To effectively control and manage who goes in and comes out of a building is key to building management. Systems such as physical and logical access control, video surveillance and intrusion detection need to be installed and integrated. As demand for cost-effective solutions continues to increase, A&S takes a look at recent developments in integrated visitor management and access control.
Technology in visitor management only started developing about five years ago, said Eric Assouline, Export Sales Manager at CDVI. Popular verticals include residential, retail, industrial sites, commercial offices, banking, education, health care, military agencies and critical infrastructure.
The worldwide market for access control in 2009 is US$2.7 billion, said Assouline. Integrated access control solutions ensure higher security with better visitor management. To effectively control access to secured areas, integration of different subsystems is highly demanded, making building security more intelligent and proactive.
Who goes in and comes out of a facility is crucial for security and safety. Prevention of illegal access can no longer be guaranteed with a single proximity card at the entrance. Higher level of security management is required to secure areas of great importance, and visitor management is the answer.
Systems that have visitor management features allow tenants to manage their own employee list, preregister visitors and customize badge designs from their own computers. Package sand assets that are delivered to or loaned from the front desk can also be processed and tracked with management software, said John Murzycki, Director of Marketing at EasyLobby. Other than identifying unwanted visitors, systems can also identify VIPs based on internal watch lists for exclusive access rights.
Access rights granted for visitors can be limited to only specified access point s and definable periods of time. "Long-term" and "short-term" badges can be issued by the administration department, said Sandra Blersch, Marketing Manager at Primion Technology. Badge numbers for long-term visitors are selected from a prespecified range of numbers reserved for such visitors. Organizations can grant short-term access to certain visitors or contractors directly by activating a proximity card with freely assignable numbers.
Ad-hoc registration of visitors without appointments is available. After onsite registration, a visitor receives a proximity card from the security personnel, granting him/her certain access to the building. "Signature pads are optional with visitor management modules where users have the option to activate and deactivate access cards by requiring visitor to sign on writing pads before and after their visits to ensure higher security, " said Assouline. With such a system, a picture of each visitor has to be taken; visitor and host names, dates and times of appointments, and expected departure times all have to be keyed in.
Preregistration of visitors is another option. Authorized employees can preregister visitors before their arrival, making visitor verification upon arrival more efficient. Group visits are also made easier with visitor preregistration, said Blersch. Authorized personnel can log in remotely to the application site and generate a request for a visit. With relevant visitor information in the database, security personnel could run necessary previsit checks and generate visitor badges in advance, said Blersch.
In addition to submitting visitor information prior to the visit, some product platforms can also send visitor access codes or badges via e-mail, said Urs Andrin Lampe, VP of Product Marketing and New Business at Legic Identsystems. This feature enables the system to grant access and track contractors or other visitors who need to visit the facility during after-hours when there is no security personnel available to issue access cards.
Card readers' detecting ranges can be customized during setup, and technology for badges also shows great improvements. Users today can choose from a wide range of cards, such as 2.45-GHz active cards, UHF-900 passive cards, RFID proximity cards, Mifare cards, and three-in-one cards that combine all these different card technologies, depending on their specific needs, said Minghua Zhuang, President of Bluecard Software Technology.
2.45-GHz active cards have a detection range of 3 to 80 meters, good for tracking and location targeting. UHF-900 passive cards are used for close-range detection, with a maximum distance of 10 meters. Since detection of passive cards could be affected by human bodies, they are better used for access control cards or parking lot access control, said Zhuang. Mifare cards can be used for elevator access control, and three-in-one cards allow for both long-range and close-range readings.
"When visitors are outside of a building within 8 meters of where the door is, they can be detected by sensors with their profile information displayed on the software interface for security guards to see before they are granted access," said Zhuang. Sensors can be installed in the hallway to track where a visitor is and sends out warnings to the control room if the visitor has reached a restricted area.
If the visitor is a high-rank official or a VIP, visitor management helps avoid the awkwardness of the person being stopped by security guards for identity verification, said Zhuang. Security guards can read immediately on the display the identity of the visitor without the act of verification.
Today, with advanced card technology, users can choose the ideal credential if they already have a multifunctional card or access token to load the application to, said Lampe.
