Originally published by Karyn Hodgson in SDM Magazine
Working in the Enterprise World
Any security integrator who has ever worked on an “enterprise-level” access control project will tell you it is not just standard access control, only larger. There are a host of requirements, challenges and issues that come with true enterprise access control. Today’s enterprise-level projects are more complex than ever, with an emphasis on integration with not only other security systems such as video, but also Active Directory, building control and even beyond — in some cases going to PSIM-level integration. Technologies such as mobile credentialing, PoE and convergence have all begun to greatly impact this space in recent years, requiring more technical expertise than ever before on the part of the security integrator. SDM recently spoke with four integrators — all of whom have extensive experience in enterprise solutions — to find out what makes the enterprise space unique, what trends they have seen and lessons they have learned:
CHARLIE THIEL, general manager, CSi, Allentown, Pa., has seen a ramp-up in enterprise access control. He has done more enterprise access projects in the last seven to 10 years than in the previous 20 combined, he says.
JEFF HOUPT is president/CEO of Automation Integrated, Oklahoma City, and describes himself as an “engineer and serial entrepreneur.” His company is a national accounts systems integrator and software development firm focused on bringing new and legacy equipment into the “Web of Things.”
BRAD WILSON, CPP, president and COO, RFI Communications and Security Systems Inc., San Jose, Calif., has had extensive experience in the strategic planning and implementation of large-scale integrated electronic systems, from design standards to alliances with architects, consultants, engineers and general contractors for many top Fortune 500 companies.
JAY SLAUGHTERBECK, managing partner, Strategic Security Solutions, Raleigh, N.C., has worked in the industry since 1998 and prides himself in the ability to “think outside the box and create solutions for abnormal issues.”
SDM: What makes the enterprise space different than other access control sales and installations?
JEFF HOUPT: Some integrators think that the enterprise space just consists of large card reader counts. Nothing could be further from the truth. You could have a very small data center with enterprise access control requirements and a very large commercial office building with none. Can you have a single reader integrated with Active Directory, audited for Sarbanes-Oxley, identity management, and access control analytics and not call it an enterprise system? The enterprise space is defined by the use of physical access control system (PACS) data by more organizations inside a business entity (also known as the enterprise) than just the security department. As we see the convergence of IT, security, and IT security this is a very real market opened to integrators capable of servicing the need.
BRAD WILSON: The enterprise space or architecture is an exclusive integrated security management system solution designed to work using the server base operating system with a SQL or equivalent database. It has an enterprise master, regional, and database servers, which contain a copy of all data located at each regional server. It can support up to 100,000 cardholders and up to 128 card readers per region, depending on the make/model of the Enterprise Access Control System (EACS). It is a multi-site server deployment with data synchronization and can be configured as redundant EACS.
CHARLIE THIEL: On the enterprise side, talking about data and centralizing that becomes one of the key components. Depending on the vertical market, there is a lot of database integration people want to do, for example Active Directory. Secondly, some of the larger enterprise installations require much more engineering and project management. A lot of different aspects need to come together at the enterprise level that may not need to be addressed at a smaller level. Sales have become more of a consultative type of selling.
JAY SLAUGHTERBECK: Advanced feature sets are typically required (such as regional or redundant server implementation). When systems are spread out geographically, a consistent installation standard and a seamless support mechanism must be present for success.
SDM: Do enterprise solutions today look different than they did five years ago?
BRAD WILSON: Yes. Physical and logical security sides have an increased level of identity verification, authentication factor, encryptions, and credentialing. The [continued] emergence of smart card and biometric technologies strengthens the verification factors, and IT professionals outlining policies and procedures strengthens passwords/access levels.
CHARLIE THIEL: I like to say what used to be electrons over copper are more and more packets over Ethernet. That is affecting everything in our industry today, including access control. One of the biggest changes would be the communication path from controllers to server. It used to be serial 485. Now the acceptance of power over Ethernet (PoE) at the door is a big change. This method aligns with the typical IT network structure, making it better for the installer as well as the end user because a consistent communications standard is being used.
