For the past several years, integrators and customers have focused on ensuring that their card-based access control systems are secure. To give businesses an extra incentive to meet their cybersecurity threats, the Federal Trade Commission (FTC) has decided to hold the business community responsible for failing to implement good cybersecurity practices and is now filing lawsuits against those that don't.

For instance, the FTC filed a lawsuit against D-Link and its U.S. subsidiary, alleging that it used inadequate safeguards on its wireless routers and IP cameras that left them vulnerable to hackers.

Now, as companies are learning how to protect card-based systems, such as their access control solutions, along come mobile access credentials and their readers, which use smart phones instead of cards as the vehicle for carrying identification information. Many companies perceive that they are safer with a card but, if done correctly, the mobile can be a far more secure option with many more features to be leveraged.

Handsets deliver biometric capture and comparison as well as an array of communication capabilities from cellular and Wi-Fi to Bluetooth LE and NFC. As far as security goes, the soft credential, by definition, is already a multi-factor solution.

Types Of Access Control Authentication

Access control authenticates you by checking one of three things:

  • Recognises something you have (RFID tag/card/key),
  • Recognises something you know (PIN) or
  • Recognises something you are (biometrics).

Your smart phone has all three authentication parameters. This soft credential, by definition, is already a multi-factor solution. Your mobile credentials remain protected behind a smart phone's security parameters, such as biometrics and PINs. Once a biometric, PIN or password is entered to access the phone, the user automatically has set up 2-factor access control verification - what you know and what you have or what you have and a second form of what you have.

To emphasize, one cannot have access to the credential without having access to the phone. If the phone doesn’t work, the credential doesn’t work. The credential operates just like any other app on the phone. The phone must be “on and unlocked.” These two factors – availability and built-in multi-factor verification – are why organizations want to use smart phones in their upcoming access control implementations.

Smart Phone Access Control Is Secure

Plus, once a mobile credential is installed on a smart phone, it cannot be re-installed on another smart phone. You can think of a soft credential as being securely linked to a specific smart phone. Similar to a card, if a smart phone is lost, damaged or stolen, the process should be the same as with a traditional physical access credential. It should be immediately deactivated in the access control management software - with a new credential issued as a replacement.


Leading readers additionally use AES encryption when transferring data. Since the Certified Common Criteria EAL5+ Computer Interface Standard provides increased hardware cybersecurity, these readers resist skimming, eavesdropping and replay attacks.

When the new mobile system leverages the Security Industry Association's (SIA) Open Supervised Device Protocol (OSDP), it also will interface easily with control panels or other security management systems, fostering interoperability among security devices.

Likewise, new soft systems do not require the disclosure of any sensitive end-user personal data. All that should be needed to activate newer systems is simply the phone number of the smart phone.

Bluetooth And NFC The Safer Options

Bottom line - both Bluetooth and NFC credentials are safer than hard credentials. The difference in read range has very practical security consequences. First of all, when it comes to cybersecurity, there are advantages to a closer read range. NFC eliminates any chance of the smart phone being read without the user's knowledge, as can happen with a longer read range.

There are also those applications where multiple access readers are installed very near to one another because many doors are close together. One reader could open multiple doors simultaneously. The shorter read range or tap of an NFC-enabled device would stop such problems. However, with this said in defense of NFC, it must also be understood that Bluetooth-enabled readers can provide various read ranges, including those of no longer than a tap as well.

One needs to understand that there are also advantages to a longer reader range capability. Since NFC readers have such a short and limited read range, they must be mounted on the unsecure side of the door and encounter all the problems such exposure can breed. Conversely, Bluetooth readers mount on the secure sides of doors and can be kept protected out of sight.

Aging Systems Could Cause Problems

With that said, be aware. Some older Bluetooth-enabled systems force the user to register themselves and their integrators for every application. Door access – register. Parking access – register again. Data access – register again, etc.

Newer solutions provide an easier way to distribute credentials with features that allow the user to register only once and need no other portal accounts or activation features. By removing these additional information disclosures, vendors have eliminated privacy concerns that have been slowing down acceptance of mobile access systems.

In addition, you don’t want hackers listening to your Bluetooth transmissions, replaying them and getting into your building, so make very sure that the system is immunised against such replays. That’s simple to do. Your manufacturer will show you which system will be best for each application. Research shows that Bluetooth enabled smart phones are continuing to expand in use to the point where those not having them are already the exceptions. They are unquestionably going to be a major component in physical and logical access control.
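
One common way to make a reader immune to the replays described above is a challenge-response exchange, shown here as an added example that is not any vendor's protocol or code from the article. The `Reader` class, `phone_response`, the credential ID and the 5-second challenge lifetime are assumptions, and HMAC-SHA256 from the Python standard library stands in for the AES-based scheme the article mentions.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL_S = 5.0  # assumed lifetime of a challenge, in seconds


def phone_response(key, credential_id, nonce):
    """Phone side: prove possession of the enrolled key for this one challenge."""
    return hmac.new(key, nonce + credential_id.encode(), hashlib.sha256).digest()


class Reader:
    """Hypothetical reader/controller holding one secret per enrolled phone."""

    def __init__(self):
        self._keys = {}      # credential_id -> 32-byte key shared with one phone
        self._revoked = set()
        self._pending = {}   # credential_id -> (nonce, expiry time)

    def enroll(self, credential_id):
        # The key is generated once and handed to a single phone at enrolment.
        key = secrets.token_bytes(32)
        self._keys[credential_id] = key
        return key

    def revoke(self, credential_id):
        # Lost, damaged or stolen phone: deactivate in the management software.
        self._revoked.add(credential_id)
        self._pending.pop(credential_id, None)

    def challenge(self, credential_id, now=None):
        now = time.monotonic() if now is None else now
        nonce = secrets.token_bytes(16)  # fresh and unpredictable every time
        self._pending[credential_id] = (nonce, now + CHALLENGE_TTL_S)
        return nonce

    def verify(self, credential_id, response, now=None):
        now = time.monotonic() if now is None else now
        # pop() makes every challenge single-use, even when verification fails.
        nonce, expires = self._pending.pop(credential_id, (None, 0.0))
        key = self._keys.get(credential_id)
        if nonce is None or key is None:
            return False
        if credential_id in self._revoked or now > expires:
            return False
        expected = hmac.new(key, nonce + credential_id.encode(),
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    """Run the exchange with a constructed credential and return each outcome."""
    cred = "cred-0001"  # constructed sample identifier
    reader = Reader()
    key = reader.enroll(cred)
    results = {}

    # 1. Legitimate unlock: the phone answers the reader's fresh challenge.
    nonce = reader.challenge(cred, now=100.0)
    captured = phone_response(key, cred, nonce)  # what an eavesdropper records
    results["legitimate"] = reader.verify(cred, captured, now=101.0)

    # 2. The recorded answer is sent again with no challenge outstanding.
    results["replay_no_challenge"] = reader.verify(cred, captured, now=102.0)

    # 3. The recorded answer is sent in reply to a new challenge.
    reader.challenge(cred, now=103.0)
    results["replay_new_challenge"] = reader.verify(cred, captured, now=104.0)

    # 4. A correct answer that arrives after the challenge has expired.
    nonce = reader.challenge(cred, now=200.0)
    late = phone_response(key, cred, nonce)
    results["stale_challenge"] = reader.verify(
        cred, late, now=200.0 + CHALLENGE_TTL_S + 1.0)

    # 5. The credential is revoked; even a correct, timely answer is refused.
    reader.revoke(cred)
    nonce = reader.challenge(cred, now=300.0)
    results["after_revocation"] = reader.verify(
        cred, phone_response(key, cred, nonce), now=301.0)
    return results


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:22s} accepted={accepted}")
```

When evaluating a system, the properties to ask about are the ones this exercises: a fresh challenge per transaction, single use, a short lifetime, and a revocation check on every attempt.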

Gartner suggests that, by 2020, 20 percent of organizations will use mobile credentials for physical access in place of traditional ID cards. Let’s rephrase that last sentence. In less than 18 months, one-fifth of all organizations will use the smart phone as the focal point of their electronic access control systems. Not proximity. Not smart cards. Phones!