Contactless smart card technology now allows multiple functions such as credit card, SIM card and logical access card to be integrated onto an all-in-one card as long as the card provider's applications are open to integrate with one another and the basic card technology is capable to do so, said Lampe.
Adding elevator control into access control is important because without a process to restrict access in the elevator, individuals can freely access both the "free-access" floors and the "controlled-access" floors without providing any credentials, said Peter Boriskin, Senior Product Manger, GE Security. This is especially problematic when an elevator opens up directly into the tenant's space without a vestibule.
The key to elevator and access control integration mostly has to do with the openness and availability of the data that is generated by the systems, said Boriskin. Technological improvements in this area include open and secured databases, published schema and well-documented APIs. The system now has the ability to feed many ancillary systems, such as evacuation and mustering systems (for emergencies) and real-estate management of particular locations, parking areas or store locations.
Depending on installations, there are different approaches to integrating elevator control into access control. To upgrade older elevator access control, one traditional approach is to interface with the cab controller through PLC-like relay logic, Boriskin said. For newer buildings that require an application level interface, a fully published API can be used to integrate at an application-to application level, and going forward, "we are going to integrate several high-level (API) interfaces into the product directly," said Boriskin.
With the advent of IP, sharing information and sensor signals among different subsystems and controllers has become easier, making integration possible.
Some systems offer small pieces of software that are freely programmable and can determine how controllers work, said Nancy Wanders, Business Development Manager for APAC, Nedap Security Management. The interaction among controllers can be quickly modified according to user requirements.
IP also paves the way for remote management. A Java-based system allows users to access and manage information on any PC with a Web browser, said Blersch.
A comprehensive access control solution has video technology, fire detection, intrusion detection, and elevator, turnstile and parking lot control integrated. Time and attendance, alarm management, visitor management, people counting, mapping and location tracking can also be integrated into the system.
Furthermore, if the installation requires, kiosk machines for self-registration are also available for visitor convenience in an unattended lobby, said Murzycki. The system also allows for better internal communication. Security personnel at the lobby can auto dial to anyone with one touch by phone, without having to look up their phone number, said Murzycki.
These features of integrated access control evidently show that access control is no longer just about controlling door access without keys, but to ensure better visitor experience and offer higher levels of security, said Assouline.
Integration of different subsystems requires an IP-based management platform for different network controllers to directly communicate with one another. Since input to one controller can directly generate output on one or more controllers, the operation of the system and the level of security are guaranteed.
Therefore, a decentralized system with peer-to-peer communication among subsystems creates a fast and reliable system, said Wanders. Communication protocols include TCP/IP, Ethernet and BACNet. SSL, which is generally seen as the safest method for IP-based data transmission, is used to secure data flows, especially in online banking applications. Security levels can be determined by the IT staff of the end user.
Antipassback, people counting and parking management are functionalities that are all dealt with in a decentralized way and are not dependent on a single server.
Further more, since PCs are typically networked, installation of integrated access control shares a central database, with SQL, Oracle and MSDE supported, said Murzycki.
Rules and Regulations
Occupational health and safety standards worldwide require organizations to take full responsibility for all people on their premises, both employees and visitors, said Siresen Naidoo, Product Specialist at Ideco Biometric Security Solutions. In some countries, legislation stipulates that if an organization cannot prove a person to be a visitor, that person is deemed an employee of the organization in the event of a disaster. This is one of the main reasons for organizations to deploy effective visitor management, Naidoo said.
In terms of hardware manufacture, there are no rules and regulations governing its developments, said Assouline. Standards of different regions, such as CE (Europe), FCC (U.S.), VdS (Germany) and GOST-R (Russia), can be followed if necessary. However, different verticals have their own specific regulations based on their environments. Especially in government and military installations, visitor management must support their security policies.
For example, real-time online screening of blacklisted visitors is a must. Access control systems should be able to identify and process personal identity verifications for HSPD-12 and TWIC cards with OCR scans, and read CAC cards that have 2D barcodes.
In health care, specific requirements such as HIPPA need to be met. The system must be able to manage the number of visitors to a particular patient and facilitate extended visits for family members.
