Access control and identitiy management, IT infrastructure

 

In an economic environment where cutting costs is king, there is still an acknowledgement that access control is a necessary function in every business. In smaller firms, access control may simply be a security door that the receptionist opens when someone arrives, while in larger enterprises it could consist of significant investments in technology and human resources.

While you can’t beat the price of a security door, larger installations are more dynamic, complex and expensive. This is why access control doesn’t receive the publicity that ‘cooler’ technology solutions do; it is installed to be forgotten for a long time (with the exception of maintenance and expansion, of course).

When a company decides it’s time to revamp its access control, it will again be faced with a large expense for hardware, software and manpower. Today, however, there is an alternative to spending the big bucks and having everything installed and managed on site – Access Control as a Service (ACaaS), which promises to make the access control spending more manageable.

There are a few ways to implement an ACaaS solution depending on the requirements of the user. The common scenario is to have the access control software and data stored on a cloud-based server (potentially with a backup on site), where the integrator or service provider manages everything for the user. The management can simply be making sure the system is running and accessible (and secure), or the service provider can take over managing everything related to access control, including enrolment. In some cases, the integrator will also assist in financing or arranging financing for the hardware and rent or lease it to the customer on a monthly or annual basis.

Whatever the final agreement looks like, ACaaS is becoming more popular with end-user companies and with integrators as they have closer control over multiple clients’ solutions without having to be on site. IHS Markit expects cloud-based access control to grow at over 9% through to 2021, which is more than double the rate of growth expected from traditional on-site solutions.

Can we expect the same growth locally? Are local end-users looking from the same services and solutions from ACaaS? Hi-Tech Security Solutions asked two local ACaaS operators for their insights on cloud-based access. Our experts are:

• Johan Van Heerde from Skycom, and

• Vikki Vink from Impro Technologies.

Growing locally?

It’s not uncommon to hear that cloud services in various local industries aren’t taking off as they are in First World countries because of the poor local infrastructure and because large companies have a burning desire to control as much as they can.

However, things are looking up in some areas according to Van Heerde. “There is definitely growth in the demand for ACaaS services, but in our experience, it’s been more in the SME markets rather than the enterprise level companies. The larger corporates still prefer managing the IT environment within their network environments and thus prefer locally hosted systems which reside within the controlled realms of their respective IT and network policies.

“The SME market, on the other hand, does not want to maintain access control systems and prefers to outsource the solution as a whole and only use the functionality and output of the fully hosted and maintained system.”

Vink says ACaaS has yet to become a popular option in South Africa. “Part of this can be attributed to concerns around security and the traditional preference for on-site solutions. However, internationally there is growing interest in this solution as organisations become more accustomed to cloud solutions, such as with software services like SalesForce, Cisco WebEx, Google Apps, Office 365 and so forth.”

She adds that while the demand remains low, Impro expects this to change over the next two to three years because the benefits of ACaaS, when correctly managed, result in cost reductions, improved efficiency and rapid deployment.

“For example, there would be no requirement for onsite servers and the associated management of these. All access control software would be based in the cloud, with authorised users accessing the system through something as simple as an Internet browser. This means that deployment can be achieved within a few days. The only hardware would be a physical reader on the door.

Even credentials or tags can be virtual today. For example, at Impro Technologies we are able to offer customers the ability to have their access card securely embedded on their mobile device. This provides greater convenience for the user and ensures reduced loss of cards or duplicated cards (we always know where our cellphone, is but not necessarily our access card).

Where does it fit?

In an industry where one size does not always fit all, are there certain markets where ACaaS would make a better fit. Van Heerde has noted that the SME environment is one area where it is finding acceptance, and international research indicates industrial and manufacturing concerns are more inclined to adopt this approach, as are companies that want to centrally control access for multiple locations.

“It is already evident that the distributed model has been adopted by many industries where you have a small system presence in a remote or temporary work area,” says Van Heerde. “A good example of this would be the building and construction industry where you would ideally put down a temporary structure to manage and control your time worked, access to site and health and safety aspects like breathalyser and licence control.

“In these cases you would not want to deploy a fully fledged system to the temporary site only to remove it after work is concluded. It is here where the worth of ACaaS and distributed systems-as-services come into play. These can be broken down further where these construction companies can have a local, centrally-hosted system with distributed functionality within their network realm or the whole solution can be provided to the company as an ACaaS by a company that specialises in this field.”

Vink agrees that ACaaS is better positioned for multi-sites, simply because it reduces the cost of having multiple servers on each site and the potential complexities of installation and management. However, for large installations such as manufacturing or industrial sites, the main barrier to entry in the short term will be their significant investment in servers (and the associated infrastructure) as well as personnel.

“This will change, and enterprises will start assessing ACaaS when it’s time to upgrade and the technology is proven,” adds Vink. “ACaaS is ideal for medium-sized businesses, specifically because of the reduced investment. For these businesses, the expense of servers and the associated management of firewalls, virus protection, disaster recovery programmes, along with qualified personnel to manage this makes ACaaS a natural alternative.”

She adds that in addition to the cost savings, the biggest factor that will drive this is convenience. “Businesses will be able to focus on their day to day operations, without concern, knowing all the other considerations have been taken care of. They simply log into a secure portal that is already preconfigured and secured for them, and are able to quickly pull reports, enable or deny access, thus reducing a significant infrastructure headache.”

Cloud versus cloud

Some people have dismissed the idea of ACaaS as they believe they can host their own access control function in the cloud without having another service provider or vendor involved. While this is true, it is the ‘as-a-service’ part of ACaaS that makes it valuable to companies.

Simply hosting in the cloud can be done, but the company would still have to take responsibility for installing and running its hardware and software. Vink explains that current hosted solutions are generally more of an IaaS (Infrastructure as a Service) model where users are still responsible for managing the applications and updates etc.

“With ACaaS the application can be run directly from a web browser and, more importantly, the vendor manages everything – the applications, runtime, backups, networking, data, servers, storage etc.”

However, she warns that offline functionality is still non-negotiable in any installation. “This is crucial whether you have on-premise, hosted or ACaaS. In any of these instances, if a server goes down, the access control system must still be able to operate normally. This is one of the key differentiators that Impro provides – if your link back to the server (or associated infrastructure) is lost, people are still able to gain access. This is achieved by not being solely reliant on the server to provide the decision-making.”

Van Heerde notes that three-layer redundancy is a decisive factor when it comes to selecting your system in the long run. “Layer one core system benefits, as in the case with the XTime suite, lies in its capability to do full offline validation, meaning all validations takes place on the controller/access control unit even if it cannot connect to the main server at that time. At the same time all transactions are buffered and recorded and will be downloaded to the database once the connection has been re-established.

“For Layer 2, redundancy tools can be deployed onsite from a general laptop are of utmost importance to accommodate and mitigate worst-case scenarios. In Layer 3, controller backed-up data is directly accessible with software utilities.”

As with most technology solutions, the benefits and ultimate functionality of an ACaaS solution depends on the options one chooses, and this will naturally influence the price. And while the capex/opex argument makes a significant difference to many bean counters, one must ask whether the ACaaS route is actually going to save money in the long run.

The money question

“In my opinion,’”says Van Heerde, “the cost saving would not lie so much within the physical infrastructure and server costs, as server space is pretty much accessible and obtainable in various offerings from renting, to owning and hosting ,and infrastructure is a given whether hosted or local.

“I think the saving will be through the actual manpower required to maintain and manage these systems. With a locally hosted system you would require skilled resources to maintain and support the system and everything pertaining to it. A typical integrated system would require an administrator, IT support, database administrator, infrastructure support and management of all these aspects dependent on the size and geography of the system.

“At the other end, a fully hosted system would still require the above structure to support the system, but the structure and the cost would now be distributed among various clients, thus alleviating costs and in-house responsibility for the system.”

Vink echoes this thinking, noting that ACaaS also moves the problems from the user to the vendor, who is now responsible for guaranteed uptimes, server failovers and data protection. “As we all know, data protection and privacy laws are becoming more stringent, therefore to have a service that manages this for a business also reduces its legal liabilities.”

For more information, contact:

• Impro Technologies, +27 (0)31 717 0700, info@impro.netwww.impro.net

Access Control & Identity Management, Cyber Security

November 2017, 

Technology has done wonders for improving the security of people, organisations and assets, and it has also done wonders for criminals looking to inflict damage to the same. The problem with electronics is that those devices that communicate with a server or a control room were designed to secure people and assets, but until recently weren’t designed to be secure. And let’s be honest, even today there are many devices that pay lip service to security while offering very little in reality.

In the world of access and identity management, some may ask why it would be a big deal if something as simple as a card reader on a door gets hacked? Or if we go further afield, why would it matter if a security camera gets hacked and bad guys see your parking lot or the reception to your offices?

Apart from the inconvenience, those are not sensitive areas so it may not seem like a big deal. A common belief is that, at worst, the criminals can break a reader so people can’t log in.

But what if a criminal uses the hacked reader to gain access to your building after hours? If your reader is online and offline, that means everyone with access is stored on the reader and the database can be stolen. What if a criminal gang is monitoring your parking area and other parts of your business premises to find out the guard tour schedule or how many guards are onsite after hours? That’s a bit more serious.

The real danger in these scenarios is the connectivity. Once a device is hacked, the criminal is on your network and the possibility exists that, with a bit of patience and assistance from the thousands of hacking tools available on the Internet, they can gain access to servers and other digital areas of the business. If they gain access to payroll and the relevant logins, they also have access to your bank accounts.

In addition, with so many devices being connected to the Internet today, your hacked device may be infected with malware and become part of a botnet – a global network of infected machines that can be used to launch online attacks against anyone. So your infected reader now becomes more than an inconvenience.

Cybersecurity has become a reality for the physical security industry over the past year or two, and will become even more of an issue as the Internet of Things (IoT) grows. We will soon have billions of small devices with supposedly limited functionality vulnerable to attack. The original intent of these devices is not important, their ability to communicate unhindered over networks and the Internet is.

If one looks at the bad press Hikvision has received over supposed backdoors into its surveillance equipment you can easily see the brand damage being cyber insecure can cause. Hikvision seems to be a target for bad cybersecurity press these days, but the fact is there are no surveillance vendors that have not had vulnerabilities in their equipment – no matter which country they are manufactured in.

But what about the access control industry? Have we seen companies providing hardware, software and services related to access and identity adopting a stronger cybersecurity posture? Moreover, is it really necessary if your access control systems are all located within your building?

It’s all connected

HID Global’s Jaroslav Barton says that modern access control systems are not discrete products any longer. “They can be interconnected with other security systems, they can use and share data from IT systems, and access control data is increasingly moving to the cloud.

“RFID technology used with access cards and tokens is increasingly vulnerable to possible attacks if adequate security measures are not implemented. All this results in the need to provide robust protection against possible cyber attacks.”

“The current deployment of access control is still predominantly within a secured physical building, which is isolated on private networks,” says Impro’s Vikki Vink. “This reduces the risk of a cyber attack, but naturally relies heavily on the IT systems and governance procedures. For some access control systems, this suffices, however others, including Impro, provide additional security measures that further benefit from a well-defined security architecture typically found on enterprise networks.”

Tim Timmins from G4S Secure Solutions (SA) states quite simply, “All systems are under fire in this age of cyber attacks and there are various ways that solutions are trying to combat these attacks. One of our main approaches is edge encryption and decryption.

“This means we encode our message before sending it to the recipient and the recipient has the capability to decode and understand the message. Intercepted messages would thus not mean anything to the application or person that intercepted that message and it would be useless information.

“This is obviously an ongoing process as one has to safeguard many aspects of the system, one of them, and probably the most important one is the database.”

Leveraging proven IT security

From the HID perspective, Barton says the most vulnerable part of any access control system is the RFID identification. RFID has been used in access control for more than 25 years. “With the development of electronic and computer technologies, the early RFID technologies that used to be very secure decades ago cannot provide sufficient security today. Contactless smartcards introduced later with secured data storage and encrypted communication was a massive step forward.

“However, many smartcards were based on proprietary encryption algorithms which can be potentially dangerous. Not surprisingly, hackers have been able to crack many popular smartcards. Therefore the security trend today is using multi-layer security, open security standards for data protection and data transfer, and moving the security to a level similar to the one used in the IT industry.”

Vink adds that for those systems relying on an organisation’s back-end IT infrastructure should leverage global IT standards in protecting their access control systems as well. For example, changing default passwords, ensuring that there are no network points outside the physical building, making sure the server is suitably protected with the necessary firewalls and virus protection, and so on.

