A fake ID card can get a college student access to a six-pack of beer and entrance to the local watering hole. But there are some situations involving false credentials were the risks are much, much greater, such as when a potential criminal forges identification cards to allow them access to sensitive areas or critical information, putting people and businesses at significant risk.
Unfortunately, technological advances are making it easier for people to counterfeit credentials and gain access to restricted sites. And concerns about events such as 9/11 and its aftermath have brought that all-too-clearly into focus.
That’s why the U.S. government in 2004 implemented HSPD-12, the common identification standard that covers credentialing for government employees and contractors. Those same secure credentials and physical access control systems (PACS) that are deployed at critical infrastructure nationwide are now garnering a closer look from those in other segments of business.
Why should commercial organizations consider adopting some of the government’s secure credentialing measures? Think about how closely some commercial sectors parallel those in government, especially finance, healthcare and energy.
The last thing someone wants to think about in a hospital is if a doctor, nurse or other healthcare worker is someone other than who they say they are, or that they are able to falsely gain access to medical records, drug rooms or other secure areas. The same is true within energy plants where we want the highest level of assurance that the access control credentialing being used can deny access to people who could manipulate the servers that control the energy supply. And on the financial front, high assurance security credentials can help keep out criminals who could potentially gain unauthorized access and steal personal information from credit card providers, banks or similar agencies.
Most legacy card readers do not test the authenticity of the card. Adding a challenge and response to the transaction when a card is presented — as is required with governmental IDs — makes it a more secure operation. If a card is a clone or fake, a challenge and response can identify that and then immediately tell the PACS to deny access. There are other options too, such as multifactor authentication, which incorporate biometric technology and RFID.
So how can you ensure your organization has the most secure credentialing option? First there needs to be a review of what is currently in place and what means it would take to improve upon it. It may be a matter of changing out the reader, the card and the reader, or switching out the entire system, including the panel depending on factors such as the age of the system, level of security and type of cards used. There may also be IT system upgrades that would be required.
Fortunately, as governmental entities have rolled out their secure credential programs, those in the commercial sector have the opportunity to leverage that development as outlined in the latest FIPS 201 (Federal Information Processing Standards Publication Series) directive.
If your company or customer is seeking to improve their credentialing system, making it safer and more secure against attacks, then please consider participating in June 20th webinar at 2pm EDT, “Lessons Learned from PACS deployments in Government Applications” where we’ll explore the credential vetting processes; various card, badging, and biometric options; logical access control; and more. Even if you can't make it, register and you'll receive a link to watch a recording of the webinar afterwards.
What concerns you most about PACS in your commercial environment? Please leave your concern below as a comment to discuss.
According to the Global Retail Theft Barometer (GRTB), shrinkage losses in North America accounted for roughly $35.28 billion in 2011. That’s 1.42% when expressed as a percentage of retail sales (at retail prices). Those are staggering statistics. The main sources of retail shrinkage are shoplifting, theft by employees, theft/fraud by vendors and suppliers, and process failures and accounting/procedural errors. All of these can happen throughout the lifecycle of a product.
So, the next time you walk into a retail store, give this some thought. Most products you see on the shelf or hanging on the rack already have an indelible security footprint that originates at their development, and continues all the way through their production in the manufacturing plant and finally to their retail display. This is all done to combat the continued threat of retail loss through shrinkage.
This holistic, life cycle approach ensures not only the security of the item itself, but also benefits the stakeholders involved: manufacturer, distributor, retailer, and end user. The same video surveillance, access control, intrusion, and fire systems deployed to protect merchandise are beneficial to the people who create, move, and sell that item as well.
Take, for example, a high-end electronic mobile device such as a Smartphone, tablet, or laptop. At the manufacturing site, video surveillance is employed to view that item as it rolls down the production line, as well as while it is packaged and readied for shipment. Meanwhile, that same video system can also be used to measure productivity, record a workplace accident, or deter or detect a crime.
Increasingly, an Electronic Article Surveillance (EAS) tag is included at the manufacturing site and stays with the product throughout its journey from plant to distribution warehouse to retail store. Linked in with video and EAS tagging can also be access control, intrusion, and fire systems that provide an added level of protection for products, people and the corporation — all of which are part of this holistic approach.
