Getting Healthy with Cloud-based Converged Identity and Access Management

Converged Identity Management Creates New Revenue Streams for Brivo Systems Partners

Converging physical and logical identities, and using one credential for them both, makes a lot of business sense: many sources in our "One Person, One Identity, One Credential" article make an articulate case for the costs to be saved by streamlined management of physical access control systems as well as roles-based provisioning and swift, thorough de-provisioning across physical and logical spaces.

Some end-users are taking converged identity management a step further, using the process to create new revenue streams. That's the case with several of Brivo Systems' clients that offer health club management software. These companies, eFit Financial and Shape.Net, use Brivo's Software as a Service (SaaS)-based access control to enable their client health clubs to better manage not only security but also to offer their fitness customers different levels of service.

For example, the clubs can choose to offer 24-hour access to their facilities. Within the facilities themselves, the clubs can use the Brivo system to control access to premium fitness facilities, such as tanning booths, and sensitive areas like locker rooms and onsite childcare. The key to opening new revenue streams from controlling access is linking that access to customer payment data contained in the management company systems.

In June, Security Squared's Sharon J. Watson talked with Jerry Graciano, manager of development partnerships at Brivo, about how its clients achieved this integration as well as other SaaS-based security and business solutions. What follows is an abridged transcription of our conversation, edited for brevity and clarity.

**************
Jerry Graciano: We were working with a customer who had requested that Brivo [integrate] with its membership management software. This customer was a health and fitness facility using Brivo to control member access to its [24/7] unmanned facility, which is incredibly common these days. Pretty much anywhere you're bound to see a gym that says it is open 24 hours a day.

The goal was to be able to tie into this SaaS-based membership management system [provided by] eFit Financial. eFit Financial's market and industry is health and fitness membership management software as opposed to security management software. Their system and their competitors' systems in that market have all the billing information for a gym membership.

So John and Jane Smith have a membership, they're paid through to a certain date, they have access 24 hours a day to the gym until that date--that's where Brivo comes in. So by establishing an integration, we are able to, in real time, enroll a gym member through eFit Financial or through similar partners. Shape.Net for example, [offers] the same type of application.

You enroll a gym member in real time, assign them a credential, be it a card or key fob or fingerprint, and assign their privileges and their expiration date. Instantly, when that account is no longer paid through, their credential will stop functioning and their accesses are revoked.

Similarly, the next time a payment is successfully processed through the health and fitness [management] software, the member's credential's expiration date is updated and their privileges are updated as well based on any number of [health club sales] packages, such as 24 hour access to the front door--and now you also signed up for the tanning room.

There are layers of access now. We're being asked to integrate controls to locker rooms, onsite daycare facilities. About 90-95% of our gym end user customers...are unmanned at 3:00 or 4:00 a.m. So being able to segregate the men from the ladies is critical.

...We have several partners interested in HVAC integration and a few working on that right now, so eventually we will be able to distinguish that a director-level or C-level employee has entered the building and that would mean follow up with certain actions from the building automation system, such as detecting that a person has not provided a credential to access a specific site within the past two hours, so go ahead and turn off the lights and any sort of heating or cooling for the area.

SJW: What is the role of Extensible Markup Language (XML) in your being able to achieve this level of integration?

JG: XML is a bridge like any other, a way to exchange data in a platform independent manner without introducing security risks. You can send encrypted communications back and forth--it's the same as me going to my online banking web site. It's literally just a means to an end. Any other interface that could be used in the middle would be equally useful if it met those criteria.

However, XML was and continues to be one of the easiest and most adopted.

SJW: Talk me more through the Shape.Net deal. They wrote the integration, correct?

JG: That's right. By and large, our partners write the integration, with support from Brivo.

SJW: What kind of a system did they integrate with yours?

JG: They use Microsoft .Net technology. However, we are platform independent. eFit Financial is not a .Net technology.

Shape.Net's data does populate Brivo's records as far as it pertains to card carrying members of a security system in real time. They are also keeping track of the data as it pertains to the billing identity in real time. So there's a link between our servers--initiated in real time as necessary. There's no pipe, no VPN, no extensive IT work.

SJW: It's just cloud to cloud.

JG: It's literally cloud to cloud. No VPNs, no open ports or security ports are introduced to Brivo's model for any of this.

SJW: The billing identity remains with Shape.Net.

JG: It's a matter of making sure they know what the balance due is, and there are certain rules that a gym owner can substantiate within Shape.Net's system. So if you owe more than $50, for example, you can be denied access.

SJW: So if I was going to translate this, what they have in their database are rules and policies around who can access what and those are being linked to the physical identity you maintain in your system.

JG: Yeah. That's exactly right.

SJW: Talk to me more about directories or databases underlying the synchronicities between the Brivo system and your customers' systems. Are you building [Lightweight Directory Access Protocol] based directories of these identities or are you linking into enterprise resource planning (ERP) software they're using?

JG: We have good examples of all of those. In some cases, our partners are literally using our [Application Programming Interface] and creating their own SQL connectors and .Net connectors to connect to Brivo. In some cases, we are part of an LDAP integration where the end user or partner has written an integration to their own LDAP. Also, we do have a partner currently working toward an ERP integration where we will be able to track assets that are moving. That will be incredibly interesting. 

There really is a wide array of possibilities once you offer a platform-independent [solution]. We've had integrations through the Microsoft world as well as the Linux world. We've also had a few custom integrations.

SJW: What type of end user authentication device are these customers most interested in using? After all, they're letting people in their facilities after hours.

JG: First of all, you have to weigh risk versus reward here. Many times we find our integrator partners, especially within health and fitness, are focused on a wholesale solution and are driven by the cost of the credential. So a proximity credential or fob is already a step up from where the industry used to be, with bar codes or mag stripe cards that were easily duplicated.

From that point, however, restricting access levels and privileges is not just a feature of a security system but a feature of additional hardware. What I mean by security system is we have features like anti-passback that will send an email alert that someone tried to get in twice without exiting first. That's a soft anti-passback feature put out to our customers.

On the physical side, there's also the capability to do fingerprints, do a combination of fingerprint and card, and newer technologies that have become standard. We do combine that with card and PINs and any other combination. If you want to put a fingerprint reader on the ladies' locker room, you're more than welcome to do that and put a proximity card detector or reader somewhere else. You can do any combination that allows the end user to keep their capital expense low and maintain security of their system as they see fit.

SJW: Are you finding interest in using the same credential that gets you into the building to log you into the enterprise network?

JG: Yes, very much so. We have been seeing the want and need for combined logical and physical access. [Consider] a standalone single door controller that's powered over Ethernet, my laptop and my phone, and until I have provided my credentials, be it a fingerprint or card or PIN or all three, none of those devices will work.

SJW: In those cases, is Brivo first on the scene or are you tapping into a variety of PACS already in place?

JG: We'll work with any system that the partner or end-user requests that we work with. The Brivo hardware of course is the hardware that extends off the Brivo service model. However, we do frequently access databases for other systems in the event of a conversion, for example, where Brivo's the replacement solution or in some cases where other areas are managed by other systems.

SJW: It's just my understanding, the more closed and proprietary PACS, the more difficult it is to get them to connect with [another PACS], let alone an LDAP.

JG: I didn't say it wasn't difficult. It's absolutely challenging in some cases. But it is possible.

###

Query: How might your enterprise be able to use converged identities to support or create new or enhanced services? How open would you be to the concept of identity management delivered as a hosted service?
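The access-decision rules Graciano describes in the interview above (a credential that stops working once the membership is no longer paid through, a gym-configurable balance-due threshold such as $50, package-based privileges per area, and a soft anti-passback alert when a credential is presented at the door twice without an exit) can be sketched as a small policy engine. The code below is an added example written for this page; it is not Brivo, eFit Financial or Shape.Net code and does not use their APIs. The member records, area names, `$50` default and access events are constructed sample data, and the email alert from the interview is represented here as an alert string returned with the decision.

```python
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Set


@dataclass
class Member:
    """Constructed member record: the billing system owns paid_through and
    balance_due; the access system owns the credential and its privileges."""
    name: str
    credential_id: str
    paid_through: date      # membership expiry, as last synced from billing
    balance_due: float      # outstanding balance owed to the club
    privileges: Set[str]    # areas the current package entitles the member to


@dataclass
class Decision:
    granted: bool
    reason: str
    alert: Optional[str] = None   # soft anti-passback alert text, if any


class AccessPolicy:
    """Evaluates door events against synced billing data and club rules.
    Anti-passback is 'soft': re-entry without an exit is still granted,
    but an alert is raised (the interview describes this as an email)."""

    def __init__(self, members: List[Member], max_balance_due: float = 50.0,
                 perimeter: Set[str] = frozenset({"front door"})):
        self.members = {m.credential_id: m for m in members}
        self.max_balance_due = max_balance_due      # hypothetical club rule
        self.perimeter = set(perimeter)             # readers that track in/out
        self.inside: Set[str] = set()               # credentials believed inside

    def apply_payment(self, credential_id: str, amount: float,
                      new_paid_through: date) -> None:
        """Mirror of the billing-side update: a successful payment extends
        the expiry and reduces the balance, re-enabling the credential."""
        m = self.members[credential_id]
        m.balance_due = max(0.0, m.balance_due - amount)
        m.paid_through = new_paid_through

    def evaluate(self, credential_id: str, area: str, direction: str,
                 when: datetime) -> Decision:
        m = self.members.get(credential_id)
        if m is None:
            return Decision(False, "unknown credential")
        if when.date() > m.paid_through:
            return Decision(False, f"membership expired {m.paid_through.isoformat()}")
        if m.balance_due > self.max_balance_due:
            return Decision(False, f"balance due {m.balance_due:.2f} exceeds "
                                   f"limit {self.max_balance_due:.2f}")
        if area not in m.privileges:
            return Decision(False, f"no privilege for {area}")

        alert = None
        if area in self.perimeter:
            if direction == "in":
                if credential_id in self.inside:
                    alert = (f"soft anti-passback: {m.name} ({credential_id}) presented "
                             f"at {area} twice without exiting at {when.isoformat()}")
                self.inside.add(credential_id)
            elif direction == "out":
                self.inside.discard(credential_id)
        return Decision(True, "granted", alert)


def run_sample() -> List[Decision]:
    """Constructed 3:15 a.m. scenario at an unmanned club; returns one
    Decision per event so the outcome can be inspected or asserted on."""
    members = [
        Member("Jane Smith", "A100", date(2010, 7, 31), 0.0, {"front door", "tanning room"}),
        Member("John Smith", "A101", date(2010, 6, 30), 0.0, {"front door"}),
        Member("Pat Lee", "A102", date(2010, 7, 31), 65.0, {"front door"}),
    ]
    policy = AccessPolicy(members)
    t = datetime(2010, 7, 10, 3, 15)
    events = [
        ("A100", "front door", "in"),     # paid, granted
        ("A100", "tanning room", "in"),   # premium area in her package
        ("A101", "front door", "in"),     # paid through last month: denied
        ("A102", "front door", "in"),     # owes more than the limit: denied
        ("A100", "front door", "in"),     # second entry, no exit: soft alert
        ("Z999", "front door", "in"),     # credential not enrolled
    ]
    results = [policy.evaluate(c, a, d, t) for c, a, d in events]
    # Billing processes a payment; the next sync re-enables the credential.
    policy.apply_payment("A101", 45.0, date(2010, 7, 31))
    results.append(policy.evaluate("A101", "front door", "in", t))
    return results


if __name__ == "__main__":
    for d in run_sample():
        print(d)
```

The point of keeping `paid_through` and `balance_due` as plain synced fields is that the door controller never needs the billing system's database or a VPN into it: the membership system pushes the two values it owns, and every access decision and revocation follows from them locally.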
