by Alan S. Brown
Access control has changed a lot since the days when a 200-pound bouncer with a club in his hand would guard the door, says consultant Ray Bernard of Lake Forest, Calif.
What started out as the most low-tech of jobs has become a dazzling showcase of high technology. In addition to such technology leaders as Honeywell, Siemens and Johnson Controls, which got their start automating factories, the field has attracted sophisticated software developers. Many would agree with Rudy Prokupets, cofounder of Lenel Systems International of Pittsford, N.Y., when he says, "We're actually an information technology company that just happens to be in security."
Today, vendors are racing to introduce new, better, easier-to-use and cheaper technology. Today, even a basic access control system consists of a door or turnstile to control entrance; credentials, such as swipe cards and/or personal identification numbers (PINs); credential readers; and a control system that decides whether to let you in or alert the security guard, says consultant Jim Gompers of Belleville, Ill.
Bells & Whistles
State-of-the-art systems incorporate digital video, biometrics, intrusion detection, smart doors and checkpoints to ensure that guards patrol the premises. They link to corporate databases and control such building functions as lighting, elevators and heating and air conditioning systems.
What really sets these newer systems apart is their intelligence. They manage credentials through the corporate human resource (HR) database. This lets security managers grant clearance to entire categories of workers based on their roles. All computer technicians, for example, may have access to computer rooms but not the warehouse. Warehouse workers, on the other hand, cannot walk into the executive suite.
"When an employee is terminated, all clearances are immediately revoked," says Amy Driver of access control systems developer Interactive Technologies Inc. of North St. Paul, Minn.
"If he or she tries to reenter the building and swipes the card, it immediately sets off an alarm. A video camera automatically captures the incident as an alarm event. It pops to the top of the control screen and alerts the security administrator, who can then look at the video and see what's going on." Some systems provide floor plans and even prompt guards on how to handle the situation.
New types of software may even help prevent crimes before they occur, say Gompers and Driver. Behavioral analysis or digital sentry software can track behavior to determine if it presents a risk.
Software can spot unusual behavior. If someone is running up the stairs during a fire drill, it can tag him. It automatically detects cars that sit in the same place too long, or someone loitering in a stairwell. Some software tracks objects that enter a space together and then separate, and will trigger an alarm if someone puts down a bag and walks away.
Access control systems may soon help reduce insider hacking, which accounts for most computer crimes, says John Fenske of Honeywell NexWatch Systems, which markets security systems to large corporations.
"The next step is to use the same card that allows me to enter the building to access the computer. If someone tries to log into the computer but did not enter the building, it's going to trigger an alarm. We'll also have an audit trail not only of where these people have been but also what data they have accessed. We're not there yet, but we're moving in that direction."
There are several reasons why access control systems have grown more comprehensive. To begin with, security systems increasingly resemble computer networks. Adding features often involves little more than adding a new circuit board or installing new software.
Economics also plays a role. "People want solutions that work for the whole business, not just the security project," says Gompers. "In a multi-tenant facility, you can tie the air conditioning, heating and lighting into the user of a security card. If John Smith comes to Suite 201 on a Saturday morning and swipes his card, the elevator turns on, the lights go up in his hall and office, and the heat comes on."
He points out it's a convenience for the tenant, and it saves money because you're not lighting or heating the whole building. It also provides additional security. It limits the elevator to the second floor and keeps Smith from going into any other suite than 201.
Curt Hilliard, director of commercial sales and marketing for ADT Security Services Inc. in Boca Raton, Fla., agrees. Simply programming a warehouse door to post an alarm if it is not closed in 10 seconds can keep people from stealing by throwing inventory in the dumpster and returning after work to retrieve the goods.
Security itself has also become more important since 9/11. "The decision-makers are changing," says Hilliard. "We're seeing more people from legal and human relations. In high-risk areas, such as chemical plants and refineries, we're seeing the top brass because the risks are so much greater than 3 or 4 years ago."
Yet terrorism ranks as only the fourth most common security risk among the 1,000 largest American businesses. Risk number one is workplace violence. Large companies with multiple facilities are increasingly upgrading and standardizing security to deal with these issues, says Fenske. "If something happens at a remote location, they want to know that their security measures and response were up to standards," he explains. "No one wants to get sued because a removed employee got back in because of a security flaw."
Credentials and Readers
Any access control system begins with credentials. Credentials establish who is allowed inside a facility and what areas he or she is allowed to enter. An accountant, for example, may have access to a room containing secure financial records but not a laboratory.
Credentials work best when used in combinations. A simple swipe card may let all employees into a building, but they may have to punch in a PIN or numerical code to open the door to a more secure room. Biometrics, unique physical identifiers such as fingerprints or iris scans, are also growing in popularity (see "Biometrics: From Science Fiction to Practical Fact," Homeland Response, September 2004).
Credentials continue to evolve. Smart cards, for example, are swipe cards that contain small microprocessors with biometrics or other encoded security data. While many people resist putting fingerprints or other identifiers into a corporate database, they are willing to keep it on a card that they carry with them. Such cards work very fast since card readers can confirm biometric information on the spot.
Unlike swipe cards, which are easily changed using cheap commercial card writers, smart cards encrypt data. This makes it difficult to read, rewrite or recreate the data without authorization.
