The Bigger Picture of Enterprise Access Control

As anyone who operates in the enterprise space already knows, enterprise-level access control is not just a bigger version of the SMB market. While everything about enterprise access control is indeed bigger, it is also much more complex, from the systems you choose to secure it, to other business operations it needs to integrate with, to who ultimately is the decision maker.

And like most of the world today, the enterprise is not immune to the fast-paced world of technology. Customers want all the latest and greatest things; but with thousands or even hundreds of thousands of cards and readers — not to mention back-end systems — in play, it is almost always not a simple upgrade. And it is the security integrator’s job to figure out how to get the customer to where they want to be, tomorrow or 10 years down the road.

John Moss, chief product officer, LenelS2, Framingham, Mass., says, “The enterprise is flattening. Most enterprises today consist of a small number of large facilities and a large number of small ones. This trend means that enterprises that were focused on a small number of large facilities now have many more facilities with which to contend. Enterprise access control systems need to be capable of addressing these requirements by offering scalable, flexible and open systems that offer customers choices.”

Integrator Ed Heisler, president, Facility Control Systems, St. Charles, Mo., agrees. “Because of the nature of large enterprises with several remote sites operated by different business units, and the lifecycle and new developments of technology, upgrades are seemingly constant — especially with acquisitions and expansions.”

That is not all that is driving upgrades these days. The issue of cyber security is huge in the enterprise. As more security systems, including access control, sit on the IT network, enterprise IT customers are realizing the vulnerability that is inherent in these legacy access control systems, some of which could be 15 or 20 years old.

“Customers are looking to upgrade their systems because of the issues surrounding their legacy deployments and the cyber threats they may represent,” says Matt Barnette, president, Mercury Security, part of HID Global, Long Beach, Calif.

And as they do that they are looking hard at what is next, and what more can be done. For many, this includes some of the hot button topics of the industry, such as big data, IoT, unified systems, business intelligence and identity.

“We are reaching a point in time where the industry is experiencing a boom in technological growth,” says Tim Vahary, product and marketing manager, RS2 Technologies, Muncie, Ind. “This, in turn, has provided a real impetus for organizations to change. Features that were once considered to be a luxury are now indispensable in a modern facility and they are looking to maximize efficiency and security by adopting new technologies … Tools revolving around mobile, biometrics and the cloud are now starting to be both trusted by end users more readily and are starting to stabilize at lower prices … These factors, in conjunction with the added value of higher security and a better overall experience, have been serving as a catalyst for enterprise organizations to adopt these new features and redefine their entire access control infrastructure.”

Another motivating factor — at least in some sectors of the enterprise — is increasing reporting and regulation requirements, says Despina Stamatalos, product marketing manager, access control, Genetec, Montreal. “The average lifecycle of an access control system is about 10 years. Rules and regulations have changed in that time and the reasons they installed the system 10 years ago may not answer today’s reasons … We are seeing more government and industry mandates that force customers to upgrade.”

For these customers in particular, unified systems — those with access and video and possibly more systems designed to work seamlessly together on one platform — are particularly a draw, adds Eric Green, chief product owner, enterprise solutions, Honeywell Building Technologies, Atlanta. “A lot of customers don’t want to have to learn three, four or five systems to manage all this; they are looking for ways, if not one system that can do it all, then one that can take or provide input from other systems so it can be managed from a single point,” he says.

“I think now more than ever clients want to see that truly unified platform,” agrees integrator Jorge Lozano, CEO, Condortech Services Inc., Fairfax, Va. “Our clients also expect a certain level of intelligence and intuitiveness from an enterprise PACS … Clients want to be able to verify the credential with an actual identity of a person. They want to know if that person has swiped in more than once today. They want to be able to revoke or grant permissions instantaneously.”

George Grammer, strategic product manager for access control, intercom and integration systems North America, for integrator Johnson Controls, Boca Raton, Fla. also sees more enterprise customers looking at unified solutions, but says the ultimate desire is choice. “Customers want lots of choices. They want to include mobile. They like unified platforms now … If they are going to go through a rip and replace upgrade they might as well dig deep and make the changes to get the end result they are looking for. No one wants a 1-2-3 step upgrade. They want a single step.”

