Evolution of Access Control Credentials: 4 Reasons to Adopt OSDP

By: Rich Lyman, Manager of Global Technology, Netronix Integration and Ivan Golian, IT Director, Netronix Integration

The security industry is no stranger to combating vulnerabilities. Whether physical or cyber threats, security professionals must always anticipate what could go wrong and have a plan already in place to respond accordingly. Open Supervised Device Protocol (OSDP), first released in 2011, is one tool available to the industry that is beginning to gain much traction for both its ease of implementation and secure encryption.

OSDP is an access control communication standard developed by the Security Industry Association (SIA) that has gained global acceptance, replacing 40-year-old Weigand protocol. While Weigand is still prevalent in some legacy security systems today, it no longer meets the needs of consumers. Weigand is simply a binary set of data without room for evolution, but end users demand more. The industry must adapt to the changing needs of consumers, and OSDP is helping to accomplish this.

1. Encryption
OSDP supports 128-bit AES encryption, making it far more secure than Weigand. This encryption protocol is required in all U.S. federal government applications, and has been adopted by the National Institute of Standards and Technology (NIST). With encryption in place beginning with the access control card, “man in the middle” hacks are practically eliminated. In addition, increased encryption measures support companies’ compliancy with privacy laws, such as GDPR. Using Weigand puts data at risk, whereas OSDP protects it, and in turn keeps sensitive information secure.
2. Interoperability
OSDP works under an open architecture, which allows for system functionality to change as needs do. This makes system maintenance more economical, and provides the flexibility to update as needs change, without a costly price tag. End users can use equipment from most manufacturers that conform to OSDP protocols, allowing for a customized solution tailored to user’s unique needs and budgets. OSDP is also on track to become an International Electrotechnical Committee (IEC) standard, the world’s leading organization that establishes international standards across electrical technologies, further expanding its reach.
3. Bi-Directional data communications and advanced Smart Card Capabilities
Unlike Weigand, OSDP provides support for bidirectional communications and advanced Smart Card Capabilities (such as PKI/FICAM and biometrics), further enhancing the security of a system. With the ability to host multiple devices on the same wire, it reduces the risk of a compromise with badge-to-reader communication. Support for smart cards further enhances flexibility, while maintaining system integrity.
4. Evolving Protocol
In a world where hackers attack every 39 seconds, it is more important than ever to not only have a secure protocol in place, but one that can evolve as needs change. SIA has a working group dedicated to the development and maintenance of OSDP so that it matures at a steady pace and remains relevant. OSDP is a living, breathing, evolving protocol, so to speak, and advances on-pace with technology.

End users are engaging in conversations surrounding physical and cyber security more than ever, and in turn are becoming more active in the decision-making process, as it relates to their security system. It is the integrator’s job to educate end users on technology and standards available to them, and this includes OSDP.

For more information on OSDP you can visit SecurityIndustry.org

What is the average life expectancy of an IP camera?

By Dave Sweeney,

CEO, Advantech Incorporated

Analog cameras have had a reputation for standing the test of time, mainly because the technology behind them is relatively simple and has changed little over the years. With only periodic improvements, end users often had little reason to replace them and upgrade to newer cameras.

The introduction of IP technology, and the widespread adoption of IP-based cameras, has transformed the camera landscape. IP-based technology has rapidly evolved to introduce high megapixel cameras and H.265 video compression. Still end users want to know the average life expectancy of an IP camera.

For example, what is the failure rate of an IP camera and how often should these types of cameras be replaced? Because the technology is only 20 years old, there is not a significant amount of data on the average lifespan of these type of devices. It’s also difficult to collect data on the lifespan of IP cameras because these devices are being replaced long before they reach the failure point. The reality is that we find that many customers are so reliant on their systems today that they are upgrading cameras for the latest feature set or resolution long before the camera actually fails.

However, as a general rule, a new IP camera today should last two NVR cycles. So, if an NVR lasts between three to five years that means the IP camera on the network should last between six to 10 years. After that time, it would be wise to start to invest in newer camera technology to ensure software compatibility with your new NVR system and cameras that have capability to leverage newer features.

