Finding Open-Source Access Control for the Future
For a company like ACI Worldwide, international and regional guidelines like the European Union’s General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard, and related ISO standards are legal waters it must constantly navigate.
Headquartered in Coral Gables, Florida, with employees in 45 countries, the global software company provides support for real-time payment solutions for thousands of organizations and merchants—including 19 of the world’s 20 leading banks. So, when its corporate security department considered updating access control across all of its 36 locations, company leaders knew that the solution would need to adhere to strict auditing, reporting, and compliance requirements.
As Jeff Chubb, director of corporate security and safety and data center facilities for ACI, began searching for new solutions, he kept in mind that an open platform would be preferred because of the various regulations, standards, and stipulations that the company and its components are subject to.
“When you’re hosting customer data in today’s world—when you hear about breaches or releases of information from people across the globe who are attempting to hack in—while the Internet and technology and advancement have provided good tools for everyone, it has also provided challenges for those in the security realm,” he says. “It’s the ever-changing climate, and you’re trying to keep up with the bad guys.”
Although the previous access control system’s components met at least basic requirements for some of ACI’s data centers, they were not uniform across facilities.
“We knew that what we had wasn’t going to be able to provide what we needed moving forward,” he says.
While Chubb wanted a solution that could be centralized and support the company’s global reach, he also looked for something that could dovetail with and support other aspects of ACI’s existing security system—including video surveillance and identity management programs.
“What we were looking for was more of a platform that would cover our needs now and into the future globally, but we were also looking for something to be more open-faced,” Chubb says.
It’s the ever-changing climate, and you’re trying to keep up with the bad guys.
While the search focused on access control solutions operating on an open-sourced platform, the overall goal was to have a solution that would address specific needs and could adapt to “what is coming down the pipe,” he adds.
And it wouldn’t hurt if the roughly 4,000 access panels, 300 readers, and all the related hardware and firmware for access control would also pass any client audits of the company’s physical security system.
Chubb’s corporate security team and integrator were already familiar with AMAG Technology products, so the ACI security team took advantage of ISC West in 2019 to assess the company’s access control solutions up close on the tradeshow floor. After a demonstration, ACI eventually opted for AMAG’s Symmetry M4000 Intelligent Controller—which primarily operates as a door controller, although it also supports the overall security environment.
“The ability to update or upgrade those panels to meet the needs of the future is one of the things that really stood out,” Chubb says.
Installing the panels was a longer process compared to other updates since the legacy units needed to be ripped out and securely replaced with the new panels.
“Nothing is ever perfect,” Chubb says, adding that having the existing and trusted relationship with ACI’s integrator and a familiarity with AMAG meant that they were able to get the panels tuned and adjusted to the exact needs of ACI facilities.
At the simplest level, the panels operate as part of a two-part authentication access system, where an employee uses his or her identification card plus a fingerprint to access certain areas. The panels send data to a multilayer security system as staff monitor surveillance footage and access reports.
If someone triggers an invalid card swipe—such as with false or unknown credentials—or tries to otherwise sabotage the system, the access panel alerts the relevant security team and triggers a nearby camera covering the area, allowing members of the security team to immediately observe the activity.
“From a technology standpoint, it provides the information we need in order to see that,” Chubb says, as well as the integration with other security solutions that helps streamline his team’s observations and reactions to maintaining facilities’ security.
When they were installed, the panels were also incorporated into facilities’ map perspective, a virtual layout of the facility that includes surveillance cameras and other security elements. Connecting surveillance camera feeds to their corresponding points on the map helps security teams quickly locate the views they need. Chubb points out that these maps ensure that facilities have sufficient security coverage to pass muster for internal or external audits and to help in future security planning.
Despite its global footprint, one of the ways ACI manages to adhere to regional standards and regulations is by limiting storage of certain data. The biometric data that corresponds to each employee is only stored on the employee’s identification and access card.
ACI plans to either expand or tweak aspects of its new access control system. For example, it is considering leveraging mobile technology to help combine ACI’s access control with biometrics. Chubb notes that having employees use their phones may lessen some security risks since people seem to forget or lose their work ID cards far more frequently than their cell phones.
Another shift Chubb is considering—which could happen by 2023—is swapping out fingerprint biometrics for facial recognition to access more restricted areas within ACI facilities. If these functionalities are added, however, the company will need to be mindful of additional regulations, he says.
Otherwise, as ACI continues to keep up with present threats and attempt to counteract future ones, Chubb adds that he and his team plan to keep tabs on emerging trends.
“I’m sure that we’ll see something that we’re not even thinking of yet,” Chubb says.
For more information about AMAG, contact Kami Dukes, [email protected].