IP-Based Physical Access Control
Five reasons to adopt this technology now
- By Dan O’Malley
- Oct 01, 2011
Organizations of all sizes are migrating from analog to
IP-based physical access control solutions, drawn by
increased security, increased operational efficiency
and better availability. The shift to IP reflects what’s
already happened in voice communications and, more recently, in
video surveillance.
Shifting physical access control from analog proprietary serial
communications to IP provides five main benefits:
- Protecting access control data;
- Accelerating response to alarms;
- Helping to ensure business continuance;
- Streamlining operations; and
- Lowering door cable costs.
Protecting access control data. Analog physical access control
systems make it relatively easy for someone with a little knowledge
and widely available tools to create a working card to impersonate an
employee. Most card data is not encrypted, neither over the air nor
from the reader to door-control panels. Someone who taps the link
can read badge data.
A related issue is that most analog door controllers use the Wiegand
protocol, which is one-way only from reader to door-control
panel. That means the card reader can’t tell whether it’s connecting to
a legitimate door-control panel or a snooping device.
IP physical access control systems use digital encryption technologies
to help protect identity information, making physical access
control systems less vulnerable to attacks.
For example, new IP-based controllers support a challenge-response
function, a secure way to protect card data sent over the link.
When you present your card for access, the card does not immediately
turn over its data. Instead, it first authenticates to the system
by sending a public key and listening for a signed response from the
system. The system signs the credential and sends it back to the card.
Only after receiving verification that the system at the other end of
the connection is legitimate, not an imposter, does the card transmit
its encrypted data to the reader.
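The exchange above, in which the card refuses to release its data until the other end proves it is a legitimate panel, as an added Go example (not code from the article or from any vendor it describes). It assumes the card was provisioned with the panel's Ed25519 public key when issued, and adds a fresh random challenge per presentation, which the article does not mention, so that a recorded reply cannot be replayed by a snooping device.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Panel is the legitimate door-control panel ("the system" in the article).
// Only a real panel holds this private key.
type Panel struct{ priv ed25519.PrivateKey }

// Card holds the public key of the panels it trusts (assumed here to be
// provisioned when the card is issued) and the credential it protects.
type Card struct {
	trusted    ed25519.PublicKey
	credential []byte
}

// Respond is the panel's half of the exchange: sign the challenge it was given.
// A snooping device that lacks priv cannot produce a valid signature.
func (p Panel) Respond(challenge []byte) []byte {
	return ed25519.Sign(p.priv, challenge)
}

// Present is the card's half: send a fresh random challenge to whatever is on
// the other end of the link and release the credential only if the reply
// verifies under the trusted key. The random challenge is this example's
// addition; it stops a recorded reply from being replayed.
func (c Card) Present(respond func(challenge []byte) []byte) ([]byte, error) {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return nil, err
	}
	if !ed25519.Verify(c.trusted, challenge, respond(challenge)) {
		return nil, errors.New("other end is not a trusted panel; credential withheld")
	}
	return c.credential, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil)
	panel := Panel{priv: priv}
	card := Card{trusted: pub, credential: []byte("badge-0047")} // constructed value
	if cred, err := card.Present(panel.Respond); err == nil {
		fmt.Printf("legitimate panel: card released %q\n", cred)
	}
	_, impPriv, _ := ed25519.GenerateKey(nil) // snooping device with its own key
	imposter := Panel{priv: impPriv}
	if _, err := card.Present(imposter.Respond); err != nil {
		fmt.Println("imposter:", err)
	}
}
```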
New access control standards will increase security and interoperability
while driving down system costs. One is Federal Information Processing
Standard (FIPS) 201 for personal identity verification (PIV). FIPS 201
defines a back-end public key infrastructure (PKI) system to manage
public keys and user identities through a certificate authority. Other
standards come from the Physical Security Interoperability Alliance
(PSIA) and the Open Network Video Interface Forum (ONVIF). Card-reader
vendors, in turn, are moving toward adopting an encryption standard to
protect data traveling over the wireless and wired interfaces.
Accelerating response to alarms by integrating with video surveillance
and incident response systems. Traditionally, a security
officer who received a forced-door alarm on door 47 would have had
to turn to another console to view video feed, look up which camera
monitored that door, and then spend valuable time finding the relevant
alarm video. Meanwhile, an intruder could cause harm or flee
the property.
The process is more efficient when the physical access control and
video surveillance systems are tied together. Integrating physical security
systems with IP video is far simpler than it is with analog systems
because all servers and endpoints connect to the same network.
For example, suppose someone kicks in an exterior door. An IP-based
access control system can transmit the forced-door alarm to
the IP-based incident response system. Receipt of the alarm invokes
predefined policies, such as sending an alert to a security officer’s preferred
device—say, an iPhone—along with real-time video or video
associated with the alarm. This saves valuable minutes compared
with the old situation, where the guard had to weed through alarm
screens and search for the right video cameras. In addition, instead
of being tethered to the desk, security officers can receive alerts on
mobile devices while patrolling the property, helping prevent crime
or fear of crime.
The benefits multiply if you add an IP dispatch system. Multiple
agencies or teams—physical safety, local police, human resources and
others—can join a virtual talk group on any device, including desk
phone, mobile phone or any type of radio.
Helping business keep going if the network goes down. If
physical access control is essential to business continuity, the traditional
physical access control system might be the weak link: If the
proprietary network goes down, so does the ability to let authorized
people in and keep others out. Business continuity is especially urgent
for governments and critical infrastructure organizations such
as energy plants.
IP physical access controls give you options to increase availability.
For example, instead of placing the intelligence in a central server
that connects to all of your doors over the WAN, you can place intelligence
at the network edge. This helps the business keep going even
if the WAN goes down because of hurricane, tsunami, power outage
or another disaster.
This approach is used today by a gasoline distribution company in
the Midwest. Truckers present their Transportation Worker Identification Credential (TWIC) to the badge reader, which sends a message
to a local system that Chris Johnson is at Gate 2, for example. Then
the local gateway sends a URL action to the local system, which sends
a work order to the card reader display, such as “Chris Johnson—Fill
up on Pump 47.” The benefit to the company is faster truck dispatching,
plus increased worker productivity because workers don’t need
to wait around for orders.
In general, URL actions are a simple, effective way to integrate disparate
systems because they do not require complex programming.
For even higher availability, implement redundant physical access
control management servers, either one of which can take over if the
other fails. The servers share a common IP address and are continuously
synchronized. This practice is much cleaner than implementing
tiered databases—for example, at the local, regional and national levels.
Streamlining operations by integrating with the IT or HR database.
Many organizations separately maintain databases for network
access, HR records and physical access control. The drawbacks are
data duplication and redundant processes. Separately maintaining
the database used for employee access control also can create an unsafe
situation if terminated employees or vendors with limited-time
access are not promptly removed from the system.
With an IP-based physical access control system, changes made
to your central Microsoft Active Directory or SQL databases can be
automatically propagated to the access control system.
Here, too, IP gives you choices. One option is to implement one-way
communication between the central database and door gateways.
The other is using a Web Services API. A public university in the
South uses a Web Services API to allow building administrators to
set their own lock schedules on a webpage. The API also is useful for
organizations that give out large numbers of one-day visitor badges.
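One way to drive door access from the authoritative HR or directory record, as an added Go example (not code from the article or from any product it mentions). It assumes a constructed record format with an active flag and an optional access expiry; it reports which IDs to revoke (terminated, expired limited-time vendor access, or present in the access system but unknown to HR) and which to grant.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)
// Person is one record from the authoritative HR/directory source.
// Constructed format for this example; a real AD or SQL export will differ.
type Person struct {
	ID          string
	Active      bool      // false once HR marks the person terminated
	AccessUntil time.Time // zero value means no expiry (regular employee)
}
// Reconcile compares the directory against the IDs that currently hold door
// access and returns the IDs to revoke and to grant, so the access control
// system follows the directory instead of being maintained by hand.
func Reconcile(dir []Person, hasAccess []string, now time.Time) (revoke, grant []string) {
	entitled := map[string]bool{}
	for _, p := range dir {
		expired := !p.AccessUntil.IsZero() && !now.Before(p.AccessUntil)
		entitled[p.ID] = p.Active && !expired
	}
	current := map[string]bool{}
	for _, id := range hasAccess {
		current[id] = true
		if !entitled[id] { // terminated, expired, or unknown to HR at all
			revoke = append(revoke, id)
		}
	}
	for id, ok := range entitled {
		if ok && !current[id] {
			grant = append(grant, id)
		}
	}
	sort.Strings(revoke)
	sort.Strings(grant)
	return revoke, grant
}
func main() {
	now := time.Date(2011, 10, 1, 9, 0, 0, 0, time.UTC) // constructed sample data
	dir := []Person{
		{ID: "cjohnson", Active: true},
		{ID: "vendor42", Active: true, AccessUntil: now.Add(-time.Hour)}, // contract ended
		{ID: "dsmith", Active: false},                                    // terminated
		{ID: "newhire", Active: true},
	}
	revoke, grant := Reconcile(dir, []string{"cjohnson", "vendor42", "dsmith", "ghost"}, now)
	fmt.Println("revoke:", revoke, "grant:", grant)
}
```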
Lowering door costs. Traditional physical access control systems
require bringing power to each door reader and lock. Some IP gateways,
door locks and readers can instead receive Power over Ethernet (PoE) from
network switches over standard Cat-5 or Cat-6 cabling. This can reduce
installation costs by up to several hundred dollars per door.
A single unified physical infrastructure and managed cabling system
can also increase availability, because you can use commercially
available uninterruptible power supplies for backup power. The central
UPS eliminates the need to install batteries by each door.
The right IP-based physical access control system can reduce risk
and help the business continue to operate in the event of a disaster.
Look for a solution that:
- Encrypts credentials and identity in the server, over the air and
over the wire;
- Unifies your security system with IP video surveillance and IP incident
response systems;
- Provides high availability, both at the edge and on the network;
- Integrates the network edge with local systems, using URL actions;
- Takes advantage of your existing IP network with networked controllers
and a common database;
- Reduces door cabling costs by connecting to Cat-5/Cat-6 cabling;
and
- Supports network power such as PoE.
This article originally appeared in the October 2011 issue of Security Today.