One interesting trend of note is that many early adopters of IP cameras are now gravitating towards the newer multi-sensor cameras. A single camera containing multi-sensor technology has the ability to capture 360 degrees of view. Each camera is equipped with a four-image sensor fixed lens, so essentially one camera can do the work of four individual cameras.

While cameras do fail from time to time, there really isn’t a scientific number that can be applied to the lifespan of an IP camera. It is best to review your surveillance needs on a regular basis and invest in the camera technology that helps you to achieve your security goals.

How to Manage Active Shooter Incidents in K – 12 Schools: Pairing Technology with Strategy

By Jamie Bumgardner, Prime Communications

As technological tools have advanced over the years, schools, retail establishments, government buildings and other venues are increasingly using technology to improve security and save lives.

Today’s best practices for school security systems are composed of three main elements: access control, event detection and response – all while feeding into a unified security platform. The key is combining technology with well-thought-out strategies and training.

  1. Access Control: Proactively Preventing Violence

Prevention is better than having to deal with an active shooter incident and should be the first element of any K-12 security and safety plan.

Controlling access is a basic, yet powerful way to prevent active shooter situations. Gone are the days of one-room schoolhouses with a single locked door for protection. Today, most schools have hundreds of students and faculty with multiple entrances.

Here’s how technology can help identify pre-access threats:

  • License Plate Recognition software (LPR) is sophisticated enough to “read” license plate numbers and associate them with filters/rules programmed into the system.
  • Use monitored checkpoints for traffic and place access control in critical areas such as offices, side doors and entrances to sports venues.
  • Monitor and control locked doors using a variety of coordinated security systems and door-lock controls.

Monitoring and controlling access is the foundation of a comprehensive security plan for any school. However, some threats may not be neutralized by access controls. So, the next step is to plan how technology will be used during an active shooter event.

  1. Active-Shooter/Violence Event Detection and Response

Seconds matter when it comes to saving lives. Event detection, response technology and strategy should focus on minimizing the time it takes to identify a crisis in progress – as well as the response time.

No one wants to believe an incident would happen at their own facility, but schools must be realistic and face the challenges head-on – putting security and safety technology into place and practicing responses.

Here’s how technology can help in an event situation:

  • Use audio detection software to identify threats
  • Work with security experts and law enforcement to create a plan that is automatically carried out to the best of your system’s ability – in concert with human responses.
  • Use threat detection software to create an access plan that makes use of cameras, audio detection and access controls using key cards and pin pads.
  • Technology can also be used to prompt automatic lockdown of every door in the school, including classrooms when the highest threat levels are reached.
  1. Automated Crisis Response through Unified Security Platforms

Automatic responses to school threats depend on different pieces of technology communicating with one another. Many schools in the United States do not have unified security platforms, which allow technology tools to “talk” with each other and carry out coordinated actions.

A proper automated system not only ensures student and staff safety within one school, but can automatically lockdown schools within a radius of the event, notifying proper staff so a shooter can’t go from school to school causing more damage.

In addition to preprogrammed software prompts designed to identify school threats, lock down doors and notify responders, a unified security platform can be coordinated with city technology to notify and support efforts of law enforcement. Ideally, schools, businesses and different city departments would use the same platform to aid in integration.

Whether it’s a scuffle or a life-threatening active-shooter incident, next time your K – 12 school faces a safety breach, it’s critical to be prepared. Schools cannot afford not to face these realities and take actions that give every life a chance.

To read more about how to pair technology and strategy to address active shooter incidents please visit this article by Prime Communications.



Where to begin: 3 Considerations when Selecting Your Video Management Systems (VMS)

By Bill Hogan, DA Central

As the security industry evolves to meet changing customer needs, so must the products that companies offer. Users are inundated with choices, ranging from products you can buy online or at big box stores to very complex security VMS platforms with state of the art functionality. It is important to recognize that every system is different; but, here are a few tips to keep in mind to make the process easier for your Video Management System selection.