As the smartphone or laptop moves along its pathway to a consumer’s home, it will likely reside in a warehouse, and then be shipped to a retail site where it is placed on a shelf or stored in a backroom. At both the warehouse and the retail level, that EAS tag becomes an alert system that can tell the distribution center or store personnel if it is being stolen by triggering an alarm when it passes a checkpoint without being disarmed. But in addition to providing a safeguard for the product, the pedestal that monitors the EAS tag can itself also be used to track the movement of people, indicating the need for more staff at store level, for instance.
By bringing together all of these systems, which can be monitored from a central location, the company can react more quickly and efficiently to potential issues. If there is a fire at one warehouse, and the system sends that alert to headquarters, video can be used to verify the alarm and an intercom system can send out pre-determined messages about where to go and what to do. Additionally, products that may be in transit to that warehouse can be diverted to another location, or production put on hold until the gravity of the situation is accessed.
At store level, video from a theft at one store can be viewed and analyzed to prevent a similar situation at other locations, as well as provide information on the perpetrator so it can be shared with personnel throughout the retail chain.
The ability to tie together systems from beginning to end can be a boon to any company, whether it’s a large retail entity or a standalone store. Having consistency throughout the process is likely to pay dividends down the road because of the ability to prepare for and react to a wide range of scenarios.
To learn about the best practices of a unified system, the possible pitfalls to avoid, and how it works for day-to-day business and in a crisis, please watch our recorded webinar on a holistic approach to retail security.
What are you biggest security concerns in the retail market? Please leave me a comment to discuss.
Many in the security industry, specifically those involved in developing and installing credentialing systems, are keenly awaiting the final review and approval by the United States National Institute of Standards and Technology (NIST) of FIPS 201-2, also known as the Federal Information Processing Standards Publication Series, the latest incarnation of the U.S. government directive that requires federal employees and contractors to be identified and authenticated to gain access to Federal facilities and information systems.
More than half a year has passed since NIST released a revised draft of FIPS 201-2 (PDF). Since its inception in 2005, FIPS 201 has provided federal agencies with guidance as to how to comply with Homeland Security Presidential Directive 12, or HSPD-12.
The next incarnation of FIPS 201 (FIPS 201-2) is expected to be released early this year and brings the potential for a host of changes aimed to make credentials for government employees and contractors more secure and to increase its usability.
FIPS 201-2 key benefits include:
- Increased interoperability because of the mandatory requirement of Card Authentication Key (CAK) technology
- Introduction of IRIS technology, which extends biometric fidelity
- Improved security through mandatory electronic verification of PIV (Personal Identity Verification) credentials (e.g. visual checks solely are no longer allowed).
As security practitioners await a decision, it’s important to know how these potential changes could impact customers and the access control systems in use at their facilities.
First, security professionals should know that one of the major initiatives by the government is to assure that Physical Access Control Systems (PACS) meet the government’s requirements for FIPS 201 and PIV/FICAM capable. This means that the systems will be required to undergo rigorous compliance testing of the entire access control “platform.” The certification will require that the system head-end software, control panels, readers, and PIV credentials be tested as a complete system.
Secondly, OMB M-11-11 has accelerated the adoption of Public Key Infrastructure, or PKI-based PACS resulting in a critical need for manufacturers to demonstrate requirements adherence, interoperability and performance in high assurance, ICAM (Identity, Credential and Access Management) compliant environments. These new access control systems are sophisticated, multi-vendor supplied PACS. Early adopters of these PACS often experience non-interoperable and non-conformant systems.
So what is a systems integrator to do to ensure the deployment of systems that are end-to-end, PIV/FICAM capable?
One valuable resource to turn to is CertiPath, an independent testing lab that currently certifies end-to-end, PIV/FICAM capable. Many U.S. government agencies and commercial companies rely upon the Certified Products List (CPL).
As a company, Tyco Security Products is proud that the Software House C•CURE 9000 system has successfully completed this testing and has been certified through CertiPath, joining a select list of trusted PACS, validation service and reader manufacturers.
As you continue to address credentialing at the U.S. government level, make sure you stay abreast of the latest developments relating to FIPS 201-2 and its impact on the solutions you plan to deploy.
Thinking about migrating your Government site to an Enterprise Security System? Download this informative white paper for helpful information to first consider.
