Enterprise customers often have unique needs and approaches to security. How will some of the top trends such as mobile credentials, cloud, big data, IoT and cybersecurity affect these larger customers?
by Karyn Hodgson, SDM Magazine
Large enterprise access control customers have been pushing for several years for more open, non-proprietary security systems. Many found themselves “stuck” when large manufacturers went out of business or a particular system reached end of life and there was no easy upgrade path.
Indeed, when Christopher Lessard, safety and security director for Nashua Public School District, Nashua, N.H., updated the district’s access control system in 2014, this was a primary consideration. “We felt very strongly about it being non-proprietary. Some systems we had in place were proprietary, and they tied our hands. They really got a chokehold on you and we did not want to deal with that anymore.”
At the same time, technology has offered many more connection options — such as wireless, PoE, Bluetooth — to customers large and small, opening up the possibility of adding on to systems in a more cost-effective manner.
As these trends continue to proliferate, they may help set up enterprise customers for the next big thing in security. But what will that be? Will it be the new mobile credential options? Is the cloud becoming a more viable option for larger customers? Big data and business intelligence have the potential to really help enterprise customers, but are they adopting it yet? Beyond that, the Internet of Things is another big buzzword lately. And lastly, none of these trends are happening in a vacuum; looming over any new technology purchase or decision is the specter of cybersecurity and making sure all these things that touch the network don’t open up vulnerabilities.
“The one trend I would say is not always spelled out in these discussions is the continued overlap and blending of network and physical security,” says Chris Hobbs, director of enterprise partner business development, ASSA ABLOY Door Security Solutions, New Haven, Conn. “When you are talking about security — the standards, the delivery, the support, the installation — you see how the definition for scope of work trends toward inclusion in the network security conversation.”
Access control systems need to evolve into a platform to manage the Internet of Everything (IoE), says Jerry Glynn, CIO, American Direct, Lenexa, Kan. “To be effective at this, it is essential that these systems connect to the IoT and have the ability to collect and correlate data of ‘big data’ type capabilities.
“The world is increasingly becoming connected over wireless networks and devices embedded in everything. This trend will result in a ‘tipping point’ where it will be possible to easily connect to and communicate with almost anything in our environment.”
As that happens, the following five trends will increasingly come into play for enterprise customers. Let’s take a closer look at how enterprise customers are reacting to them and preparing for the future.
1. MOBILE CREDENTIALS
Mobile credentials — placing the access control credential onto a mobile phone — are still in the very early phase of adoption for all types of customers. Because of scale, enterprise customers may face additional challenges adopting them, but this trend could ultimately help keep costs down.
“We think mobile credentials are the future, and it is only a matter of time until people get more and more comfortable with them,” says Derek Arcuri, product marketing manager, Genetec, Montreal. But there are challenges. “If I am an employee and I have to bring my own phone, do I want my phone to have to be responsible for that? It is a little bit of a mindset change. At the hardware level you have to have a Bluetooth or NFC chip enabled. Once those hurdles are passed and more and more manufacturers support enrolling, I think the market will head steeply upward. One day mobile credentials will be our future.”
Richard Goldsobel, vice president of Continental Access, Napco Security Technologies, Amityville, N.Y., sees mobile credentials starting to take hold already, but notes there are some challenges still. “It is definitely proliferating,” he says. “The tough part is consistency across implementation, even within one enterprise. Here at Napco we have mobile credentials we use with [certain locks]. And that is great for those locks, but we are in a mix-and-match situation with readers. Depending on the size of the enterprise and what they are after, the logistics and cost are still mind-boggling for end users to wrap their head around. But everybody asks about it and everybody wants it.”
That is because mobile credentials represent convenience. But convenience must be tempered with security, particularly at the enterprise level, says Justin Wilmas, senior director of sales, North America, AMAG Technology, Torrance, Calif. AMAG recently introduced its own mobile credential solution. “We know convenience is going to drive this market, but security is so important as well. I would say we are still in the early-adoption phase and it does present a lot of things they need to look at before they deploy them.”
Christopher Kieta, senior director of sales, Securadyne Systems, Dallas (SDM’s 2016 Systems Integrator of the Year), has an interesting take on what will prompt enterprises to adopt mobile credentialing. “This is a huge trend and it is going to be driven by millennials. It is about one thing, and that is the user experience. Go to any major university campus that is focused on growing their enrollment and attracting students and they are focused on being the campus of the future. People want their cellphone to be the answer to getting into their dorm room, and I think you will see increasing proliferation in that market. I don’t think it will jump in leaps and bounds but there will be a real steady uptick.”
