Access control in the Asia-Pacific 2017 Legacy infrastructure, innovation and the Internet of Things

Posted by | Uncategorized | 0 |

Access control in the Asia-Pacific 2017
Legacy infrastructure, innovation and the Internet of Things

Sponsored by HID Global (APAC)

About HID Global Access Control
HID Global is the trusted source for innovative products, services, solutions and know-how related to the creation, management and use of secure identities for millions of end-users around the world. The company’s served markets include physical and logical access control, including strong authentication and credential management; card printing and personalisation; visitor management systems; highly secure government and citizen ID; and identification RFID technologies used in animal ID and industry and logistics applications.

The company’s primary brands include ActivID®, EasyLobby®, FARGO®, IdenTrust®, LaserCard®, Lumidigm®, Quantum Secure, and HID®. Headquartered in Austin, Texas HID Global has more than 2,700 employees worldwide and operates international offices supporting more than 100 countries. HID Global® is an ASSA ABLOY Group brand. For more information, visit the HID Global website (

3. Introduction
4. And key findings

5. Installed systems
6. satisfaction levels over existing deployments

7. Demand for new features

8. The mobile-access landscape
9. Challenges and barriers
11. Key drivers: moving beyond physical access control
11. User experience
11. Multi-factor authentication
12. Combined physical and logical access control
13. Mobile innovation

14. Decision-makers

15. About survey respondents

15. Conclusion (courtesy of Frost & Sullivan)

IFSEC Global surveyed hundreds of security professionals to gauge the capabilities of access-control infrastructure across the Asia-Pacific and demand for the latest generation of technologies. Sponsored by HID Global (APAC), Access control in the Asia-Pacific 2017: Legacy Infrastructure, Innovation and the Internet of Things.

Survey respondents – in a variety of sectors – answered questions on a wide range of topics, including, among others:

Installed systems
• The prevalence of various card-based technologies
• The technical capabilities of installed, operational systems
• Satisfaction levels with current systems

Demand for upgrades
• Intentions to deploy additional features
• Who decision-makers are when it comes to procurement

The emergence of IoT (Internet of Things) driven innovations means that any analysis of the access control market in 2017 is incomplete with a major focus on mobile access and applications like indoor-positioning services and security guard tour applications. To this end, we polled respondents on the following IOT-related areas:

• Prevalence of mobile access deployment
• Prevalence of deployment of other applications harnessing mobile devices
• Barriers to adoption of mobile access
• Demand for next-generation IoT and cloud-based innovation

The mobile phone is without doubt one of the most disruptive forces of the digital age. From the feature phone, through to smartphone, the pace of evolution in mobile has been matched only by our reliance on the technology.

In 2007, Farpoint analyst Craig Mathias predicted that by 2008 company-issued devices would become the de facto standard in corporate communications. “The purchasing of personal mobile communications technology will move away from the individual and into enterprise IT,” he wrote.

Mathias’ predictions couldn’t have been further from the truth. Mobile devices have proven themselves to be the bridge between the corporate and consumer worlds. Employees have become so enamored with their personal devices that organisations have had little choice but to incorporate them into their IT strategy.

This paradigm shift in corporate culture has not been without its challenges. IT departments have been forced to adapt their device management policies, balancing the demands of employees with the requirements of the business.

However, with the substantial challenges have come great rewards. Driven primarily by the consumer market, the avalanche of innovation in the mobile sector has trickled up to the enterprise.

At the same time, great strides are being made in intelligent building design. From CCTV and lighting to HVAC and energy management, the IoT revolution is connecting systems that were previously run on proprietary technology stacks.

It was only a matter of time before these two technological tsunamis found themselves converging. The concept of mobile access is not a new one. For nearly 20 years, mobile-access technologies have been trialed in one form or another. However, recent technological advancements, combined with the explosion in mobile usage, have made mobile access a legitimate challenger to traditional access control systems: cards, fobs and keypads. n

Key findings
• Respondents were most satisfied with the ease of use (53% were satisfied), total cost of ownership (39%) and price (35%) of their existing systems
• 57% of respondents either deploy mobile access or intend to do so within the next three years
• 57% of those who have deployed, or expect to deploy, mobile access say that mobile access has replaced, or would ultimately replace, their traditional card-based systems
• 52% of organisations use biometric systems
• Improving end-user experience and multi-factor authentication were seen as the two most important drivers for industry-wide deployment of mobile access control over the next three years

Installed systems
Respondents were asked which card-based technologies their business currently supports for physical access control. Nearly 60% reported that their organisations currently support card-based access control, and these are almost equally divided between low frequency and high frequency technologies. At almost 25% the next most commonly supported technology was contact chip cards.