Are you finding any barriers to ensuring your PACS meets and continues to meet government credentialing requirements? Please leave me a comment below.
Posted by
Rick Focke on Fri, Apr 12, 2013 @ 06:04 PM
Providing power to an access control system has always meant multiple, specialized DC power supplies for controllers and locks, each with their own battery backup requirements. As access control moves towards the edge with small, smart IP controllers at each door, a new option is gaining traction – PoE, or Power over Ethernet.
Because PoE provides power and data through a single cable, it is especially suited for new construction, where CAT-5 network cabling can be easily run to each door. While often associated with Voice over IP phones, IP surveillance cameras and wireless access points, PoE is becoming a more commonly accepted method for powering access controllers, readers, and yes, even locks.
As the trend toward intelligent network devices at the edge grows, this lends itself to a higher reliance on PoE. Thus, knowing that this is the way the industry is moving means it’s important to have a good understanding of PoE and how it will work for access control.
Clearly, there are benefits to PoE, not the least of which is that it can save money for most installations by taking advantage of the economical CAT-5 cable. Instead of paying to have power run to each door, integrators can make use of the existing PoE infrastructure, especially in new buildings. Additionally, there can be some savings as installations get away from relying on numerous battery setups, especially for locking systems, and move instead to PoE.
As with any installation, planning is going to be critical. Standard PoE provides 15 watts on each port, so knowing how much power each device uses will dictate your needs. A single door controller, for instance, will work well in a PoE setting, while a controller that provides both card-in and card-out functions, or one that uses biometric readers, is going to require more power.
PoE Plus ups the power ante to 30 watts per port, but some devices may not be rated for PoE Plus so, again, it’s important to have that data in hand when planning the installation.
The next generation of PoE — in the form of PoE Ultra — will be at least 50 to 60 watts, up to possibly 90 watts, thus being able to support more locks and even more powerful readers, ensuring PoE will be a viable option well into the future.
Devising a more efficient installation, while also staying competitive on costs, is driving many integrators and their customers to explore PoE.
Want to learn about the benefits of implementing PoE with Access Control?
Learn the basics of PoE, PoE standards, benefits of PoE, PoE within access control and avoiding the pitfalls, and the future of PoE by watching a recording of my PoE opens new doors webinar.
Here are just a few testimonials we received after the live webinar concluded:
- "Thanks for a really informative webinar. The information on the Midspan power was really helpful. As a matter of fact, I used that knowledge today to figure the needs for a 16 camera installation we just received." - Paul Abbott, RCDD | Simplexgrinnell
- "I found the webinar was extremely well presented and very informative. Please pass on my thanks to Rick who was my tutor when I got my C•CURE 800/8000 certification."
- Barry Dawson | Tech Systems, Inc
How are you using PoE at your business? Please leave me a comment below.
Intellectual property theft. Burglaries. Regulatory compliance. Disgruntled employees. Shrinking budgets. The growing complexities of today’s business climate means that not only are we doing more with less, but that security is playing an unprecedented role in ensuring that businesses keep their people, places, and information safe from harm.
Combatting these threats requires a sophisticated array of tools to help security personnel manage these risks. From advancements in video surveillance that allow a security director to view video and control cameras around the world from a mobile device, to asset tracking tools that deliver real-time information about the location of staff or equipment, these technologies are consistently raising the bar of what we can accomplish.
While there’s little doubt that the capabilities of technology are nearly limitless, these sophisticated features can sometimes do more harm than good to a security system if implemented poorly. Instead of making it easier for end users to manage, they can instead add unnecessary levels of complexity to the security system.
That complexity is in sharp contrast to the growing simplicity of consumer devices, driven by the engineering prowess of the likes of Apple and Google, that have transformed how we use technology in our every day lives. Today’s security technology is also following this trend, mirroring the clean, intuitive, yet sophisticated user interfaces we’ve all become accustomed to. In other words, the popular KISS premise — Keep It Simple, Stupid — applies now more than ever.
The trend is recognized in a recent report from IMS Research on Video Surveillance Trends for 2013. Citing that the video surveillance market can be complex at times, IMS Research predicts that in 2013 manufacturers will focus on making systems “more straightforward” and will focus on making products that are “easy to install, easy to operate, and easy to maintain.”
