From enterprise applications to small businesses, schools, health care facilities and beyond, investments in physical security systems provide valuable resources to help protect people, property and assets – and ultimately the financial security and well-being of the organization. As need and demand for better security has dramatically increased over the years, today’s technology is more software and computer driven, enabling systems to be networked internally or managed externally through cloud computing platforms.

Increased Connectivity

In today’s mobile, connected world, end users expect the ability to view and manage their systems from anywhere at any time, making hosted access control an attractive and economical proposition. Cloud connectivity can provide a linkage between the mobile users and the facilities and systems they want to interact with, whether those systems are in one place or distributed over several locations. And, cloud services can deliver scalable capabilities quickly – often on demand – without the need to purchase, install, or configure any new on-site physical assets, such as servers or workstations.

However, these benefits are not without their drawbacks and potential risks, most notably cybersecurity and the availability of the system and its data. Any system outage, whether the result of a network breach, server failure or other factor, compromises security and could leave an organization vulnerable. The resulting risks could be catastrophic, making it vital that organizations ensure that their access control, video surveillance and other security systems are always up and running. Management concerns over the cybersecurity risks of cloud-based solutions grow with each high-profile data breach that is reported, and with good reason.

Maintaining Critical Functions

As companies move forward with IT and physical security planning, here are some factors to consider and incorporate appropriately into the process.

Step 1: Consider the benefits and risks of cloud-based services objectively

Be honest about how your company functions today, how you want it to function in the future, and how cloud-based services might help get you from here to there. But don’t think that cloud services will solve problems magically – when it comes down to it, cloud services are really just renting hardware and software in somebody else’s facility. There are definitely benefits to renting versus owning, but there are also significant risks. And, incorporating the cloud services into your operation, and/or maintaining them, will continue to take time and resources that will need to be included in your plans.

Step 2: Determine which functions must continue, even in the event of cloud system failure.

This should be an extension of your current business strategy, which already evaluated your essential functions, personnel, etc. Remember that the risks are compounded if the cloud is used to store or process important business data – in the event of a failure, that data may not be accessible or under your control. Be very clear about the procedures and steps you will take if your cloud services go down so you can keep your operations up and running.

Step 3: Implement backup processes to ensure critical business continuity.

Once the intended benefits of cloud services are evaluated in the light of foreseeable risks and critical functions are clearly identified, it is time to put the changes into effect, along with backup and contingency plans that will be triggered in the event of service disruptions. For access control, it is essential to quickly be able to re-load your list of authorized users and permissions so that normal operations can resume as soon as possible after an outage or failure.

Security Applications Of Cloud-Based Services

Most firms are realising that physical security systems, including access control and video surveillance, are critical facility functions that need to be maintained 24/7 under any circumstances. Even so, both of these security applications are current offerings from cloud-based service providers that companies can consider to supplement or outsource their internal functions.

Choosing An Approach

As an example, let’s see how the suggestions in the steps above might affect a firm’s planning for access control. Before we start, we should note that different organizations will have varying risk tolerances, which will contribute to what type of access control solution they choose, on-premises or cloud. There is no single “right” or “wrong” answer for the general question of how to choose the right approach or services; the right answer depends on the specifics of the situation for each firm.

1. Considering Cloud Service Benefits

We would consider the potential benefits of a cloud service for access control, sometimes called ACaaS, for Access Control as a Service. Offerings vary, but might include the provision of a server and software to process access requests, which would interact with the local access controllers via IP connectivity. Thus, it would generally be required for the controllers to support not only IP communications, but also encryption and digital certificates. Older controllers would have to be upgraded if they could not support these functions. Managed access control is a service where the firm pays a third party to administer the access control platform, including such tasks as adding and deleting access rights, printing badges and other credentials, and monitoring for doors that are propped open or forced open.

On the upside, up-front capital costs could be reduced by limiting the amount of purchased hardware, and the ongoing management and maintenance of that hardware is done by the supplier. Depending on the supplier, the ongoing service costs might be based on the number of controlled doors, the number of users or credentials, the number of transactions, or some combination thereof.

On the downside, the list of credentialed users will now reside at the supplier’s location, where it could be subject to tampering, loss and/or theft. And, if the host server must be contacted in order to process a transaction (that is, open a door), then the operation of the system now depends on active and successful communication with the supplier’s off-site server at all times. A complete tradeoff can now be evaluated that compares the cost of owning hardware and software, along with necessary maintenance, and expected usage patterns, to the proposed cost from the cloud supplier and various related contract terms.

2. Potential Risks

It goes without saying that in the event of a cloud-based or premises-based access control failure, people within your facility will still need to be able to exit without the risk of being trapped inside. The question is, how important will it be for people to be granted or denied access based upon the configuration in the database prior to the failure? And, how urgent is adding/deleting authorized users, permissions and the other functions that require access to the host access control software? How much impact would there be on the company if the list of authorized users was altered or stolen by hackers?

3. Contingency Plan

An implementation and backup plan is developed and put into action. For the purpose of this example, let’s assume that ACaaS was approved and put into place. One part of the plan might be to capture complete back-ups of the user database periodically and to store them both on-site and off-site. Another part of the solution might be to select access controllers that have the ability to be battery backed up and hold a copy of the user database and device configuration locally so they can continue to function even in the event of a communication breakdown with the cloud supplier’s server or power outage. By taking this approach, the affected facility would be able to continue operating normally in the event of a communication breakdown or power outage, and update authorized changes after network communications were restored.
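As an added illustration of the contingency plan above (not code from the article or from any vendor), this Python sketch models a controller that falls back to a locally held copy of the user database when the supplier's server is unreachable, loads that copy only if its integrity tag verifies, and uploads its offline decisions once communication is restored. `CloudHost`, `DoorController`, the HMAC-sealed backup format, the key and the badge numbers are all hypothetical and constructed for the example.

```python
import hashlib
import hmac
import json


class HostUnreachable(Exception):
    """Raised when the supplier's server cannot be contacted."""


def seal_snapshot(users, taken_at, key):
    """Serialize the user database and attach an HMAC-SHA256 tag."""
    body = json.dumps({"taken_at": taken_at, "users": users}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def open_snapshot(snapshot, key):
    """Verify the tag before trusting a backup; raise if it was altered."""
    expected = hmac.new(key, snapshot["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, snapshot["tag"]):
        raise ValueError("backup failed integrity check, not loaded")
    return json.loads(snapshot["body"])


class CloudHost:
    """Hypothetical stand-in for the ACaaS supplier's server."""

    def __init__(self, users):
        self.users = users            # credential -> list of permitted doors
        self.online = True
        self.audit_log = []

    def authorize(self, credential, door):
        if not self.online:
            raise HostUnreachable()
        return door in self.users.get(credential, [])

    def upload_events(self, events):
        """Record offline events; return grants the host would now deny."""
        if not self.online:
            raise HostUnreachable()
        self.audit_log.extend(events)
        return [e for e in events
                if e["granted"] and e["door"] not in self.users.get(e["credential"], [])]


class DoorController:
    """Hypothetical controller that keeps a verified local copy of the users."""

    def __init__(self, host, key):
        self.host = host
        self.key = key                # assumption: key is held by the firm, on-site
        self.local_users = {}
        self.pending = []             # decisions made while the host was unreachable

    def load_backup(self, snapshot):
        self.local_users = open_snapshot(snapshot, self.key)["users"]

    def request_entry(self, credential, door):
        try:
            return self.host.authorize(credential, door), "host"
        except HostUnreachable:
            granted = door in self.local_users.get(credential, [])
            self.pending.append({"credential": credential, "door": door, "granted": granted})
            return granted, "local-cache"

    def sync(self):
        """Upload queued events; None means the host is still unreachable."""
        if not self.pending:
            return []
        try:
            stale = self.host.upload_events(self.pending)
        except HostUnreachable:
            return None
        self.pending = []
        return stale


def run_demo():
    key = b"constructed-demo-key"     # constructed sample value
    users = {"badge-1001": ["lobby", "server-room"], "badge-1002": ["lobby"]}
    host = CloudHost(users)
    ctrl = DoorController(host, key)
    backup = seal_snapshot(users, taken_at=1700000000, key=key)

    # A backup altered in storage must be refused.
    tampered = dict(backup, body=backup["body"].replace("badge-1002", "badge-9999"))
    try:
        ctrl.load_backup(tampered)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True
    ctrl.load_backup(backup)

    online = ctrl.request_entry("badge-1002", "lobby")
    host.users["badge-1002"] = []     # rights removed at the host after the backup
    host.online = False               # communication breakdown
    offline = ctrl.request_entry("badge-1002", "lobby")
    offline_denied = ctrl.request_entry("badge-1002", "server-room")
    host.online = True                # communication restored
    stale = ctrl.sync()
    return tamper_rejected, online, offline, offline_denied, stale


if __name__ == "__main__":
    print(run_demo())
```

The demo also shows the cost of the fallback: a credential removed at the host after the last backup is still honored during the outage, so the sync step returns that grant for review.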

Implementing The Best Cloud-Based Plan

Both hardware and software technical advancements continue to provide new options for security management across every vertical market application. When changes are being considered that affect organizational physical and IT security, it is important to evaluate the options carefully.

Choosing an equipment supplier that has designed their products for maximum uptime is critical. This criterion will enable more effective and cost-efficient contingency planning, so you can implement the best plans possible for all your operations.

Author profile

Karen Evans President & Chief Executive Officer, Sielox LLC
