Access control cards/ tags/ fobs - Expert commentary

A secured entrance is the first defence against an active shooter
A secured entrance is the first defence against an active shooter

The statistics are staggering. The death tolls are rising. And those who now fear environments that were once thought to be safe zones like school campuses, factories, commercial businesses and government facilities, find themselves having to add the routine of active-shooter drills into their traditional fire drill protocols. The latest active shooter statistics released by the FBI earlier this year in their annual active-shooter report designated 27 events as active shooter incidents in 2018. The report reveals that 16 of the 27 incidents occurred in areas of commerce, seven incidents occurred in business environments, and five incidents occurred in education environments. Deadly active-shooter events Six of the 12 deadliest shootings in the country have taken place in the past five years Six of the 12 deadliest shootings in the country have taken place in the past five years, including Sutherland Springs church, Marjory Stoneman Douglas High School, the San Bernardino regional center, the Walmart in El Paso and the Tree of Life Synagogue in Pittsburgh, which have all occurred since 2015. Although these incidents occurred in facilities with designated entry points common to churches, schools and businesses, the two most deadly active-shooter events since 2015 were the Route 91 Harvest music festival shooting in Las Vegas that left 58 dead and the Pulse nightclub killings in Orlando where 49 perished. As Christopher Combs, special agent in charge of the FBI field office in San Antonio, Texas, said during a news conference following the August 31 mass shooting in Odessa, Texas that claimed seven lives: “We are now at almost every two weeks seeing an active shooter in this country." Active shooter incidents Between December 2000 and December 2018, the FBI’s distribution of active shooter incidents by location looks like this: Businesses Open to Pedestrian Traffic (74) Businesses Closed to Pedestrian Traffic (43) K-12 Schools (39) Institutions of Higher Learning (16) Non-Military Government Properties (28) Military Properties—Restricted (5) Healthcare Facilities (11) Houses of Worship (10) Private Properties (12) Malls (6) What the majority of these venues have in common is they all have a front entrance or chokepoint for anyone entering the facilities, which is why any active-shooter plan must include a strategy to secure that entry point. Situational awareness in perimeter and door security Preventing people with the wrong intentions from entering the space is the goal" According to Paul Franco, an A&E with more than 28 years of experience as a consultant and systems integrator focusing on schools, healthcare and large public and private facilities, that while active shooter incidents continue to rise, the residual effect has been an increase in situational awareness in perimeter and door security. “Certainly, protecting people and assets is the number one goal of all our clients. There are multiple considerations in facilities like K-12 and Healthcare. Preventing people with the wrong intentions from entering the space is the goal. But a critical consideration to emphasise to your client is getting that person out of your facility and not creating a more dangerous situation by locking the person in your facility,” says Franco. High-security turnstiles “Schools today are creating a space for vetting visitors prior to allowing access into the main facility. Using technology properly like high-security turnstiles offer great benefits in existing schools where space constraints and renovation costs can be impractical.” What steps should they be taken when recommending the proper door security to ensure the building is safe As a consultant/integrator, when discussions are had with a client that has a facility in a public space like a corporate building, government centre or industrial facility, what steps should they be taken when recommending the proper door security to ensure the building is safe and can protect its people and assets? For Frank Pisciotta, President and CEO of Business Protection Specialists, Inc. in Raleigh, North Carolina, a fundamental element of his security strategy is making appropriate recommendations that are broad-based and proactive. Properly identifying the adversaries “As a consultant, my recommendations must include properly identifying the adversaries who may show up at a client’s door, the likelihood of that event occurring, the consequences of that event occurring, determining if there are tripwires that can be set so an organisation can move their line of defence away from the door, educating employees to report potential threats and creating real-time actionable plans to respond to threats. A more reactionary posture might include such thing as target hardening such as ballistic resistant materials at entry access points to a facility,” Pisciotta says. Veteran consultant David Aggleton of Aggleton & Associates of Mission Viejo, California recommends that clients compartmentalise their higher security areas for limited access by adding multiple credential controls (card + keypad + biometric), along with ‘positive’ access systems that inhibit tailgating/piggybacking such as secure turnstiles, revolving door and mantrap if your entrances and security needs meet the required space and access throughput rates. Integrated solution of electronic access control Defining a single point of entry in some public facilities is becoming the new standard of care according to many A&Es and security consultants, especially in a school environment. This approach allows a concerted effort when it comes to staffing, visitor monitoring and an integrated technology solution. The bottom line remains: most buildings are vulnerable to a security breach A proactive stance to securing a door entryway will use an integrated solution of electronic access control, turnstiles, revolving doors and mantraps that can substantially improve a facility’s security profile. The bottom line remains: most buildings are vulnerable to a security breach, so it’s not a matter of if there will be a next active shooter tragedy, it’s only a matter of where. Enhancing access control assurance “There is no easy answer to this question,” says Pisciotta referring to how a secured entrance can deter an active shooter. “There have been at least two high-profile incidents of adversaries shooting their way into a facility through access control barriers. So, if the threat so dictates, a ballistic resistant might be required.” He concludes: “There is obviously no question that turnstiles, revolving doors and man traps enhance access control assurance. Electronic access control is easy to integrate with these devices and providing that credentials are secure, approval processes are in place, change management is properly managed and the appropriate auditing measures in place, access control objectives can be met.”