While the good news is that enterprise customers — often described as “big ships” that don’t move or turn easily — are more interested in change and upgrades, this does put more of a challenge on both the integrator and the manufacturer. “They are demanding more of us, both the manufacturers and integrators,” says Rick Focke, director of enterprise access control, global security products, Johnson Controls, Milwaukee. “They want to make sure they get the most benefit out of their investment. They don’t want it to just give access control privileges but also provide other information, such as how many people are in the building? What is the occupancy rate?”

Do Enterprise Customers Like Cloud & Mobile?

The traditional thinking about enterprise customers is that two of the hottest technology advancements in recent years are less interesting to them: cloud managed and mobile credentials. But is that actually true? Not necessarily, say the experts.

Cloud

When it comes to cloud, there are two ways to take advantage of this growing trend in access control: hosted and managed. More enterprises are interested in hosted (either privately or by an outside service) today, but managed enterprise access may not be as far off as you think.

Brivo’s John Szczygiel says enterprise customers are interested in a SaaS model, particularly as they see that model working in other areas of their business. “Enterprise customers are in a constant state of change driven by business needs and IT standards. Fewer customers want to own and operate the computing infrastructure for their software due to this constant need for change and upgrades. This is driving enterprise customers to shift the burden for security systems operations to cloud service providers like Brivo.”

Enterprise customers are very interested in getting rid of the whole server/cyber security headache, adds Richard Goldsobel, vice president, Continental Access, Napco Security Technologies, Amityville, N.Y. “We have been actively working on the hosted environment,” he says. Not only does cloud hosting or managing help the end user, but it also brings coveted RMR to the integrator and their manufacturing partner who is hosting, he adds. “We have many integrators that are hosting for their end users now and we want to provide an even lower cost of hosting for the integrator.” While he expects the bulk of the customers to be on the SMB side, he says enterprise customers are also interested. “We do expect some medium to somewhat large locations to look to go with a hosted environment.”

Genetec’s Despina Stamatalos agrees. “According to IHS, over the last few years the biggest subscribers were small to medium businesses. But now as enterprises start seeing the cost savings they can have by not having all these servers on-premise and start understanding how it is just as secure as an on-premise system we will see a trend of more enterprise customers wanting to go to cloud.”

Integrator George Grammer of Johnson Controls is already seeing movement in that direction. “Two or three years ago I would have said the majority of enterprise customers are not interested in a hosted environment with anyone else but I am starting to see that change. We are starting to see customers interested in the cloud, provided they can get an Azure or AWS or whatever tailored just for them.”

He notes that some of the major manufacturers are opening up their previously proprietary software to allow for this model, which is also helping adoption.

Integrator Challenges

As more enterprises look to upgrade or plan for upgrades to their access control systems — or even their whole security ecosystem — this puts the security integrator front and center in every aspect from strategizing to making it happen. What are some of the biggest challenges integrators face today?

“The integration — true integration — with so many disparate applications,” says Nathan Schwab, president, Care Security Systems Inc., Montebello, N.Y. “There is an incredible amount of resources and costs for putting together and building these systems … We see many integrators and customers who don’t recognize the strategic planning [that goes into] enterprise integrated systems … putting the moving parts together in order to come up with a solution that is priced for budget and time and setting the expectation for what the outcome will look like.” This is a constant challenge, he says.

“Really the biggest challenge is providing an end-to-end solution that can integrate into the organization and provide operational efficiencies and situational awareness without creating an additional burden on the organization,” says Justin Wilmas, senior director of global sales, AMAG Technology, Torrance, Calif. Wilmas adds that access control is the traditional center of the security ecosystem of the organization, and increasingly the business overall.

“Everyone wants to be integrated into a single unified system, but with that comes challenge and complexity; and if you are adding complexity to the user inside the organization you are actually creating another problem,” Wilmas says. This means the integrator not only has to make sure the solution works, but that it is easy to use.

Another issue for integrators is the growing list of stakeholders within the enterprise with whom they have to interact — and converse knowledgeably. IT is an obvious one, and most integrators that work in the enterprise space have gotten a good handle on “IT speak.” But what about HR? Legal and compliance? It is frequently the case that all these departments, in addition to security, have not only a say, but are part of the funding of the whole upgrade.

Do Enterprise Customers Like Cloud & Mobile?