Some providers that offer security management systems, VMS or even next generation intrusion detection systems have incorporated this vision of a seamless user experience into their next generation of technology offerings.
For example, the introduction of unified technology platforms that combine functions like video, access, and life safety functions into a single, shared system, has helped to simplify many mid-to-large scale projects. This provides security directors with simple, intuitive user interfaces and seamless operations between the different disciplines within the system.
Rather than relying on various forms of interfaces for communication, a unified platform ensures that the core video, access and intrusion functions, as well as other ancillary functions such as real time location systems, are unified at the operating level. This goes a long way in reducing training on multiple interfaces.
These native integrations also exist for smaller scale projects as well, with a more plug and play approach for easy deployment and reduced installation costs for the end user.
Access to mobile applications that give end users remote access to their systems from any mobile device will continue to be an important trend and customer expectations will drive development for the foreseeable future. The key will be apps targeted for specific usage scenarios, rather than being a stripped down version of a thick client.
The changes are being driven at the device level as well, through innovative touch screen technology that is further streamlining the user experience. Technology providers who respond to these trends will be well positioned for the future as the trend toward simplicity continues.
Visit booth #20009 at ISC West in Las Vegas, NV, USA - April 10-12, 2013 to learn more about Tyco Security Products’ approach to simplicity, unification, and future technology.
What changes are you noticing that will affect the future of the Security industry? I would love to hear your thoughts in the comments below.
Posted by
Tim Myers on Thu, Feb 21, 2013 @ 04:29 PM
Ahhh…simplicity. That’s what comes to mind for many when the topic turns to wireless intrusion systems. No cables to deal with, no drilling through cinderblock, no multi-day installations.
But even these systems come with some caveats for installers. So consider these tips when embarking on a wireless system.
Tip 1: Select the Proper Mounting Location
The location for mounting a device is one of the most important aspects of installing a wireless intrusion system. There is nothing worse than climbing a ladder, mounting a device and finding out later it doesn’t adequately communicate with the control panel.
So, what’s an installer to do? Perform a placement test to ensure the panel can communicate with a particular wireless device, such as a keypad or motion detector. These tests are as simple as pushing a button to test the device while it is held up near a specific location. Today, some devices come with an LED light designed to glow green to affirm mounting location or red if it is not optimal.
Tip 2: Take Interfering Sources into Consideration
If a device will be in a smaller home or in an area with an abundance of radio frequency signals, it is important to understand that additional RF noise can impact the overall range. Even smartphones and tablets can interfere with a wireless security device’s ability to communicate to the control panel.
Also, stay clear of mounting a wireless device on or too close to an electrical box. The alternating current can interfere with the device, while the metal box can alter the characteristics of the antenna on each device, thereby reducing range.
If there is interference, a wireless repeater can be used to increase the range and transmission capabilities of the wireless system.
Tip 3: Know the Environment
Today, home and small business owners like to think outside the box when installing a security system, expanding the boundaries to include pool houses, sheds and garages. And this is doable, as long as you take into account the environmental characteristics of a device and if it is rated for outdoor use. Devices that aren’t rated to operate in extremely cold weather environments won’t function properly. The same holds true for exposure to rain and moisture.
Tip 4: Understand the Range & Battery Life
While the overall range of wireless systems has increased significantly in recent years, it is still important to know the range limitations of the system you plan to install. A wireless intrusion system rated for an area of less than 3,000 square feet will not be adequate for a 5,000 square-foot home. Range can also have an impact on the mounting location selected. Consider the headache for the homeowner if a mislocated PIR sensor near a large picture window sounds every time someone walks by the window.
By keeping these few points in mind, you can ensure an easy installation process and installers can deliver a reliable system to their customers.
What other tips would you add to this list? Please leave them in the comments section below.
Taking a page from the Boy Scout manual, companies considering migration to an enterprise security system should heed the call: Be prepared. Knowing what resources are available, who the key players are in getting you from beginning to end, and what goes into developing a successful migration plan are key parts of the process.
Too often, however, the excitement over what an enterprise solution — defined here as achieving central control over an access control system that spans multiple facilities — can mean to the success of the organization once it’s up and running is overshadowed by how the progression from start to finish is best handled. There can be bumps along the way, and it’s always prudent to go into the undertaking with eyes wide open and a playbook in hand.