“This greatly reduces risk and should be considered standard practice, unfortunately, in our experience many sites leave themselves open to problems by not adhering to the basics. You should look at your security as an onion with multiple layers. The more layers, the greater the security. So start with the basics outlined above, and then add additional layers (either as the end-user, or from the manufacturer).”

In the case of Impro, she says the company uses global IT protocols as standard, and adds additional layers. The management software operates on HTTPS and there is a directory-based authentication model for the software, which is coupled with an additional layer of operator security. In addition, Impro is launching new encrypted solutions using TLS (Transport Layer Security), which further enhances network security.

Timmins echoes this advice, adding, “Always ensure that any network connectivity exists within a controlled and managed LAN or WAN and a secured APN into that network for mobile devices. All devices with access to the network should be controlled by company IT policies which will greatly reduce risk. Needles to say, well managed DMZs (demilitarised zones), firewalls, VPNs and antivirus are essential to keep the threats out.”

Going mobile

The current trend to using smartphones for access control by including a credential on the device has proven a success. However, mobile devices are not restricted to only access control and are carried with the owner wherever they go, adding another potential security headache.

Depending on how mobile phones are used for mobile access, Barton says this technology can be very secure or quite insecure. Some solutions use simple card serial number (UID) emulation on a smartphone which obviously doesn’t meet basic security requirements. UID is unencrypted and can be copied and the credential cloned as easy as it can be done with cards that use UID as an identifier.

“If the mobile solution is based on highly secure technologies, like Seos from HID, the credential is stored in a secure application sandbox of the phone’s operating system and transferred in a secure encrypted manner. For mobile access solutions, it is also essential to evaluate the security of the process for provisioning mobile credentials. Modern, secure systems enable over-the-air provisioning and they do not allow transfer of credentials from one phone to another.”

“On the mobile side, the newest innovation that we’ve adopted is the ability to use your mobile phone as a secure credential in your access control system,” says Vink. “Naturally, security has to be extremely robust to ensure the protection of the site and this has been achieved through AES-128 encryption. In addition, these credentials can be revoked in an instant, thus ensuring that should someone lose their mobile phone, their credential is quickly and easily revoked and can no longer access the site.”

Cloudy access control

Another one of the growth areas in access control is supplying the access control functionality as a service – Access Control as a Service (ACaaS). In these scenarios, one’s access control system is managed by another company and you could even have the databases and applications residing in the cloud, which brings its own cybersecurity issues.

Timmons notes that even though it is in the cloud, that only means it is ultimately on a server sitting somewhere else, whether it is a physical or virtual instance of it, so in essence all the same rules apply. “Protect your data up and downstream by strong encryption when passing through unsecured networks like the Internet, and ensure that your endpoints are well protected against attacks in all forms.”

While many people still see cloud services as insecure, Barton explains that using the cloud in the right manner is more secure than storing data on-site. “Many people that are afraid of the cloud don’t realise that we rely on cloud solutions on a daily basis. Using the best practices of cloud storage is essential of course: data should be hosted in a secure server environment and industry standard advanced security technologies implemented to prevent interference or unauthorised access. To minimise vulnerability threats, two-factor authentication for data access should be used.”

Vink expands on this, noting there are a number of standards to follow depending on the cloud model. Many access control vendors simply move their system into a hosted environment, with a secure gateway device managing the communication between the premises and the cloud. This does provide acceptable levels of security for installations where IT governance is not a business priority, but can be a costly solution.

“The Internet of Trusted Things (IoTT) aims to promote secure communication standards for devices that were previously only connected on local private networks. This means adopting industry standards and accepted, secure communications which are built into the most basic components of hardware. However, this is a challenge faced by many industries, not just access control.”

What’s happening in the real world?

In theory there are many ways to ensure your access control systems are cyber secure, but are vendors making the effort to implement these theories in the real world? While we can’t speak for everyone offering access control products and services, we can ask our interviewees what their companies are doing in this area.

“At HID Global, we apply an holistic approach to information security by considering all threat vectors and aspects,” explains Barton. “We use industry best practice guidelines, frameworks, and standards. All our solutions consist of multiple layers of security and are based on Seos credential technology.

“Seos is standards-based for secure messaging, strong authentication and data confidentiality, including NIST-approved security and NSA Suite B Cryptography, AES-128 and SHA-256. Besides security, the Seos protocol supports strong privacy, meaning that it is not possible to track the identity of a device.”

G4S, as noted above, offers ongoing encryption enhancements and changes with regards to up and downstream data, while ensuring it makes use of the latest versions of IDE technologies. Timmins adds, “We also offer monthly system health status checks to our clients to ensure that they are on the latest versions and that they do have solid disaster recovery and backup plans in place and ready to deploy.”

Impro provides consultation services to assist its customers in specifying and designing sites, which includes IT considerations. “We also advise customers to ensure the physical hardware for their access control system is within a secured environment,” explains Vink. “For example, don’t use readers that include a relay on the outside of your door as this immediately is a risk. Easy access to the relay means that if someone shorts-out the relay, the door opens. We’d also recommend for medium to large sites that their IT personnel are part of the group managing the access control system.”

Finally, Vink adds that Impro promotes global best practices from the IT sector, since these are without a doubt at the forefront of cybersecurity.

For more information contact:

HID Global, +27 (0)60 988 2282, rtruter@hidglobal.comwww.hidglobal.com

G4S Electronic Specialised Solutions, +27 (0)10 001 4500, ess@za.g4s.comwww.g4s.co.za

Impro Technologies, +27 (0)31 717 0700, info@impro.netwww.impro.net

[/text_output]

Access Control & Identity Management, Integrated Solutions

November 2017

By Andrew Seldon.

Access and identity management is about trust. Who has access to your physical and logical properties and what they may or may not do there, when may they be there and are they qualified to be doing what they are doing?

Hi-Tech Security Solutions took the concept of trust and asked a few access control vendors for their take on the concept and how it translates into the real world of access. In this round table, we focused on the physical security vendors, leaving the digital access to a second conversation which is also published in this handbook.

The round table attendees were:

• Andrina Diedericks from IDEMIA (previously Morpho), focusing on the biometrics side of identity and access, where the company has over 30 third-party technologies integrated with its access and identity systems.

• Mike Kidson and Melville Frahm from Impro Technologies, a local manufacturer of software and hardware components, as well as a developer of integrated solutions.

• Leonie Mangold from Powell Tronics, a distributor and software developer focused on creating integrated third-party solutions for its two primary product lines, Morpho and Impro.

• Walter Rautenbach from neaMetrics, a distributor for Suprema in Africa and also a global software development specialist for the Suprema range of products.

• Greg Sarrail and Claude Langley from HID Global, representing the biometrics division (Lumidigm) of the larger HID group.

Assigning trust

When it comes to assigning trust in terms of an access control scenario, there has to be an initial point where a level of trust is associated with a person or device. For example, at some stage of the process, someone has to decide that this person or that vehicle should be trusted and allowed access to certain properties and areas within a company.

Frahm says this trust is established in the initial engagement and enrolment process. Companies are quite entitled to and should take the necessary precautions when collecting people’s credentials, whether it is a photograph, fingerprints, making use of identity verification services and so on. This initial process sets the scene for future interactions and privilege assignment for the individual. If you know you have it right on that first enrolment, you are off to a good start.

Within this process, Kidson says this trust assigned to an identity must tie back to some kind of non-replicable component to ensure accuracy. “And the most difficult thing to replicate is the biometric. So, be it a facial recognition component, a fingerprint, an iris, whatever the case is, when you integrate that element onto a credential I think you are heading in the right direction.”

It is too easy to copy or clone physical documents like cards today. A recent demonstration showed how almost any physical credential can be cloned in a few minutes. There are, for example, some cards that can’t be cloned as easily (or yet), but the criminal element is always on the prowl and it is a matter of time before they find ways to compromise the next secure credential. Therefore, we need something additional, and the best option right now is in the form of a biometric.

Kidson believes biometrics is how you tie the trust idea together. It’s a safety net that until now you could not replicate and it is the closest way of authenticating that this credential is being used by the appropriate person. Moreover, he says integrating biometrics with your access and identity systems is the starting point for more security and is an important aspect of the solutions approach instead of simply buying individual technology components. “Instead of a component you need an holistic turnkey solution where there are integrations on the various components for improved reliability and trust.”

Solutions are us

Rautenbach agrees, noting that integration, or solutions are critical in this space. “Take for example the criminal clearance solution: an employee or a prospective employee comes in and places their fingers on a reader. It gets sent to SAPS and they say there is no criminal record. This is fine, but did we ask the right person to put their fingerprint down? The prints match a record at SAPS (or hopefully don’t match in the case of a criminal record check), but is the identity associated with that fingerprint on their side the same as the person sitting here?

“One of the things happening now is adding to the service, a confirmation that those thumbs belong to the person sitting there. Now you have closed that loop because you know the person verified against the Home Affairs database and the criminal record for that person actually belongs to that individual.”

And that is where the integration comes in, but it’s also where we run into a problem because it depends on the client being prepared to spend a bit of money on that closed-loop service. Is allowing someone access to your building worth the expense, or is who that person is not really that important?

“If I work at the Reserve Bank, then it’s important to have all that information, but if you come to visit our office, I am not going to do all those checks on you,” Rautenbach adds. “However, it’s the ability of technology today to link all the different systems together that makes for a more accurate and reliable mechanism for obtaining a level of trust for that identity.”

Kidson adds that it is also important to note that the databases we use in these processes are often overlooked as they need a refresh cycle as well. Authentication has a sell-by date and there needs to be a renewal window depending on what information and trust is being assigned. He also believes we need to add different components to these databases to improve identification and authentication.

For example, licence plate recognition recognises the number; it does not recognise the colour of the car, the shape of the car, the make of the car, etc. An holistic solution needs to bring additional components into the mix for more accurate identification – for people and things.

“As a company it is going to cost me money to re-verify you every 6 to 12 months so it doesn’t happen, yet, in the meanwhile, the employee goes through a court case and is convicted,” notes Langley. “You do not know and you will never know it because there has not been a second verification.”

He adds that the problem at this stage is that linking to external data sources is still too expensive, and the infrastructure is not there. He gives a bank as an example: they will interact with the Home Affairs National Identification System (HANIS) initially to verify that it is me, but then they create their own database because of a lack of infrastructure, lack of trust and cost. And then, while they may have an up-to-date database, they are not going to share it or allow access.

This example again serves to highlight the importance of trusted integration throughout the access chain, whether for top secret operatives or just to allow an employee access to the car park. Mangold and Diedericks concur, noting it has become standard in today’s world to add value to the ‘boxes’ that are sold. Not only does this improve the identity verification process, but it also adds an improved experience for end-users at the end of the day.

And perhaps, given the latest South African breach where millions of identity numbers and other information was left exposed on the Internet (and obviously stolen), basically leaving the entire country potential victims of identity theft, this serves to highlight the fact that identity verification is too important to leave to a tattered card of ID book without additional, integrated components to ensure people are who they claim to be.

Kidson refers back to his comment on biometrics, saying it’s easy to replicate a physical credential, but when you combine credentials and biometrics you add a significant level of security.

And, adds Langley, this is where multi-modal identification is proving its worth. “It’s not just one single point of identification but multiple, and it provides more of a secure platform than just a single authentication method.

Sarrail expands on this, noting it’s a question of educating the customer of the dangers of not using good verification solutions. Most customers quite naturally want to buy a single point solution and to compare the price with other point solutions. But in the end, they want (or rather need) an integrated solution that works to solve the problem they are faced with and which could cost them dearly.

So while you may focus on what the end device (a card or fingerprint reader, for example) costs, this is not going to solve a problem without the full integrated solution. And it is the full solution that is going to be the problem solver, money saver and fraud preventer in the greater scheme of things.

What do you always have?

While it’s easy to speak about credentials and biometrics, even having biometrics on your physical credentials to prove that the person with the card is the person who is supposed to have the card, we are often faced with the question of what is the best credential to have that can offer various forms of authentication and identity verification, but without placing an unrealistic cost burden on the company.

Rautenbach has a clear answer here: What do you carry with you all the time?

“I think your mobile phone is the ideal solution. If you provide cards to people and they lose it, that means someone can find it and potentially use it. If your ‘card’ is on your phone, it can be assigned to you and deleted remotely in an instant.