Mobile

Surprisingly, enterprise customers are very interested in mobile credentials, largely because it solves a major pain point for them — badging and replacing lost cards. The hurdle many expected in the desire for a physical ID that identifies a person belongs there is also starting to be overcome by technology, or even a shift in priorities. They also appreciate the cyber security element of mobile credentialing, particularly where it can be combined with biometrics or second form of ID.

“The biggest change we see is at the edge of the architecture, as our enterprise customers consider new kinds of credentials, including virtual credentials,” says LenelS2’s John Moss. “They are hardening their facilities by replacing prox readers and other readers with technology that has not been compromised.”

Other barriers were cost and licensing, which manufacturers are starting to find ways to alleviate, says Scott Lindley, general manager, Farpointe Data, Sunnyvale, Calif. Lindley says his company’s mobile credential solution has started to take off with integrators and their enterprise customers. “We have helped our integrators open the mobile access control market … Our Conekt solution provides free download, user’s choice of smart phone and distribution via existing or independent access control software.”

Carl Stark of Security 101 agrees mobile credentialing is becoming more attractive to enterprise customers, although for many it is still in the very early stages. “In most cases it’s still a pilot project being tested by corporate leadership. One driver of the technology is the truly global nature of enterprise customers. We’ve seen too many offices put off ordering replacement cards until they absolutely needed them. Mobile credentials can be sent from the corporate office via email and arrive the same day.”

Tony Mucci, director of product management and engineering for integrator Johnson Controls, has seen some “gutsy” enterprise customers going all in on mobile credentials. “Some enterprise customers with over 150,000 credentials want to totally replace the hard credential environment and go mobile,” he says. One thing that may help this along is the company’s patented approach that allows mobile phones to “interrogate” each other and alert the proper authorities if they find one that doesn’t belong in the area — a high-tech replacement for an ID badge.

Brandon Arcement, senior director of product marketing for physical access control technologies, HID Global, Austin, Texas, has seen both situations, often dependent on how far along the user is in creating new policies around IDs and bring your own device situations. “Enterprise customers are increasingly interested in mobile,” he says. “Of the 3,000 end users using HID mobile today we have seen some that are in the pilot phase or just offering it to an exclusive group of executives where they haven’t yet augmented policies around cards. The other side is ones that have gone mobile only across tens of thousands of users and have evolved policy along with that.”

“The reality is out of all those departments IT has the most funding,” Wilmas says. “It is very important we are partnered with IT in order to utilize that. But there are other key stakeholders or departments that are very important in getting funding.”

Stamatalos agrees. “One of the biggest challenges for integrators is who do they actually speak to? Who are the decision makers within the organization? In the past it was the security director but now we are seeing a lot more players.”

Beyond that, end users are more involved and educated about the process, she adds. “We are seeing end users are much more knowledgeable about the technology. They do their research before they speak to integrators. They talk to us at trade shows. They know what is out there, so the integrator needs to be up to date with the latest technologies and be able to add value to the information the end user already has.”

Green adds that this knowledge needs to be more specific than in the past as well. “One of the biggest things I see for enterprise integrators is the expectations for understanding the customer’s end-to-end business is higher. They are expected to have a knowledge of the business itself and the particular security needs of that type of business. They are expected to work with the IT teams and understand the IT infrastructure … Those who succeed are those who can take in that view and start to map out solutions that provide value to the end user.”

While more funding might be available today than in the past, there are also more places to spend it, meaning the integrator has to be able to coherently explain to each stakeholder how their solution will help them.

“There is some budget that customers are able to get to improve the system, but unfortunately most of them need to bring that message to upper management to highlight the risk [and reward],” says Francois Brouillet, product manager, Genetec — even then there are no guarantees. “A lot of our customers are still using technology like proximity and Wiegand. When we highlight that they are vulnerable they know, but don’t have the capability to re-card everybody or the budget to change all the readers … No one has a magic chest to pull money out of.”

One issue many organizations are willing to spend money on is cyber security. But that can be a double-edged sword for integrators who are only in recent years getting a handle on the issue themselves, or who may view it as a negative rather than an incentive.

“It could be argued that cyber security is now the most critical aspect of enterprise access control and security solutions,” says Eric Widlitz, vice president, North American sales, Vanderbilt, Parsippany, N.J. “Customers are more knowledgeable on this topic than ever before and they demand manufacturers and integrator partners that are confident in their abilities to protect their physical systems against the latest cyber threats.”

