart card such as an HID iCLASS card, these three phases define the life of any managed key, no matter where it is stored or where it is used.

Key generationWhether it is a physical key or a digi-tal key, the management of a key

starts with key generation. You have probably noticed that there are some keys in your pocket or purse that the local hardware store can duplicate and some that it cannot.

In wel l - managed s ystems, key generation takes place in a carefully controlled environment. Each and every key generation is recorded in a permanent log. The log includes when, where, what, why, how and who. In not-so-well-managed sys-tems, no records are made of who is generating keys, why they are being generated, what they going to be used for or how they are going to be protected. A moment’s reflection tells you that unmanaged key gen-eration is the headwater of a river of downstream trouble.

It is during the generation phase that decisions about cryptographic algorithms, key length and key dis-tribution are made. For example, in the smart card case, this is the time to decide questions such as whether cards may share keys for specif ic types of access or whether all keys must be unique.

Key useO ne way the physic al keys and digital keys are exactly alike is that you cannot use them unless you actually possess the key. The obviousness of this statement for physi-cal keys is matched by the lack of obviousness o f t h e s t a t e m e n t f o r digital keys. This stark difference in awareness is due in part to the fact that while we all understand what having a physical key means, it is not so clear what “having” a digital key means in practice.

In both cases, it means that if an interloper takes the key from you while you are in the act of using it, that interloper can subsequent-ly use it too. In particular, in the digital key case, it means that the

key is exposed in its unprotected, unwrapped, unclothed and natural form for everyone to see. That con-stitutes a key breach, which requires remedial action. So protecting the digital key during use becomes a high priority for key management.

Key management is not “fire and forget” � or, in the specif ic case of digital keys, “generate and for-get.” Best-practice key management is a continuous process that moni-tors the health of every key every day and is prepared to take immedi-ate action should the health of a key start to fail. This is one reason why forward-looking companies are start-ing to offer key management servic-es to its access control customers.

Key breachQuite unlike the management of physical keys, the management of digital keys is often disconnected from the physical manifestation of the keys themselves. One area where this becomes most evident is policies

regarding key breaches.Key breach means that some inci-

dent has exposed the key to unau-thorized use. In the case of a physi-cal key, it does not mean necessarily that a malicious person is in posses-sion of the key; and in the case of a digital key, it does not mean that the person knows the value of the key. It just means that somebody can use the key that should not be able to.

In physical reality, key breach can


mean an authorized user losing the key, or somebody making a unau-thorized copy of the key. But physical key breach can also mean getting hold of a master key, learning how to bump a lock, or coming into pos-session of a good set of lock picks. In whatever form, the breach of a physical key � both the breach itself and the harvesting of the breach � will have numerous physical manifes-tations that careful observation has a very good chance of detecting.

It is quite different in digital real-ity. Indeed, one of the most trouble-some � and most ignored � chal-

lenges of digital key management is detecting key breach. Unless some-thing really egregious takes place whose only logical cause could be the compromise of a key, digital key breach may go undiscovered and therefore unaddressed.

Let ’s assume that a key breach has been discovered. In the case of a physical key loss, one remedy is to change all the locks that the breached key f its and then issue a new key to each authorized person. In almost every case, the list of locks

and the list of people are complete-ly known. Knowing the list of locks is usually suff icient, since rekeying the locks will cause the key hold-ers to step forward and request a replacement.

What has to be done in the case of a breached digital key is just as obvious. The key has to be rolled. But doing that for a digital key is as no means as straightforward. First, the responsible key manager has to locate all the places and situations in which the digital key is being used. In the case of a physical access con-trol system, this process might be as easy as in the case of physical key since, after all, the digital door access is replacing a physical lock. In other cases � for example cards used to log- in to computers , or for document encryption and data access � it may not be so easy to find all the breached keys.

Even when an instance of the breached value is found, changing it to a new value can surface pre-viously unacknowledged problems. One problem can be acquiring the authorization to change the key value at all. Just because a digital key is in use does not mean that somebody can be found who can change it. In fact, there are cases in which policy decisions may make it impossible to change the value.

Suppose that somebody in securi-ty or IT can be found that does have the authorization to change the key value. It is highly likely that proce-dures for generating a new key value and for getting it into a form that can be used for key rolling are not frequently practiced even if they are

known. All aspects of key breach detection and key rolling need to be addressed in practice to ensure that the written policies are possible and cost-effective to implement when-ever the need arises.

To reconnect with the realities and practicalities of the key management for digital keys, it may be helpful to work backward from a key breach scenario. The surfacing of a road-block to key rolling and recovery from a key breach well before an actual security issue arises has obvi-ous advantages. It may also help to shine more light on other areas in an existing key management program where policies and practices are less than optimal.