The prevalence of card-based systems is consistent with earlier findings in the global strategic business report on card-based access control systems (EACS) from Global Industry Analysts (GIA). The GIA report states that the Asia-Pacific region has witnessed “increased adoption of security systems, particularly the tried-and-tested card-based access-control systems,” suggesting that the “price-sensitive nature of the market also makes card-based systems a preferred choice for access control in the region”.

Which card-based technologies does your organisation currently support for physical access control? (Check all that apply)

Satisfaction levels over existing deployments
Respondents were asked which features and benefits of their existing access-control system they were most satisfied with. ‘Ease of use’ was the most highly rated benefit, with 53% of those surveyed satisfied with the convenience and simplicity offered by existing systems.

This was followed by total cost of ownership (39%) and capital expenditure (35%).

Interestingly, the lowest satisfaction levels were registered in areas where mobile access platforms can excel. For example, only 24% of respondents were satisfied with their system’s capacity to support new applications with minimal investment. Ease of credential issuance and revocation was another pain point, registering 22%.

No longer limited to legacy, proprietary systems, users can now deploy multiple applications using the latest mobile credential technology based on an open architecture. Credential issuance and revocation becomes considerably easier to manage thanks to the ‘always connected’ nature of mobile devices.

Looking at satisfaction levels with existing deployments, it becomes apparent that, in order to gain traction, mobile-access developers must not only address security professionals’ bugbears with legacy systems, but at least match the high satisfaction
levels found around ease of use and total cost of investment – after all, few things are more important to the end user. Only then can mobile access truly be considered a mainstream solution.

In which of these respects are you satisfied with your current access- control system? (check all that apply)

Ease of use by employees 53%

Total cost of ownership 39%

Price (initial investment/cost) 35%
Ease of integration with existing access system 32%

Maintaining end-user privacy 30%

Interoperability with future technologies 27%
Supporting new applications with minimal investment 24%

Ease of credential issuance and revocation 22%
Ease of maintaining mobile IDs 21%
Credential form factor options (wearables like watches, wristbands) 11%

None of the above 4%
Demand for new features
Respondents were asked whether they already deployed, or would like to deploy, a number of access-control innovations. The most popular – unsurprisingly, given that even the very earliest electronic access control systems offered this feature – was ‘time and attendance’, which was already deployed by 62% of organisations. Just as
unsurprisingly, physical access control was widely deployed too (by 58%). Only 15% and 14% respectively neither used nor wanted to use these technologies.

‘Indoor positioning services’ (IPS) was the most sought-after feature (by 50%), partly because so few (14%) organisations implemented it. Strong demand for IPS – which locates objects or people inside a building using radio waves, magnetic fields, acoustic signals or other sensory information – also reflects the ubiquity, processing power and connectivity of the modern smartphone. “IPS can be as popular as outdoor navigation systems when consumers see benefits in either their time or pocketbook,” predicts Leslie Presutti, senior director of product management at Qualcomm. IPS does offer a clear and compelling benefit during emergency evacuations.

License-plate registration and closed-loop payments – whereby consumers can pre-load funds onto a spending account associated with their access card or smartphone – were similarly deployed rarely but highly sought after.

It’s also noteworthy that some form of biometrics were installed in just over half of organisations polled (52%) – quite a breakthrough when as recently as 2014, Brian Parker, CIO at payments provider Cuscal, said that while “fingerprint technology has been around for a while [and] it’s getting better, […] the error rate is still relatively high […] The quality is probably enough for you identify yourself to a phone – but would you trust it as your primary identification mechanism when you don’t know the extent of how your fingerprint is being validated by a third party?” Meanwhile, in May 2016
Google declared plans to get rid of passwords altogether in favour of multiple biometric indicators by the end of the year.

Have you deployed, or would you like to deploy, the following features in your access-control system?

Answer Options Already deployed Would like to deploy Not interested
Time and attendance 62% 24% 14%
Physical access control 58% 29% 13%
Biometrics (fingerprint/facial recognition, etc) 52% 32% 16%
Identification (photo ID badge) 49% 37% 14%
Visitor management 44% 37% 19%
Parking/gate control 34% 37% 29%
Security guard tour applications 32% 41% 27%
Logical access (secure computer/network login/access to cloud/web resource) 27% 48% 25%
Print management/print on demand 26% 37% 37%
Licence plate registration 20% 40% 40%
Indoor positioning services (IPS) 14% 50% 26%
Closed loop payment (vending, cafeteria, public transport, etc) 13% 44% 43%

