Access control system: Everything you need to know about upgrade assurance
Many systems, including most access control systems, contain software. These systems often use IP networks to which other systems are connected. In the IT world, it is common practice to upgrade a system when a new web browser or software application becomes available. The security sector now appears to be adopting this trend too. Upgrade assurance safeguards the availability, continuity and security of the access control system.
Bob Dijkman is Product Manager at Nedap Security Management, which makes the AEOS access control system. Dijkman and his team focus on turning customer requests into road maps for product development. These road maps are shared with the development teams within Nedap. ‘In addition, we also create new propositions and control and manage them in the market’, Dijkman says.
Then and now
Previously, security systems were connected using proprietary solutions. Nowadays, the lines of communication between components of (security) systems increasingly run over IP networks, says Dijkman. ‘In this case, the access control no longer has its own connections but is rather linked to an IP network as standard, just like employees’ laptops, printers and other equipment. These links offer the great advantage of flexibility. The disadvantage is that all IP components in the system are exposed to the same cyberthreats – for example, criminals who remotely break into and manipulate an access control system.’
As Dijkman relates: ‘The hardware in an access control system becomes less relevant because it’s all about the software. Previously, we had dedicated hardware units which communicated with each other; now we increasingly work specifically at server level. The hardware in the field – the controllers – are more generic. ’ The software is becoming more important because it manages the controllers, authorisation of people, your access control policy and more.’
These developments require proper protection, as well as keeping the access control system up to date. This need is fulfilled by upgrade assurance. ‘With an upgrade assurance contract, users always have access to the latest software’, Dijkman says. ‘As such, they are assured of receiving the following benefits:
- Optimum protection, now and in the future – the IP security is always up to date;
- Optimum functionality – besides the IP security, the functionality of the system is always up to date;
- Maximum ROI – a security system costs money but, by continuously keeping it up to date, the financial health of the system is secured;
- Guaranteed continuity – Through upgrade assurance, disruptions to a company’s continuity as a result of a fault in the security system are excluded.
Updates and more updates: Since the first tentative uses of IT applications in our sector, we have been inundated with updates. As a user, you need to make decisions with respect to keeping the access control system future-proof, even though you cannot properly predict the consequences of those choices. With upgrade assurance, Nedap aims to put an end to this uncertainty. Bob Dijkman calls it security for life or, more accurately, carefree security. ‘In many companies, numerous procedures need to be followed before an upgrade order can be given. That means a long administrative process and a lot of hassle. With upgrade assurance, we immediately eliminate the need for that hassle. We simply make sure that all necessary upgrades take place automatically whenever they’re needed. The company only has to deal with the operational part, such as deciding which is the best moment to execute an upgrade. Upgrade assurance therefore takes away all worries.’
Separate updates or a contract?
Aren’t updates supposed to be included free in the purchase of, for example, an access control system? Dijkman replies: ‘Compare it to an Office package. At a certain point, the user has to acquire an update, and the user must pay for that. Our product provides a number of patches – standard updates – which are free. However, if a “jump” is made from, for example, version 1 to version 2 – with new functionalities and new levels of protections – then there is a price tag associated with this. The user can purchase the new version as a separate update, or they can ‘receive’ it as part of the upgrade assurance contract.
Upgrade assurance refers to a separate agreement with the customer or to a part of a maintenance contract. These contracts are offered by Nedap’s channel partners. This enables the customer to have just one point of contact. The channel partner performs the update. All required software becomes part of the contract.
Mactwin Security is one such Nedap channel partner. René Janssen Steenberg, Contract Manager at Mactwin Security, explains: ‘For us, upgrade assurance is a logical part of a management contract which enables us to safeguard the level of security for a fixed annual budget. As a System Integrator, we identify in advance the necessity, benefits and risks of the software upgrade in relation to the other systems. Then we perform the update, often remotely. As a result, our clients can focus on their operational process fully and carefree.’
Bob Dijkman takes the view that the customer is in good hands with an upgrade assurance contract. Can the user then take a hands-off approach? ‘An IP network almost always includes connections to other systems. If the customer does not set up its network properly – for example, by failing to turn on a firewall – this can have significant consequences. Our share in the IP chain is optimally secured with upgrade assurance. But this does not mean that the entire chain is secure’, according to Dijkman.
Finally, Dijkman would like to point out the importance of a conscious focus on security and functionality. ‘With market upgrades – whether or not in the form of upgrade assurance – I often see that the sole focus is on functionality. The key argument used here is: “We have added a new, cool feature to our product!” Naturally, this can also be a reason for issuing an update, certainly if the feature offers added value for users. But, in my opinion, what occurs “below the surface” is just as important. For instance, in our access control system we use databases. These databases are provided by suppliers such as Microsoft or Oracle. If they discover errors in their databases, they need to correct them. Then we implement the latest version of the database in our product. The access control system will not function differently as a result of this update, but it has become substantially safer and better able to handle threats. In short, as a supplier of Security for Life, we look beyond just the functionality when performing an upgrade.’