“So I love the idea of mobile credentials. You can use it for logical access as well, since most PCs have Bluetooth so you can have a BLE interface. Most importantly, I am not going to leave my phone at someone else’s PC, or at home, and if I lose my phone I will realise it very quickly. So it’s the perfect device for access control. You can switch over from identification to verification, and you can take it further by making the credential more intelligent, building biometric-on-device authentication in to activate the virtual card.”

And it doesn’t stop at fingerprints. While fingerprints are the go-to solution for biometric access at the moment, Kidson says Impro ran a facial recognition pilot at an industrial site where employees worked with their hands and often had damaged fingerprints. The result was only two out of about 3000 workers could not be authenticated via facial biometrics, indicating this will become a biometric to consider in the future. He also notes that the question of the type of facial recognition used is important, as 3D recognition is far more accurate and reliable than older 2D technology that can be spoofed with an image of a person.

Diedericks again notes the issue of risk profiles come into play and that more secure areas will require additional security levels or layers before access is granted, which can all be controlled on the smartphone. She adds that, while smartphone facial recognition is acceptable in certain instances, IDEMIA’s facial recognition solution takes 40 000 3-dimensional points on a person’s face and creates a template from that, making the process more secure and less vulnerable to spoofing.

Standards and quality

It’s all very well talking about integration and the need for holistic solutions, but the average buyer, no matter how educated they are or how aware they are of the need for better verification and authentication processes, is till bound by a budget set by people who are, at best, unaware of the risks and realities.

When purchasing your technology (which is hopefully part of a solution), it is important to look beyond the price and consider the quality of the products and whether they adhere to internationally accepted standards. This is not only an indication of their reliability and security, but also an indication that they will be able to be integrated into future expansions to the solution the organisation requires. And when looking at the various ­technologies mentioned in the Access & Identity Management Handbook 2018, it’s clear that even your intercom system can and should form part of the broader solution.

One biometric standard, specifically related to fingerprint biometrics Diedericks mentions is FBI compliancy and certification which, if adhered to, will stand the organisation in good stead if it needs to take its access logs to court. She does, however, acknowledge that not everyone needs a high-end biometric reader. A smaller company may be satisfied with a cheaper brand that is good enough to allow access to the premises. When you look at a larger company with additional requirements, you then need to consider the speed of recognition, the database size you can work with, encryption, liveness detection and other factors.

Sarrail says it all depends on what you want to get out of your system. The FBI standard, while still relevant, is a 20-year-old standard. “New multi-factor authentication systems are out that are never going to be addressed by that standard. So there needs to be a new set of standards that relate to this new data that is available.

“None of us have seen the Apple facial recognition system in person yet [the round table was held before Apple’s new products reached South African consumers – Ed.], but apparently it’s pretty good,” Sarrail continues. “There is not a set of standards around that and Apple does not care. It is in their bubble and they are going to protect it and use it for their users. But that sure is going to drive the rest of the industry to say: If they can do it on a phone, why are we doing it elsewhere? And that is going to have to result in new specifications that deliver the quality and reliability industry requires.

“The use cases today are going to be the drivers of new technology and the standards you need to deal with current threats. As such, while standards are important, we need to ensure they cover where we are technologically today and the ways in which we build solutions.”

Once they’re in

Of course, access control is more than simply deciding who gets in. It must also include what they are allowed to do once inside. Mangold says companies need to be clear about and make known their right of admission policies. This is more than simply deciding who gets in the door, but what they are allowed to do once on the premises. This applies whether they are accessing a business location or a residential estate, or even just using Wi-Fi as a guest.

“With an integrated solution you can manage where people are allowed to go. So if you, for example, are a high care nurse that comes into a frail care facility, you only are going to have access to that frail care facility at the point where you are enrolled onto the facility. Through your access system, you can furthermore guide people into areas where they are supposed to go. So by incorporating all of that into your access control through integration, you can actually manage where people are going, you can know who is on site, where they are, are they still on site, should they be off site.”

It starts with access groups in your access control system, says Rautenbach, when you predefine specific access groups and then assign access to those privileges. “But that is not where it should end. I might limit a visitor to only come into the reception area, but did that visitor try and access different areas? That sort of reporting to proactively assess what that guy did is something that is lagging at the moment.”

He adds that you can then go further and link logical access control, but then it becomes a different ball game because it is not turnstiles that you are managing, but what actual data and PCs people can manage – and that becomes a little bit more tricky because then you normally have a separate credential system that manages that type of process.

Of course, we are looking at the capabilities of technology here, which is an ideal situation. Langley and Kidson both mention that no matter what technology you have in place, there is always the human element to consider. Whether it’s a guard or receptionist who doesn’t care whether you have access or not, or a too-polite person within a building who allows you to tailgate, the human element is always the weakest link in security.

Diedericks relates the human problem to the issue of convenience. When the human element gets involved in the process of verification or authentication, convenience beats common sense and if the process is not convenient people will simply not comply. Looking at the passwords people still choose today is a clear indication that no matter how important security is and how much people are educated, simplicity and convenience beats all.

However, while agreeing, Mangold says you need to draw the line somewhere and force compliance if you don’t want to expose yourself to extended risks. “All the technology is useless without procedure and policy. You can have the best technology and the greatest integration, but if you do not enforce policy and procedure, it is absolutely useless.”

Sarrail highlights the concept of risk profiles. Relaxed security may be acceptable in some instances, but if you are in a high-security environment then you will make it more cumbersome on the individual. The right policies and procedures must be put in place, and enforced, according to the risk profile for the environment.

Frahm echoes that it is critical to ensure your security employees are following the procedures and will not circumvent them in a situation where they feel it may be justified to ignore them. His reasoning is that the criminal element is always watching and waiting to discover weaknesses like this that they can exploit.

Looking ahead…

With the knowledge that integrated solutions are the way to go for reliable and secure authentication and verification, we ended the discussion by asking our attendees for their insight into what will be important in the industry over the next year or two.

Kidson, unsurprisingly, is sure we will see an even more significant move to mobile access technologies than we have seen this past year or two. “I think we will be utilising these devices more in every sphere of our lives.” In addition, he sees more, more complex and improved integrations across the board.

Mangold sees an increase in ‘one version of the truth’ in future. In other words, having a single database in an organisation where credentials are securely stored and distributed to physical and logical access systems, as well as other business areas where they are needed. The days of having a database in HR, as well as the security department and another for IT security are over. As an example, she says Active Directory is often used as the source for Powell Tronics’ installations and information required for access is pulled from there to avoid having to capture information twice, avoiding errors and conflicts later on.

Sarrail expects cloud services to take off in the near future. There are already identity management services based in the cloud, but these are not as common or as attractive to companies of all sizes as they will be, and especially not as integrated into various systems public and private enterprises require.

While the report on the round table can only highlight snippets of what was discussed, the overall impression is that innovation in the access and identity market is in no danger of slowing and the options for end-users are more plentiful than ever. There is still a need for educating users on best practices and processes, but the industry seems to be setting its own standards in terms of what works in terms of authentication and verification to ensure security in even the smallest companies.

Hi-Tech Security Solutions thanks all the participants for taking the time to join the round table discussion and for their contributions.

October 2017,
Access Control & Identity Management, Products

When was the last time you received something for free?

Something that could enhance your security, help manage your business, or put some extra money in the bank?

As a customer of Impro Technologies, you’re able to enjoy free software releases when using its Access Portal access control management software. This means customers continue to benefit through increased functionality and features, with each release of software.

Added to this, Impro Technologies charges no annual licence fee for Access Portal and provides free 24-hour technical support – making Access Portal one of the most cost-effective products in the industry.

The company’s latest software release focuses on reducing the configuration and installation time, as this is often the big risk factor for installers – the longer on site, the less profit.

One innovative feature that helps achieve this is the ability to configure a site with virtual hardware before going onsite. This reduces the installation time, as well as the risk of onsite problems, as the virtual hardware is simply replaced with physical devices when at the premises.

For the corporate office sector, which frequently use elevator and lift controls, the new version of Access Portal incorporates a purpose designed module that quickly guides users in the configuration and operation of elevators.

Another time saver is the new firmware upgrade tool to enhance your hardware. The tool makes upgrading devices quick and easy, with just one click.

For more information contact Impro Technologies,
Tel: +27 (0)31 717 0700, info@impro.netwww.impro.net

October 2017,
News, Conferences & Events

The Camprosa (Campus Protection Society of Southern Africa)

2017 conference, held at the picturesque Kwa Maritane Bush Lodge in the North West province’s Pilansberg area, was once again a successful networking event for both its sponsors and delegates.

Topical presentations included one from guest speaker David Bousquet – president of IACLEA (International Association of Campus Law Enforcement Administrators) – on the US campus security perspective. Of particular interest and perhaps a plausible idea for South African campuses, is the presence in the US of dedicated law enforcement precincts at each university. There is a highly synergistic relationship between the formalised police presence and the universities’ security forces, allowing greater control over risks.

Ken Annandale, founder of IntraSafe, was once again the master of ceremonies for the event and hosted the panel discussion – ‘Security within the new norm’, with participation by Dr Diane Parker (deputy director-general at the Department of Higher Education for Universities), Major General Mkhwanazi (SAPS), Roland September (acting executive director – properties and services at the University of Cape Town), Derek Huebsch (director – security services at Nelson Mandela University) and Paul Maritz (ex-SRC president at North-West University).

Leonie Mangold, senior key account and business development manager at Powell Tronics and chairperson of ESDA, was invited to present a paper which focused on the company’s customised integrated solutions aimed at the education sector.

The Powell Tronics display at Camprosa 2017.

The Powell Tronics display at Camprosa 2017.

ESDA Windhoek expo a success

October 2017Conferences & Events, Associations

The end of August saw ESDA taking its show on the road with the association’s first expo in Windhoek, Namibia. Any pre-show jitters were quickly resolved on the day, which turned out to be a great success for all concerned.

The expo was well attended and over 100 visitors walked through the exhibition area to see the latest security products and systems the various security distributors had on display. The visitors were made up from a variety of Namibian industry participants, from security industry installers, distributors as well as end users, all of whom appreciated the exhibitors coming to Namibia where they had the chance to see the latest products and meet with industry experts face-to-face.

Powell Tronics: Powell Tronics showcased Impro’s Portal product which can be accessed from your mobile device, with the latest RFID, Wi-Fi locks and biometric technology available.

September 2017,
News, Conferences & Events

The Elvey Ignite Expo

provided the company with the opportunity to roll out its partnership strategy. The events, which took place in Johannesburg, Durban and Cape Town between late July and late August, underlined the company’s intention to increase its interaction with its valued industry partners.

Gary Lowe, chief executive officer of Elvey, explains that the expo allowed the company to emphasise a number of critical elements that include the shift in user interaction towards mobile apps and the gradual shift in market direction towards the home automation sector. In addition, it highlighted the growing need for integrated security solutions and the continued shift of most technology towards IP convergence.

On show were a large number of security solutions from the company’s international suppliers including Risco, Networx, Impro, Permaconn, RDC, Dahua, Kedacom, Nemtek, Suprema, DSC, Fireclass, Optex, Fibaro, ET Systems, Fermax, Alarm Supplies, AccessLine and Sherlotronics. Fellow Hudaco Group company MiRO also exhibited a number of its IP wireless convergence products. All products were displayed on modular pods, allowing customers to easily view the various solutions and to interact with technical representatives from both Elvey and its suppliers.

The two-day programme in each city commenced with an opportunity to experience hands-on demonstrations of the technology solutions. The dinner at the end of day one, hosted by Lowe and Talk Radio 702 presenter, Aki Anastasiou, afforded Elvey an opportunity to showcase its new corporate video which articulates the company’s core values and direction.

Lowe furthermore outlined Elvey’s foundation of trust, partnership and innovation and stressed the importance of focusing on quality instead of price. “An alliance with a trusted partner such as Elvey allows customers and suppliers to leverage the multiple facets the company can offer. These clearly position Elvey as an active, dynamic partner in technology, supply chain, skills development, logistics and distribution, marketing and promotions, as well as technical support.”

Lowe emphasises that the future sustainability of companies will be assured when they adopt solutions that are designed for the long haul. “With a preponderance of low-cost copycat security products flooding the market, there will always be a temptation to compromise on quality for the sake of budget. This is however a very short-sighted attitude and its eventual failure as a business strategy is underscored by the endemic lack of pre-sale technical advice and aftermarket support these copycat suppliers are typically characterised by.