One thing is for sure, however. The issue of cyber security will only grow in importance and will become an increasing part of the process for manufacturers and integrators alike.

“The role of cyber security in enterprise customer deployments has now become embedded into every discussion,” Barnette says. “Nothing can be deployed, upgraded or modified without a review of the cyber-hardness of a product. The acceleration of these discussions, and the depth of the questions and information enterprise customers want, is commiserate with the threat. We expect this to increase over time.”

Last but not least, the relationship between the integrator and the enterprise customer has undergone a shift in recent years. More and more the term “consultative sale” is used, and the emphasis on the service side is often the differentiator between a happy or dissatisfied client.

“Organizations face a constantly changing array of pressures from multiple sources,” says John Szczygiel, executive vice president and COO, Brivo, Bethesda, Md. “Savvy CIO/CSOs are building lithe organizations with systems and infrastructure capable of responding to threats and capitalizing on opportunities with amazing speed. Integrators are challenged to keep up with this pace by bringing a continuous stream of new ideas and capabilities to help enterprise customers respond effectively to these pressures.”

Heisler refers to a “relationship of trust” with his enterprise clients. “Having the presence that our national and multi-national/global clients have requires us building a reliable network of talent (including partners) and building a relationship of trust with the customer — every day, so they and their customers know we have their best interests at heart and are working to create value for them.”

Words of Advice

One of the trickier aspects of the integrator’s job when it comes to working with enterprise access control clients is managing expectations relative to budget and time. Often projects are protracted over months if not years, so it is paramount to future-proof as much as possible.

“Upgrading to include the latest technology allows our customers the ability to efficiently integrate with other solutions and future-plan by providing the opportunity for growth and scalability,” Widlitz says. “It’s critical for integrators to work closely with customers from the very beginning of an implementation to find out what they want their systems to do in five to 10 to 15 years so that they can deliver solutions that can evolve appropriately. For example will a customer want to transition from proximity credentials to smart cards or mobile credentials?”

“The phrase we have come up with is the least cost of deployment with the least cost of ownership,” Wilmas says. “What [integrators] should be doing is providing a solution that can introduce automation around unified security, access control, situational awareness, identity management, etc., because that is what is paramount to enterprise customers today. It’s about having something that solves problems versus creating problems.”

Wilmas suggests doing a “planning workshop” with clients. “You have to involve all these different stakeholders so you really understand how their organization works. You do that by tying all these people into that workshop where you start at the beginning with questions such as: ‘Tell me what types of identities you have?’ ‘How do they get in and who makes the decisions on access levels?’ ‘Who is monitoring and approving that?’ ‘What compliance initiatives do you have?’

“Understand what is important to that organization so when you are bringing in a solution you can tie it to each component of that problem and provide value to each of those stakeholders. In the past we just locked down a door with access control, but we never asked, ‘Why? What is the reason behind it?’ You don’t get that answer without having an intimate understanding of how that organization works.”

Justin Norris, access control product manager, DMP, Springfield, Mo., agrees. “One of the major hurdles in the enterprise access world is to understand what your customer is using currently, what you are bringing to the table and what the advantages of that [solution] are. That is what sets you apart between integrators.”

Schwab offers this advice: “Don’t be selling. Be a consultant and a resource. Don’t sell products; sell solutions to problems. The products themselves should never be the primary focal point. What value does your recommendation actually provide? What real world pain do you make un-painful?”

Truly enterprise projects often require partnerships beyond just the integrator and the customer. Sometimes this means working with other integrators or contractors in different parts of the world, says Carl Stark, president and general manager, global accounts division, Security 101, West Palm Beach, Fla. “If integrators are going to work with a global client, there will be an expectation for enterprise-wide service capabilities. You could install a system using a subcontractor, but when that sub completes the project, the warranty period begins and service and maintenance become very important. Don’t commit to install an enterprise-class access control system and not be able to provide the service and maintenance that follows. The customer relationship will quickly fail if the integrator falls flat on its ability to perform service.”

Rising Standards

One of the biggest laments for integrators when it comes to enterprise access control is the lack of industry-accepted standards, which are a hallmark in the IT space. While it is true that there aren’t widely used standards in the security space, organizations like SIA, PSIA, ONVIF and others are seeking to change that. Two standards in particular are having a growing impact on the enterprise space: SIA’s OSDP and PSIA’s PLAI.