Commercial VMS is not a one size fits all proposition. Basic functionality is built into all serious VMS solutions including recording of video and audio, camera management and administration, search options and playback. For larger systems with more intense users, the video management system needs to be capable of saving evidence quality video for prosecution, managing multiple monitors and/or for multiple locations. Remote accessibility for mobile devices is expected today. Other considerations are managing low-bandwidth environments, storage on the edge, frame rate needs and storage calculators to determine your server requirements. Cloud solutions for storage are another option. When choosing a VMS, it is important to assess your needs, so you receive and pay for only what you need, rather than wasting money on unnecessary and expensive features. Many people purchase VMS systems with features they’ll never use. Or, alternatively, users buy an inexpensive system that cannot propel them into the future. It is important to have a long-term view of your purchase decision to ensure you are installing a system that is future proof and allows for an expansion of capabilities, extra storage, or analytics features, should there be a need for them in the future. There is a delicate balance between needs vs. wants and therefore, it is something that should be evaluated early in the process by the corporate security team. Start with a features checklist to compare system offerings.

Proprietary vs. Open Source
An open architecture allows a security project to incorporate multiple cameras from a variety of manufacturers. This can provide cost saving benefits, as users are not locked into single manufacturer agreements. This means that if a camera breaks or malfunctions, it can be replaced with a temporary, cost-effective solution without worrying about integration difficulties. Even so, some cameras that are open source have robust analytics built in that are proprietary by nature. So, even though these cameras can integrate with cameras from other manufacturers, choosing to do so may result in the loss of some of those built-in features. In order to retain feature sets between cameras from different manufacturers, it requires the integrator to know different camera types and nuances. It is also important to note that manufacturers will often say that their system is compatible with thousands of cameras, or that they can use ONVIF cameras to alleviate any compatibility issues. While this is partially true, most VMS systems typically sell their own cameras, and in turn are more thoroughly integrated.
Proprietary systems usually function out of the box. They integrate with their systems seamlessly, in turn speeding up the installation process and ensuring that the analytics you want in your system are streamlined and always available. There are real tradeoffs here, so it’s important to keep in mind your needs, both current and future. Remember though, all systems need configuration to take advantage of their features, especially analytics and storage set up.

Licensing varies widely between VMS systems. Many VMS platforms are available virtually free for the first handful of cameras. After that, depending on the features of the camera or whether they are used at an enterprise level, the cost per camera license can become very expensive. Some are up front, one-time costs, but others require annual fees. One VMS system might charge a nominal fee per camera, whereas another might charge over $400 for a single camera license for all of the Enterprise level features you may need. If you are operating at an enterprise level system with multiple sites and advance features needs, it may require an investment of over $100,000 in licensing. By keeping in mind that every company is different, you can ensure you are making a financially responsible decision from the beginning.

From choosing features to determining licensing requirements, selecting a VMS system is no easy task. Ultimately, it comes down to realistically assessing your needs, and choosing a trusted integrator that can walk you through the process.

3 Reasons to Adopt Mobile Credentials

By J. Matthew Ladd, The Protection Bureau

Over the past four years, the adoption of mobile credentials for access control has increased significantly, and is expected to account for 20% of all credentials by 2020. While it will be some time before mobile credentials replace the tried and true plastic card completely, the industry is beginning to embrace this new technology and implement it in a way that provides more secure data exchanges in the long run. In an industry where old habits die hard, it is important to examine the advantages of all possible solutions and decide what is best for you.

  • 1) Mobile credentials are less likely to get lost
    The largest security risk, as it relates to access control, is if a credential gets into the wrong hands. There is no easy way to identify when this happens, or even to track where the credential ends up. By the time a user realizes their credential is missing and reports it, it could have already been used to access secure areas. If this card is replaced with a mobile credential, the likelihood of it going missing decreases significantly. There are few daily tasks that can be completed without a cell phone. From tracking calendars, taking conference calls and checking emails on the go, a busy professional is never without their mobile device, and if they are, they typically know where they left it. The same cannot be said for a credential card. People could leave it on their desk, in their car or at home without a second thought. Try hiding someone’s cell phone versus their credential card and see which one they notice is missing first.
  • 2) Mobile credentials offer more than traditional credentials – and are more convenient
    While mobile credentials get you in the door, they have the power to accomplish so much more. Already, mobile devices have multifactor authentication built into them, with fingerprints, pins and facial recognition technology. If an access control system utilizes these built-in features, users can gain the heightened security of multifactor authentication without the need for new hardware, which can be costly and time consuming. In addition, mobile devices also have location services built into them, alleviating the need to scan an actual badge by using proximity servers to identify when a person is near a door they need access to. When juggling coffee, laptops and breakfast in the morning, the last thing an employee wants to worry about is digging around for a credential card.
  • 3) Mobile credentials can save money
    Mobile credentials already seem like the easiest choice, but the real selling point is that they can be far more cost effective than the traditional access control badge. They are easily upgradable and eliminate the cost associated with issuing a physical badge or access control card to every employee. Because employees are already using their cell phones, it makes sense to leverage the technology everyone already carries in their pockets. This is especially useful on college campuses or hotels, where key cards are replaced frequently.