When it does, enterprise customers will realize the other benefit to mobile credentials: efficiency and cost, Hobbs says. “Mobile credentials have become much more consumable, and that affects a number of things: It changes and improves overall business operations by allowing customers to more efficiently manage their workforce with how they distribute credentials. Mobile credentials also impact how enterprise customers utilize visitor management systems, contracted employees and their own mobile workforce. The functionality of sending a secure credential via email as opposed to having them report to an office dynamically changes how people can improve the security of their system and manage it much more effectively.”
2. CLOUD
The cloud has traditionally been relegated to small and medium-sized businesses, particularly where it can be hosted or managed by the integrator in place of an on-site security or IT person. However, as many other things go “cloud,” from banking to IT systems, the enterprise is beginning to find ways to utilize it and still meet its needs.
“As a computing option, the cloud offers a whole host of benefits, including the ability for enterprises to access and use IT resources as a utility, as opposed to building and maintaining their own computing infrastructures in-house,” says Mitchell Kane, president, Vanderbilt, Parsippany, N.J.
“What we’re seeing is that clients like the idea of having a platform optimized to run in a cloud environment,” reports integrator Henry Hoyne, CTO, Northland Control Systems Inc., Milpitas, Calif. “However, not all want to pay the premium of having it cloud-hosted. Tech-savvy clients may have their own private cloud to which they could host and manage the platform on their own. But overall I do believe that cloud will continue to grow and have a prominent place in our industry.”
Cloud is becoming king, Goldsobel says, adding that for the right customer, it makes sense, but it is not for everyone yet.
Arcuri agrees. “We think the adoption of cloud is rather high in the enterprise market, but somewhat sporadic based on the configuration of the customer. I have found high adoption in oil and gas customers, for example. … Why these customers were interested was they have humongous corporate offices and a wealth of smaller sites with five to seven doors. Do you really want a server at all those sites?”
Kieta reports that there are an increasing number of enterprise customers from all industries heading in that direction. “Customers are warming up to the cloud because everybody understands the cloud now,” he says. “More importantly, this cloud proliferation is probably the single biggest needle mover in aligning the access control industry with the IT culture. You will see IT departments saying, ‘We have made a decision that we don’t want to buy any more applications that will run on a server here.’”
For larger enterprise customers, when they go that direction it will be reflective of whatever their IT culture is, Kieta adds. “The closer their core business is to the cloud, the more cloud-centric they will be when they are asking you for new security things. But legacy security systems can be like a boat anchor for technology and if they know they have this enormous investment, a lot of times it won’t even come up. But it is treated like a boat anchor and they are just waiting for the day they can do it.”
3. BIG DATA
Big data, or business intelligence, would seem to be a no-brainer when it comes to the enterprise. But the usability and value have to be there first for enterprise customers to take a serious look at it.
“I call this the untapped goldmine,” Hoyne says. “Nearly every device we deploy is generating some sort of event and log. It’s being able to correlate that data into something meaningful that is key. Some of our clients have built their own correlation engines using sources from security, IT and others. This data can be used to create a profile of an employee, determine workspace utilization and detect suspicious activity between physical and logical access.”
Access control data can be used to provide a bigger picture look at an organization, Kane says. “Analyzing the patterns of employees and visitors coming and going can allow enterprises to determine energy usage levels and better address if there are ways to save in the long run.”
Access control systems produce a lot of data, Wilmas adds. “Access control is the foundation of the enterprise security operation because it controls when and where identities have access.”
But all this relies on the data being usable. “If not stored with intelligence, customers can quickly find themselves swimming in data,” says Michael DeMille, senior director of product management, Mircom, Toronto. “Big data is good if it can be used precisely and efficiently. The data should be purposeful, concise and easy to retrieve.”
That is why the risk assessment business has started to build dashboards to join data and analytics and make sense of all of the information, says John Nemerofsky, president, national programs, CGL Electronic Security, a Security-Net member company, Westwood, Mass. “For example, if you have a large amount of people traffic in building 4, how does that impact the manpower for that building and what about parking? You can now make business decisions from the information gathered.”
Kieta agrees enterprise customers are headed in that direction, but it may take something beyond the security industry to reach fruition. “I think there will be a convergence where you are taking sensory data out of devices in the access control world and bringing them into a data collection engine to identify macro trends. Down the road it won’t be driven by the access companies, but a Google-style company that understands how to be a force multiplier for a customer’s business.”
Glynn thinks this will be further driven by the IoT or more specifically the IoE. “As the Internet of Everything brings more and more endpoints and systems together, there will be a corresponding need to manage and act upon that data. Artificial intelligence, advanced analytics and data management will be the keys to leveraging all of the connected technology.”
4. IOT OR IOE
As noted above, there is a definite correlation between business intelligence or big data and the Internet of Things, which allows direct machine-to-machine communication, potentially adding significantly to the amount of data available.
While the IoT has been around for a few years now, when it comes to the enterprise, several experts prefer the term Internet of Everything or IoE.