Why integrated access control is about more than security?
Why integrated access control is about more than security?

Rodrigue Zbinden, CEO at Morphean, discusses the business benefits from merging video surveillance and access control technologies as demand for ACaaS grows. The big question facing businesses today is how they will use the data that they possess to unlock new forms of value using emerging technologies such as the cloud, predictive analytics and artificial intelligence. Some data is better utilised than others: financial services were quick to recognise the competitive advantages in exploiting technology to improve customer service, detect fraud and improve risk assessment. In the world of physical security, however, we’re only just beginning to understand the potential of the data that our systems gather as a part of their core function. Benefits of ‘Integrated access control’ The first thing to look for is how multiple sources of data can be used to improve physical security functionsWhat many businesses have yet to realise is that many emerging technologies come into their own when used across multiple sources of data. In physical security, for example, we’re moving from discussions about access control and CCTV as siloed functions, to platforms that combine information for analysis from any source, and applying machine learning algorithms to deliver intelligent insights back to the business. ‘Integrated access control’ then looks not just to images or building management, but to images, building management, HR databases and calendar information, all at the same time. And some of the benefits are only now starting to become clear. The first thing to look for, of course, is how multiple sources of data can be used to improve physical security functions. For example, by combining traditional access control data, such as when a swipe card is used, with a video processing platform capable of facial recognition, a second factor of authentication is provided without the need to install separate biometric sensors. CCTV cameras are already deployed in most sensitive areas, so if a card doesn’t match the user based on HR records, staff can be quickly alerted. Making the tools cost-effective In a similar vein, if an access card is used by an employee, who is supposed to be on holiday according to the HR record, then video data can be used to ensure the individual’s identity and that the card has not been stolen – all before a human operator becomes involved. This is driving growth in ‘access control as a service’ (ACaaS), and the end-to-end digitalisation of a vital business functionThese capabilities are not new. What is, however, is the way in which cloud-based computing platforms for security analytics, which absorb information from IP-connected cameras, make the tools much more cost effective, accessible and easier to manage than traditional on-site server applications. In turn, this is driving growth in ‘access control as a service’ (ACaaS), and the end-to-end digitalisation of a vital business function. With this system set up, only access control hardware systems are deployed on premise while the software and access control data are shifted to a remote location and provided as a service to users on a recurring monthly subscription. The benefits of such an arrangement are numerous but include avoiding large capital investments, greater flexibility to scale up and down, and shifting the onus of cybersecurity and firmware updates to the vendor. Simple installation and removal of endpoints What’s more, because modern video and access control systems transmit data via the IP network, installation and removal of endpoints are simple, requiring nothing more than PoE and Wi-Fi. Of all the advantages of the ‘as a service’ model, it’s the rich data acquired from ACaaS that makes it so valuable, and capable of delivering business benefits beyond physical security. Managers are constantly looking for better quality of information to inform decision making, and integrated access control systems know more about operations than you might think. Integrating lighting systems with video feeds and access control creates the ability to control the lightsRight now, many firms are experimenting with ways to find efficiencies and reduce costs. For example, lights that automatically turn off to save energy are common in offices today, but can be a distraction if employees have to constantly move around to trigger motion detectors. Integrating lighting systems with video feeds and access control creates the ability to control the lights depending on exactly who is in the room and where they are sitting. Tracking the movement of employees Camera data has been used in retail to track the movement of customers in stores, helping managers to optimise displays and position stocks. The same technology can be used to map out how employees move around a workspace, finding out where productivity gains can be made by moving furniture around or how many desks should be provisioned. Other potential uses of the same data could be to look for correlations between staff movement – say to a store room – and sales spikes, to better predict stock ordering. What makes ACaaS truly exciting is it is still a very new field, and we’re only just scratching the surface of the number of ways that it can be used to create new sources of value. As smart buildings and smart city technology evolves, more and more open systems will become available, offering more ways to combine, analyse and draw insights from data. Within a few years, it will become the rule, rather than the exception, and only grow in utility as it does.

