Access control and management systems: Where are we going?
THE RUSSIAN ACS MARKET IN GENERAL
Currently, most specialists in the development, production, sale and installation of access control systems (ACS) note a small but steady growth in consumption. Even during the crisis, the decline in this market segment was not catastrophic and showed up mainly as a slowdown in the implementation of large projects, while the dynamics of compact installations remained virtually unchanged. Apparently, customers are increasingly aware that ACS is one of the few security tools that not only raises a facility's resistance to potential threats but also brings a direct and significant economic effect.
Positive trends in the development of the country's economy in 2011 make it possible to predict a further increase in demand for ACS. Alongside the main traditional consumers (state security organizations, large industrial enterprises, banks, business centers), relatively new ones are appearing: educational, cultural, and medical institutions.
The overall increase in consumption of ACS will also likely be due to the expansion of the functionality of the systems themselves, the tendency to increase the requirements for equipping facilities with technical means of ensuring security due to the intensification of illegal activities, as well as the need to modernize systems installed more than 5 years ago.
FUNCTIONALITY
In recent years, a stable set of basic ACS functions has formed around access control and the automation of working time accounting. It is now almost impossible to find a networked system without a built-in or separately supplied module for generating and printing reports on working time and labor discipline. The next step in this direction is integration with enterprise management (ERP, HR) and accounting systems, exchanging information on personnel changes, personal data, powers and rules for passing through access points. Many ACS, especially those designed for small and medium-sized facilities, are integrated with the popular 1C family of management programs. Most modern networked ACS are equipped with open interfaces for integration into the enterprise management system, and projects integrating ACS with SAP, Boss and other systems are being implemented. In the near future, openness to integration will apparently become standard for ACS (as for any automated control system), and the range of supported management systems, the level of automation and the depth of interaction will grow. The same applies to the integration of ACS with other security subsystems.
Competition on the quantitative characteristics of ACS has shifted towards more “subtle” indicators. Where the main indicators used to be the number of users in the system and the number of events it can store autonomously, the modern customer requires a large number (hundreds and thousands) of access levels, time schedules and their component intervals, high exchange rates on the data bus, fast decision-making, a large number of flexibly programmable main and auxiliary inputs and outputs, and the availability and number of standard configurations for managing various types of access points (doors, turnstiles, airlocks, barriers, etc.).
Advanced ACS now include functions that are essential for large facilities, such as the automated entry of users' personal data and issuing of passes, implemented through automatic recognition of the contents of identity documents (passports, driver's licenses). To avoid installing too many specialized programs, web services for submitting and approving pass applications are built into the ACS, so that an ordinary browser can be used for this purpose. User interfaces are also evolving: in particular, group access rights can be assigned to the employees of a department, and multi-level tree structures of enterprises are supported. The anti-passback function is implemented in hardware in advanced ACS and supports several dozen levels of nesting of control zones. Recently, such functions of powerful ACS as counting the number of users in a controlled area and at the enterprise as a whole (especially important in emergencies), searching for employees by the place where their card was last presented, monitoring the movement of users on the enterprise's territory, monitoring the performance of security personnel patrolling the facility, etc. have been in high demand.
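The three functions just listed (hardware anti-passback over nested zones, occupancy counting, and "where was the card last presented") share one piece of controller state. The following added example, which is not code from the article or from any ACS vendor, shows that state in Python: the zone tree, card locations and card events are constructed for the illustration, and the transition rule (a card may only move between a zone and its immediate parent or child) is an assumption of the example.

```python
"""Hardware-style anti-passback over nested control zones, with occupancy
counting and "where was this card last presented" lookup.
Added illustration; not code from the article or from any ACS vendor.
The zone layout and card events below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Constructed zone tree: each zone names the zone that contains it.
# "outside" is the root; "server_room" is nested three levels deep.
ZONE_PARENT: Dict[str, Optional[str]] = {
    "outside": None,
    "site": "outside",
    "building_a": "site",
    "server_room": "building_a",
}


@dataclass
class Controller:
    parent: Dict[str, Optional[str]]
    location: Dict[str, str] = field(default_factory=dict)               # card -> zone it is in
    last_seen: Dict[str, Tuple[str, int]] = field(default_factory=dict)  # card -> (reader, event no.)
    events: int = 0

    def present(self, card: str, reader: str, from_zone: str, to_zone: str) -> bool:
        """Decide a request to move `card` from `from_zone` to `to_zone`.

        Hard anti-passback: the pass is granted only if the controller's own
        record of the card's whereabouts matches the zone it claims to leave.
        A card never seen before is assumed to be outside the site."""
        self.events += 1
        self.last_seen[card] = (reader, self.events)  # recorded even for refused attempts
        current = self.location.get(card, "outside")
        if current != from_zone:
            return False  # anti-passback violation: card passed back, lent out or copied
        # Only a move between a zone and its immediate parent or child is legal (assumption).
        if self.parent.get(to_zone) != from_zone and self.parent.get(from_zone) != to_zone:
            return False
        self.location[card] = to_zone
        return True

    def occupancy(self, zone: str) -> int:
        """Cards currently in `zone`, counting the zones nested inside it."""
        count = 0
        for z in self.location.values():
            cursor: Optional[str] = z
            while cursor is not None:
                if cursor == zone:
                    count += 1
                    break
                cursor = self.parent.get(cursor)
        return count

    def where(self, card: str) -> Optional[Tuple[str, int]]:
        """Reader at which the card was last presented, with the event number."""
        return self.last_seen.get(card)


def demo() -> dict:
    """Walk a constructed sequence of card presentations through the controller."""
    c = Controller(ZONE_PARENT)
    r = {}
    r["c1_gate_in"] = c.present("C1", "gate-in", "outside", "site")        # granted
    r["c1_lobby_in"] = c.present("C1", "lobby-in", "site", "building_a")   # granted
    # A second presentation of C1 at the outer gate while C1 is inside: refused.
    r["c1_gate_again"] = c.present("C1", "gate-in", "outside", "site")
    # Skipping a zone (site -> server_room directly) is refused as well.
    r["c2_gate_in"] = c.present("C2", "gate-in", "outside", "site")
    r["c2_skip"] = c.present("C2", "rack-door", "site", "server_room")
    r["site_occupancy"] = c.occupancy("site")            # C1 (nested) and C2
    r["building_occupancy"] = c.occupancy("building_a")  # C1 only
    r["c1_last_reader"] = c.where("C1")[0]               # the refused attempt still counts
    return r


if __name__ == "__main__":
    print(demo())
```

Note that the refused presentation is still written to `last_seen`: for the "find the employee" and emergency head-count functions, the last reader that saw a card matters regardless of whether access was granted.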
Modern ACS provide effective control not only of personnel access but also of vehicle movement on the enterprise's territory, forming logistics subsystems of the enterprise management system. This is especially important where several enterprises share a common protected territory and contractors and customers are allowed to enter it; such control helps avoid significant deviations from the assigned route and schedule, thereby reducing the risk of illegal actions.
NON-SPECIFIC NEW TECHNOLOGIES
Being electronic information systems, ACS are constantly being improved, absorbing the achievements of electronics and informatics. The growing computing power of microprocessors and the increasing capacity and reliability of memory elements are the basis for keeping ACS capabilities in step with customers' growing requirements. The emergence of powerful microprocessors with built-in reprogrammable memory has made it possible to update and develop ACS hardware remotely without dismantling its elements, which keeps the system current throughout its service life without additional financial costs. From the manufacturer's point of view, this approach provides additional competitive advantages and allows the system to be developed by bringing new equipment to market while maintaining compatibility with old hardware versions.
Among the trends in the development of ACS, the general interest in IP technologies deserves special mention. The ability to use local area networks (LAN) to transmit information has been present in some systems for more than 10 years. In their structure, serial interfaces (RS-485 or similar) link the line controllers, and special gateways or central controllers combine the equipment into a single information network over Ethernet channels. The main difference of the new generation of equipment is the complete rejection of serial interfaces: almost all leading manufacturers have launched or announced access controllers that connect directly to an Ethernet network. The new technology brings additional capabilities, including ease of equipment use and a lower cost of implementing ACS at facilities with a developed IT infrastructure. Manufacturers can organize direct information exchange between controllers and power the devices from the Ethernet network using PoE (Power over Ethernet) technology.
It should be noted, however, that not all facilities have the necessary Ethernet infrastructure, and purchasing additional equipment and laying the corresponding cabling may be unprofitable if no other IP devices or computers are planned at the locations of the access points. The limited power budget of PoE does not allow powering controllers and actuators with a total consumption of more than 13 W, and its structure complicates long-term backup of the system's power supply and increases the overall cost of LAN equipment. Protecting the network from unauthorized access, ensuring sufficient bandwidth and properly organizing the routing of data packets also require careful consideration. Taking these points into account, it can be assumed that the most popular systems will be universal ones that allow equipment with classic and Ethernet interfaces to be used both separately and in the necessary combinations. Some manufacturers already have such solutions in their arsenal, and in some cases selecting one or another type of interface simply requires purchasing the appropriate expansion module for the ACS controller.
USER IDENTIFICATION
The methods of identifying ACS users can be divided into two groups. The first consists of methods based on identifiers external to the user: electronic keys containing a unique code that the ACS recognizes and to which the user's personal data are assigned in its database. The second group consists of identification methods based on the biometric characteristics of the user.
Biometric identification is very attractive because the identifying feature is inseparable from the user: it cannot be lost, forgotten or transferred, it is very difficult or impossible to forge, and it does not need to be manufactured, issued, renewed, etc. That is why biometric identification is currently the fastest growing area of the security systems market. Even the historically first biometric technologies, identification by palm contour and by fingerprint, are constantly being improved; for example, contactless camera-based readers of these features have been created (Fig. 1). Unlike traditional readers, they are more hygienic, since the finger does not touch any surface, and are therefore much easier to maintain.
Fig. 1. Contactless readers of papillary patterns of the finger surface
Camera-based devices also underlie 2D and 3D face recognition and identification (Fig. 2), the well-known identifiers based on the iris pattern of the eye, and the relatively new identifiers based on the internal structure of the blood vessels of the finger (Fig. 3).
Fig. 2. 3D facial geometry reader
Fig. 3. Finger vascular structure reader
However, despite the high attractiveness, rapid development and apparently good prospects of biometric identification, the overall speed and reliability of recognition in such devices are still significantly inferior to those of devices using external keys, the overwhelming majority of which are based on RFID (Radio Frequency Identification) technology.
The most popular formats of readers and identifiers are still EM-Marine and HID ProxCard II. Despite the lack of copy protection, their share in the total volume of identification tools is not decreasing. This is due not only to the low cost of well-debugged solutions and support from most manufacturers, but also to the large number of already installed systems. When expanding or even replacing a system with a more advanced one, the consumer seeks to keep the cards in circulation so as to avoid collecting the existing identifiers and issuing new ones. For large enterprises with several thousand employees, this can mean significant material and time costs, especially when the cards carry printed information about the holder and the enterprise. To reduce the likelihood of unauthorized access with a copy of an identifier, a set of additional security measures is usually applied: photo and video verification, access with confirmation, access by card and PIN code, access by two cards, etc.
Fig. 4. Anti-tailgating system based on a video camera
Fig. 5. Anti-tailgating system based on infrared sensors
Nevertheless, almost all participants in the ACS market understand the need for identification technologies that are better protected from copying. Such mechanisms are implemented in contactless smart cards of the Mifare, iCLASS and other formats. Over the past few years, their cost has fallen several times over and has come close to that of EM-Marine and HID cards. Mifare cards of various designs are widely used in transport applications and as social cards in many Russian cities.
The built-in memory of a smart card, and its growing capacity, make it possible to store not only the identification feature but also data about the holder (including biometric data, place of work, position, personnel number, etc.) and the holder's access rights. Because the total volume of identification information increases, identifier collisions between different cards are ruled out entirely. At the same time, the functionality changes significantly and the cost of the stationary ACS equipment decreases. Storing biometric data on the card makes it easier to build highly reliable and fast access points, since the recognition task (1:N search, selecting one user out of all) is reduced to the verification task (1:1 comparison with a single stored sample).
There are, however, a number of arguments in favor of the traditional ACS design. In such systems, personal data and access rights are stored in the system's databases, where they can be centrally and promptly monitored and adjusted in the event of loss or theft of a card, changes in personal data, work schedule, etc. Using cards issued by third-party organizations (for example, a parent organization) to save on purchasing identifiers is difficult, since it requires disclosing the structure of the data stored on the cards and coordinating the placement of additional information.
To read protected information, a unique data access key must be stored in the reader. This is done either by two-way exchange between the controller and the reader, or by loading the data access keys from a specially prepared master card presented to each reader. The first solution is more convenient but requires special readers and controllers. The second allows standard controllers with a Wiegand interface to be used but complicates the setup and modification of system parameters.
The introduction of secure code reading technologies is a matter of time and is held back only by the general technical inertia of installed systems. As for the division of information functionality between the card and the stationary equipment, the most promising systems appear to be those that store the identification feature on the card and keep access rights (including schedules) and users' personal data centrally.
An intermediate option for using smart cards, allowing a gradual transition to modern identifiers without replacing stationary ACS equipment, is to identify by their serial numbers. Some manufacturers supply corresponding readers with a Wiegand interface. Such a mechanism does not use the secure modes and is exposed to the risk of copying, like traditional EM-Marine and ProxCard identifiers.
Long-range RFID identification systems with reading distances of several meters are increasingly used in vehicle access control. The main task solved in such systems is collision handling, when several identifiers are in the reader's coverage area at the same time.
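The difference between the serial-number ("intermediate") mode and a keyed read of protected card data comes down to one question: does the reader require the card to prove possession of the data access key, or does it trust the serial number alone? The following added example, which is not the Mifare or iCLASS protocol and not code from the article, models that difference in Python with a generic HMAC challenge-response. The key, the enrolled serial numbers and the "serial-number-only" identifier are all constructed for the illustration.

```python
"""Serial-number ("UID-only") identification versus a keyed read.
Simplified model added for illustration; it is not the Mifare or iCLASS
protocol and not code from the article. The key, UIDs and the
serial-number-only identifier are constructed so the two reader policies
can be compared offline."""
import hashlib
import hmac
import os
from typing import Callable

# Constructed data-access key held by the reader (loaded via the controller
# or a master card, as the article describes) and by genuine cards.
READER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

# Constructed enrolment list: the ACS database knows these serial numbers.
ENROLLED_UIDS = {bytes.fromhex("04a1b2c3d4"), bytes.fromhex("04ffeeddcc")}


class GenuineCard:
    """Holds both the serial number and the key; can answer a challenge."""
    def __init__(self, uid: bytes, key: bytes) -> None:
        self.uid, self._key = uid, key

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._key, self.uid + challenge, hashlib.sha256).digest()


class UidOnlyCopy:
    """Models an identifier that carries only the serial number: it presents
    an enrolled UID but has no key, so any challenge response is meaningless."""
    def __init__(self, uid: bytes) -> None:
        self.uid = uid

    def respond(self, challenge: bytes) -> bytes:
        return bytes(32)


def uid_only_reader(card) -> bool:
    """Policy of the 'intermediate option': trust the serial number alone."""
    return card.uid in ENROLLED_UIDS


def keyed_reader(card, key: bytes = READER_KEY,
                 rng: Callable[[int], bytes] = os.urandom) -> bool:
    """Secure-mode policy: the UID must be enrolled AND the card must prove
    possession of the data-access key for a fresh random challenge."""
    if card.uid not in ENROLLED_UIDS:
        return False
    challenge = rng(16)
    expected = hmac.new(key, card.uid + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, card.respond(challenge))


def compare_policies(uid: bytes = bytes.fromhex("04a1b2c3d4")) -> dict:
    """Run a genuine card and a serial-number-only copy through both policies."""
    genuine = GenuineCard(uid, READER_KEY)
    copy = UidOnlyCopy(uid)
    return {
        "genuine_uid_only": uid_only_reader(genuine),  # True
        "copy_uid_only": uid_only_reader(copy),        # True: the serial number is enough
        "genuine_keyed": keyed_reader(genuine),        # True
        "copy_keyed": keyed_reader(copy),              # False: no key, so wrong response
    }


if __name__ == "__main__":
    print(compare_policies())
```

The fresh random challenge is what makes the keyed policy more than a longer serial number: a recorded response cannot be replayed against a later challenge, and the key never crosses the air interface.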
Beyond identifying users and defining and enforcing their access rights, modern ACS also identify the conditions of access. In addition to the long-standing limits on the number of users simultaneously present in an access zone and on their physical characteristics (weight, height), there are now restrictions on entry for people with luggage, as well as anti-tailgating systems that prevent two or more people from passing on one identifier. Such systems analyze the zone in front of the access point with video (Fig. 4) or infrared (Fig. 5) detectors and block entry when more than one person is detected in the passage zone while the actuator is open. In the most critical access zones, and where the zone in front of the access point is small, this analysis is combined with entry organized according to airlock (interlock) logic.
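The anti-tailgating rule in the paragraph above (block the passage if more than one person is in the zone while the actuator is open) and the airlock variant for critical zones can be expressed as a small decision over detector samples. The following added example is not code from the article or from any vendor; the one-sample-per-second stream of actuator state and person count is constructed for the illustration, and the interlock rule is an assumption of the example.

```python
"""Anti-tailgating decision over detector samples.
Added illustration, not code from the article or any vendor. The sample
stream is constructed: one sample per second with the actuator state and
the number of people the detector (video or IR) sees in the zone in front
of the door while it is open."""
from typing import Dict, List, Optional, Tuple

# (time_s, door_state, persons_in_zone), constructed
SAMPLES: List[Tuple[int, str, int]] = [
    (0, "closed", 1),
    (1, "open", 1),
    (2, "open", 1),
    (3, "closed", 0),   # first passage: one person
    (4, "open", 1),
    (5, "open", 2),     # second passage: a second person enters the zone
    (6, "closed", 0),
]


def analyse_passages(samples) -> List[Dict]:
    """Split the stream into passages (one per open interval) and flag any
    interval during which more than one person was in the zone."""
    passages: List[Dict] = []
    open_since: Optional[int] = None
    peak = 0
    for t, state, persons in samples:
        if state == "open":
            if open_since is None:
                open_since, peak = t, 0
            peak = max(peak, persons)
        elif open_since is not None:
            passages.append({
                "opened": open_since, "closed": t,
                "peak_persons": peak, "tailgating": peak > 1,
            })
            open_since = None
    return passages


def airlock_inner_door_release(passage: Dict, persons_in_interlock: int) -> bool:
    """Airlock (interlock) logic for critical zones (assumed rule): the inner
    door is released only if the outer passage was clean and exactly one
    person is standing in the interlock."""
    return not passage["tailgating"] and persons_in_interlock == 1


if __name__ == "__main__":
    for p in analyse_passages(SAMPLES):
        print(p, "inner door:", airlock_inner_door_release(p, 1))
```

The analysis keys on the peak count during the whole open interval rather than the count at the moment of closing: a second person who steps into the zone and through the door before it closes would otherwise go unnoticed.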
ACTUATORS
The market offers today's designer a huge variety of actuators that physically implement the ACS decision to grant or deny access. Electromechanical, motorized and magnetic locks, latches and drives are intended for all types of doors, gates and wickets, from glass doors to massive vault doors. Tripod turnstiles, rack and pedestal turnstiles, rotary half- and full-height turnstiles, airlock cabins, revolving and sliding doors provide ample opportunities for organizing checkpoints of various kinds. Worth noting are original solutions for stadiums that allow access to the facility to be closed off completely during breaks between events (Fig. 6, 7), as well as a turnstile with an additional wicket for a bicycle that opens when the user is granted access and a significant mass of metal is present in the sensitivity zone of the corresponding sensor (Fig. 8).
Recently, various anti-ram devices have also been used as actuators; they are especially effective when used in pairs and activated according to the airlock (interlock) logic.
Fig. 6. Stadium turnstile in open position
Fig. 7. Turnstile for stadiums in closed state
A relatively young class of actuators is automated storage with restricted access to the contents of the cells. In addition to various designs of «key boxes», the stored items include personal radios (Fig. 9), laptops (Fig. 10), weapons, etc.
Fig. 8. Turnstile with a gate for a bicycle
Fig. 9. Automatic storage for radio stations
Fig. 10. Automatic storage for laptops
CHANGES IN THE REGULATORY FRAMEWORK
Over the past five years, there have been a number of changes in regulatory and legislative acts that in one way or another concern the ACS market. Two new documents deserve special mention, not least because the market has reacted to them differently.
The introduction of the state standard GOST R 51241-2008 «Access control and management tools and systems. Classification. General technical requirements. Test methods», which finally legalized the transition to the terms and definitions actually used in the ACS market, was generally assessed positively. In fact, the replacement of the conceptual apparatus is the new standard's main difference from the previously valid GOST R 51241-98.
But the adoption of Federal Law No. 152-FZ «On Personal Data» was practically ignored by the ACS market, and that was a mistake. As data unique to the access subject, an ACS processes the subject's last name, first name, patronymic, position, work phone number, registration address, entry/exit times, etc. By the law's definition, an ACS is therefore a personal data (PD) information system, and the PD it processes are subject to protection by the methods and techniques determined by the regulators in this area (the FSB, FSTEC and Roskomnadzor of the Russian Federation).
Responsibility for protecting PD rests with the PD operator (the legal entity that processes PD). In addition to organizational measures (a security policy, provisions, regulations, orders, job descriptions), the law also provides for technical measures to protect personal data, implemented through certified personal data protection tools.
Unfortunately, most manufacturers, installers and users of ACS are far from the subject of information protection and, in particular, personal data protection. As a result, when an ACS is created the customer, who will become a personal data operator, is often not informed of the need to create a personal data protection system, and the functionality of most ACS is insufficient to implement the law's requirements.
The market will probably appreciate the seriousness of the situation only after the deadline set by the government for bringing personal data processing systems into compliance with the law has passed and sanctions for violations come into force.
The personal data protection system must be designed at the same time as the ACS itself. This makes it possible to optimize the ACS configuration with regard to the cost of the corresponding information security system and to achieve significant savings. Moreover, simultaneous design of the ACS and of its protection system is a requirement of the regulatory legal acts on information security. Commissioning and operating an ACS that processes personal data but is not equipped with a personal data protection system is a violation of current legislation by the operator (the owner of the ACS).
Information security tools implement access control to personal data, registration and accounting, integrity assurance, secure inter-network interaction, anti-virus protection, intrusion detection and security analysis.
In addition to the information security tools layered on top of the ACS, the ACS itself must implement a set of functions for monitoring and controlling manipulations of the user database, as defined by the regulatory documents.
Confirmation of an ACS's compliance with personal data protection legislation is its certification for compliance with information security requirements. Only organizations holding the appropriate FSTEC of Russia license are authorized to perform technical protection of personal data (implementation of protection tools) and certification of the protection system.
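Two of the functions named above, registration and accounting of operations on the user database and assurance of their integrity, can be combined in one tamper-evident audit trail. The following added example, which is not code from the article or from any certified protection tool, keeps such a trail in Python as an HMAC chain: every entry authenticates the previous one, so an edited, deleted or reordered record is detected on verification. The audit key, operator names and sample entries are constructed, and the entry format is an assumption of the example; it records which personal-data fields an operation touched, not their values, so the trail itself holds as little PD as possible.

```python
"""Tamper-evident audit trail of manipulations of the ACS user database
(registration and accounting plus integrity). Added illustration; not code
from the article or from any vendor or certified protection tool.
Entries record which personal-data fields were touched, not their values."""
import hashlib
import hmac
import json
from typing import Dict, List


class UserDbAuditLog:
    def __init__(self, key: bytes) -> None:
        self._key = key            # constructed; in practice held by the protection tool, not the ACS administrator
        self.entries: List[Dict] = []
        self._prev = bytes(32)     # chain anchor for the first entry

    def record(self, operator: str, action: str, card_id: str,
               fields: List[str], ts: str) -> int:
        """Append one entry; `ts` is supplied by the caller as an ISO 8601 string."""
        entry = {
            "seq": len(self.entries),
            "ts": ts,
            "operator": operator,      # ACS administrator account performing the change
            "action": action,          # e.g. "create", "update", "delete", "export"
            "card": card_id,
            "fields": sorted(fields),  # names of PD fields touched, never the values
            "prev": self._prev.hex(),  # MAC of the previous entry, linking the chain
        }
        tag = self._mac(entry)
        entry["mac"] = tag.hex()
        self.entries.append(entry)
        self._prev = tag
        return entry["seq"]

    def _mac(self, entry_without_mac: Dict) -> bytes:
        body = json.dumps(entry_without_mac, sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).digest()

    def verify(self) -> bool:
        """Recompute every MAC and every chain link; False on any edit,
        deletion or reordering of entries."""
        prev = bytes(32)
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "mac"}
            if body.get("seq") != i or body.get("prev") != prev.hex():
                return False
            tag = self._mac(body)
            if not hmac.compare_digest(tag, bytes.fromhex(e["mac"])):
                return False
            prev = tag
        return True


def build_sample_log(key: bytes = b"constructed-audit-key") -> UserDbAuditLog:
    """Constructed sequence of user-database operations for the illustration."""
    log = UserDbAuditLog(key)
    log.record("admin1", "create", "C1", ["surname", "name", "position"], "2011-03-01T09:00:00Z")
    log.record("admin1", "update", "C1", ["work_phone"], "2011-03-02T10:15:00Z")
    log.record("admin2", "export", "*", ["surname", "name", "entry_exit_times"], "2011-03-03T18:30:00Z")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", log.verify())
    log.entries[1]["fields"] = ["registration_address"]
    print("after edit:", log.verify())
```

Separating the audit key from the ACS administrator's privileges is the point of the design: an administrator who can change the user database must not also be able to rewrite the record of having done so.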
Without claiming to be complete or the ultimate truth, we hope that the points and trends noted in this article will serve as food for useful reflection and conclusions for all participants in the ACS market.
_________________________________
I. Rakov
Ph.D., CEO,
P. Shmelev
Director of Development,
Yu. Sukonshchikov
Head of Department,
O. Bat'manov
Chief Designer,
Research and Development Center «Fors»