Access Control Systems

Controlling access is one of the most important policies of any organization’s security, as it regulates who enters and exits the organization’s spaces and when, drastically reducing the likelihood that unauthorized people gain access to protected areas.

In addition, modern access control systems offer many more capabilities that dramatically improve the security of any organization. For example, they can also be used to restrict access to workstations or virtual space and to provide important statistical information (e.g. occupancy, traffic, etc.).

How does an access control system work

A user who is authorized to enter a specific area presents his credentials to an access control reader usually positioned next to a door. The reader transmits the credentials’ data to the system, which validates the credentials against its database of authorized users. If the credentials are valid, an electronic lock opens to grant access. If the user does not have permission for that door or time, the door will remain locked.

Access control functions

Access security has five main functions:

Authentication is the process of determining whether someone is who he says he is. Usually, the system validates credentials against a database of authorized users.

In an access control system, all users are assigned „access rights” that clearly specify where a specific user can enter, when, and under what conditions. For example, all employees are authorized to enter the building at all times but are only authorized to enter restricted areas relevant to their grade or job function.

When the system validates credentials against its database of authorized users (authentication) it grants access by opening a locked door.

Security administrators manage the access control database by adding or removing authorized users so that the access control devices only validate requests based on current information.

Reporting is one of the most important functions of a modern access control system, as it provides valuable information to management.

Any event or activity within the access control system is recorded with details of location, time, user identity, type of event, etc. Based on these recordings an authorized user can generate reports in various forms.

For instance, a report of door activity history shows who opened a specific door, at what time, and/or how many times. Another useful report could cover invalid access attempts, where users attempt to use their credentials at an unauthorized access point, as well as doors forced open or doors left open too long.
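As an added illustration (not part of the original article), the Python sketch below derives the reports described above from an event log: door activity history, invalid access attempts, doors forced open and doors left open too long. The log layout, event names and thresholds are assumptions made for this example, and the log lines are constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log: "timestamp,door,user,event". The event names and the
# CSV layout are assumptions for this example, not a vendor format.
SAMPLE_LOG = """\
2024-03-04T08:01:10,lobby,alice,ACCESS_GRANTED
2024-03-04T08:01:12,lobby,,DOOR_OPENED
2024-03-04T08:01:18,lobby,,DOOR_CLOSED
2024-03-04T09:15:00,server-room,bob,ACCESS_DENIED
2024-03-04T09:15:20,server-room,bob,ACCESS_DENIED
2024-03-04T10:30:00,server-room,carol,ACCESS_GRANTED
2024-03-04T10:30:03,server-room,,DOOR_OPENED
2024-03-04T10:32:30,server-room,,DOOR_CLOSED
2024-03-04T23:40:00,warehouse,,DOOR_OPENED
2024-03-04T23:40:05,warehouse,,DOOR_CLOSED
"""

GRANT_WINDOW = timedelta(seconds=10)     # an opening must follow a grant this closely
HELD_OPEN_LIMIT = timedelta(seconds=30)  # longer than this counts as "left open"


def parse(log):
    """Turn log text into time-ordered (timestamp, door, user, event) tuples."""
    events = []
    for line in log.strip().splitlines():
        ts, door, user, kind = line.split(",")
        events.append((datetime.fromisoformat(ts), door, user or None, kind))
    return sorted(events, key=lambda e: e[0])


def build_reports(events):
    history = []          # (time, door, user) for every granted access
    denied = Counter()    # (user, door) -> number of invalid attempts
    forced, held = [], []
    last_grant, opened_at = {}, {}
    for ts, door, user, kind in events:
        if kind == "ACCESS_GRANTED":
            history.append((ts, door, user))
            last_grant[door] = ts
        elif kind == "ACCESS_DENIED":
            denied[(user, door)] += 1
        elif kind == "DOOR_OPENED":
            opened_at[door] = ts
            grant = last_grant.pop(door, None)   # one grant covers one opening
            if grant is None or ts - grant > GRANT_WINDOW:
                forced.append((ts, door))        # opened without a recent grant
        elif kind == "DOOR_CLOSED" and door in opened_at:
            if ts - opened_at.pop(door) > HELD_OPEN_LIMIT:
                held.append((ts, door))
    return {"history": history, "denied": denied, "forced": forced, "held": held}


REPORTS = build_reports(parse(SAMPLE_LOG))
```

A production system would also treat a request-to-exit button press as a legitimate reason for a door to open; that event is left out here to keep the example short.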

Access control policy

To impose the right level of security in controlled areas, system administrators must specify the rules that define the conditions under which access may take place, that is the access control policies.

Let’s analyze the five main access control policies used in access control systems:

Discretionary access control (DAC): a means of assigning rights based on rules specified by users, who define who is authorized to access the building or a specific area. For example, a supervisor could grant authorized subordinates access to a training room during a session, then remove the access afterward.

DAC access control models are very flexible and easy to use because employees are responsible for granting access to their locations, so there is no need for additional system administrators. However, DAC systems provide minimal levels of security because of a lack of centralized control.

Mandatory access control (MAC): Mandatory access control (MAC) models regulate access to a protected area or information based on the sensitivity of the assets within, so the access is granted or denied based on the user’s security clearance level.

In other words, when a user tries to access a restricted area, the system automatically checks his assigned category and whether or not he is allowed access.

Compared with DAC models, MAC systems are regulated by a centralized system and are typically much more stringent with their policies, being mostly implemented in highly secure organizations such as the military, government, politics, foreign trade, healthcare and intelligence. However, they can also be used for regular companies who need this type of system to keep their sensitive assets controlled and protected.

Attribute-based access control (ABAC): This approach uses characteristics to regulate physical access to a building, providing access to users based on their particular attributes, such as the user’s type, location, department or duties. In short, the employee’s access rights are based on who he is, rather than what he does.

Due to the granular nature of ABAC systems and their malleability, they are commonly used to protect sensitive technology and information from team members who aren’t approved.

Role-based access control (RBAC): Role-based access control systems (RBAC), sometimes known as non-discretionary access control, are dictated by different business functions or user job titles within an organization, rather than the individual user’s identity.

For instance, managers often have privileged access to sensitive parts of the building or information, while lower-level team members do not.

The separation of duties is a clean and efficient way to grant access authorization and develop access control lists.

An administrator defines rules that govern access to an area. These rules may be based on conditions, such as time of day and location.
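The following added example (not from the original article) evaluates one access request under each of the policies above, including the supervisor's temporary grant from the DAC paragraph. The data model, field names and sample users are constructed for illustration; "RULES" is this example's label for the administrator-defined conditions in the last paragraph.

```python
from dataclasses import dataclass, field
from datetime import time

# Every name, field and sample value here is constructed for illustration.
@dataclass
class User:
    name: str
    role: str        # RBAC: job function
    clearance: int   # MAC: security clearance level
    attrs: dict      # ABAC: user type, department, ...

@dataclass
class Area:
    name: str
    owner: str             # DAC: the owner manages the guest list
    sensitivity: int       # MAC: clearance needed to enter
    roles: frozenset       # RBAC: roles allowed in
    required_attrs: dict   # ABAC: attributes the user must match
    hours: tuple           # administrator rule: (open, close) time of day
    guests: set = field(default_factory=set)

def dac_change(area, actor, user_name, grant):
    """DAC: only the area's owner may add or remove a guest."""
    if actor != area.owner:
        raise PermissionError(f"{actor} does not own {area.name}")
    (area.guests.add if grant else area.guests.discard)(user_name)

def evaluate(user, area, now):
    """Verdict of each policy model for the same request, side by side."""
    return {
        "DAC": user.name == area.owner or user.name in area.guests,
        "MAC": user.clearance >= area.sensitivity,
        "RBAC": user.role in area.roles,
        "ABAC": all(user.attrs.get(k) == v
                    for k, v in area.required_attrs.items()),
        "RULES": area.hours[0] <= now <= area.hours[1],
    }

def demo():
    training = Area("training-room", owner="sam", sensitivity=1,
                    roles=frozenset({"supervisor", "trainer"}),
                    required_attrs={"type": "employee"},
                    hours=(time(8), time(18)))
    dana = User("dana", role="technician", clearance=1,
                attrs={"type": "employee", "department": "ops"})
    before = evaluate(dana, training, time(10, 30))
    dac_change(training, "sam", "dana", grant=True)    # session starts
    during = evaluate(dana, training, time(10, 30))
    dac_change(training, "sam", "dana", grant=False)   # session over
    after_hours = evaluate(dana, training, time(22, 0))
    return before, during, after_hours
```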

Access Control System – components

Based on the „classical Lock and Key” model, people new to access control think that an Access Control System consists only of a card reader and the „plastic” cards. So, they are pretty confused when they learn about many other devices, whose functions are mostly incomprehensible to them: controllers, interfaces, power supplies, special locks, magnetic contacts, request-to-exit and emergency buttons, and different software modules.
To dispel the „mystery” behind the convoluted structure of a modern access control system, let’s keep it simple, stupid, and focus only on the main four components that define any system:

In short, a credential holds the user’s data (user identity), which is „read” by the reader and sent on to a „control panel (controller)”, an intelligent device provided with a database. If the identity is found in the controller database, access is granted.

Six main types of credentials are used today, which offer different levels of security and convenience.

  • PIN codes: Personal Identification Number. It is the simplest and most cost-effective credential but requires users to remember the code when needed. A PIN also provides fairly low security and is a slow authentication method, not useful in high-traffic areas.
  • RFID low-frequency cards („Prox cards”): Users present RFID-enabled cards in proximity to a reader and the encoded ID on the card is quickly read. They were widely used at the beginning of the 2000s, but due to their security vulnerabilities (the code is not encrypted) they are no longer used except with old or cheap systems.
  • Smart cards: Advanced plastic cards with an embedded computer chip that can store, besides the ID code, additional information such as biometrics. They are more secure than Prox cards, as the data within the card is encrypted and can only be accessed with the proper „reading keys”. Probably the most popular technology today.
  • Mobile solutions: the ultimate technology today. After simply installing an app on their smartphone, users can unlock the door by just scanning the smartphone at the reader or by using an unlock feature in the app. Mobile credentials are more secure, cost-effective, and more convenient, being easily managed and used by normal employees, visitors, contractors, or service staff.
  • Biometric solutions: Used more as an additional layer of security, biometric solutions overcome the problems of lost or stolen cards, as the person becomes the „key”, which is, obviously, more difficult to copy. The most widely used biometric technologies include fingerprint, facial recognition, and eye scanning for retinas or irises.

The most „well-known” component of an access control system, the reader is usually installed on the wall next to the door, outside and sometimes also inside the protected area.

As its name says, the reader reads the compatible credential types. It does not make any access decision; it just transfers the data from the card to the control panel, which is the „decision maker”.

There are several types of security readers in use today such as:

  • „Standard” card reader: Usually of RFID technology, it detects credentials when they are within its magnetic field range and reads the code written on the chip of the card. The more modern „standard” card readers use NFC and/or Bluetooth/Bluetooth Low Energy (BLE) technology to read the new mobile virtual credentials from the user’s smartphone. The user needs to bring his smartphone close to the reader, which reads the credential from the phone.

Some BLE (Bluetooth Low Energy) readers only require the user to wave his hand in front of the reader to communicate to the system the intention of passing through that door. The reader reacts and the ID is automatically read from the user’s smartphone, even if the phone is in a pocket or purse. This is called touchless technology.

Standard readers are suitable for heavy traffic areas.

  • Keypad readers: allow users to type their unique PINs on a keypad installed on the wall, next to the door. However, PINs can be shared, willingly or not, guessed, or used by intruders, especially when keypad buttons wear over time. Because of these security issues, they are not often used alone, but only in certain situations.
  • Card readers with keypad: Users present their cards to the reader and, once the system reads their card ID, they are asked to „identify themselves” by typing their unique personal code (PIN). This is called two-factor authentication. This reader type, more expensive than a standard one, is mostly used in higher security areas, being less suitable for heavy traffic zones (the authentication procedure is slower).
  • Biometric readers: This technology theoretically eliminates the use of all „standard” credentials. The person becomes „the credential”, as the system relies upon approved biometric attributes (fingerprints, face, iris, retina) for validation against a biometric database.

Thanks to continued advancements in artificial intelligence technology and faster processing speeds, biometric solutions remain at the forefront of high-end access control solutions. However, the prohibitive prices and GDPR concerns prevent many companies from adopting this technology on a large scale.

  • Video door readers: Video door readers have a TV camera built-in, giving security teams visual evidence of identity and any security issues. Practically, the TV reader camera replaces an extra TV camera, usually installed next to the controlled door, while it offers a better field of view.
  • Intercom readers: This type of access control device integrates a video reader, with two-way audio, and is very helpful in verifying visitors prior to granting entry.

The Control Panel, or Controller, is the „brain” of any access control system, and therefore it is the fundamental piece of hardware in the system (and the most expensive hardware component).

This is a self-contained intelligent device, with its own local processing power and sufficient capacity to store a full database of cardholders and other required information. In effect, it is a specialized computer installed in the field, between the host computer and the card readers.

The controller itself makes all of the decisions as to granting or denying access to a person, taking the processing load off the server access control app, and allowing the entire system to operate faster. This approach is called „distributed processing network architecture” (in contrast to a centralized architecture where decisions are taken by the host computer).

Due to this distributed structure, the access control system will continue to operate (lock and unlock doors) even if the communication line back to the host computer is interrupted, or the host computer is down.

An advanced, powerful controller can support up to 64 doors (readers), but controllers typically support between 2 and 16 doors. Bigger systems need more controllers.

Most controllers can also optionally be provided with digital input/output interfaces, which allow the connection of various devices such as switches, buttons, motion detectors, sounders, beacons, small relays, and almost anything that can be powered from a small DC voltage.

Almost all modern controllers are now directly connected to a company’s computer network, either through cable or wireless. Newer systems are taking the network connection all the way down to the reader interface or even the reader at the door (lower wiring costs).

The Access control application has three main functions: to monitor, to configure and to manage the access, alarms and outputs in the security system. It is the glue that holds a complex system together and makes it work.

The software for access control systems is a vital tool for managing the database of authorized users. The database holds the details of the network of access-controlled doors and authorized users together with their access levels. To maintain security, it’s essential to keep the database up-to-date by adding new users and removing users who have left or who no longer have permission to access specific areas.

There are two options for hosting access control software:

  1. on-site in servers (when the systems are called “on-premise”)
  2. hosted in the cloud accessible via the Internet, where the access control app is installed in a cloud and there is no hardware and software on-site anymore.

 

1 On-Premise systems

Small „on-premise” access control systems usually have the access control application installed on a simple desktop/laptop computer, which is used as the host computer, but often is also used as a client workstation for entering cardholder information, programming the system, and making status reports.

In larger systems, as access control devices can produce high volumes of data, one or more dedicated servers are needed. These are high-speed computers able to perform several thousand operations per second, which is essential for controlling the flow of data back and forth across the system. Mission-critical systems usually use a secondary server that is kept on standby to act as a redundancy for the primary server should it fail or need periodic maintenance.

As the servers are quite expensive, there are systems that allow installation on the company’s virtual machines.

 

2 Cloud-based systems

What are cloud access control systems? While the field hardware (controllers, readers, etc.) will still be on-site, the software (database, logic) is hosted in the cloud, so there is no need for local servers, client operating systems, databases, etc.

Cloud-based systems offer the same basic functionalities of on-premise software, and even more, without the operators or system administrators necessarily needing to be in that physical workspace to utilize the system, so they are no longer restricted to reviewing data onsite but from any location using an Internet-connected fixed or mobile device.

Also, cloud-based systems are more scalable and reliable; additional capacity is available on demand for a higher subscription, and the maintenance and updates are usually handled by the hosting company as part of the subscription.

In short, all of the above components work in the following way:

The access control system has one central host computer (or more in complex systems), one or more access controllers, and many downstream readers with possibly many (tens/hundreds) of input and output alarm points.

The server/host computer stores information for system administration and downloads device configurations, user IDs, schedules, etc. to the field-installed control panel(s), which make all local access decisions and upload to the server event information from the downstream readers and alarm points for monitoring alarms and events.
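An added sketch, not taken from the original article or from any vendor's product, of the flow summarized above: the controller decides by door and schedule from its downloaded copy of the database, keeps working when the host link is down, and uploads buffered events afterwards. Class names, the card ID and the hour-based schedule are assumptions; note that a right removed on the host is still honored at the door until the next download.

```python
from datetime import datetime

class Host:
    """Central server: master database and event store (simplified model)."""
    def __init__(self):
        self.link_up = True
        self.rights = {}    # card_id -> {door: (first_hour, end_hour_exclusive)}
        self.events = []

    def upload(self, batch):
        if not self.link_up:
            raise ConnectionError("host unreachable")
        self.events.extend(batch)

class Controller:
    """Field panel: decides locally from its last downloaded copy."""
    def __init__(self, host):
        self.host = host
        self.local_rights = {}
        self.pending = []   # events recorded but not yet uploaded

    def sync(self):
        """Download current rights and upload buffered events; False if offline."""
        if not self.host.link_up:
            return False
        self.local_rights = {c: dict(d) for c, d in self.host.rights.items()}
        self.host.upload(self.pending)
        self.pending = []
        return True

    def present(self, card_id, door, when):
        """Decide from the local copy only; the door never waits on the host."""
        window = self.local_rights.get(card_id, {}).get(door)
        granted = window is not None and window[0] <= when.hour < window[1]
        self.pending.append((when.isoformat(), door, card_id,
                             "GRANTED" if granted else "DENIED"))
        self.sync()         # best effort; a failure just leaves events buffered
        return granted

def demo():
    host = Host()
    host.rights["card-1001"] = {"server-room": (8, 18)}   # constructed sample
    panel = Controller(host)
    panel.sync()
    day = datetime(2024, 3, 4)
    results = [panel.present("card-1001", "server-room", day.replace(hour=10))]
    host.link_up = False
    del host.rights["card-1001"]    # revoked on the host while the link is down
    results.append(panel.present("card-1001", "server-room", day.replace(hour=11)))
    results.append(panel.present("card-1001", "server-room", day.replace(hour=20)))
    buffered = len(panel.pending)
    host.link_up = True
    panel.sync()                    # revocation reaches the panel only now
    results.append(panel.present("card-1001", "server-room", day.replace(hour=12)))
    return results, buffered, len(host.events)
```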

Benefits of access control systems

Managing and replacing a large number of individual „classical” keys proved complicated and expensive in any building with several different entrances.

Modern access control systems have the ability to simplify the management process of handling employee credentials, and entrance security, and provide you with the ability to track and monitor all entryway activity from one or more remote locations.

When you have an access control system in place, it is much easier to keep track of all activity, whether from your own employees, contractors, or visitors.

Data generated by access control requests can be useful for analyzing real-time access activity as well as providing input for security audits and management reporting. For instance, if a break-in or theft incident occurs, the system provides you with detailed information about who has accessed the building and each individual room where the access control system is activated and in use.

This type of information can also help security teams assess the efficiency of access control and refine best practices over time.

With modern access control systems, one can easily set specific access times and schedules for employees, contractors, visitors, and even entire groups of people. Whether there is a need to set access times for employees during work hours or the management is hosting guests for a day-long gathering, the access control system allows you to adjust access dates and times remotely with just a few steps, within seconds.

Conclusion – Superior Security

Transitioning to the use of an access control system is a must for any business, as it is one of the fastest ways to boost security regardless of the size of the business.

Using an access control system, there is no longer a need to keep track of keys, or whether a key has been stolen or copied, or shared with others. Electronic credentials are more difficult to copy and they require validation before a user can gain access, which gives security teams greater ability to control access.

Implementing access control systems not only helps to keep better track of who is coming and going to your place of business, but it also provides in-depth details of who is always accessing individual rooms and locations, for significantly increased security.

Access control systems are incredibly helpful with any criminal investigations involving theft, burglary and break-ins.