Open Supervised Data Protocol (OSDP): the gold standard for access control installations
Open Supervised Data Protocol (OSDP): the gold standard for access control installations

Today’s security industry technology standards create a common framework for achieving predictable performance. Systems are made more secure and easier to install, use and integrate with other devices. Standards are also intended to be living documents, open to continual refinements to benefit manufacturers, integrators and end users. An excellent example is the Open Supervised Data Protocol (OSDP), which is now the industry’s gold standard for physical access control installations. It was designed to offer a higher level of security with more flexible options than the aging defacto Weigand wiring standard. Updating OSDP-readers simultaneously One recent addition enables end users to push firmware and software updates to thousands of OSDP-enabled card readers simultaneouslyOSDP, first introduced in 2011 by the Security Industry Association (SIA), continues to evolve with significant manufacturer input. One recent addition enables end users to push firmware and/or software updates to a few or thousands of OSDP-enabled card readers simultaneously. Weigand technology requires updates to be made one at a time at each reader. Regularly changing reader encryption keys is an excellent way to enhance facility security. It’s easy using the OSDP file transfer capability and the latest DESFire EV2 credentials containing multiple encryption keys. You can transfer the next code on the card to all readers and the job is done. And there’s no need to create a new card for each user or reprogram each individual reader. AES-128 encryption ensures cybersecurity It’s time to migrate entirely away from Weigand technology. If greater security, convenience and reduced labour from the latest OSDP updates isn’t reason enough, here are a few more things to consider. The 40-year-old Weigand protocol provides no signal encryption, making it easy for hackers to capture the raw data transmitted between cards and readers. OSDP readers support AES-128 encryption while providing continuous monitoring of wires to guard against cybercriminals. Weigand reader installations require homerun cable pulls from the control panel to each peripheral device. OSDP readers can be daisy chained, providing additional savings on cabling and installation time. Weigand technology is simply too slow to work with today’s most versatile and secure card technologies. OSDP readers work with virtually all modern access control cards. The OSDP standard also works with biometric devices; Weigand does not. Meeting requirements of FICAM guidelines SIA is pushing to make the latest OSDP version a standard recognised by the ANSI, a move to enhance the global competitiveness of U.S. security businessesAlso, OSDP is becoming a must-have standard for organisations demanding the highest security levels. The standard meets requirements of the Federal Identity, Credential and Access Management (FICAM) guidelines that affect how the access control industry does business with the federal government. SIA is pushing to make the latest OSDP version a standard recognised by the American National Standard Institute (ANSI), a move to enhance the global competitiveness of U.S. security businesses. There’s still a large worldwide reader installation base that works solely with the Weigand protocol. Admittedly, changing them all at one time may be prohibitively expensive; however, standards should be viewed as a journey, not a destination. That’s why a measured migration is the right choice for many organisations. Begin by securing the perimeter. Replace only the outside-facing Weigand readers. As long as the walls are secured, the inside can remain a softer target until OSDP-compatible readers can be added indoors. The case for moving to OSDP as a standard is compelling. It offers our industry the opportunity to design access control software and products that provide what end users want most – greater security, flexibility and convenience.

