State of the Market: Access Control 2017
This year’s story on access control is one of disruptors, drivers and deciders.
Meet the Credential ‘Disruptors’
Much has been discussed around the cloud — and it may well be the technology that ultimately “disrupts” the access control space. However, credential technologies are also vying for that distinction and some of them may be closer than ever to succeeding.
In its recent report on the Electronic Access Control market, IHS Markit called out two technologies as being the top hardware trends to watch: biometrics and mobile credentials.
For years, biometrics seemed destined to stay a niche item, with a glut of technology choices of varying reliability and usually high cost — until Apple and Samsung mainstreamed the technology in their popular smartphones. All of a sudden biometrics are everywhere and the access control industry has taken note.
For example, a recent AMAG technology conference featured partnerships with FST Biometrics, an in-motion facial recognition software company, and Bioconnect, a biometric app overlay that allows several biometric technologies to be paired with mobile credentials on the phone.
IHS Markit noted in its report that facial recognition “will make further strides towards establishing itself as the second most popular type of biometric reader” (after fingerprint). The firm forecasts that facial recognition will grow rapidly over the next five years.
“Biometrics changes the paradigm of what you would consider a credential,” says Kurt Takahashi of AMAG.
Biometric technology is absolutely viable right now, adds RS2’s Gary Staley. “It is getting advanced by social media. I took a picture on my phone the other day of someone I am not friends with on Facebook. As soon as I took the picture I got a message asking if I wanted to send a message to her. It recognized her face and sent her name back to my phone within a millisecond!”
It is hard to talk to anyone in the access control space without hearing an opinion on mobile credentials. Most agree this technology is still in the “innovator” phase. But it is moving forward rather quickly.
“Mobile credentials has become a very hot buzz phrase,” says Michael DeMille, senior director, product management, Mircom Group of Companies, Vaughan, Ontario, Canada. “In mature markets, mobile credentials have a great opportunity to capture the interest of decision makers for the larger portion of most markets. They reduce the burden of credential administration while potentially increasing the accuracy and security of users.”
Tutela’s Steven Pharis thinks Bluetooth technology is the wave of the future. “We have some installations that use mobile credentials but it is not the entire company yet. I think it will pick up. The Bluetooth technology is where it is going to head. It has great sex appeal … and I believe the technology is actually making a fast move in the industry.”
According to IHS Markit, approximately 4.5 million credentials were estimated to have been downloaded in 2016 and the company forecasts this number will triple to around 13.5 million in 2017.
Among the major manufacturers offering BLE, some, like AMAG and Brivo have or will soon introduce license-free mobile credentials.
Even HID, which has traditionally treated mobile credentials more like a card, is looking at changing their approach. Beginning this year HID will roll out subscription-based mobile credentialing for larger enterprise clients with a target of the end of the year for mass market availability. “We are clearly hearing from the market that subscription is the preferred way to pay for this,” says Brandon Arcement of HID Global. “We feel like it has been a barrier and one we fully intend to address.”
They Might Be Giants (But They Can Still Move With the Times)
One of the questions for the access control market is whether new architectures and approaches will disrupt the entrenched top access control manufacturers, many of whom have been around a very long time. While this happened swiftly in the video space, a similar shift in access is unlikely, say most experts.
“I do not see the powerful big three or four being threatened on the larger systems because they are stable and can do some things that others cannot,” says PSA’s Bill Bozeman. “The guys that make the new stuff can squawk all they want. In the meantime these giant companies are not sitting around doing nothing. They are developing some cool stuff of their own.”
Here are a few perspectives from the top:
“We are definitely looking at those new entrants and companies that are focused on pure cloud…. If you are not being innovative or trying to disrupt yourself, chances are you will become complacent and be disrupted. We put together a new program called the growth board, where we are taking innovative ideas, vetting them and in cases where we believe they are really something different, investing in them like a start-up company. Given enough success, they will get folded into the product business. It is a real advantage to have that enormous company backing.” — Jason Ouellette, Tyco Security Products.
“When you hear the word traditional you know you are almost in trouble just by the nature of the word. We know the market will evolve. I don’t have a crystal ball, but some of those trends are clearly taking hold a lot faster. Still there is nothing worrying me. Everything excites me. The industry is evolving and the connected part is a great place to be. Access control is the hub of that connected building.” — Samir Jain Honeywell Security and Fire.
“I hear that customers don’t want proprietary, but there are a lot of installations out there. I think there is a different discussion to be had. Because we control the entire end-to-end product, we can control the outcomes. We can be nimble because we made that…. It will be a long, slow evolution and it is dangerous to jump off a cliff. We are taking calculated steps towards the future DNA of our company.” — Kurt Takahashi, AMAG Technology.
“We are caught between two strong forces. In the end any product line in almost any sales area is successful because it fills a need for an end user. They don’t really want proprietary systems. Yet when it comes to security there are advantages to it being a locked system, a carefully constructed system that has its proper ties to integration components and APIs and other extensions.” — Richard Goldsobel, Napco/Continental.
Who Will Fill the Cyber Vacuum?
In the past year talk of cybersecurity has really exploded onto the scene — helped no doubt by an election year in which hacking featured prominently. High-profile attacks in recent years of such companies as Target, Sony, insurance companies and the government itself has demonstrated that no device, software or system on the network is intrinsically safe.