“By partnering with Elvey, you buy into a long-standing tradition that encompasses a healthy research and development budget, robust development pipelines and extremely high levels of quality control. Ultimately, our aim is to add more value to our customers’ businesses and their customers’ lives.”

Accredited Training on Access Control

Critical to the success of any access control solution is the transfer of skills and knowledge, so that you are able to reap the full benefit of your investment. To this end Impro’s Client Services’ division provides an extensive range of accredited training in all aspects of access control. Impro’s training courses consist of a number of modules that are outcomes driven, so delegates are able to proceed at their own pace. The training also comprises both lecture and practical aspects, to ensure a complete understanding of the topic.

Summary of training offered:
∙ Introduction to access control
∙ Access Portal sales training
∙ Access Portal operator training
∙ Access Portal hardware installation and configuration
∙ Access Portal software installation and configuration
∙ Advanced Access Portal features and configuration
∙ Integration of biometrics and modules
∙ Access Portal technical support

At the end of all training there is an assessment and/ or an examination, to ensure competency and certification. In addition, should one have specific topics or areas of training required, Impro is able to develop specialised courses to meet your needs. All training is offered on site at your premises, or at one of Impro’s fully equipped training centres in South Africa.

 

To find out more about Impro’s Training Courses click here

Shipton takes the reins at Impro

South Africa witnessed the end of an era and the beginning of a new one about two years ago when ASSA ABLOY bought Impro Technologies. Fortunately the transition was smooth and Impro and its customers and users were able to continue as normal without any unpleasant surprises.

July 2017 saw the end of another era as Errol East steps aside as the MD of Impro. It also sees the start of a new era as ASSA ABLOY has appointed Mike Shipton to take over the reins as MD. Hi-Tech Security Solutions spoke to Shipton and East about the changes.

The past three months have been a transition period in which East has handed over to Shipton and assisted him in getting to know the company and the people. With the transition period behind them, both are confident that the company is in good hands going forward.

A history of innovation

The company East leaves behind has a long history of innovation, being one of the first, many years ago, to identify the importance of RFID technology in the access control market. East and his team steered the company through a variety of market changes and were right on target to go to market with new solutions when the access and identity market moved from card-based access to biometrics, cloud and mobile technologies – where Impro is again leading the field.

Impro has proven itself as a top-tier local manufacturer over the years with its own engineering and development team keeping the company ahead of the field. When the company decided to change its approach and move into the cloud space before the launch of Access Portal, Impro’s engineers and developers spent 18 months undergoing specialised training to ensure they were able to come up with solutions that encompassed the latest technology.

In addition to this, East says the deal with ASSA ABLOY has provided the team with access to intellectual property (IP) from the ASSA ABLOY stable (such as cloud, mobile and SEOS IP), which will assist it in future developments. The new owners will also be able to assist in the further expansion of Impro into Africa and beyond. The company currently exports to 60 countries around the world.

Despite Impro’s history of success, Shipton adds that more is yet to come. While reticent to talk about new products the company will be launching later this year and in 2018, he says Impro is in a good position to leverage its current technology in different areas. Access Portal, for example, is a data gathering platform used for access control at the moment, but it can be expanded into different areas to provide additional value to users – such as intrusion, CCTV, building management systems and more.

Solid foundation

Shipton is well aware of the legacy of East and the team at Impro, and says he wants to keep the business operating with the norms and values of a family-run concern. Trust and innovation has always been a key element of the company and he intends to keep it that way.

He adds that the company has been run well and efficiently, making stepping into East’s shoes a little easier. He is also determined to keep Impro running as an independent brand going forward, and ASSA ABLOY is keen to support this endeavour while encouraging Impro’s expansion into Africa.

The company will be appointing partners in the region, and Shipton says the channel strategy of Impro will remain as is in South Africa where Powell Tronics, Elvey and Access & Beyond distribute the brand. Impro will be investing in its sales team to further empower its business development consultants to assist value-added resellers and distributors, but selling direct or changing its way to market is not on the cards.

Similarly, Impro’s South African manufacturing will continue as its efficiencies have given it a competitive advantage, even against countries renowned for cheap manufacturing. This while ensuring its products are able to stand up to the best in the world in terms of quality and reliability. In fact, the Impro factory already manufactures a number of products in South Africa that are sold by ASSA ABLOY companies (under their own brands) globally.

With a long history of innovation, and many employees who have been with the company for years (some over 20 years), Impro is set to take on the next decade with a focus on innovation and collaboration among its teams to develop the best products in the market. And while East is retiring from the company, he will not be retiring from business. He already has a new business opportunity in the pipeline which he will address after taking a break, although this will not be in the technology realm.

Impro releases S-Series

Impro Technologies has released the S-Series, a new range of hardware that seamlessly operates on the Access Portal management software. The S-Series is aimed at cost-sensitive markets and up to eight SIR readers can operate from a single module.

The simple plug-and-play design of the hardware ensures easy installation and the ability to hot-swap modules without impacting the system makes the maintenance of the series as simple as possible. The use of three-core cabling further reduces costs and installation time.

A key feature of the S-Series is the use of secure technology that provides enhanced protection against card cloning. Many traditional tag technologies have been compromised in the past, which can result in unauthorised users gaining access. With Impro’s 125 kHz RFID tags, this risk is reduced due to the proprietary communication protocol used.

The system further encrypts communication between the hardware components of the reader, module and controller for added security. End-of-line sensing provides additional protection against tampering with cables, and an alert can be automatically sent should an event occur.

Scalability is another feature of the S-Series as it can be used in businesses of all sizes, from two doors to over 2 000 doors. Installation flexibility is also ensured as the readers can be installed up to 150 m from the module, while controllers can be connected either via RS-485 or TCP/IP.

The system hardware comprises of a cluster controller, S4 reader module, SIR reader and S-Card encrypted tags. The software is either embedded in the controller or installed onto a PC/server depending on the installation size.

For more information contact Impro Technologies, +27 (0)31 717 0700, info@impro.netwww.impro.net.

The Access Portal software aims to provide customers with increased functionality,coupled with a user friendly interface.  In line with this Access Portal 2.0 introduces a revolutionary dashboard view, which makes monitoring your access control system, simpler than ever. We’ve also increased the flexibility of the reporting, giving you the ability to quickly access the information you need.
PERSONALISED DASHBOARD
Within a few clicks operators and other authorized personnel can create their own tailored dashboard, which becomes the default view each time they log in. Users can select the specific services (widget) they want to
view, where on the screen this should appear, the size of the widget and even the colour. Available widgets include:

• Live! transactions: view transactions in real time from the dashboard.
• Access group capacity: quick visualization of the number of people/assets tracked in an access group i.e. parking spaces available.
• IP camera: view the video feed from an integrated IP camera (CCTV).
• Commands: ability to enable threat level, resetting of APB (antipass back), or unlock a door.
• Quick enroll: enables the operator to quickly enroll a new person or asset from the dashboard.
• Monitor door: ideal for main entry visibility where remote unlock can be undertaken, or the threat level of the door changed in an instant. Also shows the latest transaction for the specified door.
• Monitor person: integrates with the scheduled tour feature to monitor an individual undertaking on tour.
• Shortcuts: just as in Windows you can create a quick shortcut to frequently used services, Access Portal now offers this functionality for fast access to areas of the software.

ACCESS GROUP CAPACITY
This new feature allows a maximum capacity to be set for an access group. This is an ideal feature if you have a shared facility, such as parking, whereby only three bays may be used by the one company (access group).
Should a fourth vehicle arrive, it will not be allowed access until another vehicle departs. In addition, this functionality is available as a quick view on the new dashboard function.

CLUSTER CONTROLLER ACTIONS
Along with the ‘new access group capacity’ function is the ability to reset a cluster controller’s access group count – returning it to zero – and to reset APB (antipass back).
This ensures that if people have left the area without tagging, perhaps by following a colleague out the same door, the count can be reset to zero in order for a security alarm to be automatically armed in the area.

DUAL TAGGING
Often high security facilities require more than one person to tag in, before a door will be opened.
Access Portal now allows up to five tags, from any five authorised users, to be required for the opening of a door. This means that a bank vault, for example, would require three authorized users to tag together, before access is granted.

BIOMETRIC ENHANCEMENTS
Access Portal is able to read and write secure encrypted biometric data to SEOS cards, on select Morpho Sigma SEOS enabled readers. This enables Impro to offer “biometric data on card” functionality for the specific Morpho Sigma devices.
In addition, through Access Portal, you are able to exclude specific biometric readers and/or tags from an upload, for example, where you want permanent employees fingerprints uploaded to all readers, but temporary staff will use biometric data on card instead.

ADDITIONAL FEATURES
Other features include:
• Move view: built in wizard to assist you in quickly moving a single, or multiple, person/asset from one site to another.
• Reports: we’ve added a new filter type that shows custom field values, such as open text fields, for quicker searching of custom data.
• WAN installation: you can connect to cluster controllers over a WAN, facilitating multiple sites communicating back to a central server.
• HID Omnikey: the Omnikey enrolment device has been integrated in Access Portal, enabling the system to read tag code numbers of HID SEOS, iClass and MIFARE® cards.
• Application Programming Interface (API): our API has been expanded to incorporate additional services such as injected transactions and lucene search, to further enhance 3rd party integrations
Please note:
• To ensure the latest changes are available after an upgrade, we recommend clearing your browser cache.
• There is currently no support for deleting a site that already has people and/or assets saved to it.
This intentional restriction enforces auditing requirements.

February 2017, 

News, Access Control & Identity Management, Integrated Solutions

Impro hosted a breakfast at the end of 2016 in which the company highlighted its history, the products and solutions it is bringing to market, as well as how the company is progressing since the buyout by ASSA ABLOY.

Impro’s MD, Errol East started proceedings with a quick overview of the company from the formation of Digital Controls in 1982 to the current business. He highlighted various products the company released over the years, showing how technology has advanced and how Impro has incorporated these advances into its products.

East touched on a few pertinent inflection points in the company, such as its adoption of the OS/2 operating system in the ‘90s, which turned out to be a mistake. He also mentioned the company’s development expertise and the move to Agile Development principles in the late ‘90s and early 2000s. Agile Development sees companies making continual improvements through small incremental changes instead of massive new releases at distant intervals.

He said one of the biggest lessons learned over the years is that one has to make products that are reliable and dependable. You can’t expect customers to remain loyal if they are continually facing poorly performing or breaking products.

The IXP range is an example of one of the innovations from Impro, initially released in 1999. Today, all its historical development and innovations are built into the company’s current Access Portal solutions. The new range was the result of a complete redesign of the company’s products a few years ago, part of Impro’s drive to keep pace with changes in the industry and the market at large.

At the same time, Impro is not abandoning its customers using older products which have a long lifespan as a result of the quality in the company’s design and manufacturing processes. East is adamant that Impro should continue to control its production to ensure the quality of the solutions ending up in customers’ hands.

This will not change with the ASSA ABLOY acquisition. East says the company’s new parent offers Impro access to a broad range of intellectual property and global expertise in a variety of fields, but it expects Impro to continue operations as normal. ASSA ABLOY buys into winning solutions, but then allows the company to continue its successful operations while giving it a broader scale in which to operate.

The power of Portal

Following East, Linda Glieman, head of client services at Impro took the floor to briefly discuss some of the newest solutions from the company. She highlighted the Portal solution and the benefits of real-time business intelligence it provides, as well as how the platform has been enhanced, for example, enabling clustering in larger installations. The customisable Portal Dashboard, a live web-based solution was also demonstrated, along with

Impro’s visitor management solutions

Impro’s ability to integrate with other systems in the market was also demonstrated, such as the work the company has done with Morpho readers, Nedap long-range readers and Aperio electronic locks. Impro has also adopted HID Global’s mobility applications which allow users to keep their access and identity credentials on their smartphones.

For more information contact Impro Technologies, +27 (0)31 717 0700, vikkiv@impro.net,www.impro.net

world-in-hands

Hi-Tech Security Solutions surveyed four leading local manufacturers to get their thoughts on the state of the South African security industry, and to catch up on their recent and imminent developments.

Cathexis, which specialises in video surveillance solutions, has been developing electronic and software systems for more than 18 years. With blue-chip customers the world over, the company serves numerous vertical markets, including but not limited to retail, manufacturing, banking, healthcare, mining, education, transport, residential estates, business parks, city surveillance, government, remote monitoring, shopping malls, commercial property and mobile in-vehicle fleet monitoring.