Many experts would agree that a good way to start is to first define the operational paradigm for your business, taking into consideration how the migration will impact and improve your administrative, reporting and monitoring processes. And don’t forget about scalability: If you aren’t forecasting the volume of activity associated with your enterprise system, you may be shortchanging the underlying architecture.
Another possible pitfall is poor coordination among vendors or, internally, between departments. By its very nature, an enterprise system is going to involve multiple partners and multiple sites that will require coordination by your IT and security teams. Are you prepared to undertake this, or will you rely on a third party to get the job done?
As we said at the outset, preparation is the key, and nothing should happen without a plan, a team and a solid foundation that begins with knowing what you have now and where you’re headed. You can never know too much about what exists in terms of equipment, firewalls, data and policies, nor can you be too vigilant about ensuring a smooth transition once all the pieces are in place.
We encourage you to download our guide, “Key Pitfalls to Avoid When Migrating to an Enterprise Solution” and familiarize yourself with the ways in which you can make the migration to an enterprise solution easier and more successful for your business. Being prepared will pay dividends in the long run!
What pitfalls concern you about migrating to a robust enterprise security solution? Please leave me a comment below.
The traditional approach to access control involves concentrating all system intelligence in a central server. But with new access control technology that pushes intelligence to the edge, that traditional approach, along with the industry, is being revolutionized.
For years there have been many driving forces towards edge devices. In access control security these include the development of TCP/IP connectivity and web based technology, the acceptance of communication standards, as well as a major change in the way security systems are viewed.
The strength of IP networks today enables Ethernet connectivity to quickly transport real time data from the server to a local device, and vice versa. In an intelligent access terminal at the door, IP connectivity means a single cable can be used for both integrated intercom and access control functionality.
New acceptance of communication standards has also made possible the use of access control edge devices. Now, ‘SIP/VoIP’ protocol can be utilized to achieve integrated Voice over IP (VoIP) intercom functionality and a secure web portal can enable server-based applications to run on an access terminal directly at the door.
The shift in the way traditional access control systems are viewed; with IT managers and security managers working closer together, this means that security management systems now need to be extremely user friendly and do so much more than was previously required.
These driving forces are pushing access control systems to offer users nearly unlimited flexibility and more power to drive additional functions.
Bringing true security intelligence to the edge of the network, the Intelligent Access Terminal goes beyond securing premises to empower users, improve overall business needs and increase operational efficiencies in a variety of ways.
With remote applications available at the door instead of limited to a client PC, various levels of security intelligence are available, depending on cardholder permissions. System Installers could have access to device settings at the door for configuring door opening/closing times or to check which system readers are online. End Users could have access to scheduled visitor lists, time & attendance data or have the ability to change their own Personal Identification Number (PIN) at the door. For Security Personnel, these remote applications provide access to muster-zone intelligence to check area occupancy in the event of a health & safety hazard, or remote views of cardholder images and access levels at the door for visual confirmation of cardholder IDs during spot checks.
With the technology now available to bring server based intelligence to the door, the possibilities of remote applications are seemingly endless.
Learn more about the revolution of access control intelligence at the edge by watching a recording of my webinar security intelligence at the edge.
What concerns you the most about Edge Devices in Security? Please leave me a comment below.
In the conventional world, those who rely on the time-honored traditional model of access control are often limited by the size of the server that supports it, the version of their operating system and the reliability and accuracy of their back-up plan.
But in the cloud, these issues disappear. Need to control 10 doors, 100, maybe a couple thousand? That’s all possible in a cloud-based application, where capacity is rarely an issue. Similarly, those who opt for a managed, hosted or hybrid access control platform are ensured that basic but critical maintenance, such as regular back ups and software upgrades, are taken care of because their data is residing on secure, cloud-based servers.
And that’s important because the majority of end users are woefully undertrained when it comes to system updates and back-up processes. Up to 90 percent don’t perform regular back ups, risking the loss of data and the likelihood of incurring costly, lengthy service calls from their integrator who will have to rebuild the system when it crashes.
