Is a New Threat Emerging for Access Control Brands?

By Jim Dearing, senior analyst, access control and fire, IHS Markit

Is the rise of PIAM a threat to access control equipment manufacturers?

Physical Identity Access Management (PIAM) systems essentially add a decision-making identity management layer on top of access control systems. This is done by moving the authoritative decision-making database or location to a higher authority, such as Active Directory or an identity and access management (IAM) system. As a result, the system is able to deploy identities (card holders) and credentials (cards), as well as assign access rights, into one or more vendor-independent physical access control systems.

According to new research from IHS Markit, global PIAM market revenues, excluding Asia Pacific and Africa, amounted to just $136 million in 2016. However, this is forecast to grow rapidly to nearly $500 million by 2021.

Could PIAM be a threat to suppliers?

The projected high growth of PIAM is potentially alarming, as a PIAM system’s ability to link together and manage multiple brands of access control hardware essentially undermines the allure of some large manufacturers’ offerings. One of the unique selling points that large multinational access control suppliers tout is the fact that they can offer some of the functionality of a PIAM system across an enterprise installation – for example, central management of credentials and active directory integration. The catch is that the enterprise has to exclusively adopt that supplier’s brand.

Because PIAM makes it easy to control multiple brands of equipment across a single installation, it also makes it easier for the end user to change the access control equipment over time by using the PIAM to ease the transition. Historically, suppliers have always fought extremely hard for “greenfield projects.” The first access control brand deployed had a huge advantage over the competition because the easiest way to expand that system later on was to buy the same brand again. PIAM software, however, potentially eliminates this advantage for manufacturers.

What could happen as adoption of PIAM grows?

If the adoption of PIAM systems continues to grow as expected, larger suppliers may begin to see their grip on high-value projects from the transportation, corporate enterprise and utilities sectors weaken – especially considering that these high-value projects seem to be the earliest adopters of PIAM. For example, IHS Markit estimates that the number of transportation sector access control projects that include some form of PIAM system will quadruple during the next five years. End users from these industries are increasingly seeing the benefits of being able to automate credential management and comply with legislation. Additionally, they possess budgets large enough to afford implementing such a system.

Barriers to wider adoption

There are still a number of barriers that PIAM providers must overcome before true mass market adoption occurs. After all, just 2 percent of all commercial access control projects included some form of PIAM system in 2016. First and foremost, complexity remains the bane of PIAM system implementation. Early adopters often have a clear picture of what they would like the system to do. The problems arise when they start to realize that their pre-existing physical and logical security infrastructure is not able to meet their own requirements. This usually comes in one of two forms: access control hardware limitations or weaknesses in their corporate governance and workflows. Both result in delays to PIAM system implementation.

Due to their complexity, PIAM solutions currently require large commissioning and design efforts, not only initially but also post-implementation due to system maintenance needs. This means there is a cost involved throughout the entire lifecycle of the system. These costs and the lengthy implementation process present a huge barrier to adoption in smaller projects.

Even for larger projects, other system implementation factors continue to stifle adoption. Installing and servicing PIAM software requires a high level of collaboration and communication between the enterprise’s physical security and IT departments. Historically, these two departments have tended to disagree on where the equilibrium lies for the conventional “security versus convenience” balancing act that every company faces. Working on a PIAM system together is often no different.

Integrating logical and physical security systems introduces a variety of potential vulnerabilities on both sides of the equation. Connecting every access control system to the IT network and then also managing all the identities associated with the company via one system creates huge network risk. If the system is hacked, suddenly every identity associated with the company is compromised. As a result, IT departments want to be assured that PIAM systems are completely devoid of cybersecurity vulnerabilities. On the other hand, physical security managers want to be assured that the building’s perimeter is not left vulnerable following a simple network hack, or that their system is not rendered unusable due to a distributed denial of service (DDoS) attack.

Opportunity for physical access control suppliers

Despite these barriers and the threat of increased competition, PIAM also presents a huge opportunity for suppliers of physical access control systems. The addition of logical integration adds a variety of unique selling points to a standard access control system offering, allowing the supplier to become more competitive. Additionally, if a large number of suppliers add some form of logical integration to their offerings, it may help to slow market adoption of full PIAM systems. It is unlikely that a particularly cost-sensitive end user would opt for a bespoke solution when they are already getting some level of logical integration from the physical security manufacturer.

Furthermore, a traditional supplier that fully commits to developing its logical integration capabilities may also be able to provide a true “off-the-shelf” solution. This would be more affordable than the current PIAM systems on the market and would have the potential to drive greater adoption in small- and medium-sized enterprise (SME) projects.

For more information, refer to the IHS Markit Physical Identity Access Management – 2017 report.