Open Supervised Device Protocol (OSDP) is an access control communications standard developed by the Security Industry Association (SIA) to improve interoperability among access control and security products.

Security 101’s Carl Stark says OSDP is now the preferred choice of many enterprise customers, largely because of cyber security concerns. “Systems are being replaced if they are perceived as vulnerable. OSDP-compliant systems [offer] greater security, flexibility and convenience than aging Wiegand protocol wiring standards, which offer no signal encryption.”

Scott Lindley of Farpointe Data says, “OSDP takes solutions beyond the limitations of Wiegand and lets security equipment such as card and biometric readers from one company interface easily with control panels and equipment from another manufacturer … Interoperability can be achieved regardless of system architecture.”

Johnson Controls’ Rick Focke sees OSDP as one of the main drivers of enterprise-level upgrades today. “We have had a bunch of larger customers driven by that. They say ‘We need this. What will it take?’ Sometimes it is driven by what a penetration tester found that illustrates the vulnerability [of Wiegand] to the IT department.”

PLAI, or Physical-Logical Access Interoperability spec from PSIA, “provides a means for organizations to transfer and dynamically update relevant employee data and privileges from the ‘logical’ HR system to any Physical Access Control System (PACS), often being operated at different company facilities and sometimes disparate systems, according to the PSIA website. PLAI began in 2013 but in recent years is gaining traction among prominent manufacturers and integrators.

“We have entered into PLAI,” says Justin Wilmas of AMAG. “It adds a level of support and openness for our solutions in the marketplace. It has been over a year now and we are fully entrenched in it.”

Tony Mucci, director of product management and engineering, Johnson Controls, says PLAI is a great asset to enterprise customers, many of whom find themselves in acquisition situations where they might have two or more different access control platforms in different locations. “If you are a large company and you make an acquisition and inherit other platforms, we all know about rip and replace or how to work with software that can act as middleware and make everyone play nice together. But invariably when access control system A upgrades it can force that for system B as well. PLAI allows that middleware at a standard to stay in place without initial upgrades because both systems are playing nice to that PLAI standard … I am very high on it. I hope it gets adopted by [more] large access manufacturers.”

Enterprise projects sometimes require the integrator to stretch their envelope, Vahary says. “Enterprise customers have the widest array of expectations and requirements. In order to sell a system and keep a happy customer, the integrator must fully understand all facets of a system and exactly what a customer requires … This sometimes means working outside of their comfort zone and exploring new solutions and technologies instead of selling the status quo.”

One of their best tools for this can be their manufacturer partner, says Steve Wagner, president, Open Options, Addison, Texas. “They should rely more heavily on the pre-sales capabilities of their systems provider,” he suggests. “Build their services into your project pricing to ensure smooth system startup and an initial user experience. Be prepared and willing to share the customer with your manufacturer. The better care provided to the client, the longer they stay a client.”

This is advice Heisler takes to heart. “It’s our job to figure out how best to use new products to benefit our customers and track what the industry is saying about the new technology. Luckily in the realm of enterprise security, many manufacturers are more than willing to help facilitate with the sales/training and diagnostic process to facilitate the use and promotion of their products.”

But in the end it is ultimately up to the security integrator to deliver what the enterprise customer is looking for. If they can do that, they will be in good shape.

Lozano says that integrators should be a “strong source of expertise in any given room, and not be so quick to close a sale. Every integrator knows to survey a site and ask compliance questions, but the pivot is to figure out how the integrator and the enterprise will measure success. Establishing the metrics for the engagement is crucially important and often overlooked. What will we measure besides budget? How will we handle change management? How will we provide value to the enterprise? What other areas of the business can we help through security technology? At the end of the day, we know the technologies will come and go. But you solidify yourself in your client’s minds if they receive a level of expertise and adaptable services from you no matter which direction you want to go.”

Join us for an insightful webinar where we delve deep into the ever-evolving landscape of video surveillance. As the demand for robust security solutions continues to surge, staying ahead of the curve is imperative.

PSA Security Network is one of the nation’s leading sources for education, training, and industry networking events. With multiple settings and events throughout the year to meet and exchange industry knowledge, there is something for everyone.

The Bigger Picture of Enterprise Access Control

What’s changed in the world of enterprise access control? And how can security integrators make sure they are doing the most for their largest customers?