Overall, mobile credentials are making a good case for themselves. From convenience, to increased security, to long-term cost savings, it simply seems like the logical direction for the industry to go. As implementation has picked up in past years, time will tell if the industry adopts mobile credentials exclusively.

Looking to the Future of Access Control

By Eva Mach

When we think of access control, the first thing that comes to mind for most is a badge that gives entry to authorized individuals. There is, of course, technology behind it, but compared to the rest of the industry it may seem that access control is lacking as far as innovation and new solutions go. However, what many do not realize are the growing number of solutions now available to end users, and wireless access and mobile credentials are part of this evolution.

The widespread development and increasing adoption of wireless access and mobile credentials have opened the door to future development. Looking more deeply, there is far more innovation happening that goes beyond a door simply opening. For example, Apple is running a prototype using Apple Pay and iPhones on college campuses. By connecting user’s phones to access control portals, there is a possibility to integrate the access control system with other systems. In this case, your wallet.

Access control options that are being adopted more widely on campuses include wireless locks. Wireless locks are replacing legacy locks, in turn allowing multiple wireless enabled devices and locks to communicate between each other. Criteria and conditions can be set, such as doors only being accessible to certain students on a college campus during certain times of day (i.e. class times). With editable criteria like this, security professionals on a campus or any other sector can ensure only the right people will have access to areas at the right time, including vendors making a delivery to an office or second shift employees for a warehouse.

While wireless connections make things easier and more controllable, there is concern involving the cyber security of these systems. Many end users in high security areas opt for multi-factor authentication rather than just knowledge of a pin or presenting a badge to enter a premise. A pin might be the first level of security, but a more advanced access control system could also require users to present an access control credential, including biometrics. The beauty of the innovation in access control is that it can be as simple or as complex as the user requires.

Overall, by opting for a wireless access control system, end users are given more flexibility, data backup and risk mitigation. There has not been a lot of new areas in access control for many years, but that has begun to change with the introduction of managed services with a cyber security emphasis along with blue tooth enabled devices that provide a better user experience more secure environment and ease of use for the security personnel.

This, along with increasing adoption of wireless and mobile credentials, is giving the industry an opportunity to bring access control to the forefront when talking about risk management. In addition, the deployment of sensors and analytics will allow the end users to gather information about comfort level within a building resulting in better customer experience and cost savings through adjusting the use of power.

Defining Cloud-based Solutions

By Bill Hogan

Cloud-based security solutions have been all the buzz in the industry for the past year, with many video surveillance and access control manufacturers jumping on the bandwagon to introduce their latest cloud-based offering to the market.

As the number of products called cloud-based increases, as a security professional have you ever wondered what defines a true cloud solution and how does one determine the difference between a solution that claims to be cloud based from one that really is?

While many security manufacturers state they offer a cloud-based solution, the reality is that very few, an estimated four percent, are a true cloud-based solution. A true cloud-based solution is defined as one that offers a fully scalable architecture that not only lives in the cloud but was also born in the cloud. It can be accessed from anywhere, any device and on any modern web browser.

For example, social media platforms such as Twitter, LinkedIn and Facebook, are cloud-based solutions. So too is Netflix, even though it requires an app to provide intellectual property protection on mobile devices. A majority of true cloud based solutions require that little to no software be installed on client devices.

It’s time for security professionals to start to pay attention to cloud-base solutions because the benefits far outweigh the downsides. For example, both small and large companies have the ability to seamlessly scale up their systems with a cloud-based solution. It can be timely, costly and a painful experience to take down every server, upgrade servers, update field panels and put them back online every time a new software version is released. A well-designed cloud-based solution using AI (Artificial Intelligence) can initiate an update once every two weeks, eliminating downtime and the expensive cost often associated with system upgrades.