JEFF HOUPT: True enterprise access control systems have moved into a space I call “where people meet things.” That means appropriate flow of people from street or sidewalk to desktop or meeting room and appropriate response to threats from gunshots to weather emergencies with management oversight and auditable reporting. That takes in a lot of blue sky, but all of those integrations are possible with a modern enterprise access control. From gate controls integrated with intercoms, CCTV, gunshot detection, Web subscriptions to weather services, identity management; it goes on and on. We’re seeing the first big time, Web-scale apps come to market right now. AMAG’s Symmetry Connect is a good example of that. Enterprise customers have grasped the paradigm shifting power of the technology.
JAY SLAUGHTERBECK: In the past 10 years, developments such as database integrations being included as native parts of applications, database partitioning, etc., have assisted from an administrative standpoint in the enterprise space.
SDM: What are your biggest challenges when designing or implementing enterprise access control systems?
CHARLIE THIEL: We have the capacity to do some of our cabling and door hardware on our own, but in larger projects we often work with other trades in doing that. The biggest challenge is coordinating the different trades. You need to have project engineering and coordination of the trades up front in the conversation so implementation goes as smoothly as possible. When that is out of sync on some of the large projects, we face some of our greatest challenges. But as long as engineering and project management is tight, that minimizes any exposure we have as integrator and eventually the end user themselves.
JAY SLAUGHTERBECK: With smaller companies, it is typical that a single source is able to provide the required information and allow immediate access to servers for installation, upgrades, etc. But at times, IT policies within larger organizations require more coordination.
JEFF HOUPT: At Automation Integrated we say, “We can do anything, just not everything.” We are becoming a national-scale player and have great internal IT and software development capabilities. Even with all of that, some of the services are so specialized that we might only do them every few years. Major enterprise rollouts almost always will require professional services from the manufacturer to be successful. In short, do what you do best and let the manufacturer’s professional services group do what they do best. Don’t try to carry the overhead of things that you’re only going to do once per year.
BRAD WILSON: Physical and logical access and security; identity verification; managing access privileges and credentials; passwords; database synchronization; replication; Human Machine Interface Error and malicious insiders; and integration to subsystem that requires special scripting or Web services.
SDM: What new or recent technology advancements do you feel have been the most beneficial in the enterprise space, and why?
JAY SLAUGHTERBECK: Technologies such as Multiclass readers allow for ease of migration when cards or disparate systems are in existence. Integrations with other systems, for example CCTV, have allowed system users to easily associate cameras with readers or devices connected to AUX inputs. Database integrations with third-party applications ease cardholder administration substantially. It also reduces the margin for error as human interaction is reduced. Additionally, the solution heightens security as a result of cards being deactivated when records from data sources such as Active Directory are made inactive. While the ability to do this has been present for quite some time, I am seeing modules being integrated within access control software to allow these integrations to occur without requiring the development of customer applications.
BRAD WILSON: Advanced smart card-based credentials paired with a strong process of identity selection and stringent policies and procedures for issuing the ID credentials or cards.
CHARLIE THIEL: This ties back to PoE at the door. Having that standard network topology that aligns with the IT industry has been really beneficial in the enterprise space. There has also been a real push today on the software side of access control to have some unified solutions. What I mean by that is having software that looks and feels the same across the security devices and hardware.
JEFF HOUPT: I think seeing products moving to cloud services and even using split APIs is exciting. It allows the big time players in the industry to use Agile Development processes to bring products to market rapidly and bring big value to our customers. As these products become less dependent on hardware and software at the edge it becomes a great opportunity to capture install and service business and to develop recurring revenue streams. Quite simply if you’re stuck in the model of capital project cash flows you’re playing the wrong game.
SDM: What future technology or upcoming trends do you see most affecting the enterprise access control space?
JEFF HOUPT: Big data. Apps. Cloud services. Not necessarily in that order. Not all enterprise customers have the need for credential authentication and compliance, but they might have very real needs for emergency preparedness and compliance and visitor management at even thousands of retail locations. All of the services hinge upon the same dataset.
BRAD WILSON: Virtualization, cloud-based smart card technology and smartphone as ID credential.