Centurion Systems’ geographical footprint – eight branches covering all of South Africa’s main regions, one branch in Nigeria and a distribution network in over 50 countries worldwide – is matched by the diversity of access automation solutions it offers. Established in 1986, the company supplies sliding gate motors, swing gate motors, garage door operators, traffic barriers, remote controls, keypads, proximity access control systems and intercom systems.

“Some 30 years ago Impro Technologies was formed and the company has become a pioneer in the access control industry, having been one of the first in the world to develop RFID technology.”

Today the company still maintains its own R&D, design and manufacturing facilities. Impro has become a global player with offices in America and Europe, a network of distributors and partners that span four continents, and export markets over 60 countries.

From its inception in 1978, Radio Data Communications (RDC) established a reputation for VHF communication equipment for alarm monitoring, and to date has supplied over 2 million VHF transmitter units and has more than 500 radio networks in South Africa and abroad. In keeping with its pioneering use of modern communication technologies, the company has expanded its capabilities into GSM and SMS based systems, and offers a number of value-added services including 24/7 technical support the year round.

Made in SA, suitable for everywhere

With South Africa’s traditionally robust market demand for security solutions, there is never a shortage of business within the country. What’s more, the reputations earned by local manufacturers in this sector extend far beyond our borders, with all four of the companies consulted attributing a healthy portion of their sales to export markets.

Imported products are a constant headache for local manufacturers due to their usually low cost. However, locally made products do have an edge when it comes to such competition, as Centurion Systems’ Charl Mijnhardt explains. “Our products are designed and manufactured with the harsh African climate in mind,” he explains.

“Africa is definitely not for sissies, as the saying goes, and we ensure that our products are rugged, robust and reliable.’

Features such as weather resistance and battery backup for power failure autonomy are native to our products, and we use the hardiest of engineering polymers in the construction of these products. This has definitely given us a competitive advantage.”

Gus Brecher of Cathexis concurs with this sentiment, but with the proviso that it proves more relevant in certain sectors than in others. “In some market sectors, like mining, this is true because the software and product have been developed over many years to suit these particular verticals,” he says. “Probably more important is the fact that we have the local engineering expertise that is available for system design and implementation.”

RDC’s products are widely used on the African continent, with managing director Brent Andreka going so far as to say they dominate the market in the EAC (East African Community) region comprising Burundi, Kenya, Rwanda, Tanzania and Uganda. Last year the company installed its former technical manager, Maurizio Borsato, in Nairobi to service that market, and Andreka says his presence, combined with his many years of experience in Kenya’s security sector, are bearing fruit and proving beneficial to its customers.

However, Andreka believes strongly that the way to become a global player is to think local. “We have seen the power of this concept repeatedly in the history of our business,” he states. “Over the years, we have developed numerous firsts which were designed specifically for local conditions. The products were then adopted abroad and we now export them around the globe. The availability of our locally developed solutions has also spawned new local markets and industries which are still going strong 36 years after our company’s inception.”

Impro’s sales and marketing director, Barry East, also insists that his company’s focus remains squarely on the African continent. “We build for our home base of Africa,” he explains. “This means our products must be able to withstand extreme temperatures, humidity and ingress; they must be robust and hardy; they have to operate on unstable Internet backbones; installation environments can drastically differ and our products need to provide for that, whilst still being technologically advanced.

“This naturally gives international customers an advantage, as they are able to enjoy all the benefits derived from our home base. In addition, all our products go through rigorous international accreditations, which has enabled us to grow our exports to more than 60 countries, spanning four continents.”

Things are happening

Having taken the big step to move into a new facility (in Edenvale on Johannesburg’s East Rand) a year ago, RDC has reaped rewards in terms of not only productivity, but also morale. “A new environment with shiny new fittings is always a good staff motivator,” Andreka points out. “Our production staff really appreciate the investment we have made in their working environment, and particularly in their break room and bathroom facilities. Their tea and lunch area has a ‘coffee shop’ type atmosphere and bathrooms have the same quality fittings as our management facilities.”

RDC’s primary focus when planning its new manufacturing space was on creative workflow and facilitating natural communication. Improvements to this area are ongoing, and fall under newly appointed production manager and process engineer, Johan Smith. In terms of new manufacturing equipment, the company places an emphasis on quality when it made substantial investment in state-of-the-art testing equipment and jigs, which Andreka says has resulted in positive results that extend beyond quality to improvement in output and productivity.

As for Cathexis, Brecher says recent months have been less about upgrading and more about restructuring. The company has adjusted its strategy around providing the open platform CathexisVision video management software rather than DVRs, requiring greater investment in development. This goes hand in hand with a shift in manufacturing from DVRs to NVRs.

While it is still enjoying the benefits of an upgrade to its manufacturing facilities to adopt cutting-edge technology a few years ago and with no firm plans for upgrades in the near future, East says Impro continually endeavours to enable local job creation and provide real stimulus to the local economies within South Africa. The company offshored some of its manufacturing for a time, but reversed this as East says it was difficult to maintain a consistent quality level. “By retaining our manufacturing facilities we are able to provide our customers with consistently high-quality products, rapid turnaround times and the option to produce small custom volumes, whilst still ensuring cost competiveness,” he states.

To meet its requirements for additional capacity for the manufacture of in-house components, Centurion Systems recently installed and commissioned a CNC centre lathe, and will imminently begin installing a completely new electronic assembly line. This will include a solder screen printer, SMT machine, reflow oven, population stations and conveyor, wave solder machine and numerous new test jigs and fixtures.

Efforts have not been exclusively in-house, however, as the company has launched two brand new swing gate operators – Vert-X and Vantage – that Mijnhardt says have been very well received by the access automation market. The online platform used for administering Centurion GSM devices has also undergone a major facelift in terms of functionality and feature richness, and Mijnhardt hints that the company will soon be announcing more developments in the GSM arena.

Skills shortage is a mixed message

An issue never far from the thoughts of South Africa’s manufacturing sector is the often cited shortage of skilled labour. Messages in this regard are mixed, however, across the companies canvassed, with some normal discrepancies occurring on an individual basis and others being regional in nature.

“We don’t have any issues getting staff,” asserts Cathexis’ Brecher. With a focus on providing solutions, rather than software, the company requires hardware, systems and software expertise. “Our policy is to get young electronic engineering graduates who are at the top of their class, and train them in the best practices that our senior engineers have developed over many years,” Brecher says.

Andreka says RDC is also fortunate when it comes to the skills shortage. “There is no doubt that a skills shortage exists in SA, but it’s not that significant for our company,” he says. “We have actively recruited more skilled and technically qualified staff into our production area over the past 18 months. This means that we have more multi-skilled staff, which has many advantages including minimising the effect of absenteeism on our output. There are many quality and talented South Africans out there, and we often forget that we can and must grow our own timber. The trick is to recruit quality people, and create a working environment that they don’t want to leave.”

Mijnhardt concedes that the recruitment process is often very slow as technically skilled people are scarce, but adds that Centurion Systems is proactive about mitigating against the problem. “We have various programmes in place aimed at helping our existing staff upskill as well as diversifying their skills, while also empowering them to take on new roles in the technical environment,” he says. “Our access automation products are known for being incredibly reliable and of the highest quality, which requires only the most skilled and competent personnel.”

Being based outside of the hub of industry that is Gauteng poses its own challenges, according to Impro’s Barry East. “South Africa as a country faces a severe constraint on suitably qualified technical personnel, whether that is software developers, hardware engineers or production specialists,” he states. “On a local basis, this issue is further impacted by the migration of these skills from KwaZulu-Natal to Gauteng, where they are able to command higher incomes. Given the small pool of electronics companies in KwaZulu-Natal and the limited resources, it continues to be a challenge for the manufacturing sector and so a combined focus going forward must be on how we, as a province, can address this and build local talent.”

Just one wish

No industry is without its problems and, as with any other, the security sector does not exist in a vacuum. If they could be granted just one wish to make the going easier for their companies, the respondents’ replies were as diverse as the challenges they encounter.

East believes that first and foremost, strong partnerships must be built between government and business to address the skills shortages through educational initiatives. “This must be the foundation,” he asserts, “then to unleash job training opportunities, perhaps with tax breaks for creating internship opportunities, so these graduates can secure real experience in the industry.

“Finally – and I think this is a crucial issue – government entities should do more to buy locally manufactured goods. Too often there is a perception that international means better, while often that is not the case. Whilst government certainly endorses this philosophy, their actions don’t always conform. That can be extended outside our borders, to our embassies and missions abroad, where only South African manufactured goods should be used, where possible. That’s a strong message and endorsement of the highest level.”

Government also needs to do more to support local companies’ export initiatives, East says. “There needs to be true engagement on what business needs, and a combined effort to achieve that, quickly and efficiently. The world waits for no-one and, as we have already proven, the opportunities are there. Through targeted actions, great results can be achieved which will bring forex, but more importantly can create much needed jobs.”

Brecher echoes these sentiments in broad terms, saying “I think more emphasis should be placed on buying South African products – by both government and corporates. In other countries where we compete (for example Germany, France, USA, Russia, China and more), the mindset is to buy local and there are some significant government incentives. Unfortunately in South Africa this is not the case. Nobody is asking customers to compromise on quality, but to consider South African products before making decisions.”

Brief and to the point, Charl Mijnhardt’s message is all to do with the skills shortage. “Relax labour legislation. Strongly incentivise employers to engage in workforce training. Our current education system is in crisis,” he says.

Finally, Brent Andreka’s wish is wistful and easy for anyone to relate to: a time machine. “We find that we are bombarded with exciting opportunities daily and we want them all. I wouldn’t use the time machine to travel to other eras but just to create another hour in the day or another day in the week. The machine would however only be able to create time for fun, because we tend to be caught up in a cycle where getting ahead takes preference over having fun.”

expoEquipped with a good game plan, a driven team, amazing support from suppliers and customers; Elvey Security Technologies has once again succeeded in promoting customer centricity by bringing quality solutions personally to customers. Set on a backdrop of some of South Africa’s most spectacular sporting stadiums; this year’s Expo kicked off in Port Elizabeth at the Nelson Mandela Bay stadium, and the finale was held at the FNB Stadium in Johannesburg.

“We believe in providing the market with the most convenient ways of accessing the latest and best in electronic security solutions,” says Jack Edery, CEO of Elvey. “We have over 20 branches throughout sub-Saharan Africa that not only serve as our key distribution network in bringing our product offering to our customers, but also go the extra mile in providing premium service.”</h4

The Expo created a valuable learning and interactive experience for all involved. It provided a platform where Elvey could listen to customers’ needs and begin building tailored solutions for each unique request. Attendees had the opportunity of networking with highly knowledgeable sales staff and product specialists at information sessions that where held throughout the day.

 

New product launches

At this year’s Expo, Elvey launched a new in-house initiative called Blue Label. Blue Label is where Elvey offers additional services or product benefits to customers over and above current value added offerings. Wherever you see the Elvey Blue Label symbol you will find a commitment made to go above even their usual high standards of service and support. It’s a pledge that when you see the Elvey Blue Label symbol Elvey has gone above and beyond to deliver you peace of mind. Ultimately, that’s what the company strives for.

 

Intruder detection

Elvey welcomed RISCO to the intruder detection category late last year. 2015 was the brand’s début to the Elvey Expo experience. The RISCO Group are producers of high quality, reliable security products for every type of security installation. Their intrusion alarm systems cater for residential and commercial installations (eg financial institutions) including a full range of indoor and outdoor detectors. RISCO also offers a mobile application.

At this year’s Expo a Tyco company, ALARM.COM, displayed its new home automation capabilities using Z-Wave devices and easy to use APP to manage one’s security and home with full energy management functionality on the DSC Neo alarm panel range. The DSC Neo was on display. RDC showcased its new SMX Unit which demonstrated great programming flexibility and features. Nemtek introduced its new agricultural range and also its pet friendly (low voltage) energiser. Optex and Siemens also represented the Intruder category.

 

CCTV and IP surveillance

HeiTel joined Elvey for the first time at the 2015 Expo. This is a new brand that was added to Elvey’s CCTV range. HeiTel’s core competence is with the remote transmission and digital recording of CCTV systems.

VisionLine introduced its new NVR, video platform and great quality analogue camera range. Cathexis exhibited its improved Video Management System and integration opportunities. Dahua launched its new range of HDCVI cameras and visitors were highly impressed with the quality produced by this range.