“For the enterprise client it’s about more than the IoT; it’s about the Internet of Everything,” Glynn explains. “The IoE is becoming more of a reality every day where people, process, data and things are connected.”
Enterprise customers are starting to explore the possibilities the IoT provides, Hoyne says. “Lately we’ve had a number of requests wanting to know if it is possible to monitor the IoT devices that reside on their networks.”
The real boost will come when the IoT demonstrates how it can solve real-world problems, Goldsobel says. “When something solves a real problem, that is what drives every business, all the time.”
Kieta sees great potential in the IoT for enterprise customers, as well as for the role that integrators play for their customers. “If you look at LAX airport, for example, in their operations center they are also monitoring social media feeds and the health and operating environment for things like the moving walkways, escalators and matching those against expected passenger loads. That is how they use [IoT]. But the real rubber meets the road in how they handle servicing the facility.” That is the meat of the IoT from the integrator perspective, he says.
“Responding to a service call is the Fred Flintstone approach. If you want to improve your customer experience today you have to service things before they break; but how do you do that? If the device is intelligent, it can tell me that. Now I am using my IoT and my data in a truly meaningful way. But it is also less about security and more about driving business. If security is part of that equation, now I am not just this overhead expense but something that helps business function more fluidly. If I am collecting that data, service becomes proactive and that drives costs down. Once people really understand that you will start to see things change.”
However, the potential of the IoT is dampened by the need for more cybersecurity, Hoyne adds. “The industry is changing from the old analog ways of doing things. In the past you just had to worry about someone breaching your outer perimeter and inner portals to get to sensitive data. Now IoT devices can be the breach point into corporations where that data can be copied, or worse, without ever having to step on-site.”
Arcuri agrees. “We were talking to one of our larger customers in Texas and any time something was proposed to be added to the network, they said, ‘not until you prove it surpasses the cybersecurity centers we have in place.’ All these new devices that add functionality and connectivity are great. But at what cost? Larger organizations are always trying to reduce their surface of attack and cyber has to be at the forefront of every conversation as it relates to IoT. All these devices that offer that impeccable convenience are great, but the question should always be how secure are these devices? IoT ties directly into cybersecurity.”
5. CYBERSECURITY
The big kahuna of trends, with the potential to impact everything else positively or negatively, is the rapidly increasing awareness of and concern about what all these cool new technologies that touch the network do to the cyber vulnerability of the enterprise. Enterprise customers today frequently demand that integrators or their manufacturers answer a host of questions about cyber hardening before considering anything new.
“The RFP usually goes to the integrator and the RFI to the manufacturer,” Wilmas says. “The information security department usually has a whole spreadsheet with tons of information around cyber encryption. That has increased a lot.”
Kieta points to constantly shifting and changing needs — the more deeply the customer gets into the project — which can slow everything down and take more time to get right. “Where the policy isn’t clearly defined, now I am subject to more changes during the selling process. So as they are looking to migrate to a new system or put things online, they might have general requirements for that; but as they start to look more specifically at each device and how it touches the network, now they might have special privacy concerns about that biometric reader that didn’t get identified when they first talked to you. … Now the customer is going to start to ask new and different questions that I as an integrator may not necessarily know the answer to.” While the end result is a better and more secure system, it can be painful for all involved, he says.
Right now the onus is primarily on manufacturers to harden systems, including those that work with legacy products, Kane says. “With the rise in cloud technology and increased connectivity, encrypting communications between devices is paramount — and it starts with manufacturers, especially when legacy, new and different technologies are used together. A single insecure system or poor deployment of a solution can deem the entire system vulnerable to an attack.”
Hobbs agrees that manufacturers are changing how they approach things in response to cyber threats and demands from customers, including enterprise ones. “Cyber threats cause us to blend logical access control with physical access control, both tactically and strategically. In today’s world, industry and consumers are looking for solutions that blend secure credentials and logical access with traditional access control hardware.
“It’s also creating a sharper focus on the vulnerabilities around the businesses that we all participate in and serve. It used to be people, places and things. But now the systems are becoming more dynamic out of necessity. We are seeing more and more from the consumer’s perspective that these solutions we provide must have intelligence and be able to adapt to the environment that is changing so quickly.”
Hoyne is glad that the topic of cybersecurity is getting the attention it deserves, from manufacturers and others. “I’ve been to many events where entire segments have been dedicated to this topic. It is probably number one, next to features. If the product isn’t secure enough to be on a network, then clients are not willing to take that chance. … I recently had a client who was interested in a new access control platform. The first step was to see which of those satisfied their cybersecurity needs. That list dwindled down rather quickly, even though some of those platforms had features that the security teams needed.”
That has been Nemerofsky’s experience as well. “We just worked with a financial enterprise access control client that replaced their global access control platform for another after a vulnerability assessment identified it was not secure. They took that threat seriously and many end user customers are making cybersecurity a top priority.”