So, rather than focusing on keeping the system up-to-date and in working order, end users with entrée to cloud-based offerings in the access control world can now shift their concentration to how best to interface with this system and make it work for them.
One of the greatest developments within the past few years has been the creation and growth of the mobile application. Via Android and Apple smartphones or tablets, it’s now possible to perform the same functions that used to take place in front of the computer screen. Via mobile app, security professionals can execute tasks within the access system such as controlling doors, elevators, inputs and relays; updating and managing the card database, including adding and deleting individuals and updating photos, generating reports, and viewing event history.
Additionally, via new web-delivered applications, customers can connect using a web browser, which eliminates worries about updating software and investing in the labor to do so.
Operating in the cloud may bring with it some concerns about the security of the data, but with the high levels of encryption that are used, these information security issues are easily addressed.
With those assurances in place, security directors can turn their attention to the benefits they’ll see, starting with reduced infrastructure expenses — no need to invest in the latest PCs and software as everything resides in the cloud — and continuing with lower manpower, maintenance and training costs.
If you are interested in learning more about access control as a virtual model, please consider watching a recording of my recent webinar on cloud-based managed access (you must register for webinar to watch recording.) You may also want to check out a colleague’s article and subsequent webinar on working in the cloud.
What areas of cloud-based security are of most interest to you? Leave me a comment with your request.
Posted by
Chris Ryan on Thu, Jan 03, 2013 @ 09:19 AM
Tablets, smartphones and the mobile apps that can be used on these devices are increasingly the technology of choice for business and personal use, including the physical security industry.
Within our industry, demand for apps is high, even though implementation is still relatively low. Integrators can lose a job if the products they offer don’t have a related app, and asking for an app has become second nature. In response, companies are developing apps to complement the products they sell, making the systems, whether for surveillance, access control or home security, more interactive and the information provided by them more immediately useful.
Where companies are seeing the greatest level of app adoption is in settings where the number of cameras is still relatively small, and where coordination with the IT department is minimal, if at all required. The challenge often comes with large sites that need to comply with IT department policies and coordination. This can limit the opportunity to use mobile apps because it involves providing access to ports.
Still in its infancy, app usage is expected to become more widespread as the functionality they provide continues to evolve.
So what are some of the key features that the latest round of security apps, version 2.0 if you will, are providing, and how have apps evolved?
One major progression is that apps are no longer being developed as replacements for the overall functionality of the desktop system. An app isn’t meant to be a substitute for a complete access control or video surveillance system. Rather, it’s designed to tackle unique applications that can enhance the overall system, taking advantage of the technology provided by the smartphone or tablet format. Using a phone for monitoring is very different than sitting at a bank of monitors, so the application should reflect that difference.
With that in mind, what the industry is seeing in the surveillance arena is a demand for apps that can allow security officers to view live video from any camera within the system, or recorded video from an NVR or DVR. Via a mobile app, the security officer can view recorded video from any location, managing the playback by selecting the date and time they want to evaluate
Increasingly, police departments are requiring verification of certain events, such as the triggering of a home or business alarm, before they respond. The police department in San Jose, Calif., for example, instituted such a policy in January 2012, requiring a verified audio, video or eyewitness account of a crime that was occurring or had occurred. Through a mobile app, homeowners can view their residence and business owners their corporate address, and verify that the alarm isn’t a false one. If needed, the video could be shared with police.
Video that can be viewed live or recorded via an app is helping to increase general productivity and profitability when applied to non-security situations. A business owner, for instance, can call up a live feed to check on the status of inventory, or determine if additional employees are needed to service customers.
However, with increased reliance on video comes the issue of managing bandwidth. The advent of 3G and 4G networks has made it easier to view video on a mobile device. Nevertheless, the fastest growing trend in security — high-resolution, megapixel cameras — requires more bandwidth than a typical mobile network can support. Mobile app users need to think about ways to manage bandwidth, such as deploying additional hardware that allow them to dynamically reduce the resolution or change the frame rate of a video stream to get the video across the mobile network.
Fortunately, companies are continuing to refine their physical security products to meet the demands of the mobile device end user. Issues such as bandwidth management will be addressed as the camera or encoder is designed, rather than creating a product and then expecting the user to adapt to its limitations.
Please leave me a comment below with an example of how you are or would like to use mobile apps for physical security.