Arecont Vision, whose cameras have in recent times been praised for the clarity of their video output in identifying a criminal in Texas, was also present at the Expo showcasing its range of high-end products with unique cameras that offer 180- and 360-degree views.

 

Access control

Elvey Security Technologies recently announced the addition of Suprema’s range of biometric security technology to the access control portfolio. Its extensive range of products include biometric access control systems (fingerprint and facial recognition), time and attendance devices.

AccessLine introduced the Gramma Switch at this year’s show. This device is intended for use on the Jewish Shabbath and festivals and has been approved by The Tzomet Institute and is endorsed by the Beth Din of Johannesburg.

Impro Technologies played an important role in assisting with registration at all the shows. It showcased its Portal System Controller with touch screen and Visitor Portal Module amongst other technologies.

 

Fire detection

Elvey welcomed Tyco’s FireClass for the first time. FireClass joined Elvey’s fire detection category in the latter part of 2014.

Elvey Security Technologies would like to take this opportunity to thank its customers, first time visitors, suppliers, the media and last but not least; its team for the support they have shown at the nationwide Elvey Expo.

Biometrics for access control has evolved over the past few years and new trends are currently emerging as customer demand continues for increased functionality and user friendliness.

“We have seen a number of important and relevant growth nodes that provide an improved user experience and that drive efficiency in organisations. Biometrics started with the introduction of fingerprint readers and the technology continues to grow in popularity, with thousands of end users demanding adding functionality to pure access control and as a time and attendance tool,” says John Powell, MD of Powell Tronics.

Powell says that fingerprint technology continues to develop and recently took an exponential leap into the arena of contactless user interface. This technology is finding great favour in the pharmaceutical, laboratories, mining, high-technology facilities and banking markets where non-tactile interfaces are preferred.

Morpho’s MorphoWave is a frictionless biometric access control solution that captures and matches four fingerprints with a single hand movement. This touchless technology easily copes with dry and wet fingers as well as instances where there are no latent prints.

“The beauty of this technology is that it allows users to continue moving when passing through access control points. This results in rapid processing of users, without compromising security levels.”

 

The MorphoAccess Sigma dual fingerprint and vein readers have an extremely interactive user interface and provide failsafe security. The tablet-like user interface provides touchscreen convenience, with fake finger and face detection as well as duress finger capabilities.

The Morpho 3D Face Reader provides extremely fast, hands-free access to sensitive and high-security areas. The technology is tolerant to both face angles and motion, making it ideal for uninterrupted access. The 3D Face Reader analyses the three-dimensional structure of the user’s face and achieves extremely accurate matching, with high throughput. Enhanced accuracy enables a low false acceptance rate and will not allow conventional 2D images to be used to ‘spoof’ the system.

MorphoSmart Finger VP is a multimodal device capable of capturing and processing finger vein and fingerprint biometric data at the same time which gives greatly improved accuracy with enhanced anti-spoofing capabilities.

In addition to these on-site technologies, Powell Tronics also promotes mobile access technology with its ATOM software.

There are three variants of the Atom software – a basic entry-level biometric template distribution system for Morpho readers known as ATOM Core; the ATOM Charged module, which has all the functionality of ATOM Core, plus a time and attendance element; and the ATOM Fusion module which has been developed to provide integration with Impro software suites as a full T&A module.

The ATOM is ideal for use on the MorphoTablet, a touchscreen device running on Android, with a 7-inch display and cellular, Wi-Fi and Bluetooth connectivity. The MorphoTablet has two biometric sensors – a high-definition camera and a fingerprint reader, for increased functionality.[/text_output][/vc_column][/vc_row]

[container][text_output]powell-tronicsPowell Tronics continues to evolve from its humble beginnings as simply a supplier of standard access control systems to a provider of advanced integrated security solutions. Leveraging its extensive access control experience along with successfully surpassing the ongoing demands of end users, the company strives to provide current and innovative bespoke access control solutions that maximise utilisation of access security, and provide improved return on investment and sustainable operations.

John Powell, MD of Powell Tronics, explains that

“the days of adopting a silver bullet approach to access control are gone and customised solutions are becoming the new standard.”

By working closely with its customers, Powell Tronics has applied innovative thinking to its problem solving methodology.

An energetic and youthfully staffed design department is responsible for developing software and hardware that is technologically on trend and works synergistically with best practice systems provided by the company’s local and international suppliers. Capitalising on the features and functionality of well-known brands is a primary goal for the team and has resulted in a number of pioneering solutions that are proving extremely popular in the market.

Powell says that solutions like PT-GUEST, that use mobile Wi-Fi devices to control visitor access, the company’s ATOM time & attendance software and its cashless vending solution, are just some of the products that are experiencing high levels of uptake by end users.

He adds that the company’s best-kept secret to date has been the development of its PT-AD software that integrates MS Active Directory with access control. The software PT-AD seamlessly bridges the gap between HR, IT and security by automating users’ physical access based on their network access. So when a new employee joins a company and a domain account is created for them, the HR information is automatically transferred to the access control system so all that is needed to complete the cycle is to allocate them a tag. When the employee leaves the company and their domain account is disabled, their physical access rights will be immediately revoked.

Powell Tronics is not only the premier southern African distributor of Synerion workforce management (WFM) products for enterprise-wide solutions, but has also developed its own budget-friendly web-based time and attendance system – ATOM – for Morpho biometric sites or fully integrated into Impro access control systems.

The company distributes leading brands from Golmar, Impro Technologies, Safran Morpho and Synerion, from four established centres in Johannesburg, Cape Town, Durban and Port Elizabeth. To assist customers with improved support, the company has implemented a strategic expansion programme that will provide a fully interactive experience with a boardroom and pre-sales meeting area where customers, consulting engineers and developers can discuss issues in a collaborative workshop environment.

Powell Tronics places emphasis on improving skills in the industry and underlined its loyalty to customers by building a fully equipped training centre in Rivonia, to complement its existing Cape Town facility. In order to provide exemplary service to all facets of the security systems sector, training on biometric identification, certified Impro training and visitor management is provided. All products supported by Powell Tronics, including IP technology, electric locks, mobile solutions, intercoms, biometric fingerprint readers, 3D facial recognition and RFID readers form part of the training programme.

The company’s stand at Securex was highly representative of its entire range of both renowned supplier brands as well as its own bespoke solutions. The response to its ability to readily integrate with other systems, its energy efficiency and ease of use of the Powell Tronics range was extremely positive.

Powell emphasises that the sustainability of Powell Tronics would not be possible with the absence of any one of the most crucial elements. These include what he deems an ‘awesome team’ of employees that are committed to the growth of the company and the unswerving support of its customers; the company’s loyalty to the brands it markets; and the continued support of its major suppliers. These symbiotic components will form the driving force behind the company’s goal to triple its exposure in Africa over the next 18 months.[/text_output][/container]

[image src=”2004″]
[text_output]

Impro Technologies has launched Visitor Portal

an online Web-based visitor management solution that streamlines the process of managing visitors to your facility.

Barry East, sales and marketing director for Impro Technologies explained that as Visitor Portal is an online solution, it can quickly and easily be deployed anywhere in the country.

“Our goal with this solution is to do away with the old paper-based system, which has proven to be unreliable and frequently inaccurate.”

 

Visitor Portal can be accessed through any Internet-enabled device, such as a smartphone, tablet or PC. “This means that the reception area can quickly capture accurate visitor information and, at the click of a button, you are able to immediately know who’s on your site.”

In addition to registering visitors as they arrive on-site, the system makes pre-registering visitors quick and easy. Once registered, the visitor receives an automated email and/or text message notification, along with their single use access code. The notification automatically integrates into the visitor’s calendar for enhanced convenience.

“The person undertaking the pre-authorisation should be an employee of the organisation, as this provides an additional level of authentication because the visitor is known to that person. This also ensures rapid traceability in the event of an onsite incident,” said East.

Although technologically advanced, the focus was on keeping the system simple with an intuitive interface to ensure that no technical expertise is necessary to use the product. Visitor Portal seamlessly integrates into Impro’s Access Portal. This enables users to set up pre-defined access profiles and rule sets. In addition, all actions are recorded in the database for complete audit ability and reporting.

[/text_output]
[container][text_output]impro-spainSouth African based Impro Technologies, pioneers in the access control sector for almost 30 years, recently announced a further expansion into Europe with the opening of a new office in Spain.

Barry East, marketing and sales director of Impro said that pleasing growth in the European market had resulted in further investment in the region. “We have a solid footing in a number of European markets and the opening of the new office will further entrench our position, especially in Spain and Portugal.

“Globally, access control is becoming a critical business consideration and our experience in South Africa stands us in good stead within international markets. We are able to bring world-class solutions that have proven themselves in arduous conditions. Couple this with the local office and on the ground support, and customers have the best-of-both-worlds.

“This is the base of our growth strategy and our new Spanish office embodies this perfectly. We have a solid team in Madrid that have decades of collective experience in the access control industry, as well as an extensive product range to meet their diverse market needs,” said East.

Impro Technologies currently exports to some 60 countries, spanning four continents. The group has offices in the USA, the Netherlands and South Africa, as well as a partner network across the globe to ensure the philosophy of global player, local partner is achieved.[/text_output][/container]

[container][text_output]416hss53April 2016, This Week’s Editor’s Pick, Access Control & Identity Management, Cyber Security, Integrated Solutions, IT infrastructure in security

By Andrew Seldon.
One of the crucial aspects of commercial security is visitor management. The security of any location with a constant flow of people is to no small degree dependent on the careful and effective control of visitors, contractors and anyone legitimately coming and going throughout the course of a day.

A crucial aspect of visitor management, however, is privacy. In the past, companies paid scant attention to privacy and details collected from visitors, even details as sensitive as identity numbers, were handled carelessly. Today, privacy is becoming an important issue globally, and the introduction of the POPI Act, when it is eventually enforced, will have significant implications as to the collection, use and disposal of such information.

Hi-Tech Security Solutions approached a number of experts in the field of visitor management and asked them for some insight into the topic, especially as far as privacy is concerned. Our interviewees were:

• Mark Paynter from Ideco,

• Gary Chalmers from iPulse, and

• Barry East from Impro Technologies.

Hi-Tech Security Solutions: Privacy is a major issue today. Many visitor management solutions read very personal information, such as ID numbers from drivers’ licences and collect phone numbers and so forth. Is all this information really necessary for access to a location? Why do they require this information and what do they do with it?
Mark Paynter.
Mark Paynter: There are two crucial considerations to the above. Firstly, occupational health and safety legislation and the physical security and risk exposure of an organisation, and secondly the protection and risk exposure of visitors’ and organisations’ personal information.

Physical security and fraud: One of the biggest operational challenges faced by organisations in South Africa these days is physical security and fraud. Statistics show that incidents of armed robberies, intrusions and related occurrences continue to follow an upward trajectory. Commercial fraud also follows an upward trend year on year. This is forecast to increase with the current economic downturn. It is therefore vital that organisations mitigate and minimise their physical security and fraud risk exposure by implementing the latest solutions and proven best-of-breed crime prevention systems.

All crimes start somewhere, and generally a crime begins with someone giving out sensitive operational information and with a syndicate ‘scouting’ the target organisation via contractors, security guards, casual vendors or company staff. Having a crime syndicate associate or scout on your premises is comparative to having a Trojan Horse virus in your company’s ICT system. It is dangerous, malicious, unwanted and often difficult to detect. By implementing a system which accurately records and verifies the visitors’ personal details and information, an organisation’s exposure and risk is drastically reduced and criminals opt to rather focus on a more vulnerable target, where their fingerprints and ID numbers are not recorded or verified.

Occupational health and safety: The OHS Act states that organisations “shall keep a register of the entries and exits contemplated in sub-regulation (1) and that register shall be available for inspection by an inspector.

“Whenever in any legal proceedings in terms of this Act it is proved that any person was present on or in any premises, that person shall, unless the contrary is proved, be presumed to be an employee.”

So in terms of OHSA, an accurate visitors’ register is a legal requirement. Dependent on the environment, an organisation may be required by law to record and store all visitor information for up to 20 years.