Cloud-based architecture should enable a single database to span across the entire product for every client, which ensures product version control. Every client is then on the same version and has access to the same firmware / software version.

Cloud-based video storage also provides added protection, ensuring that video evidence cannot be destroyed by tampering with an NVR. Once the video is pushed to the cloud, regardless of what happens to the NVR, that video has been captured and saved.

The technology market is going through a tremendous evolution, as more of the everyday solutions and devices we use in both the home and business become IT and network centric. The security industry is no different, with cloud-based solutions paving the way for more streamlined, secure, resilient and redundant systems.

Buyer Beware: Why DIY Camera Systems Are Not Designed for Commercial Applications

By David Alessandrini


The “Do it Yourself” video security systems are all the rage in the residential market, enabling home owners to easily monitor who is coming to the front door, watch when children come home after school or to track package deliveries.

While these easy-to-deploy and use surveillance systems have introduced surveillance technology to the residential market, it’s important to remember that these systems are not suitable for enterprise and corporate level surveillance needs.

First, DIY camera systems do not allow you to switch out the camera that comes as part of the DIY surveillance kit. All components in the kit have to be by the same brand in order to work together.  This means that if you need a camera to provide clearer images at night and the cameras in your system do not do that, you are stuck with using the camera included in the box.

Second, these kit-based surveillance systems do not offer scalability. It’s important to ensure that any surveillance system installed can grow as security needs evolve and grow. Should a location need an additional camera to provide increased coverage in a parking lot, for example, many of these systems cannot accommodate even one additional camera.

Another area not typically taken into consideration is storage needs. The DIY surveillance kits often have limited storage capabilities, especially when trying to ensure that the system records usable, quality video. Many of these systems also do not provide enough storage needs to follow best practices for archiving surveillance.

Many people think that the DIY surveillance kits offer more features, but business and commercial users of these systems actually lose capabilities. Often it will also cost them more money by investing in a surveillance system that doesn’t fully meet the needs of their business.

While it may be tempting to install a DIY surveillance system, it’s best to work with a professional security systems integrator to design and install a commercial grade surveillance system customized for specific businesses’ needs.  Commercial clients have greater requirements than residential surveillance system users, where the lack of video to show a staged slip and fall incident in a parking lot can mean the difference between winning or losing a lawsuit.

Securing the IT Closet

By Craig Jarrett

Silicon Valley was ahead of the curve 15 to 20 years ago when it recognized the importance of securing the IT closet. Today, the rest of the business world is finally catching up, understanding that it is critical to ensure the servers that run a business are just as secure as the front door or business itself.

Securing the IT room has become top-of-mind for companies both large and small. It’s important to only grant access to those who are to permitted to enter into these areas as they contain sensitive information on customers, employees and the business itself.

Only a few years ago it was not uncommon for a company to locate servers out in the open, sometimes in a mailroom or another common area that could be frequented by employees or delivery people. This all began to change with the introduction of government compliance requirements such as Sarbanes-Oxley and HIPPA, which were implemented to protect privacy and data.

Now, publically traded companies need to show compliance with securing their data. This includes providing an audit on who has access to the IT room, even a technician who may be accessing the IT room to set up a system.

The systems now in place to protect the IT room can vary dependent upon the business and their specific security needs. Some implement a simple card reader or keypad on the door, both of which can easily manage and monitor who gains access to the room and at which specific time. Others, such as financial institutions and online retailers, have invested in two-factor authentication or require two people to enter and leave the room at any given time.

Beyond access control, some businesses have even taken securing their IT closet to another level by also installing surveillance cameras to visually monitor the area or vibration and sound sensors to detect an attempt to drill into the room from an adjoining location.

As part of the checks and balance process, it is also a good practice to have a reapproval process every six months, thereby ensuring that if a person no longer requires access to the IT closet it is removed from their credential.

At a bank, a person cannot get into the bank vault unless there is a real need. The IT closet is much the same, containing valuable information, and as such are now protected in a very similar manner.