Latest Apollo Security news

Apollo Security appoints security expert Reuben Rebullar as Director of Engineering
Apollo Security appoints security expert Reuben Rebullar as Director of Engineering

Apollo Security, a premier provider of access control and alarm monitoring solutions for over 30 years announces the appointment of Reuben Rebullar as Director of Engineering. Mr. Rebullar will be responsible for ongoing development and expansion of Apollo’s robust open hardware platform and feature rich software platform. Integrated security systems expert Mr. Rebullar joins Apollo with 12 years of experience in the hardware and software industry, most recently serving as Engineering Manager at Mercury Security in Long Beach, CA. He will oversee the development of Apollo’s fast-growing ASP Series Network Clustering Integrated Controllers as well as APACS software platform. While known primarily for integrated security systems, Apollo has been providing OEM hardware solutions for the entire life of the company and recently established ApolloEM as a division dedicated to sales and support for software developers and advanced system integrators. “We are delighted to welcome Reuben to the Apollo family and look forward to the new exciting innovations he and his team will deploy for our customers,” commented Clifford Crane, Managing Director of Apollo.

ADME of Apollo Security Access Control announces new division for Software OEM and Integration partners
ADME of Apollo Security Access Control announces new division for Software OEM and Integration partners

ADME, Inc., parent company of Apollo Security Access Control has announced creation of a new division for sales and support exclusively for its Software OEM and Integration partners. This new division, named ApolloEM, will be responsible to provide support for industry partners that use Apollo’s hardware platforms along with their own software solutions. “Providing hardware-only solutions to our partners has been a significant part of Apollo’s business since the very beginning,” explained William Lorber, Vice President of Sales and Marketing. “Establishing a separate division to strengthen our role as an Access Hardware OEM became logical as more partners are coming on board to utilise our new product line.” Lorber went on to explain that Apollo’s new ASP Series Controllers allow easy integration as well as post-factory customisation with App Scripting.” ASP-4 integrated controller/reader interface The flagship of the new hardware series, ASP-4 is a four-door integrated controller/reader interface designed for secure, high volume applications. In addition to expansion options via OSDP to support up to 20 readers, the ASP-4 can work in a network device cluster to support up to 128 doors working as a single management unit. Other features such as a native Open Platform SDK, on-board app scripting and 3rd-party serial device support make ASP Series an attractive choice for system integrators and software OEMs in the security industry. ApolloEM ApolloEM will provide support for existing partners as well as market to potential new partners. Upcoming events for 2018 include Security Essen and ASIS/GSX as well as product and technical seminars worldwide.

Apollo’s ASP Series Controllers set new standards for secure, scalable and customisable access solutions
Apollo’s ASP Series Controllers set new standards for secure, scalable and customisable access solutions