Protection of personal information: The recent implementation of the POPI Act makes it imperative for visitors to record, manage, process and store visitor information in a responsible and compliant manner. In my opinion, this is a good thing. I would far rather allow my personal details to be recorded and managed by a POPI compliant system than by a redundant visitor register where my sensitive information is susceptible to fraud, manipulation and misuse.
Gary Chalmers.
Gary Chalmers: Most of the visitor systems in place today are outdated and stemmed from a safety requirement to know who was in your building, specifically in case of a fire or other emergency. However, in practice, the system most often translates to a ‘visitor logbook’, with information clearly visible to everyone, and in which most people submit inaccurate information at best. To add insult to injury, the completion of these log books is normally followed by someone manually opening a gate on the visitor’s behalf, thus losing any tracking information.

Since the introduction of the POPI Act, these visitor books are actually in contravention of a person’s right to privacy, and are not in any way compliant with the Act. While the information being collected is often valid in terms of security and the right of the building owner or tenant to have access to information about people who visit their sites, the manner in which it is collected is no longer legal, nor does it actually fulfil the ultimate requirements of increasing security and providing information about visitors.
Barry East.
Barry East: There is always a balancing act between security and convenience. The more security that is needed or wanted, the less convenience there will be for the visitor as more information will be collected to verify their identity. This information is also used in the event of a problem in order to contact and, if necessary, prosecute the offender.

Hi-Tech Security Solutions: When collecting this information, what privacy issues should organisations take into account? What problems do they expose themselves to if this data is lost or stolen? Can they protect themselves by outsourcing to a guarding company and letting them be accountable?

Mark Paynter: To collect and manage visitors’ information in a non-POPI compliant manner is not only illegal, but is also irresponsible and inefficient. The POPI Act carries penalties and even possible imprisonment for non-compliance. This is, in effect, a progressive legislative move, as it forces organisations to manage people sensitive personal information in a responsible manner.

Traditional paper-based systems are widely abused and are generally not trusted by visitors. Industry studies have shown that more than 75% of the time the information recorded is illegible, inaccurate or incomplete. Apart from this presenting a compliance risk to organisations, it is also a security and fraud risk, because criminals know that they can gain access to an organisation’s premises without their details being accurately recorded.

In terms of the POPI Act, an organisation must be able to prove consent by the visitor to store his/her personal information. This can be achieved via electronic biometric signature or digital signature pad, or may also be done via manual paper-based signature. The obvious challenge with a manual paper-based consent is that the consent documentation then also needs to follow a POPI compliant process, which in effect would defeat the objective of digitising the process. VM systems which claim POPI compliancy, yet have no proof of visitor consent, are in effect fraudulently misleading consumers.

In terms of OHS legislation, organisations are required to store visitor information for up to 20 years. This however needs to be done in a POPI compliant manner. Organisations need to properly understand the critical importance of this responsibility and the onus which they are then placed under to operate VM systems which are compliant. To ensure correct and compliant VM processes is, in my opinion, a very specialised and detailed process.

An organisation is ultimately responsible for compliance with POPI legislation, however, by outsourcing the process to a specialist service provider or security company, some of the risk and responsibility would naturally be mitigated. It is imperative to ensure that the company appointed to manage the VM process has a proven track record and that their system and process has been audited and approved by POPI experts.

Legislation around POPI is specific and comprehensive. There are many service providers and companies which claim (even in marketing) that their VM system is POPI-complaint when in fact a basic overview of the system shows one or more non-compliance issues. This is misleading for end-users and is false advertising. An example is a VM system which claims compliancy, yet has no record of the visitor’s consent for their information to be recorded and stored.

Gary Chalmers: As per the above, the POPI Act is very clear on the collection, usage, storage and disposal of information, amongst other items. Unless companies carefully and clearly stipulate their policies around all of these aspects of the data collection, storage and disposal, they are at risk, regardless of who is collecting the data on their behalf, and can be held personally liable (in the case of directors and officers of the company).

Barry East: All sites should ensure they have the correct legal counsel depending on the usage and storage facilities used, to ensure they adhere to the relevant legislation. Further, each site has unique requirements/elements which need to be taken into account and a solution tailored to those needs, while remaining mindful of the legal obligation to ensure data security, regardless of whether an on-premise or cloud-based solution is chosen. This is no different to the situation with employee data or contractor data that is also collected in the normal course of business – the same rules apply.

Hi-Tech Security Solutions: How can technology help in protecting privacy in the visitor management space? What proven solutions are available?

Mark Paynter: The POPI Act is regarded by privacy experts to be both progressive and also aligned with best global practices for protection of personal information. In my opinion, this is a pocket of excellence for a very troubled South Africa. By digitising the VM process, full compliancy is not only possible, but is already commercially available as a standard offering via the EVIM platform.

A VM service provider should be both knowledgeable and in compliance with personal information protection laws. Some visitor management systems take photos of visitors at time of check-in. If the photo is retained, it must be stored in a secured and protected environment. Hosting solutions and platforms should regularly be audited for compliancy and penetration tested for exposure and hacking. EVIM protects and secures visitor data not only in compliance with personal information protection laws but also in compliance with OHS act legislation.

The EVIM solution conducts a real-time ‘live’ check of a visitor’s identity against a national database. This live ID check is not done against the DHA database as is often incorrectly claimed. This Live ID verification drastically reduces an organisations exposure to crime and fraud, and organisations which implement the EVIM Live ID checking solution have to date all reported a 0% crime rate since implementation.

Gary Chalmers: iPulse provides a visitor management system called VisitorIQ, which when combined with our hosted database, BIOVAULT, provides a completely POPI-compliant solution for companies wanting to track visitors coming into or going off the premises. Used in conjunction with devices like our eSkan 250, vehicle registration discs and driver’s licences can be read to provide additional information about both individuals and vehicles entering and leaving the premises.

This differs from the current paper-based systems in two critical areas:

1. The information collected in this manner is accurate, up-to-date and reliable.

2. The data can be searched, tracked, used and disposed of in a measurable, audited manner.

Barry East: There are a myriad of different solutions available in the IT world, as on-premise or in-cloud security is not unique to visitor management, or even access control. The protection of personal information, whether that is business documentation, IP or personal credentials, all face the same risk in this day and age; and the extent to which you can protect the data is tightly linked to the budget you’re willing to allocate to that risk.

Hi-Tech Security Solutions: How will the current state of visitor management change when POPI is in effect?

Mark Paynter: In theory, organisations should be ensuring POPI compliancy already, because although the act is not yet being policed or enforced, it is already signed into legislation and is operative. I envisage that all manual and paper-based VM processes as well as non-compliant digital VM processes will be viewed as illegal and irresponsible in the not too distant future.

Gary Chalmers: This has been dealt with above. I believe that currently an estimated 95% of all businesses and property owners are in contravention of the POPI Act with their current visitor books and manual systems. Over the next few years this is ultimately going to become a major issue – especially once an example or two has been made, something I believe is coming shortly.

Barry East: Whether your site is on-premise on a traditional server, or on a VM server, or in the cloud in a hosted VM environment, the requirements to meet the POPI Act will be the same – there is no different rule for different technologies.

However, certain hosted environments have the option of additional security and protection as part of their extended offering, which go a long way to addressing the POPI need. A good example of this would be Microsoft’s Azure environment, cloud-based servers that provide guaranteed up time, data encryption and enhanced protection against such threats as hacking.

Hi-Tech Security Solutions: If you were to advise on a new visitor management project, what are the top three pieces of advice you would offer to the customer to ensure the final solution is effective, reliable, legal and safe for users?

Mark Paynter: Data security – does the VM service provider conduct independent annual third-party audits for data security and POPI compliance, and is regular penetration and breech testing conducted on their hosting servers? In this day and age, every service provider should be required to prove that they are handling data responsibly and securely and that they have completed an annual audit stating that they adhere to industry standards for data security and privacy. For SaaS (Software as a Service) VM service providers, have they passed a penetration test in the past 12 months? Do they have third-parties regularly perform penetration tests?

Live ID screening – does the VM system conduct a live compliant ID check? If it doesn’t then any fraudulent and fake details or ID credentials will go unchallenged making the system a toothless watchdog.

Watch lists/do not admit listing – does the visitor management system have a global ‘watch list’ or ‘do not admit’ list for all locations within an enterprise corporation or all companies in a multi-tenant environment, and is the service provider able to integrate with law enforcement and intelligence watch lists to ensure that high risk visitors and vehicles are flagged? Organisations with multiple locations and facilities down the road or in another province, need to be able to update and share a barred visitors list, in real time. Some visitor management solutions integrate with corporate HR networks to ensure that ex-employees, disgruntled ex-customers, and those that should otherwise be barred from your building are denied access.

Gary Chalmers: In general, the three key things to look for in any VM project would be as follows:

• A clearly defined collection methodology that ensures that you get clear and accurate data which is usable in the case of an event such as a fire or theft occurring.

• A clearly defined methodology for storing, retrieving, displaying and disposing of the data stored in the system that meets the requirements laid down by POPI.

• A system that meets the above criteria, but is convenient and not too overwhelming for first time, and especially returning visitors or contractors.

Barry East: My first question would be, do you have the in-house IT expertise to design, deploy, configure and manage a VM environment, whether on-premise or in the cloud? This is a crucial question as IT expertise is a must. Depending on the answer, it would dictate whether this function is undertaken in-house or outsourced.

The next focus would be on whether your stored data is critical to your operation, and if you’re able to comply with ISO 27001 standards. And finally that there should be an annual IT audit to ensure ongoing compliance, with a full risk assessment to ensure you meet changing circumstances.

In closing, data security is primarily an internal IT function. If the design and deployment of the IT infrastructure, whether on-premise or in the cloud, has not been carefully considered, loopholes well outside the control of the system vendor can exist and expose the end user to potential threats or legal complications. As more IP devices are added to the network, so the need to ensure the necessary level of IT competence and expertise increases. This trend will only grow as the technologies advance; what we see today in the business environment will be the future of home environments with elements such as the Internet of Things and IPV6 devices.[/text_output][/container]

[container][text_output]effective-visitor-managementBy Allyson Koekhoven.
Most people have encountered the dog-eared visitor logbook when visiting either a business or residential estate. Their role as a so-called security tool is however rapidly slipping into obscurity as estate managers realise that they are, for the greater part, totally dysfunctional and highly inaccurate. The advent of electronic visitor management systems provides a most welcome and noteworthy alternative to the archaic paper-driven system.

Added to the fact that the traditional visitor log book does not allow rapid look-up of visitor details, other issues have cemented its imminent demise. These include the fact that any information contained therein can be conveyed to potential criminals or covert marketing agencies when the book is purposely handed over, or it is lost or stolen.

Mark Paynter, Ideco business solutions executive, adds that on all the estates that have implemented the company’s EVIM biometric readers, there have been reports of zero crime. This he says is due to the fact that it is the only device on the market that offers the four-in-one solution of live ID checking, mobile management via a cellphone app, pre booking via web portal, as well as biometric fingerprint capture. The company runs a central EVIM database that provides flagging of suspicious number plates around the country which is available to select partners.
According to Barry East, sales and marketing director at Impro, the primary objective of a visitor management system is to add enhanced security to the estate in identified risk areas. He says that visitors represent a variable because of the level of potential crime they can perpetrate.

Estates therefore need to be able to establish the validity of the information being submitted by the visitor and be able to trace the visitor when they are on site and after they leave the estate. It stands to reason that the more credible the information that is collected, the greater the possibility that estate management will be able to track the visitor.

Impro’s Access Portal system provides a variety of plug-in visitor management solutions, including third-party visitor management products and biometric devices, to tailor-make solutions for residential estates.

Free movement and security

John Powell, MD of Powell Tronics, believes that a good visitor management system will effectively bridge the gap between efficiently improving the movement of visitors in and out of premises, and providing a heightened security offering, as it verifies that the visitor is the person they claim to be. He adds that a visitor management system should be geared around improving the visitor experience, but at the same time offer the estate and its residents the peace of mind that security measures are in place to regulate visitor access and have the backup of valid information should an incident occur.

Powell Tronics has successfully implemented its standalone PT-SCAN and integrated PT-Guest products into numerous large established premier residential estates, newer residential communities with increasing occupancy, as well as on sites where the residential component of the site is a fairly new addition to the venture, for example wine, equestrian or golf course estates. These two visitor management solutions range from straightforward electronic capturing of visitor details to sophisticated solutions that incorporate advanced integration access control on sites.

Paynter says that a visitor management system must clearly indicate who is on the property, must provide an accessible list of visitors and, most importantly, must deter crime. Management should also be able to extrapolate accurate information after events and be able to readily refer back to the evidence log. In most instances, a visitor management system is geared around the security of the residents, rather than as a health and safety tool. Although it can be used to provide this function when estate events are taking place, such as wine tasting or concerts, the ability to conduct live (real-time) identity checks is critical.