The mobile-access landscape
“It is long past the time to leave outdated PACS architecture behind and move to next- generation PACS architecture. Not only is it technologically feasible, it is an indisputable requirement for fulfilling asset protection responsibilities in a world of advancing technology, persistent threats and evolving threat vectors.” Ray Bernard, security consultant

Mobile access has already made inroads into the access control sector, though the survey results suggest credentials residing on smartphones won’t become ubiquitous in a sector that is “inherently slow to adopt new technologies” (Blake Kozak, IHS) any
time soon. Of the hundreds of security professionals surveyed, nearly one in three (32%) said that not only did their system not support mobile access but they had no plans to deploy the technology either. At the other end of the spectrum, 50% said they already deployed mobile access or had systems that supported mobile access (and they had firm intentions of deploying within the next 18 months).

Taken as a whole, 59% of respondents either have deployed mobile access or intend to do so, whether in the next few months or 1-3 years. So while a big chunk of the market still hasn’t been persuaded of the technology’s merits (at least in terms of meeting their particular needs), it is likely that a majority of organisations will use mobile access to some extent three years from now.

Does your access-control system support mobile access and has it been deployed yet?

Also encouragingly for developers of mobile access platforms, 67% of those surveyed said their existing systems had the capacity to deploy mobile access. Combined with the fact that 75% have not yet deployed mobile access platforms, this means the scope for growth in this area is considerable.

Offered the chance to comment further, one security professional said that mobile access has to be driven at global level to implement in our location.” For another respondent “the user experience and convenience is definitely the driver: instead of sending staff out to lock/unlock doors it can just be done remotely.”

Of those who have deployed or would like to deploy mobile access, a majority (59%) said that mobile access has replaced, or would ultimately replace, their traditional card- based systems, with 16% indicating that the transition was, or would be, immediate; 41% said the changeover would be gradual.

Nevertheless, it is rather premature to consign the traditional access card to a museum.
Perhaps mindful of mobile phones’ notoriously short-lived battery power, 43% had no intention of fully replacing access cards with mobile access. A breakthrough in smartphone battery technology could really drive a shift in attitudes, however.

Even biometrics doesn’t necessarily spell the end for the conventional plastic access card. On the contrary, the two technologies have even merged. Zwipe AS, a Norwegian biometrics specialist whose products integrate with HID Global systems, developed a contactless smart card credential with on-card fingerprint reading.

Challenges and barriers
Of the respondents that had, thus far, chosen not to deploy mobile access, security was seen as the number one barrier to adoption. For many organisations, the default assumption is that greater convenience invariably comes at the expense of security.

Do you see mobile access as a replacement for, or a complement to, your existing card-based access control system?

But there is a strong case to be made for mobile access actually being more secure than its traditional counterparts. For a start, mobile-access systems can take advantage of the native security features built into smartphones. Anyone attempting to gain
unauthorised access to a building through this vector would first have to circumnavigate built-in security features, such as passwords, PINs and face or fingerprint recognition.
Smartphones also have the added advantage of being almost permanently ‘connected’. Administrators can access digital keys and revoke mobile identities across the network at any time. If a device is lost, administrators can shut down access capabilities in an instant.

However, security is only one barrier standing in the way of widespread deployment of mobile access technologies. “Mobile access is more expensive than physical card,” wrote one survey respondent. It’s “very hard to justify with management. Maybe a couple of years later.” Another of those who completed the survey intimated that they saw mobile access as a luxury investment: “Functions provided through mobile platforms are not
a ‘must’ for operations.” A quarter (25%) of respondents cited budget constraints as the primary reason they were not considering mobile-access solutions, while around the same proportion (24%) admitted to being unfamiliar with the technology. The data suggests there is still much to do in terms of educating prospective customers and better communicating the benefits of mobile access.
What is the most important reason why your organisation does not plan to deploy mobile access?

Security issues – we do not trust that mobile access will be secure enough 29%
Budget constraints. Cannot justify on cost grounds 25%

Not familiar with the technology 24%
Not familiar with developers – we don’t know how, or from whom, to get mobile access 14%

Other 8%

Key drivers: moving beyond physical access control
One of the key benefits of mobile-access technology is its ability to leverage devices’ native capabilities in order to provide auxiliary services and solutions.

It was apparent from some survey responses that many security professionals were looking beyond traditional physical access functionalities. Offered the chance to suggest other mobile-access applications they had deployed or would consider deploying, one respondent mentioned using it for email systems, while another cited a “document security” application as a “sensor-based, cost-saving solution”.

Respondents were also asked what they thought the single most important driver would be for industry-wide deployment of mobile access control over the next three years.

