With the growing adoption of mobile access control for physical security applications, smartcards and phones used as credentials are converging into centralized identity management systems. Either of these form factors — or both — will be used to secure access not just to the door, but also to data and cloud applications, while providing a seamless user experience.
As converged physical and logical access control using both smartcards and mobile devices extends to a growing range of applications, security dealers and integrators find themselves moving into a new, expanded role. There is greater need than ever for them to act as trusted advisors, assisting their customers with more challenging decisions not just at deployment but over time with policy development and updating, as well as ongoing system and credential management.
As they grow into this role, dealers and integrators also have the opportunity to significantly expand revenues at deployment and throughout the credential lifecycle, across a growing range of access applications.
A Changing Landscape
The physical security market has been at the front lines of security convergence ever since video surveillance began transitioning from analog to IP. Meanwhile, IT department involvement in video surveillance has steadily grown to the point that the IT staff now heavily influences technology purchasing and daily oversight.
Now that ID cards and mobile phones are being used together for both physical and logical access, the convergence trend is accelerating even more quickly. With the latest solutions, the same card used to open a door can also have “tap” authentication capabilities for logical access control — it can be tapped to a laptop, tablet, phone or other NFC-enabled device to access data, cloud apps and web-based services. Plus, smartphones and other mobile devices can be turned into a trusted credential that can be used to unlock doors and open gates.
What does this mean for physical security dealers and integrators? In the past, a customer deployment might involve one major round of on-site card provisioning and periodic follow-on provisioning for new hires or to replace lost or stolen cards. This model will not go away anytime soon because of the visual identification capabilities that only physical cards can deliver; however, on top of this model, there is the new opportunity to remotely provision physical access credentials to smartphones and other mobile devices, and to provision credentials to both cards and phones not just for opening doors, but also for secure print management, time-and-attendance and cashless payment applications, among others.
The same ID card that is used for these physical security applications can now also replace dedicated one time password (OTP) solutions for permitting access to computers, data, applications and cloud-based services. In other words, what previously was a single credential per user for opening doors might now be a half a dozen, or more, remotely provisioned credentials for both physical and logical access control. Customers will need the dealers or integrators support not only for deploying the overall solution but also for provisioning and managing a broader range of credentials that can now be issued remotely for a wider range of applications.
These trends are also dovetailing with what the research firm IHS describes as new opportunities for system integrators to expand their recurring monthly revenue (RMR) while also becoming closer to end-users. “As equipment margins continue to edge lower for integrators — driven by price declines in the equipment itself — it is the services that integrators can offer, as well as the added value they are perceived to bring to the customer, that will ultimately prove to be the separator between the winners and losers in this market,” explains Paul Bremner, senior IHS analyst.
Moving forward, many think the role of the security integrator will become even more important across both physical and logical access control. According to IHS, “the physical space will continue to have a larger role within IT since access control can flag anomalies, which can create a chain reaction to protect intellectual property and other assets.” This ability to flag anomalies will become even more powerful as mobile access adoption increases. Security integrators will be able to provide analytics generated from smartphones that are connected and always delivering important data throughout the infrastructure.
Physical Access and Mobile
The first step toward realizing these new opportunities is for dealers and integrators to act as trusted advisors, helping customers evaluate their needs and build a roadmap that will support both current and future requirements. Only access control platforms based on open standards will enable the move to mobile access control, converged solutions, and web-based credential provisioning that will improve customer convenience while creating new revenue opportunities for dealers and integrators.
In some cases, the best route is to deploy gradually, upgrading readers on a phased basis. In other cases, it is more economical to upgrade everything at once rather than dedicating the time and expense to evaluate each reader and panel and make a case-by-case decision.
With the right platform in place, dealers and integrators must help their customers clearly understand their current deployment needs. For instance, not everyone in an organization will need mobile access on smartphones for opening doors. Another decision customers will need help making is whether to provision mobile access only to company-issued devices, or to support a Bring Your Own Device (BYOD) model, and how to do that.
Many organizations have a mobile device management platform where corporate Apps are published and run in a specific container on the mobile device. Making sure the mobile access solution is interoperable with the Mobile Device Management (MDM) platform can make sense, especially if security settings are controlled by that platform.