Everyone can agree the convergence trend is in full force in the electronic security industry and organisations are pushing more and more for integrated solutions that can not only enhance ROI but also solve problems that have traditionally been out of the realm of electronic physical security systems. This leaves system integrators and other solution providers in a difficult position as they scramble to be competitive especially when faced with an industry dominated by a few power players. Tackling this problem can now be a matter of survival for small to medium players especially in regional markets. To address this need, Apollo Security Access Control has introduced the new ASP Series Controllers that promise to set a new standard in for secure, scalable and customisable solutions. For 30 years, Apollo has been known for producing some of the most robust hardware in the industry and with the ASP series a new layer of flexibility has been added by allowing ‘post-factory’ customisation in addition to many other feature upgrades. This will have the effect to put more control in the hands of integrators and even end-users so they are not locked into hardware solutions that are ‘off the shelf’ and don’t provide any ability to adapt to customer specific needs for the present or the future. The flagship of Apollo’s new controller series, the ASP-4 is an intelligent access controller designed to provide a high performance security solution Intelligent access controller The flagship of Apollo’s new controller series, the ASP-4 is an intelligent access controller designed to provide a high performance security solution with the ability to solve non-standard problems. Natively, the ASP-4 can support four readers and four doors, but when clustered with 32 other ASP devices it can secure up to 128 doors in one management unit by utilising inter-device communication across standard IT networks. Each ASP-4 can also support up to 16 additional readers by utilising OSDP Secure Channel communications, supporting configurations such as 4 Doors with In/Out (8 Readers) or even more doors by adding input/output modules for door control. Enterprise capacity of 250,000+ cardholders, 300 access levels with up to 50 access levels per card is provided at each device, providing total cardholder and access rights database redundancy, preventing reduced functionality modes such as ‘facility code check only’. The ASP’s real power lies however with the ability to customise the functions of the controller by loading customised App Scripts and third-party protocols. Using industry standard ‘C-like’ programming language, the ASP can have new functions designed by the integrator. Running customisations at the hardware level instead of in software offers the benefits of drastically reduced time/cost of implementation as well as superior reliability. Whereas before if an organisation wanted to integrate a new device such as an alarm panel, fire system or similar they would have to request software customisation which can take months and cost tens of thousands of dollars, with the ASP such a task can take days or weeks and be completed with a budget of hundreds of dollars. An example of how effective this customisation works was provided by a subsidiary of a large multi-national Corporate access control solutions An example of how effective this customisation works was provided by a subsidiary of a large multi-national that was struggling to comply with strict labor regulations. Under these rules, workers in their factory can only work six consecutive days, requiring the seventh day for rest. The HR department struggled to keep track of this as each employee’s rest day could be prior to when six days was expired; in addition to workers switching shifts and other complications the tracking was too difficult to be done manually, so an automated solution was necessary. The current access control solution the company was using didn’t provide any solution for this so the only possibility was expensive customisation which would take 3-4 months and then provide no guarantee in the future what would happen if needs changed. With ASP-4, Apollo’s local partner was able to offer a much more rapid solution. The requirements were programmed into a logic script that was loaded to the controller. This script checks every cardholder at time of access for any violation of the rules and will deny access if necessary, then displaying a reason on an LCD display as well as flash an indicator light so that the cardholder will know it is not simply an access level error that has denied their entry. This customisation took less than one man-day to program and was tested over the course of one week and was then ready to be deployed. The ability to do this customisation gave the partner the edge needed to provide a timely, cost effective solution to a problem that could have cost the company greatly if a work-related accident resulted in legal action. In the future, the logic script can be easily changed for example if the company would like to move to a five-day work week in the future. Additional customisation possibilities are possible using the serial connections of the ASP Real-time monitoring Additional customisation possibilities are possible using the serial connections of the ASP. This allows integration of input devices such as scales or barcode scanners, or interface to any device that has a serial interface such as displays, mimic panels, entry phone systems and more. Protocols for these devices can be embedded in scripts and the devices can assume alarm input/output functions or even new card reader types can be supported such as wireless locks or long-range RFID readers. In addition to being customisable, the ASP of course is designed with security in mind. With all communication channels being secured with 128-bit TLS encryption which prevents attempts to intercept or forge data. Security goes all the way down to the reader using OSDP Secure Channel to protect card reader data transmission lines. Being able to communicate simultaneously with up to five software hosts also gives the ASP ability to be monitored in real-time by redundant systems, ensuring that important alarms are always delivered in time for the security team to react. Software OEMs and System Integrators The ASP Series has been designed from the ground up to be friendly to Software OEMs and System Integrators using other systems in place of or in addition to Apollo Security’s software platform. A native Open Platform SDK allows tight integration with all the ASP’s standard features in addition to the customisations available through scripting and embedded software. The SDK comes with several integration pathways including .NET and Python and includes sample code, tutorials and online developer support. To better support Software OEM partners, Apollo Security’s parent company, ADME INC., has recently announced a new division, ApolloEM which will provide support for partners that utilise the ASP hardware platform in their own software solutions. William Lorber, Vice President of Sales and Marketing said, “Establishing a separate division to strengthen our role as an Access Hardware OEM became logical as more partners are coming on board to utilise our new product line. We are excited to see the solutions that our partners develop on this platform.” Lorber added that partners will be able to share and market their solutions on the upcoming App Script Library platform that Apollo will roll out later this year to expand the effectiveness of ASP solutions.

Related white papers

OSDP is the strongest access control for your business

Is your access control as effective as you think?

Making universities safer with wireless access control