User experience
Edging out multi-factor authentication, an ‘improving, increasingly convenient end- user experience’ was top of the list when it came to key drivers, chosen by one in three (33%) respondents. The industry clearly needs to get the user experience right if the technology is to become truly ubiquitous. Rather than an over-engineered alternative to tried-and-tested credentials, mobile access must be both intuitive and convenient for the end users.

Multi-factor authentication
Nearly one in three (32%) of those polled said that multi-factor authentication and the increased security that it brings would be the key driver over the coming years. Multi-factor authentication combines any two or more of the following methods to authenticate a user: something you have (a trusted device, such as card or mobile); something you know (typically a password); and something you are (biometrics).

Often seen as cutting-edge tech and highly sophisticated, biometric systems have actually been used for access-control applications since the mid-70s. However, early installations were typically very expensive and therefore reserved for high-security environments, such as military or government applications. In recent years, the plummeting cost of sensors, combined with advances in microprocessors and advanced imaging, has made facial, iris, retina and fingerprint recognition systems a much more accessible technology. But even now, most organisations still eschew biometrics on account of the relatively high costs involved.

Which mobile-access applications have you deployed or would you be interested in deploying (check all that apply)

Biometrics (eg fingerprint, facial recognition) 50%
Time and attendance 46%
Visitor management 42%
Physical access control 39%
Identification (photo ID badge) 33%
Parking/gate control 28%
Logical access (secure computer/network login, access to cloud and web resource) 22%
Security guard tour applications 22%
Licence plate registration 20%
Indoor positioning services (IPS) 9%
Print management/print on demand 9%
Closed loop payment (eg vending, cafeteria, other payments, public transportation 8%
None of the above 5%
Other 2%

Mobile access technologies have the potential to accelerate innovation and adoption both of biometrics and multi-factor authentication. A growing number of high-end, and even mid-range, smart devices now include biometric technologies. Face Unlock, for example, was first introduced on Android Ice Cream Sandwich, and later refined with the inclusion of a feature called Trusted Face.

Meanwhile, Apple has successfully rolled out a fingerprint authentication technology known as Touch ID on all its most recent smartphones and tablets.

While neither of these technologies are infallible (indeed, Chinese mobile security firm Vkansee fooled Apple’s Touch ID with a mould made from play doh at the Mobile World Congress in February 2016), they have the potential to make biometrics a much more pervasive technology in the physical access control arena.

As previously mentioned, mobile access technologies can enhance rather than compromise security. Attaining ubiquity depends on the collaborative effort of vendors, developers and administrators to properly harness these security capabilities.

Combined physical and logical access control
“Despite the extent to which physical and cyber security depend on each other, it’s surprising how often we learn during US-CCU security reviews that the people responsible for one fail to give a thought to the other.” Scott Borg, director of the US Cyber Consequences Unit.

Just over one in five (22%) respondents saw the convergence of physical and logical access onto a single platform as the most important driver for mobile access technologies.

Most organisations still treat their physical and cyber domains as separate entities. Historically, there has been no technical way of integrating the two domains, with each security department maintaining its own systems and identity databases. However, technologies have evolved, and it is now possible to fully manage physical and logical security from a single platform. The largest remaining barrier is organisational and cultural, rather than technical, in nature.

Mobile access can ease organisational friction, by making both physical and logical access as seamless as possible. It also has the potential to cut total cost of ownership for both physical and logical domains. For example, small and medium-sized organisations that can’t justify the expense of strong logical access, can build logical capabilities on top of existing physical systems and credentials, reducing costs through consolidation.

In your view, what will be the single most important driver for industry-wide deployment of mobile access control over the next three years?

How appealing would the following features be to your organisation?

Answer Options Very appealing Somewhat appealing Not appealing at all
Connect a mobile phone to a tablet or laptop for secure computer login/access to cloud applications/web services 52% 34% 14%
Connect an access card to smartphone or tablet for secure computer login/access to cloud applications/web services 48% 37% 15%
Automate management and tracking of physical/mechanical keys using smartphones 46% 38% 16%
Automated guard applications that streamline and track security guard applications to prove presence via smartphone 47% 33% 20%
Determine and record high-traffic or heavily-used areas 43% 37% 20%
Use a wearable (watch, wristband, etc) to access buildings 37% 39% 24%
Carry your driver’s license on your smartphone 38% 38% 24%

Mobile innovation
At least three quarters of survey respondents were enthused about features specific to mobile access-control systems, with between 76% and 86% finding each one of seven innovations posed either ‘very appealing’ or ‘somewhat appealing’. Interestingly, the features with least appeal were those with an arguably greater benefit to the individual than to the organisation – for example, using wearables (such as watch or wristband) to access the building and carrying a driver’s license on a smartphone.