Regardless of the mobility strategy that is chosen, the access control platform will need to support the broadest possible range of smartphones, tablets and other mobile devices without the need for additional sleeves or other accessories, and should deliver an equally smooth experience on different mobile platforms. Today’s most versatile solutions support various read ranges and enable phones to open doors not just by tapping them to a reader but also by twisting them from a distance as a user drives or walks up to it.
Customers will need help determining the types of doors to be mobile-enabled, what kinds of features to incorporate, and which entry points will benefit most from various capabilities. Parking garages, main entrance doors and elevators can all benefit from a longer read range by increasing convenience for the employees. Areas where many readers are in close proximity to one another should use a tap experience to minimize risk of opening the wrong door, a capability that both NFC-enabled and Bluetooth-enabled readers can support.
Logical Access and Mobile
Using this same access control platform, the dealer or integrator can also help customers assess their logical access needs. This includes looking at tap authentication as a more secure and convenient way for users to access network resources, cloud apps and web-based services using the same ID card that opens doors. Tap authentication is a faster and more seamless and convenient solution than using dedicated OTPs and display cards or other physical devices. It reduces the need for complex passwords and diminishes password fatigue in today’s enterprise environments — where 20 or more logins each day may be required to access data and services. The model also makes it easier than ever for users to leverage a single smart card to seamlessly access data, login to cloud resources and open doors.
Tap authentication is particularly attractive for mobile device users. In today’s mobile-first world, employees expect access to corporate cloud applications, data and services anywhere, at any time, from their preferred mobile device. This anywhere, anytime access can potentially make corporate networks more vulnerable to security breaches, significantly impacting their top and bottom lines. Reliance on passwords, alone, is also dangerous. Tap authentication solves these security problems while also providing greater user convenience.
To help deploy tap authentication, dealers and integrators can walk customers through the simple process of installing authentication system software and device apps, synchronizing users with the authentication cloud service, and notifying them when they can begin using the system. They can also give their customers the option of deploying conventional card reader accessories on logical access endpoints that do not have built-in NFC readers.
For logical access control, dealers and integrators can help their customers implement and manage a simple, three-step process for using ID cards to access data and cloud services using their mobile devices. First, users open a browser on their NFC-enabled device and then type the application URL they wish to access. Next, they enter their corporate username and password. Finally, they tap their access control card to the back of their NFC-enabled mobile device or tablet to provide the second authentication factor.
More Credentials, More Revenues
Along with their expanded role comes new revenue opportunities for system integrators in credential provisioning —helping customers manage a broader set of credentials on an ongoing basis for a broader range of both physical and logical access control applications.
For physical access control applications, dealers and integrators can increase the efficiency of security administrators by helping to implement a robust mobile identity management system with proven processes for managing users and the entire life cycle of mobile identities. For instance, HID Global’s Security Identity Services offering enables integrators to help manage the entire process of how an employee is on-boarded and issued a mobile identity. Simply adding a user’s name and email triggers the process to send out an invitation email to the employee with instructions on how to install the Mobile App. When the App is installed and configured, the correct mobile identity is provisioned to the mobile device and the security administrator is notified when the process is complete. For larger organizations it is possible to mass upload user data from a file.
Provisioning a combination of both physical and logical access credentials significantly increases revenue opportunities for dealers and integrators. For example, in yesterday’s world, issuing a single credential might bring in, say, $5 per-user revenue for the dealer/integrator. Today, the possible addition of a phone credential for each user brings in incremental new revenue, and the dealer or integrator can double this number if the user is issued both a personal and business phone, each needing a credential. On top of this, there is the opportunity to sell cloud authentication services for logical access control at a per-user annual rate. It is not hard to see how a dealer or integrator that offers credential management services in a converged access infrastructure featuring both cards and mobile IDs used for physical and logical access control could triple or quadruple revenues per user.
The value dealers and integrators can bring in this area is considerable. As both physical and online access applications merge onto a combination of cards and phones, organizations will need help managing multiple ID numbers for multiple applications on multiple devices. It will no longer be feasible, for instance, to assign a single ID number to each user for all applications. The identity management system will need to support multiple application identities with different lifecycles, while also enabling different groups within an organization to independently take responsibility for their own application and identity lifecycle needs.
Bassam Al-Khalidi is Co-CEO, Principal Consultant and Founder of Axiad IDS, a Platinum partner of HID Global. Brandon Arcement is Director of Product Marketing for HID Global. To request more info about HID, visit www.securityinfowatch.com/10213866.