Access Control in the Real World Part 3 – T&A and Membership

In the HR arena, there’s a very strong requirement to know who is working and who is not, so that you can pay them accordingly. This is where time and attendance systems come into the frame, and it’s very important with these systems to positively identify the user with a high degree of accuracy. “What you know” and “what you have” aren’t very valuable as authentication factors because I can give these to my buddy and he can sign me in while I stay in bed. So “what you are” in terms of your fingerprint, your palm print or your palm geometry has become very popular with T&A vendors. The comparatively high cost of these technologies is less of a problem than it might be in a physical access control system with hundreds of controlled doors throughout a building, because even the biggest offices only need a small number of “clocking in” points for the staff. There are issues with some of these technologies when used in more “industrial” environments or where hygiene is a particular issue, but for many office and light industrial applications they have proved to be effective.

I think there’s also a case to be made that the people who’re looking at the company balance sheet all day trying to see where money can be saved tend to be able to make the simple quantitative cost:benefit decision that often motivates the company to purchase this technology quite ruthlessly. Security managers would probably quite like to deploy biometrics all over the place too but it’s not really so easy to see where the cost:benefit balance sits, because the math is based on risk, and that’s a highly unquantifiable element unless you have specific finger-burning experience (if you’ll pardon the sort-of pun there).

It could be argued in these times of economic “concentration” that unless an office worker is in his cube counting beans then maybe he or she isn’t working at all, and this should have some influence on how they get paid too, and this is another place where we see an opportunity for convergence back to logical access control and the use of one authentication scheme to do more than one job.

Perhaps with the spread of networked appliances into the field we’ll eventually see a builder have to log on to his wheelbarrow before he can use it or safety helmets with built in biometric authentication systems that wirelessly tell the foreman what crews are on site and how many cups of tea they’ve had.

It’s hard to make solid authentication systems work in difficult environments at low cost. I’ve been asked to look at systems for checking construction workers on and off building sites a few times in the past and it’s really hard to come up with a robust scheme that’s not costing more money to implement than the client is losing in absentee workers’ time on site. There are systems out there that claim pretty clear RoI cases but at the end of the day you’re asking a construction company to make a capital investment with an associated ongoing operating cost, and just think how keen they’re going to be to do that right now, or any time soon.

There appears to me to be a market for pre-fabricated turnstile units with built-in T&A systems that come in the form of something like a shipping container that a building company might lease, and have dropped on site for the duration of the contract. You need to combine the authentication scheme with things like turnstiles to be clear about who is on site and who is not, because these guys are going to be lazy or they might just be forgetful, and when there are 10,000 guys to manage in and out every day it gets to be a bit of a problem.

Clearly you can see that there might be a very close relationship between T&A and physical access control, because you can’t get into the building without using the PAC system to open the door, but there are problems here. You need to know when people are leaving as well as when they are entering, and you really need to prevent people from “tailgating” (i.e. one person opening the door, then ten people exiting all at once). These are problems that can be overcome, but it costs money. Reader-in/reader-out arrangements almost double the cost of the access control technology, and although they are very nearly 100% effective at preventing tailgating, turnstile/hidden gate systems are also very costly and simply won’t fit in many workplaces.

When it comes to the software associated with operating time and attendance we also hit a few speed bumps. In a straightforward nine-to-five operation with everyone working at a desk in the office and nobody working shifts things aren’t too complicated, but in the environments where these systems are often most beneficial you may have very large numbers of employees, perhaps working overlapping shifts, perhaps coming and going from the premises as part of their work patterns. A substantial organisation will probably operate a computerised payroll system sitting on an Oracle or SQL database, and the information from the T&A system needs somehow to get in there in a format that’s useable. Complexity ensues.
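To make the reader-in/reader-out and payroll-export points concrete, here is an added example (not from the original post or any vendor's product) that pairs IN and OUT reads into minutes on site and holds unpaired reads back as exceptions instead of guessing. The badge numbers, sample reads, exception names and the 16-hour shift limit are all assumptions made for the illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample reads (not from a real system): timestamp, badge, reader side.
SAMPLE_READS = [
    ("2009-05-11 21:58", "B100", "IN"),
    ("2009-05-12 06:03", "B100", "OUT"),  # night shift that crosses midnight
    ("2009-05-12 08:01", "B200", "IN"),
    ("2009-05-12 08:02", "B300", "IN"),   # never reads out
    ("2009-05-12 12:30", "B200", "IN"),   # second IN: an exit went unrecorded
    ("2009-05-12 17:00", "B200", "OUT"),
    ("2009-05-12 17:05", "B400", "OUT"),  # OUT with no IN: an entry went unrecorded
]

MAX_SHIFT = timedelta(hours=16)  # assumed site policy, not taken from the post
FMT = "%Y-%m-%d %H:%M"


def pair_reads(reads):
    """Return ({badge: minutes on site}, [(badge, timestamp, reason), ...])."""
    open_in = {}      # badge -> time of the IN read still waiting for its OUT
    minutes = {}
    exceptions = []
    for stamp, badge, side in sorted(reads):
        when = datetime.strptime(stamp, FMT)
        if side == "IN":
            if badge in open_in:
                # The earlier IN has no matching OUT, so that interval is not paid
                # automatically; it is flagged for a supervisor to resolve.
                exceptions.append((badge, stamp, "IN_WITHOUT_OUT"))
            open_in[badge] = when
        elif side == "OUT":
            start = open_in.pop(badge, None)
            if start is None:
                exceptions.append((badge, stamp, "OUT_WITHOUT_IN"))
            elif when - start > MAX_SHIFT:
                exceptions.append((badge, stamp, "SHIFT_TOO_LONG"))
            else:
                worked = int((when - start).total_seconds() // 60)
                minutes[badge] = minutes.get(badge, 0) + worked
        else:
            exceptions.append((badge, stamp, "BAD_READ"))
    for badge, start in sorted(open_in.items()):
        exceptions.append((badge, start.strftime(FMT), "NO_OUT_READ"))
    return minutes, exceptions


def payroll_csv(minutes):
    """Flatten the paired totals into the CSV a payroll import would take."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["badge", "minutes_on_site"])
    for badge in sorted(minutes):
        writer.writerow([badge, minutes[badge]])
    return out.getvalue()


if __name__ == "__main__":
    totals, problems = pair_reads(SAMPLE_READS)
    print(payroll_csv(totals))
    for row in problems:
        print("review:", row)
```

Every exception row is a read the door hardware could not pair, which is exactly where tailgating and forgotten reads surface in the data.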

Most of the T&A system vendors actually provide physical access control “add-ons” for their systems, but they’re generally not nearly as powerful as mainstream access control systems that the security manager is going to want to secure his multi-billion dollar industrial complex. Likewise, all of the major PAC companies provide T&A features within their software, but again they’re often not up to complex situations, and the sensible guys have chosen instead simply to integrate to mainstream third-party T&A systems, and provide the integration links for hooking into the HR payroll system. But there’s a heavy reliance on some quite detailed integration during the setup phase, with the PAC company needing to have the ability to noodle around with the HR system database.

Time and attendance integrated with physical access control is very achievable, but it’s not for everyone depending on the scale of your operation or your working patterns, and depending on how much money you think it’s going to save you. You’re going to want to have a solid RoI case to back you up when the board is asking why you want to spend all that money on hidden gates and reader-in/reader-out arrangements and cameras overlooking the area to prevent “jump-overs” and “buddy” sign-on.

In a similar vein to T&A you have membership management. This industry has grown up alongside the explosion in sports and leisure clubs over the last couple of decades, and features some of the same issues as a T&A system, in that it wants to positively identify each individual to make sure the person coming in is definitely the person paying the membership fee, and it wants to make sure it records when you use the facility because it wants to know how much it can charge you for the privilege.

Turnstiles are quite acceptable in these applications to prevent tailgating, and because the vast majority of club locations have the entrance at a reception desk there isn’t such a requirement for the system to be particularly physically secure, because there is likely to be a receptionist present at the entrance location.

Once again, most membership management systems offer a physical access control add-on to control the entry turnstile or door, but they tend to be primitive, because membership management systems aren’t really designed to be distributed over a wide area, as are physical access control systems.

Physical access control systems don’t tend to be geared towards membership management either. In the majority of club scenarios there could be a very large number of members and perhaps just a single entrance. The credentials need to be cheap, because you don’t want the cost of the card to have to be factored into the cost of membership, so they frequently use optical barcodes in plain (photocopy-able) black and white on the membership card, and the barcode readers often plug directly into the same PC on the reception desk that’s running enrolment and creating the members’ invoices and all the other good stuff that reception desk PCs do (i.e. playing minesweeper and solitaire!!).

One of the things that I’ve found a little strange is that none of the hotel card access control companies have switched on to the fact that a significant number of hotels (in Western Europe, at least) now have a leisure centre or spa that offers membership to outsiders as well as providing the facilities to guests. These premises nearly all have a membership management system as a result and have to put in horrible side-by-side credential readers to accommodate both the hotel guests and the club members (and sometimes they have yet another system for employees, but we’ll get on to the hotel rant later in the series).

Although these membership management systems generally offer some sort of data “import” facility, where you can export your database of club members in CSV format from one application and drag it into the membership database, they’re not really designed for integration – certainly not live integration, where you’ve got two databases communicating with one another.

I’m going to get on to biometric reading technologies later in the series and take a look at how they’re handled by the typical system – it’s not as straightforward or as sophisticated as it might at first appear…

Ok, so technologies of interest in this particular sector include :

The HandPunch palm geometry reader is very popular and really quite robust : http://www.handpunch.com/ and it’s available as a complete system-in-a-box T&A solution. If you want to look at it back at the mothership then it’s actually produced by Schlage http://recognitionsystems.schlage.com/.

Probably the most used fingerprint reader for access control is the Bioscrypt range from L1 http://www.l1id.com/pages/387-fingerprint-readers.

In the UK and Ireland, Mitrefinch are a very popular supplier of T&A systems http://www.mitrefinch.co.uk/.

Many of the larger physical access control companies choose to just offer strong integrations to third party systems – overall, not a bad idea. http://www.lenel.com/utcfs/Templates/Pages/Template-57/0,8066,pageId%3D8542&siteId%3D464,00.html

A number of companies are currently investigating vein reading technologies, and so far the ones I’ve looked at work quite well. Hitachi have launched a desktop reader that reads the veins in a finger http://www.hitachi.com/New/cnews/070720.html but they’re really just looking for people to buy and productize the technology.

Identica have a vascular reader that reads the veins in the back of your hand http://www.identicacorp.com/ It seems to work quite well, but I’m not sure it’s really ready for use in industrial environments.

I’m going to look at some of the more esoteric identification technologies later in the series too, so don’t be disappointed if I’ve missed your favourite.

Next time I’m going to look at personal and vehicular entrance management systems and how they relate to this technology.

The show that almost wasn’t but really was.

I have a strict policy of only going to IFSEC about once every three years. It is, in fact, such a strict and unmovable policy that I’ve been there this year, last year and the year before…

But HONESTLY, I’m really going to try hard next year.

Usually I just have to decide which day I’m going to go, a decision mostly governed by the price Ryanair decide to charge me to fly. It’s really good when you get the flights for one Euro each way (and the airport taxes for about 250…).

The dynamic was a little different this year, because the plan was to be at the show for about three days, and catch a couple of outside meetings during the trip too. Hey, if you’re going to take an 8 hour flight it better be worth it. Right?

And then there was all the scary stuff going on in the background. I mean, forget about the outbreak of swine flu on a pandemic scale, and the possibility that we might be the first to bring it back into the Emirates (and the probable jail sentence that would result), no, the scariest thing was the prospect of IFSEC with no Norbain!

Come Monday morning and the drive up to the NEC from our *very* classy hotel, and we were getting worried. No queues for parking, empty seats on the shuttle bus.

I’d taken the time to preregister, and the touch-screen terminals were easy to get at and simple to use, so I had my badge and was ready to rock very quickly. My colleague, however, hadn’t had time to do the registration online, and the process to get him in without paying was typically fraught. It would almost have been simpler to dive into the nearest internet café and register online than jump through the hoops we had to.

Anyway, we were in…gulp.

The new halls were good. Much closer to the train station (I used to hate that walk. It seemed like about a mile and a half). They were smaller, which gave us the initial impression that we’d be around the place in half a day, but the layout was deceptive.

Not so many far eastern manufacturers of duplicate bullet cameras this year (or so it seemed to me), and although Norbain were absent there were few manufacturers who weren’t represented one way or another (even some of the people who I didn’t think were supposed to be there at all).

So, Monday was quiet. No crush. No panic. So we had an early finish for the day – just in case we found it hard to stretch the visit out for the three days we’d planned.

Tuesday. Different story altogether. So this is where all the people are! Lots of much happier seeming exhibitors around today, and when I tried to drop by the Milestone stand I found that I quite literally could not get in! It was jammed! But that didn’t stop me, I sought out all sorts of interesting things and got to chat to people from all over the place.

I’d have to admit, I wasn’t concentrating on cameras too much, so although there were lots of camera manufacturers there, and I know some of them had new products to launch, I was busy talking to lots of access control people and command and control types.

I noticed a real surge in the number of companies producing offline locking systems. The iLoq product looked good (http://www.iloq.com/). It appears to be both sturdy and flexible.

Quite a nice anti-tailgating product from SMACS (http://www.smacs.com/).

Really liked Praetorian’s video display system, merging camera views into google-maps 3D representations of the site. Nice. (http://www.l3praetorian.com/ ).

The guys from Veracity had some very useful little bits and bobs too. In addition to their network cable extenders and IP over co-ax products they also had a couple of little gadgets that were just plain handy, like their tap connector to allow an engineer to take an Ethernet tap off to his laptop for setting up a camera without breaking the PoE power to the camera, and the little device that correctly identifies the PoE class to the PoE switch when the end device doesn’t do that properly. I like them. (www.veracityuk.com).

 

Along the same lines, I thought the guys from MuxLab had some very handy little gadgets too (http://www.muxlab.com/), that enable you to squeeze just about anything down a piece of CAT5.

 

Of course, it’s always good to see the guys from Viseum and their intelligent tracking system. I like it too (http://www.viseum.co.uk/ ).

 

There was more – there certainly was. I barely got my stack of brochures through checkin without an excess baggage fee, and I’ve completely run out of space in my business card file. But for now that’s about all that springs to mind. I’ll mention other things as they occur to me, but for now let’s get this out of the way so we can get on with the access control series.

IFSEC Interlude #2

What a hectic week. I’m back from IFSEC with about 20kilos of brochures and sore feet.

Oddly, we had a problem with the hosting of the website while I was away, so ipvideo.ie was invisible for a few days there, but we’re back now and all will remain fine for the foreseeable future.

I’m tempted to rant and rave about the reason for the outage, because it was something that could (should) have been sorted in a few minutes, but took several days because of the ill-conceived security procedures of my hosting company. But I’m too happy to be back in Dubai to have a bad word for anyone today.

A little sleep, a bit of food and a lot of ordering of my thoughts and I’ll post something interesting about IFSEC and the next access control article.

A brief Interlude for IFSEC

The question on everyone’s lips is “will I be at IFSEC?”, and the answer to that question is “yes, I will be at IFSEC”.

It’s a bit of a trek from here and I don’t know how many other people will be there, but we’ll see, won’t we…? Indeed we will.

I thought it was quite interesting that Norbain have announced that they will be back at next year’s show. It’s almost as if they intentionally didn’t do this year’s show just so that their name could appear in a gazillion opinion pieces predicting the end of the world because Norbain weren’t doing IFSEC!! But nobody would try to pull a marketing stunt like that…would they…

Only kidding…

Anyway, I’m off. Packing my bags and heading for the airport with the usual pre-IFSEC trepidation. Can I hold out on a diet of bad coffee, stale sandwiches and blueberry muffins for three days? Will my feet explode? Only time will tell.

See you when I get back!

Access Control in the Real World Part 2 – Logical Access Control

Following on from the previous episode, in which I gave a short overview and introduction to the topic of access control and authentication, let’s begin looking at who is actually using identification technologies in real world applications.

In the ICT sector, we’re all familiar with the use of username and password for logon to our computers, our email accounts, our websites, online banking and a whole lot more. It’s two-step authentication but it’s not two-factor authentication, because you’re using two things that you know. However, the idea is that whilst your username may be fairly easy to guess, your password won’t be…except that it nearly always is, just in case you forget it yourself! So there is a move towards more secure methods of authentication that really do provide a second (or even a third) factor to prove that you really are you.

Lots of laptops and desktop keyboards are now available with fingerprint readers built-in to them, or with smart card readers in a PCMCIA slot or hanging off a USB port. One-time-passwords are becoming popular too for remote access, where you carry a little electronic fob on a keychain that has an LCD display showing a numeric password. The password changes every 30 seconds to another random looking number, so when you log in to your secure company mail server or whatever, you enter your username, your password AND your numeric OTP. The server can calculate what the correct OTP will be at any particular time of day and thereby verify that it’s really you. So then you have two factor authentication. What you know is your username and password, what you have is the little OTP fob or card.
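How a server can work out the correct 30-second code for itself is shown in the added example below, which is not from the original post. It uses the open TOTP standard (RFC 6238) as a stand-in, since a commercial fob may run its vendor's own algorithm; the `OtpVerifier` class, the one-step drift allowance and the replay check are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

STEP = 30      # seconds each code stays valid, as with the fob described above
DIGITS = 6


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code a fob seeded with `secret` shows at unix_time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server side: recompute the expected code, tolerate clock drift, refuse replays."""

    def __init__(self, secrets, drift_steps=1):
        self.secrets = secrets          # username -> secret shared with that user's fob
        self.drift_steps = drift_steps  # how many 30-second steps of clock drift to accept
        self.last_used = {}             # username -> newest time step already accepted

    def verify(self, user: str, code: str, now: int) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        current = now // STEP
        for counter in range(current - self.drift_steps, current + self.drift_steps + 1):
            if counter <= self.last_used.get(user, -1):
                continue                # step already spent (also skips negative steps)
            expected = totp(secret, counter * STEP)
            if hmac.compare_digest(expected.encode(), code.encode()):
                self.last_used[user] = counter
                return True
        return False


if __name__ == "__main__":
    # The key below is the published RFC 6238 test key, not a real credential.
    demo = OtpVerifier({"alice": b"12345678901234567890"})
    shown_on_fob = totp(b"12345678901234567890", 59)
    print(shown_on_fob, demo.verify("alice", shown_on_fob, 59))   # accepted
    print(demo.verify("alice", shown_on_fob, 59))                 # replay refused
```

The password the user types is checked separately; this covers only the "what you have" half of the logon.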

Interestingly, there are a couple of companies now working on OTP cards/fobs with built-in fingerprint readers, so that you don’t see the OTP unless your print matches. This is reasonably strong two factor in-a-box, and it resolves the problem of someone just stealing your OTP fob and using it, but it doesn’t stop you having your thumb squeezed under duress!

The comparatively large chunk of plastic required to carry the display for the OTP device can easily accommodate a non-contact smartcard device, so it’s easy enough to produce a multi-element credential that can be used to also open doors or operate car park barriers, as well as supporting any other functions you might decide to implement as part of your site-wide identity management solution, but the OTP technology seems only to be available for remote login and not for local access. The vendors say “well, if you’re local then you can use other methods to authenticate yourself or to control access to the place where you have the opportunity to authenticate yourself”, which to some extent is true, but in a large organisation with a lot of machines it costs a lot of money to deploy smartcard readers on every desktop. It’s much less costly to give people an OTP fob, and embed their physical access control credential into the same thing.

The major physical access control players are switched on to all that’s happening in the ICT world, and will support single-sign-on, in what’s called “converged physical and logical access control” environments. One card lets you in through the door as well as letting you log in to your computer, and you can use the user’s physical presence (determined by the physical access control system) to determine whether or not they are allowed to be logged on or whether they should automatically be logged off.

There’s an awful lot of sense to this, and in these times of economic woe, businesses could actually derive a great deal of value from having their various systems tied together. There’s a real risk management benefit too, in that I can now disable a user from both the ICT system and the physical premises in a single action rather than having to rely on two different company departments trying to coordinate the removal of an employee and get it to happen at just the right moment.

Increasingly people are looking for integrated identity management systems, where they use a single credential (a smartcard usually) as their means of accessing a whole range of different services. In campus type environments (universities for instance) you will commonly have a requirement for physical access control, logical access control, membership services (library, gym etc), cashless vending, banking, perhaps digital signature management and more. In the past, these varying functions may have been handled using a number of different credentials or a credential with a number of different identification technologies all clustered together but working independently (I’ve seen proximity cards with magnetic stripes, where two of the tracks on the stripe were used for different purposes, as well as having two different bar codes printed on the card for different purposes, as well as having the personal ID details and photograph printed on the card. It’s like an electronic handbag!!).

The typical smart cards (Mifare and iClass being the two principal non-contact technologies that are finding most applications) have a number of memory slots internally, each of which can have data stored and retrieved. A smart card management system manages what data is stored in which slot so that a single credential can be used. It’s a feat of coordination more than anything else, and it does need a fair amount of expertise and experience to get all of the various applications talking to the card management system, and all of the various outboard peripherals reading the correct data from the smart cards across the campus.

There are also some companies looking to use a similar arrangement to provide a number of services on a customer loyalty card, for instance.

The main problem right now, however, is that there aren’t too many companies in the physical security space who’re actually capable of handling the software integration work, and understanding the ICT side of the customer’s business. As a result, there’s no way that most companies’ ICT managers would let the security company get at their systems.

I’m worried about this situation. If you look at ISO27001 (the “standard” for information security) you’ll see that there’s a chunk in there for “access control” (that’s from an ICT perspective) and identity management, and also for physical security. I’m pretty sure that most bright ICT guys could pick up a few salient points about physical security and do the necessary on their premises without including an outside physical security company, and in many ways I wouldn’t blame them. But this is a serious risk for security vendors and integrators if they don’t pull their socks up and join in the big boys’ games.

So ICT and physical access control are playing nicely together.

In the next episode, I’m going to take a brief look at time and attendance and membership systems and how they use identification and authentication technologies.

People worth taking a look at in the field of logical access control and converged physical and logical access control would include :

Lenel – http://www.lenel.com/utcfs/Templates/Pages/Template-53/0,8062,pageId%3D8518%26siteId%3D464,00.html

ActivIdentity http://www.actividentity.com/products/activid__home.php

Imprivata http://www.imprivata.com/custom/microsite/adwords/2009/20_practical_tips/20_practical_tips.html?engine=google&keyword=imprivata&gclid=CMfQ7pLop5oCFYR_3goduGSx1g

RSA http://www.rsa.com/node.aspx?id=1156

Access Control in the Real World Part 1

Access control is big. It’s bigger by far than video surveillance in terms of the total unit installations across the globe, and it probably doesn’t get enough coverage in the mainstream security comment arena. I had intended to produce a relatively short rant about the hotel card lock manufacturers of the world, but the rant grew legs and became something a bit more substantial; much too substantial for anyone with a job to do to actually read it all in one big chunk.

So rather than post something huge and have lots of people read the first couple of paragraphs then wander off to the coffee dock, I’ve divided it into a number of sections which I’m going to publish over the course of the next week or so, in a “mini-series” of bite-sized chunks.

For today, I’m just going to set out the stall, and talk about access control as a general concept.

Next I’m going to take an overview of each of the various sectors or industries that are making use of authentication technology and how they relate to physical security. This will divide over a number of episodes, which will include logical access control, time and attendance, membership management and our favourite physical access control – with a special sub-section on the hotel scenario and the industry that has built up to supply it.

Last of all I’m going to take a critical look at physical access control as it manifests itself in the real-world, with a close look at some of what I consider to be the most important issues.

I hope it’s of value, and obviously I’d welcome anyone’s comments or observations.

More than any other security technology that exists, access control is the one that we all use all of the time, even when we’re not aware of it. Whether it’s the fancy smartcard or biometric system that lets you into the office or whether it’s just the coin operated lock on the locker at the gym, it’s everywhere; and it probably always has been since somebody rolled a rock in front of their cave to keep the tyrannosaurus from sneaking in and gobbling their bronto-burger (okay, I’ve been watching too many episodes of the Flintstones maybe…).

If you go back and look in Ronald V. Clarke’s wonderful book “Situational Crime Prevention – successful case studies” you’ll find in Mr Clarke’s introduction a table of the “sixteen opportunity-reducing techniques” effective in crime prevention, one of which is actually “access control”, and another six or eight of these techniques involve approaches that could include access control as an element. So really, it is very important.

Perhaps I haven’t mentioned it before but I’m a big fan of the Situational Crime Prevention methodology/philosophy. Go read the books.

If we tear away some of the wrapping from access control, it generally involves some means of identifying a person or a thing, then doing something on the basis of a positive or negative identification. There are lots of different identification technologies out there, and they fall into classes or factors. The three common factors are :

- “what you have” – such as a key or a card
- “what you know” – such as a PIN number or a password
- “what you are” – such as your fingerprint or your iris pattern

The stronger authentication systems demand more factors so as to be absolutely certain that it’s really you who is trying to get in. Common two factor authentication systems are PIN+prox readers. They’re actually recommended in EN 50132 for external doors; and that’s not a bad idea, because so many companies now also use the access control card as an ID card that if you find a lost one out in the street you’re very likely to be able to guess exactly which building and office you can break into without any effort at all.

I think that everyone would agree that if you’re going to have a system that’s designed to let “nice” people in and keep “bad” people out, it should actually be based on “what or who they are” and not on something easily steal-able like a key or even a password; but despite what you see in the magazines, biometric reading technologies remain either so flaky, so expensive or so socially unacceptable that the added level of certainty they offer comes with a hassle factor and a price tag that many end users just don’t need.

In general, people are attracted to the *idea* of biometric authentication, but even the mainstream biometric technologies (fingerprint, palm print and palm geometry) remain expensive, they often suffer from user-error or environmental issues and the complexity of the biometric “template” that they produce requires special consideration over and above what you’d usually need for a non-biometric system.

The problem of moving biometric templates around has resulted in many of these readers also incorporating a smart proximity card reader/writer. It’s not there solely for the added security of two factor authentication, it’s mostly so that the card can be used as a convenient way to transport the templates around rather than having to install a separate network between the readers and a template server (the simple but ubiquitous Wiegand interface isn’t up to such a complex job).

Of course, there is a fourth factor of authentication, namely “how you behave”. All of the other three factors including the biometric linked identification technologies do not prevent either an authorised rogue attacker or a person under duress from authenticating him or herself. A system that prevents a user from authenticating himself if he acts inappropriately helps to reduce these risks, but you have to put the time and effort into setting them up. Simple fourth factor techniques that can be used today are things like time profiles and calendars, which prevent you from authenticating yourself when you aren’t supposed to be accessing the door. These often aren’t even set up on systems because “they’re too complicated and time consuming”, and they don’t allow for much flexibility.

In the commercial world, one of the biggest risks in all authentication related systems is that when a person leaves an organisation or their role changes, their authentication rights are not automatically changed to suit. Employees walk out of offices every day with access cards, passwords and PIN numbers that stay valid until someone remembers to delete them…which frequently is never!
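The time profiles and calendars described above, together with the leaver problem in the last paragraph, can be sketched as a single door decision plus an audit for credentials that have outlived their holder. This is an added example, not code from the original post or from any access control product; the badge numbers, employee IDs, profile names and HR status values are all constructed for the illustration.

```python
from datetime import date, datetime, time

# All data below is constructed for the example; names and numbers are hypothetical.
TIME_PROFILES = {
    "office_hours": {"days": {0, 1, 2, 3, 4}, "start": time(7, 0), "end": time(19, 0)},
    # Window wraps past midnight: Monday-to-Friday nights, finishing the next morning.
    "night_shift": {"days": {0, 1, 2, 3, 4}, "start": time(22, 0), "end": time(6, 0)},
}
SITE_CLOSED = {date(2009, 12, 25)}   # calendar of days nobody should be badging in
CREDENTIALS = {
    "1001": {"employee": "E1", "doors": {"main": "office_hours"}},
    "1002": {"employee": "E2", "doors": {"main": "night_shift", "plant": "night_shift"}},
    "1003": {"employee": "E3", "doors": {"main": "office_hours"}},
}
HR_STATUS = {"E1": "active", "E2": "active", "E3": "left"}   # assumed feed from HR


def in_profile(profile, when):
    """True if `when` falls inside the weekly window, including windows past midnight."""
    start, end, days = profile["start"], profile["end"], profile["days"]
    now = when.time()
    if start <= end:
        return when.weekday() in days and start <= now < end
    if now >= start:                       # evening part of the shift
        return when.weekday() in days
    if now < end:                          # morning part belongs to yesterday's shift
        return (when.weekday() - 1) % 7 in days
    return False


def decide(badge, door, when, hr_status=HR_STATUS):
    """Return (granted, reason) for one badge read at one door."""
    cred = CREDENTIALS.get(badge)
    if cred is None:
        return (False, "unknown credential")
    if hr_status.get(cred["employee"]) != "active":
        return (False, "holder not active in HR")   # leaver's card dies with the HR record
    profile_name = cred["doors"].get(door)
    if profile_name is None:
        return (False, "no rights on this door")
    if when.date() in SITE_CLOSED:
        return (False, "site closed")
    if not in_profile(TIME_PROFILES[profile_name], when):
        return (False, "outside time profile")
    return (True, "granted")


def stale_credentials(hr_status=HR_STATUS):
    """Audit: badges still enrolled whose holder is no longer active in HR."""
    return sorted(b for b, c in CREDENTIALS.items()
                  if hr_status.get(c["employee"]) != "active")


if __name__ == "__main__":
    print(decide("1001", "main", datetime(2009, 5, 13, 9, 0)))    # Wednesday morning
    print(decide("1002", "plant", datetime(2009, 5, 16, 2, 0)))   # end of Friday night shift
    print(decide("1003", "main", datetime(2009, 5, 13, 9, 0)))    # leaver
    print(stale_credentials())
```

Checking the HR status on every read means a leaver's badge stops working without anyone having to remember to delete it, and the audit list shows which badges still need to be collected.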

In the next post, I’m going to take a close look at logical access control and the role of authentication in the ICT world.

Have we hit bottom yet?

I was just over at www.ipvideomarket.info and noticed the massive list of posts from the various manufacturers that are showing up there in the feed list. Maybe John’s made a change or something…or maybe there are a lot of people in those companies with nothing else to do but generate press releases, update their websites and catch up on documentation and software fixes.

Each morning on my drive to the office I listen to the business breakfast show here in Dubai, and I hear all these people saying that the worst is over and that “green shoots of recovery” are beginning to appear in the financial markets. That’s not too surprising. I don’t think that anyone here in the UAE ever actually admitted that there was a problem in the first place, despite all the cancelled and down-scaled projects. But as I drive along over the Business Bay Crossing and I look around, there are still lots of cranes, and lots of buses full of guys coming in from the labour camps. And in the middle of the night down in the marina you still see all the unfinished towers lit up like Christmas trees seven days a week with the sound of jackhammers and generators 24 hours a day.

I feel a little isolated from the real world out here. It’s hard to judge what’s going on out there. I get the feeling that all these people who’ve lost their jobs probably aren’t factoring into the equation so much yet. It’s probably a predictably slow time of year for retail anyway, but what’s it going to look like at Christmas? Maybe a lot of those people who’ve lost their jobs have already bought and paid for their holidays, so maybe we won’t even begin to see the impact until after the summertime. I don’t know.

It’s still busy here, though, and there are still a fair number of pink English holidaymakers appearing on the beach!

So now I’m back…

…from outer-space. I just walked in to find you here with that strange look upon your face…

Ah, there’s no song like a disco song!

The strange thing is that it’s almost as if I’ve never been away. It’s weird the way that happens.

For you (dear reader) who may have been wondering, I’m back in fighting form again, having had unspeakable and unthinkable things done to my eye. Much to my relief they were, however, successful, and I can see again enough to start griping about the state of the industry once more.

For reasons that make perfect sense to me (but nobody else) I returned to Ireland to have the necessary surgery performed and to recover. Principally this was because there was nobody to feel sorry for me here in Dubai, so I went home to be “looked after”. As a result, I am somewhat rounder than I was when I left, but we’ll gloss over that little point quite rapidly.

I’d hoped (because I’m always hopeful) that during recovery I’d be able to catch up on a number of work related projects that I’ve been unable to keep in my sights (no pun intended) for the last while. As it was, I couldn’t see anything for much of the time, or suffered from weird headaches when using the PC, so all my hopes came to very little, but I did manage to visit Ireland’s premier security exhibition whilst there, to make sure that the industry was ticking along without me.

It may be…but not at the ISEC. The downturn was much in evidence – I’d have to say – with the country’s main distributors entirely absent from the show (and apologies to REW and Scott & O’Shea if you think I’m being harsh, but I do reckon Borsatec turn over more than you guys annually, so that’s who I’m talking about).

I was met with the blurred vision of a *horde* of Garda recruits fresh from Templemore leaving the venue as I went in. I say a *horde* because I can’t think of a better word. It looked like an outing from St Trinians (if the aforementioned educational establishment had begun accepting both boys and girls), with the accompanying bottles of red lemonade and bags of Tayto much in evidence (apologies to those of you who are not familiar with the staple diet of the culturally significant TJ and TJ, but it’s an Irish thing…an Irish police thing…).

Besides the fact that it was bitterly cold for the whole time I was in Ireland, I was also reminded where I was by the frequency of reported murders and shootings on the local news, and stories of Bernard McNamara and the varying number of armed bodyguards he currently employs to stave off the ever lengthening brigade of creditors currently baying for his blood (Polish mafia included, or so the potentially urban style myth informs me).

At least I was home for Paddy’s Day, and a decent pint…the doctor didn’t mention that I couldn’t drink, so I assumed that I’d be fine so long as I didn’t pour Guinness in my eye…

Bizarrely, there was an apparent gang-land assassination here in Dubai last night – but I suspect this is some strange space-time continuum effect resulting from my return, because it’s raining here too. So I’m assuming that the weather and the mob shootings have somehow temporarily followed me.

I have to mention the lightning here. It’s been quite amazing.

A couple of things that struck me from the Irish ISEC show while I’m thinking of them :

- there was a lot of IP video there. A lot more than usual, which is odd given the current environment, and I’m surprised there weren’t people there promoting alternative analogue solutions
- the visitor numbers seemed low, but there were a lot of small installers’ vans in the car park from outside of Dublin (I don’t think I saw a single 2009 registered vehicle, come to think of it, which is significantly unusual)
- bad planning from the Mobotix dealers. I know it was a small show, but they were pitched opposite one another showing the same cameras. Oops.
- SimonsVoss exhibiting their locking technology which I like. I got a flyer in the post from one of the Dublin locksmiths promoting it while I was home and saw another similar (though not very convincing) technology from another US supplier I’d never heard of. A real shame Abloy couldn’t get their Cliq technology to *really* work, because I think this is a very interesting opportunity area
- Saw a nice ANPR camera from ICRealTime embedded in a speedbump. Nice idea. I wonder how resilient it is? They had a lot of other flashy looking cameras on show, but they all felt flimsy I’m afraid
- Lots of training and certification bodies in evidence but no symbolic anti-PSA showing as I thought there could be, given the amount of actual PSA resentment there’s been in the press and on the web lately
- Interestingly, (but probably not entirely unexpectedly) the hot topics in Dubai are not the same hot topics in Dublin. Nobody making any fuss about IT/Security convergence, combined physical/logical access control. No significant biometric showing either. Like I say, this probably isn’t much of a surprise but I think it’s interesting that the show is beginning to take notice of the real world, because I’m fairly sure that you wouldn’t have a hope of selling those technologies in Dublin (in previous years I’ve seen plenty at the show that also wouldn’t sell in Dublin, but people still wasted their time and money presenting it).

So anyway, that’s about it for now. I’m really just getting my feet back under the table, and there’s a lot of stuff *on* the table that needs sorting out, but I’m really glad to be back, and looking forward to getting my teeth into it all again.

Critical Failure, Camera #1

Talk about a lapse in risk management…

Around a month ago I suffered a detached retina in my one good eye. I didn’t know immediately what the problem was, and because it wasn’t a catastrophic failure I muddled along for a while until a little Google self-diagnostics made me scared enough to go see a specialist. He sent me directly for surgery (do not pass GO, do not collect $200).

The operation was the easy part. The two weeks spent face down in a hospital bed was less pleasant.

I’m home now, and can just about look at a PC screen for a little while. It’s uncomfortable, and I’m wearing shades all the time – not just to look cool, for a change.

You spend all your time trying to eliminate single points of failure for other people and neglect the ones you’ve got built-in.

Anyway, hopefully all is on the mend now, but the world is a strange place when you can’t read and write.

The evolving IP video sales environment and its relationship with the economy

I wonder what the sales process was like a couple of hundred years ago when there was relatively little technology involved. I wonder if it was simpler back then.

Buyer : What do you have for sale, merchant?
Seller : I have a cow
Buyer : Interesting. What does it do?
Seller : It eats grass and delivers milk, and may be slaughtered to provide meat
Buyer : I’m not sure I’d like one of those, is there anything else I might have that will do the same thing?
Seller : Well, I could get you a goat, but it’s not quite so good…
Buyer : Oh. Okay then, I’ll take the cow…here are some magic beans…

Nowadays, the process seems to be evolving more and more rapidly – even though the products themselves remain almost the same – and I’m constantly revising the way I present these same products to customers to reflect the market’s changing perspective and my own understanding of what that perspective is.

This is certainly the case with IP video, and it’s probably not helped much by the fact that nobody’s *really* got their heads around the whole situation yet.

I find myself talking about this so much that sometimes when I hear an idea come out of my mouth in the course of a conversation, it’s actually the first time I’ve heard it!

I’ve now refined my classification of the people who are buying IP CCTV technology to place them into one of two groups defined as follows :

1. People who need some feature that cannot practically be achieved with analogue cameras and DVRs – in other words, their decision making process is based on functionality
2. People who have decided they are going to buy IP CCTV – in other words, their decision making process is based on policy

In short, the people who are buying IP-CCTV are people who *cannot* buy analogue CCTV. All those who *can* are continuing to do so.

The budget-limiting factors of the current climate are forcing more and more people to look at their functional requirements and their policies to see if perhaps they could change them, and – you know – it’s interesting how “must-have” features and “company values” can be cast aside in times of short arms and long pockets!

I’ve also realised that many of the *old-chestnut* sales arguments trotted out by IP camera manufacturers to persuade us to buy their wares (you know all the ones that we’ve taken to pieces in this blog? The ones about reusable cable infrastructure, megapixel cameras and increased RoI for instance) are actually the arguments that companies who *have* purchased an IP based system use to justify why they did so.

I think there’ll be a few of those boardroom conversations had over the coming year, with some poor guy’s job on the line, trying desperately to justify why he blew double what he needed to on cameras.