Key management benefitsThis overview of key management processes provides a starting point for evaluating your company’s cur-rent key management prac t ices � whether you are working with a turnkey system from a vendor, or have implemented selected policies internally. It may also raise questions about the value of developing a com-prehensive key management strat-egy. According to BITS, a security

Further Reading

Matt Blaze’s classic paper on master keys is a beautiful case study of the similarities and differences of physical and cryptographic keys: http://www.crypto.com/papers/mk.pdf

MAY/JUNE �� [ACCESS CONTROL TRENDS AND TECHNOLOGY 2010] [S-21]

working group for the financial ser-vices industry, a good key manage-ment program can assist in accom-plishing the following:

• Improve usability and effective-ness of key and key usage;

• Increase reliability and effi-ciency of key structure and key implementation;

• Reduce costs by leveraging com-mon infrastructure and administra-tive processes;

• Reduce complexity and improve transparency by re-using well-defined processes and interfaces;

• Automate manual steps to reduce human error and improve consistency;

• Support a variety of keys con-sumed by a variety of encryption/decryption processes delivered by commercial, open-source and customer-developed applications on multiple platforms;

• Allow for segregation of key man-agement from encryption/decryp-tion operations;

• Improve transparency by aligning and integrating with the business-es processes; and

• Provide evidence of having implemented sound and secure practices.

Strong keys coupled with best-practice key management are at the foundation of token-based access control systems. Strong keys alone are not sufficient. If you are running a keyed security system, then either you buy a key management system and put in place a continuously-run-ning key management process, or you seek a vendor that can provide these ser vices. Running a keyed security system without a key man-agement system underneath should not be considered an option. ■


Tam Hulusi is senior vice president of strate-gic innovation and intellectual property at HID Global, the trusted leader in providing access and ID management solutions for the delivery of secure identity.


P eople reading this special access control guide may have diverse interests and varied business experience levels. Some of you have been installing and servicing large

access control systems for years. Others are just getting started in this exciting, changing field. This article has been written as a guide for those who consider themselves access control ‘begin-ners.’ All details described here are real and are ongoing as this article is being written.

The locksmith company depicted in this article has been in busi-ness for over 75 years and specializes in general locksmithing includ-ing automotive, residential and commercial lock installations and servicing. In the last 10 years there has been a noticeable increase in customer requests for electronic security. Customers are now look-ing for both audit trail reports and ways to limit access according to time and date. Mechanical locks cannot provide these capabilities.

This locksmith company has formerly handled access control system requests by either installing battery-operated single door access control products, or referring customers to other compa-nies. Larger access control projects have been considered either beyond their scope or would require too much time away from their normal type of locksmith work.

Laws in the state where this locksmith is located require a license in order to run low voltage wiring of any type. This has also hampered the possibility of doing major access control jobs. In the past, when this locksmith had jobs requiring wiring for maglock or electric strike installations, wiring work was sub-contracted to a licensed electrician.

Although wireless security products have been available for many years, there have been questions in the past about dependability. Some people have claimed that wireless signals can travel outside the secured area and cause false readings. Others believe that wire-less signals can be intercepted and put to some devious use.

Newer technologies incorporate encoded signals and concerns about false or intercepted signals are now increasingly unfounded. At the same time, additional types of wireless products are now available on the market which serves to open new opportunities for more simplified installations while still providing customers with almost every security option they may require.

Armed with the knowledge that wireless security systems could be a practical choice, the locksmith owner decided to bid on a job requested by one of his regular commercial customers. The job location was a high-rise condominium building with approximately 1,000 tenants. Building management wanted to change approxi-mately one dozen common area doors from a key-operated to a card-operated system.

Wire runs would have had to traverse hundreds of feet in order to control pool areas, parking areas plus front and rear entrance doors. In addition, door construction included solid-core doors, a few alu-minum doors and a Herculite glass door. A wireless access control system seemed to be the best and easiest solution.

A call to a locksmith distributor yielded a list of possible product lines which could be used for the job. After comparing the require-ments for the condominium against available products, the lock-smith soon found that all the suggested product lines might not do the job. As example, one manufacturer had an impressive wireless system, but this manufacturer did not have electronic hardware avail-able for aluminum doors. Another manufacturer had products which would possibly do the job, but parts pricing was not competitive.

Be a problem solverWith a diminishing confidence in choosing the correct approach

for the job, the locksmith contacted local representatives for Ingersoll Rand Security Technologies (IR). IR maintains an office in this par-ticular metropolitan area, and agreed to send an expert out to survey the job. The IR expert used special equipment to check for wireless signal strength between each of the door locations and the location of the wireless receiver. There was some question about both being strong enough signals from the longest wireless runs and about what specific hardware would be used on the Herculite door.

The locksmith then made a decision to work with another locksmith company in the area which is experienced in installing both alarm and access control systems. This locksmith company agreed to survey the job and take the responsibility for choos-ing the correct hardware. If their bid was successful, they also agreed to have employees from both locksmith companies work on the installation. The bid proposal has now been sent to the condominium owners for their approval.

In the final analysis, solving a problem for a regular customer is paramount. Whether a manufacturer or another area locksmith gets the job, the owners’ request will be answered. Every job, large or small, should be a learning experience. This locksmith has gained important knowledge about access control problems and solutions which can be put to good use on the next access control job. The first step has been taken toward entering the profitable arena of electronic access control. ■

By Gale Johnson

Getting Started with Access ControlThere’s a perfect place for this discipline

getting started in access control -...

Documents