While the idea of ‘openness’ in access control is not as advanced as in other areas of the security market, there are moves towards standards and common ground. OSDP is one of these, while ONVIF also has its access control standards (Profiles A and C, with D out as a release candidate at the time of writing – see below).
Sadly, having standards available, no matter how useful they may be or how good the intentions, is of little use when the companies providing access solutions to the market don’t apply them properly, or still have proprietary hooks to keep customers locked into technology from their brand.
Some say there is little incentive for vendors or customers to drive the open standards concept because proprietary solutions have too many benefits: but what are the benefits in proprietary architectures for the end-user companies? And one should also ask, what are the benefits of open standards to users?
As the world becomes more connected and converged, we also have to ask if there is a place for proprietary solutions as the Internet of Things (IoT) connects more diverse systems and technologies.
So, what is happening in the real world when it comes to open standards and access control? Are companies satisfied with having their access system as a standalone system that does not integrate into anything else, or are they looking for solutions that can integrate into other applications in the building management space, for example room occupancy, elevator control and so on?
The pros and cons
There are several pros and cons when it comes to systems based on open standards versus proprietary solutions, and in both cases these are hotly debated, says Nico Broodryk, head of systems design, technical support and training at Bosch Building Technologies.
“Proprietary solutions generally rely on the fact that in keeping the encryption algorithm private, it achieves an extra layer of security implying ‘security through obscurity’. These solutions typically have specific features and capabilities and tend to be easier to configure and provide greater functionality than open-standard solutions. It appeals to a specific audience and aims to provide a superior user experience.”
Additionally, Broodryk notes that proprietary solutions are constantly updated to detect and remove bugs and vulnerabilities, but these updates often come at a price.
“With a few exceptions, most proprietary platforms require licences and maintenance fees, so the costs add up. Plus, users depend on developers for support, updates and upgrades. Some features may add little to no value to the average user who may not have the skills and expertise to fully utilise the feature set. Therefore, the user may end up paying for features they do not really need or use.”
Another drawback is the inability to modify or customise the software used for access and identity systems. If additional features are required, the user must upgrade to a more advanced version – and pay extra.
On the hardware side, Broodryk adds that with card, fingerprint or vein readers, for example, the user is restricted to the functionality of the product supplied by the manufacturer. “In some instances, a manufacturer will not have hardware available complying with the specifications of the customer and will not be able to offer a suitable solution. If the solution meets the requirements of the user though, proprietary based hardware can be the most stable and easy to install solution available.”
Moving on to open standards, he says a truly open standard is one that can be freely accessed, adopted, and improved upon. Software security is tested constantly and upgraded on a nearly daily basis by programmers; however, open standard solutions may be more vulnerable to hacking. New features and capabilities can be added or modified based on the user requirements fairly quickly, which allows for a software solution that appeals to any user.
From a hardware perspective, the main advantage of an open-standard solution is that nearly any specifications set by the customer can be met using third-party devices. A combination of bespoke user interface access control software and open-standard fingerprint readers, as an example, can lead to a satisfied customer experience. Configuring and commissioning can at times, however, take longer than a proprietary solution, he warns.
Acknowledged standards
Steve Bell, chief technology officer at Gallagher, states there aren’t many open standards in the access control industry, and the risk with those that exist is that they can drive the lowest common denominator and therefore may not be very functional or secure.
“There are some open standards that should now be considered legacy, for example the Wiegand interface for card readers which has been a de facto standard for card reader interoperability for many years and is still used in the majority of the world’s readers,” Bell explains. “It has zero security; there are several devices that can be attached to the cable anywhere to record and replay card badging.”
As an alternative to Wiegand, Bell says the Open Supervised Device Protocol (OSDP) has been developed for secured communication from the access control panel to the reader. “This is a good standard which has options for high security, such as encryption. More readers and panels today support OSDP.”
In the contactless card market, he continues, 125 kHz cards in a number of different proprietary formats have, like Wiegand, been the interoperability standard ever since the adoption of contactless cards for access control. Also like Wiegand, they do not offer any security and can easily be cloned.
“For access cards, the predominant card recommended for use today is the MIFARE DESFire card,” Bell says. “Although the card is a standard, between various vendors’ solutions there is no ability for a person to have one MIFARE DESFire card that can be easily used across access control systems from any number of system vendors. Due to the need to have secure authentication, sites should have a secret key that is not known to others and, as such, the card cannot provide access to other facilities.
“The only truly interoperable card format in use that I’m aware of is the US government’s FIPS201-2 standard card, often called PIV. It uses certificates on the card and certificate authorities that can indicate when the card has been revoked. Systems that the card has been enrolled in can remove privileges within hours of when a card is no longer trusted.”
Mobile credentials are another example of a new area for the access control industry where there is no open standard and various vendors are delivering their own technology, warns Bell. However, he notes that there are open standards for authentication that can be relatively easily adjusted to meet the needs of physical access control, such as standards from the FIDO Alliance (www.fidoalliance.org).
Focus on functionality and features
From the perspective of a local access technology manufacturer, Tim Timmins, sales director at Impro Technologies, says there is an increased demand for open standards internationally and the company sees more specifications in Europe written around OSDP with Secure Channel Protocol (SCP), but this has yet to spread broadly into Africa.
“There are a number of benefits in adopting OSDP, such as the enhanced security, bidirectional communication between the controller and reader, as well as the ability to change reader configurations more easily. Further, by the industry adopting a single open standard, a customer has greater flexibility in selecting the components of a solution – safe in the knowledge they are interoperable.
“From a manufacturing point of view, it reduces the development burden where funds are split across different platforms – rather have those resources focused on one platform, driving innovation and convenience. The open standard becomes the foundation, and manufacturers focus on features and service as a differentiator, which drives the collective industry forward. No longer are you competing on what platform is the best, but rather the product and features on that platform.”
He adds that a key threat, or challenge, would be the lack of a global adoption and certification process/body to ensure conformity. “The last thing the industry wants or needs is some manufacturers adopting the standard to its full degree, whilst others simply do a ‘patch and pray’ approach, as this would negate all the benefits mentioned above – especially interoperability because if products don’t work seamlessly together, it would quickly erode end-user confidence and trust.”
Standalone or integrated?
While the discussion about standards versus proprietary solutions can continue forever, the important factor every vendor must focus on is what customers want today and what their requirements in the future will be. Part of these requirements is to integrate various systems and technologies for simpler and more secure management.
Broodryk says the IoT is changing how we live, work, travel, and do business. “We want to be connected all the time in all aspects of our lives. Today your mobile phone has hundreds of technologies combined into one device, ensuring these technologies are always immediately available at the press of a button.
“The African market has seen the same approach in the past few years and building management systems are becoming increasingly popular and buildings are designed with this in mind. CCTV, access control and visitor management, intrusion, communication and fire alarm systems, heating and many other technologies can be controlled by one central platform.”
The benefits users obtain are a lower total cost of ownership as fewer employees need to be employed and trained, and management has easier access to the security and other aspects of the building.
Integration in the past was a ‘nice to have’ and is now becoming a ‘must have’, agrees Timmins. Gone are the days of people being happy to jump into multiple systems, pull different reports and collate them for a full view – it’s about convenience and simplicity for the user and this means an integrated and easy-to-use system. Customers want a mix of readers, systems and services all pulling into one cohesive dashboard where they’re able to see and act on all information in real time.
“The most common integration requirements are still between access control and video management, with expansion into other building fire and safety systems,” Timmins explains, although he notes that “the demand for building management and/or automation integrations remains almost zero in Africa, despite much hype.”
Bell believes that standalone access systems are limited as to where they can be applied today. Top-end high-security solutions may be standalone systems, or perhaps on a small business level security may still be standalone. “For the majority of enterprise customers, physical access solutions are seen as part of the top five business systems. With an emphasis not so much on security, but on health and safety and business compliance, there is a need for access privileges to link to IT, identity management, and entitlement systems, creating one point of truth for data.
“We find the market is looking to link access solutions to systems including video, business compliance, business management, payroll (time and attendance), contractor management, visitor management, and enterprise data systems.”
The cybersecurity question
As access solutions join the digital platform, cyberattacks become a real concern and ensuring your access systems are secure is key to protecting the digital infrastructure of the business as a whole. Many believe proprietary systems have an advantage in this scenario as the source code is closed and (potentially) better protected.
“Digital transformation, also known as 4IR, has been gathering steam since early this decade and as more organisations undergo digital transformation, cybersecurity challenges underpin many of the decision-making processes,” notes Broodryk. “Cybersecurity concerns in the access and identity market are frequently more of an afterthought. However, what is the main aim of access control and identity solutions? Security. Therefore cybersecurity should always be the top priority.”
He adds that proprietary solutions are normally extremely secure as the developers do not share their source code. With every upgrade, new security patches are written to take care of threats that have been identified since the last release. The biggest threat, he states, is internal.
Bell agrees that cybersecurity is one of the most important issues for access control today. “At the top levels of cybersecurity, proprietary systems provide a more secure result between access control devices.”
He advises that cybersecurity and the protection of data and privacy must be key considerations with any open standards. “The problem with open standards is that they are designed for the average vendor to be able to implement and may therefore employ only the simplest cybersecurity mechanisms.”
From the Gallagher perspective, Bell says the company’s factory loads device authenticity secrets into every edge device, which can be validated by the system. The operational keys are generated securely by the system, so there is no opportunity for a bad actor to insert known keys or share keys with other parties. The system can also regularly and securely change the operational keys for a communications channel without the risk that somebody monitoring the communications can learn the key.
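The properties described in this section and in Bell's earlier comparison of Wiegand and OSDP (a per-device secret provisioned out of band, operational keys derived per session and rotated, and messages that a recording of the cable cannot usefully replay) can be shown in a small simulation. The following Python is an added example, not code from the article, from Gallagher or from the OSDP specification: it models a reader-to-panel link once as a plaintext Wiegand-style channel and once as a keyed, authenticated channel with per-session keys and sequence numbers. It uses HMAC-SHA256 from the standard library in place of OSDP Secure Channel's actual AES-based authentication and encryption, covers authenticity and freshness only (no confidentiality), and every key, nonce and card number in it is constructed for the example.

```python
"""Constructed model of a reader-to-panel link: plaintext (Wiegand-style)
versus keyed and authenticated with per-session keys. Not OSDP code."""
import hashlib
import hmac
import os
import struct

TAG_LEN = 16  # truncated HMAC tag carried on each authenticated message


def wiegand_frame(card_number: int) -> bytes:
    """Plaintext credential bits: no key, no freshness, nothing to verify."""
    return struct.pack(">I", card_number)


def wiegand_panel_accept(frame: bytes, authorised: set) -> bool:
    """A plaintext panel can only check the number itself, so any recording
    of an authorised card's frame is indistinguishable from a live badge."""
    return struct.unpack(">I", frame)[0] in authorised


class SecureReaderLink:
    """One end of an authenticated link. base_key stands in for the
    factory-provisioned device secret; session keys are derived from it
    plus fresh nonces, so rotating the key is just starting a new session."""

    def __init__(self, base_key: bytes):
        self.base_key = base_key
        self.session_key = None
        self.tx_seq = 0
        self.rx_seq = 0

    def start_session(self, panel_nonce: bytes, reader_nonce: bytes) -> None:
        # Operational key derived from the device secret and both nonces.
        # (Simplified derivation; OSDP SC uses AES-based key derivation.)
        self.session_key = hmac.new(
            self.base_key, b"session" + panel_nonce + reader_nonce, hashlib.sha256
        ).digest()
        self.tx_seq = 0
        self.rx_seq = 0

    def send(self, payload: bytes) -> bytes:
        """Sequence number is covered by the tag, so it cannot be rewritten."""
        header = struct.pack(">I", self.tx_seq)
        self.tx_seq += 1
        tag = hmac.new(self.session_key, header + payload, hashlib.sha256).digest()
        return header + payload + tag[:TAG_LEN]

    def receive(self, msg: bytes):
        """Return the payload, or None if the message fails authentication
        (wrong key, tampering) or freshness (sequence number already seen)."""
        if len(msg) < 4 + TAG_LEN:
            return None
        header, payload, tag = msg[:4], msg[4:-TAG_LEN], msg[-TAG_LEN:]
        expected = hmac.new(self.session_key, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected[:TAG_LEN]):
            return None
        seq = struct.unpack(">I", header)[0]
        if seq < self.rx_seq:
            return None  # replay of a message this session already accepted
        self.rx_seq = seq + 1
        return payload


def demonstrate() -> dict:
    """Run both channels through the same recorded-message scenario."""
    card = 0x00123456                     # constructed card number
    authorised = {card}

    # Plaintext channel: the recorded frame is accepted again as-is.
    recorded = wiegand_frame(card)
    wiegand_replay_accepted = wiegand_panel_accept(recorded, authorised)

    # Authenticated channel: reader and panel share one device secret.
    base_key = os.urandom(32)             # constructed stand-in for the factory secret
    reader, panel = SecureReaderLink(base_key), SecureReaderLink(base_key)
    n1, n2 = os.urandom(8), os.urandom(8)
    reader.start_session(n1, n2)
    panel.start_session(n1, n2)
    msg = reader.send(struct.pack(">I", card))
    first_accepted = panel.receive(msg) is not None
    replay_accepted = panel.receive(msg) is not None      # same bytes again

    # Tampering with the payload invalidates the tag.
    tampered = msg[:4] + bytes([msg[4] ^ 0x01]) + msg[5:]
    tampered_accepted = panel.receive(tampered) is not None

    # Key rotation: a new session means the old recording no longer verifies.
    n3, n4 = os.urandom(8), os.urandom(8)
    reader.start_session(n3, n4)
    panel.start_session(n3, n4)
    after_rotation_accepted = panel.receive(msg) is not None

    # A device without the provisioned secret cannot produce a valid message.
    rogue = SecureReaderLink(os.urandom(32))
    rogue.start_session(n3, n4)
    forged_accepted = panel.receive(rogue.send(struct.pack(">I", card))) is not None

    return {
        "wiegand_replay_accepted": wiegand_replay_accepted,
        "first_accepted": first_accepted,
        "replay_accepted": replay_accepted,
        "tampered_accepted": tampered_accepted,
        "after_rotation_accepted": after_rotation_accepted,
        "forged_accepted": forged_accepted,
    }


if __name__ == "__main__":
    for name, value in demonstrate().items():
        print(f"{name}: {value}")
```

The point for a practitioner is the contrast in `demonstrate()`: the plaintext frame is accepted every time it is presented, while on the authenticated link the same recording is rejected as a replay, a one-bit change is rejected as tampering, a new session makes the old recording worthless, and a device that never received the base key cannot produce anything the panel accepts. Those are exactly the checks to ask a vendor about when a reader claims OSDP support: whether Secure Channel is actually enabled, how the per-device keys are provisioned, and whether the session keys rotate.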
With the above in mind, Timmins believes “it is critical that customers plan and budget for necessary upgrades along the way. As an example, an access control system deployed ten years ago may still operate efficiently and undertake its primary function, but in today’s world, it’s not safe or secure.
“Consider the legacy 125 kHz cards, many of which are extensively used today. These cards can be easily cloned to give unverified access. There is also the known vulnerability of being able to use protocol sniffers on unencrypted communication between controllers and readers.
“By adopting a high-security platform such as Seos, this risk is removed while getting the benefit of new technology adoption, such as mobile access where a mobile phone becomes the credential, or cloud solutions and similar. Users also have the benefit of an open, reliable access control technology that has support for a wide range of credential technologies and global developments on the platform with regard to controllers, readers and software.”
The way forward
On the topic of mobile access, Timmins says mobile-based solutions will become the way forward, with IoT access control as the main driver. “Smart locks, door contact, credentials, software and ancillary services will all communicate with each other as an IoT device. Take it a step further: why not use your smartphone as a facial reader to open your door and as voice activated devices expand into new areas, we’ll see voice being a new medium of engagement with devices and software.”
“Open standards remove unnecessary barriers and give everyone access to the format’s definitions,” says Broodryk. “Little or no assumptions have to be made when implementing the standard and the transfer of information via an open standard is made more efficient and error-free because no interpretations or transformations are required. In addition, a clearer path is paved for those who still wish to map an open solution to a proprietary solution. Markets will therefore move more to open standards going forward.”
However, as noted above, theory is one thing, but what really matters is what customers want at the end of the day and vendors will listen to what their customers are saying. “In general, the security industry is relatively slow to move in adopting new standards,” says Bell. “As a manufacturer, Gallagher listens to our customers when road mapping priorities for technology.”
In the end, everyone wants their systems to be secure, but the driver to improved security and secure products must come from the users who pay for these products. The old problem of opting for the cheapest solution on offer will not offer security, while abdicating the responsibility of security to the vendor (at any price) will also result in compromises.
ONVIF access control profiles
Profile A: Profile A is for products used in an electronic access control system. A Profile A conformant device can retrieve information, status and events, and configure entities such as access rules, credentials and schedules. A Profile A conformant client can provide configurations of access rules, credentials and schedules. The client can also retrieve and receive standardised access control-related events. Find out more at https://www.onvif.org/wp-content/uploads/2017/06/ONVIF_Profile_A_Specification_v1-0.pdf
Profile C: Profile C is for products used in an electronic access control system. Profile C conformant devices and clients support site information, door access control, and event and alarm management. Find out more at https://www.onvif.org/wp-content/uploads/2017/01/2013_12_ONVIF_Profile_C_Specification_v1-0.pdf
Profile D (Release Candidate): The Profile D Release Candidate specifies the interfaces for peripheral input devices such as token readers (for cards, keys, mobile phones or bar codes), biometric readers (for fingerprint recognition), cameras (for iris, facial or licence plate recognition), keypads, sensors (for lock status, door status, temperature or motion), and output devices such as locks, displays and LEDs.
The Profile D specification enables a conformant client to configure a conformant device with the necessary data such as which door and access point the device is responsible for, as well as configure a list of allowed or blocked credential identifiers in a device that supports this capability.
Profile D complements Profile A and Profile C in enabling standardised communications in an IP-based electronic access control system. Profile D devices — such as an IP camera with a relay output connected to a lock — can also support other ONVIF profiles such as Profile T for an integrated video and access control system using ONVIF interfaces.
For more information go to www.onvif.org/profiles
© Technews Publishing (Pty) Ltd. | All Rights Reserved.