Last week, I chatted on the phone with Terry Neely, CEO of PlaSec. His company produces standard interfaces which allow the enterprise to control different physical access control panels and doors and interface these to IT identity management systems. They are one of the first signs I have seen, beyond Quantum Secure, of what I call "the commoditization" of physical security. That's what this blog is going to discuss.
Historically, physical security manufacturers produced their own door control, control panels, database and their own admin systems. There was competitive advantage for them in that there was a great difference between how different systems worked. The manufacturers' business model was to install their own hardware, and the sales reps were accordingly given sales incentives to achieve this.
Then along came TCP/IP, digital convergence, off-shore manufacturers of access control devices, enterprise identity management and regulatory compliance. This is bringing to physical security what I call "commoditization".
Commoditization is the process of producing goods at low price points. Today, one can make a case that there is a difference between the cameras used, but the differences are quickly diminishing. Thus the hardware used is no longer such a large difference between vendors.
When commoditization meets digital convergence, then you have what is commonly referred to as a market disruptive force. Now new protocols are emerging such as PSIM that allow physical security devices to interconnect with identity and access management systems. You also have companies like PlaSec appearing that can provide universal interfaces to different hardware components.
It is my own personal opinion that the physical security market is entering the very early days of a big shakeout. Many large enterprises are going to begin taking the decisions to purchase their physical security systems away from Facilities and transferring this over to CSOs and CIOs. They will do this because:
* Regulatory compliance - Quickly produce reports on who had access to what with one mouse click on an integrated identity and access management system that combines physical and logical security
* Reduce costs - Lower their overall on and off boarding costs by centralizing this function and linking it in the end to their identity and access management systems
* Security ops - Integrated physical and logical security systems to detect and respond quickly to combined physical/logical attacks
This means bad news down the road for physical security manufacturers. Those that keep to the past will go in the door to the Facilities Managers trying to sell them new hardware i.e. replace all that you have with my system. This argument will diminish over time as enterprises begin to swap out only pieces of a system with low cost generic parts.
Manufacturers will also face new competitors coming out of the IT space. Enterprises like Cisco are a new emerging competitive threat to physical security manufacturers. They have the ear of CFOs, CIOs and CSOs. They will provide their own physical security interfaces that easily connect to identity and access management systems.
Large physical security enterprises like ADT have advantages in that they provide 24-hour security services. However, for large enterprises, these services will come under increasing pressure to merge with IT security ops. In my long-term view, these services will come under price pressure as combined physical and logical security services will be moved off-shore more and more.
I also think that over time, ERP vendors will move into this space. They control the identities, they produce access systems and they will become responsible for integrated physical and logical security ops. This will be bad news for physical security manufacturers when this happens. They will not only face increasing pressure from the hardware side but they will also have to compete on price points with the likes of Oracle, who can slash margins on their physical security side and then make them up from their database and many other vertical applications.
We are at the early days of the disruptive market place. Companies like Quantum were at the leading edge a few years ago. Now you have companies like PlaSec emerging and new protocols like PSIM. Cisco is on the move in this market. It is still the early adopters phase of the market.
However, over the next two to three years we will move into the beginnings of the wider portion of the bell curve. That means trouble for those physical security vendors who haven't repositioned. It also means lower operating and capital costs for their customers who will increasingly move to new vendors who offer them services at lower price points and allow them to easily integrate with their identity and access management and security ops systems.
Regards,
Guy

Comments (1)
While I agree these forces are going to be significant, I think the process will take a long time - more of an evolution than a 'shakeout'.
A couple of reasons for this:
- Physical security systems are deeply entrenched. It's too costly to throw them out. I know many customers who hate their access control vendor but keep it because it's proprietary and so deeply integrated into their processes. [Indeed, this is why PSIM providers need to integrate and work with existing systems]
- Cisco has been coming since 2006. It was early days then for them in 2006. It's still early days now. Their track record over the last few years in physical security is poor. Maybe they improve but it is, at least, an inauspicious start.
- PSIM is not a protocol. Physical security systems lack protocols forcing PSIM vendors to write custom drivers for each system. This is another element that is sure to slow down the convergence of systems.
- Off-shoring: Security system integrators like ADT make their money off of providing low-cost low-voltage techs to do physical work on-site (like card readers, panels, etc.). I am not sure how this is going to be off-shored or cost lowered through using IT.
- Large companies: As you mention in the post, this convergence will be most attractive to very large companies. Small companies will take much longer as logical security is much less important than keeping the doors locked for most small businesses.
Very informative and interesting post. Thanks.
Here are my comments back to you John:
The entrenchment of physical security is a good point but my point is that both Quantum Secure and PlaSec both offer solutions that allow the enterprise to keep their investment and then to go beyond it. In Quantum Secure's case they offer the ability to centralize workflow amongst disparate systems as well as to feed in real time ops feeds to a central source. PlaSec offers the ability, for a limited number of vendors, to keep their door and control panels but to allow a universal interface to be used. These are harbingers of things to come in the marketplace over the next two to three years.
Re Cisco, I agree that they have been on the doorstep for a long time. However, they are progressing. Here in Toronto where I am at the moment, they recently did a deal where they got a large enterprise to go with them over the traditional physical security vendors. Over the next two to three years, I expect them to move ahead in the marketplace.
Re PSIM, I agree it is not a protocol and stand humbly corrected. At Toronto Hydro, I implemented SPML (Service Provisioning Markup Language) in one physical security vendor's products (this is currently in test). However, as you pointed out almost all of the other vendors are not even talking about this and XACML (eXtensible Access Control Markup Language) let alone doing it. Good point.
Re off-shoring: I am not sure too how this is going to work out. My gut however tells me that more and more off-shoring of integrated physical/logical security will occur over time.
Finally re small companies: PlaSec is actually aiming at small to medium companies! Their thinking is that they can provide an inexpensive solution for small businesses. However, as you inferred, most small to medium companies don't have identity and access management systems now. I agree that this will take time to develop.
Regards,
Guy
Posted by John Honovich | July 6, 2009 1:26 PM
Posted on July 6, 2009 13:26