Although the survey drew responses from a wide spread of industries, the most highly represented were distribution, IT, cyber security, finance and banking – all of which, save for distribution, need to take security more seriously than most sectors and wearables may fall outside of their comfort zone.

Still not available in every country, smartphone-displayed driving licences are likely to follow the pattern of digital payment and become the norm once they are more widely available. Nevertheless, in both cases, only 24% ticked the box saying ‘not appealing at all’.

The most appealing feature overall (86%) was the ability to connect a mobile phone to a tablet or laptop for secure computer login/access to cloud applications/web services. This finding suggests that the convergence of logical and physical access will play a critical role in the evolution and adoption of mobile access.
Who makes the final decision to deploy mobile access in physical access control within your organisation?

This report’s findings have hopefully clarified the challenges facing developers of access-control hardware and software – especially mobile-driven solutions – in persuading organisations in a wide range of sectors to upgrade or replace their existing systems.

But to whom, ultimately, do they direct their marketing efforts?

Despite the acknowledged convergence of physical and logical systems, the IT department still rarely has ultimate authority on procurement, with only 11% of organisations saying that their IT team had the final say-so. For the rest there was a fairly even split between security or facilities management and a shared decision
between security/facilities and the IT department. So with IT professionals having an equal say in procurement in 45% of cases, the impact of convergence on the power dynamics within organisations is clearly apparent.

45% A shared decision between security/ facilities and IT departments

12% IT security only

43% Security and/or facility management only

Here are some comments explaining the decision-making process over access control procurement within the organisations we surveyed across the Asia-Pacific:

• “Board of directors makes final decision based on recommendations from IT senior officer and compliance officer”
• “IT security people are heavily engaged in reviewing risk exposures with application, architecture, encryption etc”
• “While in the era of IoT the roles of IT and facility manager get blurred and conflicts may ensue, it is ultimately the end user organisation’s responsibility to bridge the two and have them work together to move the organisation’s security forward”
• “We have a separate ISD department that takes decisions based on business requirements given by us”
• “Should be on initiative from organisation’s management and they should hold responsibility in the final decision-making”

By Robert Haddon, security industry analyst on aerospace & defence, Frost & Sullivan.

About survey respondents
The survey was completed by professionals involved in the management, operation or procurement of access-control systems, including security professionals, facilities managers and IT professionals.

Only survey respondents based in the Asia-Pacific region – including all parts of Asia and Australasia – were included in the data, with a significant number of responses from India, China, South Korea, Malaysia, Pakistan, Taiwan, Singapore, Hong Kong
and Australia.

Responses came from a wide range of sectors – from office-based environments to retail and manufacturing – and from organisations of various sizes. ■

How many employees are in your organisation?
Under 100 employees

101-500 employees

501-1,000 employees

1,001-5,000 employees

Over 5,000 employees

By Robert Haddon, security industry analyst on aerospace & defence, Frost & Sullivan. Persuading security professionals to replace access control solutions remains a difficult
proposition, especially when organisations might look to standardise the system across a number of locations, which raises the investment level substantially. Solution providers
must better translate the benefits of new technologies over legacy options to the customer, particularly in terms of financial and efficiency savings.
Smartphone and other digital devices are increasingly trusted as identification devices, giving organisations the ability to manage access credentials on an ongoing
basis. Connection to a physical device combined with biometrics information gives organisations a better idea of the risk associated with a log-on attempt.
Cloud-based service offerings will sit at the centre of these new solutions and their use should be expected to grow. However, concerns around the security of systems
will continue to curb market growth in the short- to medium-term. Ultimately, some customers will continue to want sensitive information on premises to minimise
exposure, but improvements to cloud offerings will change this attitude gradually.
The industry must address several issues if they are to convince end users that they should adopt mobile access. First, companies must drive home not only why this type
of system is more convenient than a traditional smart-card solution, but also what it gives back to customers in terms of real-life ROI. With security budgets under increased
scrutiny it’s never been more important to demonstrate both a security and financial impetus for new investments.
The industry in general needs to do a better job of reassuring customers that mobile access systems aren’t in themselves a security risk. With the security of connected
devices and phones being called into question by the general media, systems need to prove their resilience to misuse or being undermined at a digital level.
Some organisations are still trying to understand how best to manage remote devices in terms of allowing access to networks, let alone how to manage a solution that grants
the user access to physical locations. With biometrics offering customers high levels of access-control security with a lower opportunity for lost or misappropriated credentials,
mobile-access solutions must make it clearer what sets them apart from other systems vying for customer attention and spending.
Frost & Sullivan is a consultancy and market research firm.