Some companies have begun to use radio frequency identification (RFID) cards to send data to remote sensors, says Eric Widlitz of HID Corp., North Haven, Conn., which pioneered the technology. Each card contains an embedded chip and antenna. Right now, says Widlitz, the range of such cards is limited. Ultimately, though, such cards could eliminate swiping.
Badging – adding photos to IDs – has also become more popular. "If someone shows up with your badge, a guard could quickly tell if the face and picture did not match," says Hilliard.
All access control systems need some type of impartial physical barrier to bar unauthorized entry. This often comes down to some sort of turnstile, revolving door or entry portal, says Robert Sedivy, president of Tomsed Turnstile Corp. in Lillington, N.C.
Anyone accustomed to spoked turnstiles used in stadiums and arenas may be surprised by the optical turnstiles favored by corporations and government today. Stretched across building lobbies, these sleek, waist-high pedestals show no visible barriers. They remain open, allowing passage of up to one person per second – as long they have the right credentials.
If someone is denied access, the turnstile beeps, lights bright red, snaps a barrier arm into place and alerts a guard. Many vendors can outfit turnstiles to close if they detect metal or dangerous chemicals.
More secure is a revolving door that admits only one person at a time. While this is too time-consuming for buildings with hundreds or thousands of workers, it works well at smaller, more secure installations. Some systems use weight mats on the floor to ensure only one person enters at a time. Tomsed's more sophisticated units use ultrasonic sensors to ensure there is only one individual in the space at a time.
Portals are even more secure, says Sedivy. They consist of two interlocking doors separated by a small room. After an individual uses a credential to enter the room, the first door locks. Only after a sensor has determined that only one person is in the room can he or she unlock the second door and enter the secure facility.
Intruders often try to sneak through doors by tailgating or piggybacking behind someone. Often, a properly credentialed person will even hold the door open. "People are just courteous, especially in big companies where no one knows all the other employees," says Mark Ellsworth, director of business development at Smarter Security Systems Ltd. of Austin, Tex.
This had led to putting more sensors on doors. Many optical turnstiles are designed to sound an alarm if two people try to go through at once, and revolving doors and portals are even harder to penetrate.
A state-of-the-art system may look a lot like Smarter Security's Door Detective. It uses an infrared sensor linked to a neural network – software designed to analyze images like a human brain – to determine whether an unauthorized person is attempting to penetrate the door. "Typically, if you have a proper ID and bring in an umbrella or suitcase, it will set off an alarm," says Ellsworth. "With Door Detective, the neural network analyzes size, mass, shape, movement and other factors to determine if it is another person."
Still, as Sedivy points out, even smart barriers need supervision. "If no one responds to an alarm condition, then anyone can get in," he says.
Cameras have become an indispensable part of access control in large facilities. Today's digital cameras have become smarter, easier to operate, and cheap enough for everyone to use.
In the past, even the most highly trained and motivated guards could not monitor banks of cameras for extended periods of time, says Bernard. Their attention would wander.
Integrating cameras with credential readers and alarms has changed that. "When the system detects someone approaching a restricted area or trying to open a forbidden door, the system goes into an alarm condition," he explains. "The camera focuses on the event and sends the picture to the screen. It doesn't matter if the guard is paying attention because the alarm will get his attention."
The digital nature of video also makes it easier to find, replay and analyze what happened during an event. "Today's videos evolved from VCRs," says Fenske. "If a window was broken or an intruder entered the premises last night, even though the alarm told you when it occurred, you'd still need two or three guys to go through the video to see what happened.
"Now, with digital video, you just look at the event log. It says a door was forced open. Instead of rummaging through a room full of tape, you can click on an icon and you've got the video. You can even e- mail it to someone." The only downside, he says, is that video remains a "bandwidth hog," a system that can slow a corporate network to a crawl.
The future of access control systems clearly lies in their ability to integrate security information into a single unified format, says Interactive Technologies' Mark Lampe. "Integrated systems not only increase the efficiency of the system but also increase the effectiveness of people, who only need to learn and maintain one system," he says. This type of integration makes possible such futuristic technologies as behavioral analysis, biometrics, and software access control.
Yet many systems remain proprietary, that is, they work with only one vendor's equipment. Some firms are now attempting to move towards what computer developers such as Lenel Systems' Prokupets call "open architecture." Such systems would work with a much wider range of third-party software, databases and access control and monitoring hardware.
Prokupets says that when different companies use a single open architecture standard, it becomes easier to make them work together. "Today, when you have products from five different companies, they act like five systems that don't know very much about each other. Even when they are integrated, they often require different monitors, training and maintenance, and that gets expensive.
"An even bigger problem happens when there's a breach of security. Each of these systems generates activities. While we want to treat this as one event, we need to investigate it through five different systems. This makes it a lot harder to react to something that is occurring right now."
Many single-vendor systems offer that level of integration now. Being able to mix and match components without sacrificing integration is likely to make it easier for innovative companies to introduce new products into the market. It is also likely to push the price of high-tech security systems still lower.
Yet, as Gompers points out, the highest cost of any security system is responding to alarms. "People often assume that if they put in nifty stuff, they will reduce the number of guards they need to hire," he explains. "Instead, the opposite is often true. People often wind up adding more guards."
System capabilities are much more comprehensive than they were in the past, says Gompers. They generate more alarms.
"Most companies find they don't reduce their guard force," says Gompers. "But the one or two perpetrators that they catch during the lifetime of the system pays for the system many times over."