“One of the movements that really took hold in 2016 was emphasis on penetration testing on corporate networks,” says Mitchell Kane of Vanderbilt. “There was a push to really analyze the installed system and reprogram and create new patches against issues that didn’t exist when they were installed.”
While some in the industry have been sounding the alarm for a few years, the issue of cybersecurity is still very new to the security space, and it is one that is destined to dramatically influence the way all systems are designed and addressed in the future. The big question is how? “When there is a void there is something that fills the vacuum,” Kane says.
“The good news is we have definitely made a lot of progress,” says Bill Bozeman of PSA, who was one of the earliest to start trying to educate the integrator channel about this issue. “In the past we were in the denial stage with the entire community. Even some of the smart integrators thought we were beating this thing to death. We don’t hear that anymore. Everyone has adapted and accepted that this is a real, live problem that we can’t ignore.
“Part two is what are they doing about it? Many, but not all have taken the advice we have given them and are protecting themselves internally and that is a win. But the third level is protecting the end user and that is more difficult…. This is where we are now. How do we train and work with the integrator and vendor community to help protect the end user from a potential cybersecurity breach that is related to products and services being deployed under our flag? The progress is not as fast as we would like, but we are making progress.”
Where things stand right now, Bozeman continues, is still tied to the two market strategies. “On the enterprise level if you don’t understand cyber you won’t be able to play. You will be gone. It is more about opportunity on the SMB business end. It might not be for everyone, but we are already seeing some doing it.”
When it comes to access control, there haven’t been high profile breaches, yet, as there have on the video side. But that doesn’t mean it isn’t just as vulnerable, says Peter Boriskin of ASSA ABLOY. “Anything, any application or file server or control board on the network is a window to breaches if not locked down and hardened properly. A few years ago IP cameras and access control were off the radar for hackers because they were focusing on servers. Now they have become a target and it is critical that they are hardened and locked.”
Cybersecurity solutions today need to involve several key players, Boriskin adds. “When these issues are brought up integrators have to immediately engage us. If it is system-related it is beyond their scope. There needs to be cooperation between the end user, integrator and manufacturer. There was a heavy flow with that this year. It is high on the radar, especially the world we live in with international banks and insurance.”
Access control manufacturers are working to protect their products, but those vary, Bozeman says. “Manufacturers are taking certain steps to ensure their products aren’t wide open or being shipped with malware. We see a lot of progress, but it has been slow. It has not been easy. It is a new art, a new science, and it has been tough.”
For security integrators the idea that cybersecurity is important has crystalized. But what to do about it is still very much in flux, leading to a situation that could present both great threat and great opportunities.
“I think we all have a role in cybersecurity,” says integrator Wally Carriero of Casco Security Systems. “We are not going out there and offering network services yet. However, we promote network security from physical access control as well as advising the customer of everything we put on their network that we will maintain or improve. We are not putting holes in their system.”
Robert Hile of Securadyne Systems adds, “I see us as the tip of the spear. Customers are asking us to bring products and recommendations on future of technology to the table. If we put in a product that gets hacked, we are the throat they are going to choke. No amount of liability insurance will keep the tarnish from hitting us. At the same time, until recently the manufacturers put all that responsibility on us, or the end user. That is changing. Now manufacturers are doing self-certifications and providing to us their IT security features.”
Tyco Security Products is one manufacturer that has begun really focusing on cybersecurity says Jason Ouellette. “We are tightening that down with standards and making sure we send our products for testing. We have a full, rigorous cybersecurity program available on our website where we provide full vulnerability testing.”
Genetec takes its cybersecurity protection all the way to the user, says Derek Arcuri. “We recognize that vulnerabilities are usually social. The strongest way to protect the network or access control is for card holders to be aware of the vulnerabilities. We actually warn users when the general password hasn’t been changed on edge devices, for example.”
Axis publishes a cyber hardening guide for integrators and partners, says Bruce Stewart. “We take it very seriously both on video and access control,” he says.
It is becoming more and more challenging from the manufacturing side, acknowledges Richard Goldsobel of Napco. “Everything we put out there is being battle tested by the Black Hats and White Hats and whatever type of hats,” he says.
On the opportunity side, it still very much the Wild West, Bozeman says. “I think we are really struggling with that. We want integrators to be able to share cybersecurity products and services with their end users. What has been tough about this is there is no model. The channel is mature in video surveillance. Access control is mature. But in cybersecurity nobody knows what they are doing. They don’t know how to treat the physical security integrator. These are small, entrepreneurial start-ups. We have found some that will work for our integrators and the vast majority have an RMR spin to them. But we can’t go to [a major access control manufacturer] yet and say ‘What [cybersecurity solution] can I sell to my end users?’”
That is beginning to change, however. Tyco’s solution can be monetized by the integrator, Ouellette says. “We are just starting to see them do that as they look for opportunities to differentiate,” he adds.
In the end, many say it will sadly take a high profile event to make greater strides.
“I know for a fact that cybersecurity will have a huge impact and there will be lawsuits,” Bozeman says.
“The channel cannot overlook the cybersecurity aspects of access control,” says Scott Lindley of Farpointe. “Once the government begins to litigate companies for providing cybersecurity lapses, the channel will need to pay attention. Cybersecurity is no longer a possible consideration; it must be an integral focus of their solution.”