Regarding ID Summer 2014


Are the specifications reasonably accessible? Is it too restrictive to achieve desired goals? From my own perspective, I lean toward those standards that are more transparent in their mission and process. I also look at those that are democratic and engage a broader community, are less restrictive to access, and that implement, extend and reuse in a manner that is free of encumbrances.

LOOK FOR STANDARDS THAT ARE TRANSPARENT IN MISSION, ENGAGE A BROAD COMMUNITY, AND IMPLEMENT, EXTEND AND REUSE IN A MANNER FREE OF ENCUMBRANCES

PROGRESS

The good news is that there has been a great deal of focus and progress in this area over the past few years, bringing tangible results. Not intended to be a complete list, here are just a few examples that illustrate cooperation and execution across a subset of the physical access community.

OSDP (Open Supervised Device Protocol) is a specification that addresses key limitations of the legacy Wiegand communication protocol that defines data transfer between access control readers and systems. Using serial RS-485 cabling, it enables readers to communicate bi-directionally with a control panel. Where it was a laborious process to update firmware and settings locally at each door, it will be possible to do so centrally and remotely, as well as push out useful notifications, among other things. It also leverages GlobalPlatform’s Secure Channel Protocol, a widely accepted secure communications method in smart cards for everything from readers to controllers, making up for where Wiegand increasingly falls short. It will also be extensible to allow transport over TCP/IP so it’s both backward compatible and forward capable.

ONVIF (Open Network Video Interface Forum) was started back in 2008 to harmonize interoperability between network video vendors for the benefit of end users and integrators implementing the devices. It is a good example of an open approach in governance and leveraging existing IT standards, such as Web Services, as opposed to reinventing something new and obscure.

PSIA (Physical Security Interoperability Alliance) is focused more broadly on interoperability across various IP-enabled devices to achieve plug-and-play functionality and, in turn, enable a variety of services to be shared for greater actionable intelligence.

PIV (Personal Identity Verification) is an initiative on the identity and credentialing front, created by and for the U.S. government. PIV filled a void particularly in the smart card market where standards for interoperability had long been a barrier to adoption and maintenance. It also enabled a path to use PKI in physical access, which is valuable because it offers an alternative to symmetric key implementations.

OPACITY (Open Protocol for Access Control, Identification and Ticketing with PrivacY) addresses the performance and complexity that PKI presents, but also provides the openness and security that the market increasingly demands on a contactless platform (such as leakage of identifiers).

PLAID (Protocol for Lightweight Authentication of Identity) is a contactless standard developed by the Australian government to address its requirement for stronger contactless security.

Both OPACITY and PLAID are open source – the source code can be downloaded and has flexible terms for use and reuse – and share similar goals and principles. OPACITY has the edge for adoption in the U.S. given its approach in alignment with existing U.S. government specifications and registration with ISO as an authentication protocol. It is currently under review by ANSI (American National Standards Institute) for standards adoption.

THERE IS STILL A CHOICE

So does all this mean that there’s no place for proprietary technology? Not at all. A vendor may have an approach that is patented and exclusive but is incredibly valuable to a given situation. Also, vendors that leverage standards can decide the manner by which they carry out the specification, how well they do it, as well as offer additional services and functions that, when used in conjunction, make a stronger value proposition. The choice is up to the customer. There is no right or wrong choice. In terms of security, open standards promote accessibility, and in turn, peer review and testing across a large and competent community. This process is very good at discovering and correcting vulnerabilities. Therefore, it is only logical, when considering proprietary approaches, to demand similar transparency and make sure that claims can be validated rather than being told to “just trust us.”

THE BENEFIT OF COMMUNITY

Standards can, if executed properly, bring together a community wanting to solve the same problem. The individual standards development efforts are important, but more significant are the communities being built to solve the long-standing challenges that have prevented real progress and created the chasm between IT and physical access control. While we will have to wait and see which specifications are accepted and widely adopted, the participation of vendors, integrators, end users, trade organizations and others at the table is the new reality. This in itself will foster innovation and accelerate progress across an industry that had become complacent.