Cybersecurity needs to become a whole mind shift for all customers, Arcuri says, and larger enterprises are starting to move on that quickly. “Cybersecurity used to be a technical conversation. All of a sudden CEOs are involved because their employees and customers are at risk. We think it is an incredible thing if the customer’s first question is, ‘How secure is this product?’ We are seeing more and more of that in the enterprise space.
“Cyber threats now come up in every conversation when it comes to modernizing. In fact, many will modernize because there are multiple vulnerabilities detected. Cyber is a major driver of change. Mobile credentials are convenient; business intelligence is a sweetener; the cloud is something the market is heading to; and IoT brings convenience but also ties back to cyber threats. Cybersecurity is what is really shaping the market. It is important for enterprise customers to make sure cyber is ‘business back’ as opposed to just ‘technology forward,’ meaning it is part of their business DNA.”
Impacts Today & Tomorrow
SDM asked its experts which of these five top trends — mobile credentials, cloud, big data, IoT and cybersecurity — will have the biggest influence on enterprise customers in the short term and the long term. Here are some of their responses:
“I think cybersecurity will have the biggest impact in the short term. Any device that does not adhere to industry standards or trends will automatically get written off. Longer term I see big data having the greatest influence. There’s enormous potential there. The key is gaining access to the disparate systems and knowing what to do with it.” — Henry Hoyne, Northland Control Systems Inc.
“Mobile credentialing probably has the most immediate play because it is fun. If I was going to get behind a trend right now and build a sales campaign, that is the one I would pick because I can see what is going to happen. But the biggest, larger impact is probably going to be the IoT because it is potentially a force multiplier for you. It will help you build your business.” — Christopher Kieta, Securadyne Systems
“In today’s enterprise, they are already facing all five of these but to varying degrees. Cyber threats will just continue to rise. Big data will grow and be intricately linked with IoT. BYOD will only continue to grow and opportunities to secure these devices will continue to mature. The cloud will also continue to grow but enterprises need to use the same internal controls and measurements with their cloud decisions. IoT is in its infancy but will pose the biggest cyber threat depending on where the enterprise deploys it. Understanding how these various devices enter the network and what security controls are in place will be critical.” — Daniel DeBlasio Jr., vice president of sales, North America, BQT Solutions, North Ryde, Australia
“The IoT has the most potential to be a long-term influencer in the market, providing a new capacity for connectivity that is proving to be a real benefit for enterprise customers. The IoT, in theory, has the potential to offer nearly endless opportunities for connectivity.” — Mitchell Kane, Vanderbilt
“I think the biggest changes in security will be predictive analytics. In our opinion the access system is the foundation of a security department and everything is connected to the access control system. Using business intelligence and predictive analytics will be very important.” — Justin Wilmas, AMAG Technology
Advice for Security Integrators
With all these exciting (and sometimes concerning) trends affecting the enterprise, what can and should security integrators be doing to help prepare their enterprise customers — and themselves — for what’s next?
“The challenges for an integrator are to help clients understand the technical changes that are underway and how they can invest in and leverage them for new or improved capabilities,” says Jerry Glynn of American Direct.
ASSA ABLOY’s Chris Hobbs has three pieces of advice: “First, get the owners and IT or network administrators to the table very early. Learn what their needs, likes and threshold for network capabilities are. Second, start with the credential and make certain that both today’s needs and tomorrow’s ‘wants’ are addressed for the customer. Third, consider new and different places for access control. We are finding that clients’ needs have changed far beyond the traditional instances of main entry points and targeted high-value doors.”
It is critically important to involve IT departments from the beginning stages of a security upgrade, says Mitchell Kane of Vanderbilt. “The collaborative nature emerging from bringing physical and logical access control together is dependent on the ability of multiple departments to work together toward a common goal.”
One key is to stay on top of the tech game, adds Richard Goldsobel of Napco Security Technologies. “For any organization, including ours, keeping a core engineering technology solution dedicated resource is tough. Stronger integrators are more technically savvy and hire people for that. If they don’t, that limits the upside on their ability to do jobs.”
Derek Arcuri of Genetec recommends integrators ask more questions of their enterprise customers. “When they are visiting customers to provide the excellent service we know they do, ask questions about regulation changes. All of a sudden organizations, in order to meet code, have to replace things. That is something the integrator should be going to customers and talking about. That conversation can lead to perhaps modernizing cards, or something else.” He also recommends incorporating more cybersecurity into the conversation, and “getting them prepped for the cloud and mobile credentials because we think that is the future.”
Stick with preparedness, advises Daniel DeBlasio Jr., BQT Solutions. “Layered security will continue to be the correct approach. However, the biggest advice to the enterprise is to knock down the walls between security departments. You no longer can have separation of physical security and IT security. With the varying sources of threats growing from cyber as well as physical it is imperative that teams truly work together in their planning and execution.”