Electronic visitor management solutions bring a host of benefits to residential estates. East says that not least amongst these is the fact that one no longer needs to comb through pages of scrawled, often inaccurate or falsified information. Instead, one is able to quickly access data in real time and all information is verified when scanning identity books, driver’s licences and vehicle registration plates.

Furthermore, electronic data can build a reliable timeline on the visitor’s record in terms of the frequency and nature of their visits. This information also provides the ability for it to be used in authorisation processes to determine whether a person is eligible to enter the estate. Since pre-registration can be performed prior to the visitor arriving on site, the validity of their registration and whether they are directly linked to a specific resident can be determined.

Overcoming challenges

Even with the best intentions and strictest guidelines, estates are often faced with unannounced visitors who have neglected to follow the correct pre-registration channels. Unannounced visitors are the most time consuming so estates are advised to speed up the access process using prearranged visitation. This implies that the visitor needs to undertake a pre-registration process using various methods that include online web (cloud) registration or by receiving an automatically generated PIN code via SMS which they enter on a terminal keypad when they reach the estate.

East recommends that estates automate the data collection process to populate the database. Some of this information can be linked to a third-party database that provides confirmation of their identity and adds credibility to the process. It is critical that estates should close the loop by confirming that the visitor is actually expected at the estate by a resident and is not arbitrarily visiting the estate. In addition, the system should be able to establish the visitor’s exact whereabouts on the estate to ensure that they are visiting the correct person.

In most cases, on sites on which Powell Tronics has implemented PT-Guest, using the P-Tron handheld verification devices, the security at the estate perimeter entrances can capture new visitor information and double up on the pre-authorised visitor authentication, by simply scanning their ID or driver’s licence and vehicle registration and inputting any other additional information required such as contractor company, telephone number, number of passengers and in-lane biometric enrolment.

Powell adds that estates are considered to be private property, so the right of admission can be reserved by the facility. Estates and gated communities are advised to carefully evaluate their policy documents to ensure that there are no loopholes in this regard, with zero tolerance being the appropriate course of action.

One way to avoid any confrontation or issues in this regard is to ensure that on the pre-registration form or confirmation email/SMS, a clause is added that stipulates that the presentation of identity documents and driver’s licences is mandatory.

After-hours emergencies are another exception to the rule which need to be handled with discretion and subtlety. In general, residents should inform the estate security that an emergency vehicle will be arriving to attend to their particular emergency. However, East says that it is always good practice to verify the identity of the emergency vehicle driver to ensure that they are not criminals in disguise.

Technology to the fore

A number of products are available to streamline the process of registering visitors, with Internet based pre-registration being the most popular. Residents and visitors who are concerned about the protection of their information can rest assured that the encrypted access code provides complete information security.

The information gathered remotely is then downloaded to an on-site system which means that when the visitor arrives at the estate their information is already in the database and a simple verification process is all that is required, using their ID book and driver’s licence. This will drastically reduce on-site visitor registration times.

Powell says that in instances where a visitor regularly visits the estate or will be spending an extended period of time, they can be enrolled as a long stay visitor on the access control to further speed up the entry process as in this way they will not be required to register as a visitor every time they arrive on site. As per the physical registration process with identity documents, the data will be captured on to the estate’s database.

Biometric enrolment has in fact grown in leaps and bounds as an access control tool on residential estates. However, it is advisable to offer two cautionary notes here. Firstly, a valid identity document should always be used to verify the biometric element. Secondly, estates do need to factor in the initial time required to biometrically enrol a visitor. Paynter points out that the EVIM system supplied by the company records fingerprint as a digital signature and therefore can provide live identity authentication, coupled with other forms of identification.[/text_output][/container]

[container][text_output]tailor-made-access-control

One of the greatest challenges facing estates today is

“ensuring a balance between increased security and minimum inconvenience.”

This philosophy resides as the heart of Impro’s Estate Portal solutions.The modern estate management solution needs to quickly provide a picture of who is in the estate and their inter-relationships, for example the residents and their vehicles, or residents and their domestic employees, or visitors. Add to this contractors, estate employees and visitors for events or sporting activities, and the picture can quickly become blurred.

Estate Portal’s detailed approach to creating profiles, and the linking of these profiles, allows a single system to deliver an holistic estate management framework that quickly gives the information required. For example, a domestic worker can be linked to a specific resident in the estate, and access rights given for certain times and days. At the click of a button, this information can be quickly accessed, for example to produce a list of all domestic workers on site, or all people associated with a particular property.

[/text_output][/container]
[container][text_output]

visitor-and-contractor-managementA key concern on any estate is the granting of access to unknown people, whether they are visitors, contractors or a resident’s employee. This is further complicated by the need to validate the information they provide –

simply because a person says they work for a particular resident, does not automatically mean it’s true.

This understanding is the cornerstone of Impro’s visitor and contractor management module, which seamlessly integrates into the Access Portal access control platform. In order to validate the information given, Access Portal performs a check of the visitor’s credentials from a known source, such as the resident or homeowners’ association. Through a cloudbased pre-authorisation module, residents are able to pre-enrol expected visitors and/or contractors through a standard web browser or a smartphone app.

The system is further enhanced as information can be accessed in real time, or retrospectively, through specially tailored reports which show the relationship between the resident and visitors or contractors. A key feature includes the ability to quickly view the number of visitors or contractors on site, those that have left the site, are no-shows, or have overstayed their allotted time in the estate.

[/text_output][/container]
[container][text_output]cloud-workerHosting is in. In almost every market and industry around the world, companies and individuals have been persuaded to host many of their systems and applications with a service provider. The idea is that you no longer have to worry about technology, but simply use whatever you need as a service.
Accounting software is a good example of this. In the past, companies would have their own accounting software installed on site, probably on the accountant’s computer, from where the financial person or people would manage the business’s money.
Today these same accounting packages are not sold on a CD, but as a service. To use the software you log onto a site on the Internet and away you go.

“No updates are required, no hardware specifications, all you need is a web browser and faith that your service provider can protect your sensitive financial information.”

 

In the security world, things are going the same way. Hi-Tech Security Solutions has regular features on remote monitoring and hosted services. Many companies out there are looking to rent you a surveillance solution (or any number of other solutions) for a monthly fee. In return, they promise to look after the hardware and make sure it’s working, while often also providing monitoring services.
The benefits they offer are impressive. You don’t have to lay out a large chunk of cash or get a loan to pay for the solution as you rent it month to month. All the additional costs one often forgets, like maintenance and repairs are included so there are no surprises. And you get tax breaks.

What’s not to like?
When discussing hosted solutions, the question of privacy often comes up. Who has access to your data or to your video feeds etc.? To get under the hood of a hosted solution from a local company, Hi-Tech Security Solutions asked Barry East, sales & marketing director of Impro Technologies for some insights into the company’s solution.
Impro has a long history in the South African market and manufactures locally as well. So, what is it doing in terms of hosting and how have clients reacted to the option of paying for a service?
East explains that Impro’s access control software, Access Portal, is available as a single site installation in the cloud. The traditional access hardware, such as the door controllers and readers are still installed on site naturally, however the operator and management software is hosted in the cloud.
It is also where one enrols personnel, such as employees, into the system. All configuration changes and tag holder details are downloaded to the hardware on the site as and when they happen. The hardware then requires no real-time interaction with the server to operate 100% as configured – a critical factor in an environment where connectivity may not be reliable.
“This software is at the heart of the access control solution, East says. “This is where the rules for access are created, or where operators are able to view live actions on the site. Authorised personnel at the client’s business can access reports from the site as well.”
Where there are bandwidth issues, Impro’s solution can also make use of high-speed GSM connectivity. “Through the continued investment and drive of the GSM sector, it has had a strong ripple effect onto other industries such as ours because we are able to use GSM as a backup solution for our cloud services.
“For example, a customer may have a fixed line connection, however, we’ll install a dual SIM GSM backup system so that if their fixed line should fail, they’re still able to access their system 24/7. In addition, Impro’s hardware has been designed so it’s not reliant on a live connection to the server, allowing it to operate in environments with intermittent connectivity.”

Different, but the same
While the service provided may carry the ‘hosted’ tag, the result isn’t really any different to a traditional onsite solution. East says that the service is the same as the traditional onsite solution in that customers receive the same functions and features. The benefits, however, are that the client doesn’t require a full IT infrastructure, servers and the associated skills to maintain and manage that infrastructure.
“In addition, the service can be rapidly expanded even if there is no fixed line infrastructure in place – often a challenge in more remote locations, or when going into certain African locations,” he notes.
When it comes to security, East says the threat to security data is the same as it would be for any Internet connected server – whether in the cloud or on premise. The key is to ensure the correct measures are taken to mitigate and prevent any illegal breach. This is where a cloud or hosted solution may be a better option for some customers, as they are able to pass that responsibility onto their service provider.
“At Impro, we take the security of data very seriously. To this end, we use high security servers within the Microsoft fold, which provides customers with guaranteed server uptime. These are also coupled with a service level agreement, so in the instance of a problem, customers are assured of resolution within an agreed framework.
“Further to this, we use industry-leading security frameworks for the database. To further enhance the data protection, client connectivity to the cloud server is through HTTPS with security certificates.”

Some like it, some don’t
East has found that the market is split over the utility or desirability of a hosted solution. He says the market segment is quite specific. At the entry level, companies enjoy the convenience of a hosted cloud solution, however, at medium to large sites they still prefer on-premise solutions.
This is slowly changing as the world evolves with more products going into the cloud. For example, Microsoft Office 365, a cloud based office software suite; or there’s Salesforce.com which is a cloud CRM system.
“Big global companies are adopting these technologies and so in the next two to five years I expect we’ll see a lot more large companies in South Africa doing the same as they become more accustomed to and trusting of cloud services.”
[/text_output][/container]

[text_output]biometrics-in-universities

Biometrics-based access control and authentication could help universities and colleges to improve on-premise security, while forming the foundation of more efficient student management systems.

This is according to Nicolas Garcia, Senior Manager at Morpho South Africa, who notes that security is a top priority at all international higher education institutions, but possibly more so in South Africa, where protest action, violence and arson (among other concerns) have posed risks to students’ safety and university property in recent months.On campuses around the country, protest action has caused extensive damage to a number of institutions. Minister of Higher Education and Training Dr Blade Nzimande said recently that 2015/16 protest action had cost universities at least R300 million in damage to property.

In addition, curbing the risk to students’ and staff safety meant institutions has to invest in additional security services. After student protests early this year, University of Johannesburg (UJ) vice-chancellor Ihron Rensburg said that some Gauteng higher education institutions had been forced to spend up to R2 million a month on additional security.

Garcia says:

“The biggest threat to tertiary intuitions today is controlling access to unknown individuals.”

To curb the risk of attacks and protests instigated by outsiders, institutions must know who accesses the campus, at what time, and event where they are and when they leave.
Linda Glieman, GM Client Services at Morpho partner company Impro Technologies, says: “The problem with traditional card access is that anyone carrying that card is able to enter the campus. Students lose their tags and often go for days without reporting it or needing to access the facility, which creates a security risk.

“Managing access effectively for the vast number of students is challenging, and the only way to ensure that the correct person enters the campus is via biometrics, because biometrics can’t be shared, lost or forgotten,” says Glieman.

Not only does biometrics allow for foolproof access control, it also presents opportunities for tertiary institutions to build on biometrics authentication systems for systems beyond security, such as payments and exam control.

Glieman says: “Exam entrance control is still in its infancy when it comes to biometric access, but educational institutions are starting to embark on implementing solutions to control access to these venues. The problem historically has been that these are not fixed venues and therefore installing hardware in the venue for exam purposes was not practical, speed of access is another barrier to adopting a controlled solution. However, with the introduction of mobile biometrics in the form of mobile readers and tablets this can now become a reality.”

However, to deliver value and effectively secure campuses, the biometrics systems in use must be world class, she notes.
“When selecting a biometric product, one needs to select a supplier that has a number years of experience and offers reliable accurate results. Using a lower grade supplier presents a risk to your entire security system. The access control system behind the biometric solution also requires some very unique features to facilitate fast and accurate enrolment and control. Integration with the university student management systems is a critical factor to ensure success in managing who has access to the facility,” she advises.

[/text_output]
Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.

Not readable? Change text. captcha txt
0