Who, goes where, when … that is access control in a nutshell.  In this post we will discuss why we need access control, some of the variations in how it is applied and some suggested techniques on applying these systems.

Why Do We Need Access Control

All security systems start with a controlled perimeter.  As you learned in our earlier post on secure perimeters this means you have a contiguous set of walls that isolate and protect your assets and keep out  the bad guys.  But the problem with a controlled perimeter is that you have to provide openings so legitimate use of assets can occur.  So the dilemma is that you must provide access to something that is best protected when there is no access, thus the need for access control.

The most effective means of access control is to station security personnel at every door to the protected assets, provide them with information on all authorized personnel and require that everyone entering be screen by security.  Obviously this is very expensive and only used in the most critical security circumstances.  In more modest situations like a commercial business environment we can use access control devices that identify authorized personnel and allow only those individuals access to the protected space.

Access Control Devices

Access control devices have two basic components, a locking device and an identification device.  The locking device is usually an electric strike or latch, power magnet, electric panic hardware or other door locking device.  The lock is matched to the door based on the door and frame configuration, existing mechanical lock cutouts, egress requirements and other door characteristics.

Access control identification devices also come in a variety of configuration to match the application requirement.  The method of identification can be something the user knows, such as a code or something they posses like an identification card or something unique to the individual like a fingerprint, palm print or eye characteristic.  The least secure of these is the known code since it can be shared without control and easily acquired by unauthorized personnel through modest clandestine means. The most secure is biometric since it is unique to each person.  But biometrics are generally more expensive and more difficult to implement and maintain.  The decision on which type of access control device to use is not simple and requires a comprehensive view of all security needs in an organization with your security consultant.

Some Application Methods

There are cases where multiple access control methods are used in the same facility.  For example, research labs with controlled substances might have a vehicle radio frequency tag for entry to a parking lot to restrict the general public from their property and at the same time add a keypad to the same openings and give out the code number to visitors.  This code could be changed weekly so only chosen people will have access.

This same facility might have proximity card readers to enter the building and control movement throughout the facility.  Not all cards would work at all doors, cards would be authorized only for areas where the individual cardholder worked.  In some situations there may be more than one card reader on a door, one might be proximity for the employees and the other a magnetic stripe or bar code reader that reads paper cards for visitors.  Visitors would be assigned these paper cards for unescorted movement through the building and each card would have an “access path” allowing them to go only through those doors necessary for their destination.  Visitor cards would expire at the end of the day and could be thrown away.  Then once deep inside the facility a biometric device would be employed to control access to the select agents or substances.+

The most perplexing problem in building access control is “tailgating”, that is when an unauthorized person follows an authorized person through a controlled door.  There are ways to inhibit this movement but the discussion is too long for this post.  The most cost effective means of preventing tailgating is employee training.  Make sure the staff understands the problems tailgaters can create and establish a policy that no one is to be admitted without proper authorization.

System Management

The final thought on this topic is system management.  An access control system operates in an active environment, that is you can’t “set it and forget it” like a burglar alarm system.  Authorization levels change, people loose cards and new people are added.  If you allow the system to automatically lock and unlock certain doors during the business day, schedules change, special events occur, there are always changes.  An individual (with at least 1, preferably 2 backups) should become intimately familiar with the system and be the hub of all requests for changes and maintenance.  That person may have clerical support for keyboard work but they must know what the system is doing at all times.