In the education sector, access control systems with visitor management should be able to provide real-time, online screening of sex offenders that generates results fast. Features such as tracking students who went on a field trip, granting high-school seniors off-campus lunch hours and managing visitors to student housing facilities and dormitories are needed.
There are also specific compliance issues that cut across verticals, such as the PCI DSS and the FDA Bioterrorism Act. The PCI DSS is a set of requirements for enhancing data security. The regulation requires compliance from all companies who either process or store customer account data, and is very specific in terms of visitor management.
In late 2004, the FDA Bioterrorism Act was enacted to ensure safety in food. The regulation requires the entire manufacturing chain for food products to be aware of every visitor coming in and going out of their facilities.
Before choosing an access control solution with visitor management, it is important to note that different installations have different requirements. Therefore, the best solution is a customized one catering to that specific environment, said Murzycki.
When selecting an access control system with visitor management, there are several criteria needed to be taken into consideration. First of all, the system should enable a smooth transition from pre-enrolled visitors, to active visitors, to ex-visitors and then to re-enrolled visitors on their next trip/visit, said Wanders.
Second, the tenant must have access to the database and make sure all of the peripherals needed for the particular job are supported, said Boriskin. The system should also generate a track record that shows all changes that have occurred with licenses, IDs, passports and so on.
The tenant should also consider people flow in the building and if the system allows for wide-range of data registration, visitor tracing and accuracy at the access points. The system must be able to manage not only the company's own employees, but also temporary employees, contactors and visitors. Visitor management should be in line with safety and security policies, and local regulations such as privacy acts should be complied, said Wanders.
A high-end visitor management platform should have applications that can ensure accurate enrollment, authentication of visitor data and integration with access control, said Wanders. For instance, the system should be able to trigger an automated action upon the use of an unauthorized visitor badge and send a notification via SMS or pager to the security guards.
Furthermore, the software interface must be user-friendly for both visitors and security personnel, said Assouline. Badge creation should be flexible and helps accelerate administration, said Blersch.
Integrators should understand the core activities of a company, its security and safety regulations, and the way the company's reception and security desk operate to successfully integrate a visitor management application, said Wanders.
To make sure whether a subsystem is scalable for integration is crucial. Integrated access control is often highly customized by different user needs, so each subsystem must be very open for different system combinations, said Assouline.
An access control system shows no image, and its quality and reliability cannot be observed as easily as video surveillance. Other than a good reputation on the market, manufacturers who provide good after-sales support add value to their systems which is irreplaceable by a cheaper price, Assouline said. After all, for most end users, the bottom line on integration equals dollars — getting more functionalities from their security equipment at a lower cost, said Murzycki.
Providing openness without sacrificing security is always one of the biggest challenges, said Boriskin. One way for solution providers to overcome this challenge is to work with a number of different technologies to ensure that its systems' communications are available for third-party applications while they are protected by encryption, permission, partition and more traditional single sign-on requirements.
Dealing with proprietary communication protocols and different system architectures is another challenge of developing a truly integrated access control solution. Since an integrated solution needs to combine different companies' technologies, the system must be able to work with each company's standard, said Lampe. Various systems should be able to communicate effortlessly with one another. However, not all installations have achieved that in reality, said Wanders.
Promoting integrated access control is also challenging. Many users do not know access control has so many useful features, said Assouline. More market education is needed to inform users of how they could better secure and manage a building with a well-integrated access control system.
Moreover, many visitors consider visitor management to be invasive and a breach of privacy. This is why inaccurate information is often provided in traditional visitor logbooks, said Naidoo. Therefore, it is important to communicate security protocols and policies to visitors clearly.
Systems openness will continue to grow in importance. Solution providers will need to continue to improve their integration capabilities at the application level and harden both the physical and logical perspectives of systems, said Boriskin.
IP knows no boundaries. A key development will be a generic security controller which can drive various software applications to meet different functionalities, such as intrusion detection, access control, intercom and video surveillance, said Wanders.
A guard tour module could be added to access control, enabling security guards to patrol floors more effectively, said Assouline. Portable readers and hardware standards also need to be developed and established to allow for integration with third-party systems. Access control using SIM cards as access cards could be materialized in the future, and a business model that is close to mobile-phone providers and operators is required, said Lampe.