CHARLIE THIEL: NFC/mobile devices being used as credentials will have a serious effect on the industry. The younger generation is expecting that today with home automation on the rise and the ability to unlock doors with Bluetooth. That is really driving a strong desire among consumers of enterprise access control to have that same capability within their buildings. For enterprise customers particularly, managing credentials through software might be easier than through cards or fobs.
JAY SLAUGHTERBECK: Credentials seem to be evolving in the access control market. Technologies such as NFC and (HID) SEOS are reducing the number of physical cards distributed and offering a higher level of security and convenience for users.
SDM: What was the most difficult enterprise access project you ever did?
CHARLIE THIEL: Years ago we did a very large project where, unbeknownst to us, their IT department was writing scripts into the access control database to tie it in with another piece of software. We didn’t know that going into it and didn’t address that up front so it wound up becoming a huge challenge on the back end of the project. Basically they were trying to do part of our job without telling us they were doing that. Eventually we were able to fix the situation. We wound up getting the manufacturer involved. Nowadays we take much more of an IT approach than we did then. Absolutely you cannot have an enterprise-level access project without IT involved at some level. Sometimes it is just a matter of understanding the expectations.
JAY SLAUGHTERBECK: A large industrial complex. It involved hardened equipment for the harsh environment, and a large amount of custom fabrication was required to fit the customers’ requirements. IT was outsourced, which caused a delay in acquiring information which was required for system functionality.
BRAD WILSON: A large government application requiring UL2050 compliance. These are typically conversions with minimal or zero down time.
JEFF HOUPT: It definitely wasn’t the largest access control project we’ve ever done, but it was by far the most integrated. We delivered a 200-plus door access control system for a Fortune 500 company in three months from award of contract. The project management piece was a matter of multiplying tasks times quantities to get man-hours and dividing by project duration to determine staff. That’s not as simple as it sounds in an occupied high-rise tower. That was complicated by simultaneously delivering all of the other building systems fully integrated for monitoring into the security operations center. To accomplish it, we had to break the project in phases based on the customer’s delivery requirements. We had to have engagement with IT, security, facilities, and HR early on to develop and document requirements. A considerable amount of software development was required to make each system operate with the others. The single repository for all the data was crucial for future requirements. The customer is reaping the benefits of it now.
SDM: When enterprise projects go smoothly, to what do you generally attribute that?
BRAD WILSON: Collaboration with all stakeholders — especially IT.
JEFF HOUPT: Early engagement with IT is always beneficial. Sometimes a customer doesn’t know exactly what target they want to hit with the integration. Start small. Deliver only the bare essentials and see what the customer’s experience is like. Probably the single largest lesson we have learned is to do one of everything top to bottom before adding duplicates. That ensures you’ve solved all the problems before you make them big problems. All the communication paths are open, protocol issues dealt with, database access issues solved, back-ups, development standards, change controls, etc.
JAY SLAUGHTERBECK: Planning and fact-finding prior to implementation.
CHARLIE THIEL: Creating real expectations for what the end user is looking for. We try to stay away from strict bid projects unless we can get in front of end users. Taking a consultative approach, having those conversations up front and making sure it works on paper so expectation is clearly articulated and really having an IT conversation in the midst of this is crucial. Begin with the end in mind. How is the customer going to use the system? That becomes the more important aspect of creating a smooth enterprise project.
SDM: What was the best piece of advice you were ever given about the enterprise market?
CHARLIE THIEL: Garth Dehoff, a business development manager for Honeywell, told me to “start with the data.” Where we have gotten burned and seen things become much more valuable is on the data side where we have the IT conversation with enterprise security people, understanding what they are going to do with the data and how they are going to use it. If we start there, the conversation becomes much more valuable than just locking doors and allowing people to open them. That other stuff is important, but the data is what people use.
JAY SLAUGHTERBECK: Providing prompt and quality service is key.
BRAD WILSON: Plan accordingly, identify physical and logical problems, select the correct platform that will meet hard and soft technologies, and full coordination with owner and/or decision maker, IT professionals, manufacturers, and security SME or consultant.
JEFF HOUPT: We started on this process 10 years ago. Nobody was giving out advice back then. But my best advice for others is: It’s a slow sales cycle. Solve the big problems first. That’s how you close.