What is access control

Why access control is important

The primary role of access control security, or the true access control security meaning, is to ensure the highest level of protection for a building and its occupants and contents by managing access to reduce risk. With 60% of companies using dated access control solutions that become more vulnerable every year, it is paramount for companies to regularly review their access control security (International Security Journal).

Unauthorized intruders can steal or damage property. If they gain access to areas such as server rooms or executive offices, for example, they could steal sensitive commercial or personal data, or launch cyber attacks from unsecured devices within the building. In extreme situations, intruders might try to disrupt normal activities or harm people within the building.

Access control techniques can provide other important benefits. For example, the data from access control devices can give useful insight into usage levels for resources, such as conference rooms or car parks where entry systems are in place. This can help facilities management teams to develop plans based on accurate data.

Access control in conjunction with surveillance also enables security teams to manage movement and limit access within busy areas to reduce the risk of overcrowding or maintain social distancing – a critical contribution to safety during the pandemic.

Identifying areas for access control

The starting point for an access control strategy is to identify areas that need to be secured and controlled. Some are obvious, like the main entrance to the building, turnstiles, elevators, car park barriers, or the door into a server room:

• Main entrance – This is a reception area where check-in is automated and employees and visitors must present credentials.

• Turnstiles – These can be located close to the main entrance as an access control mechanism where there is no other form of check-in. They may also be located on other floors or zones that need to be secured.

• Car park entrance – This may be secured by a gate or other form of barrier that limits access to authorized users or authorized visitors.

• Elevators – Access controls may be used to manage numbers of occupants or to control access to certain floors.

• Server rooms – All entrances must be secured, allowing only authorized users.

However, it’s essential to identify other areas that are vulnerable to intrusion, represent a security risk, or where it’s important to manage movement:

• Vulnerable areas – These include emergency exits, windows, or unsecured exterior doors where intruders could get access without detection.

• Areas with a security risk – These include offices, storage areas or meeting rooms where confidential information is held.

• Areas to manage movement – These include elevators, lobbies, stairways and passages where it’s essential to avoid overcrowding.

Access control policies

So, what is an access control policy? Well, as identifying areas to secure, it’s important to determine who has access to specific areas and who makes the decisions about access levels. These access control models fall into four types of access control security categories:

Discretionary access control

This model gives individual users access to specific areas at the discretion of one person, the owner for example. The weakness of this model is that the person with discretion may not have security expertise to allocate permissions based on full awareness of risks and access control vulnerabilities. However, where security risks are low, this may be a suitable model.

Mandatory access control

With this access control model, access permissions are determined by a Security Administrator – generally a professional with security expertise, such as a chief security officer or an IT director with security experience. This individual sets and manages permissions and is the only person with the authority to do so. The mandatory access model is essential for organizations where the highest level of security is required.

Role-based access control 

In this model, the security administrator determines a security policy or access control list that can grant access permissions based on the role of the end user. So, a senior manager might be granted access to most areas of a building while an employee may only be allowed access to areas necessary to do their work or hold meetings. An employee with a specialist role, like a design engineer or IT technician, would be able to access specific secured areas such as workshops, labs or server rooms, for example. Generally, individual users are only given minimum access permissions – an approach based on the principle of least privilege.

Rule-based access control

Rule-based access control uses a set of rules and policies to manage access to places or locations. This model is frequently used with other approaches such as role-based access control and can override other permissions.  For example, a user with role-based permission to access a restricted area may be denied access if the rule-based policy states ‘no access to any employee between the hours of 6pm and 7am.

Zero trust policies

While these three models can be used in different organizations to meet specific security requirements, they are increasingly supplemented by the adoption of zero trust policies. This is important because it recognizes that security can be compromised unintentionally by identity theft, or problems such as tailgating or the use of shared credentials.

To reduce the risk, security administrators can implement additional measures such as the use of one-time passwords, multi-factor authentication or biometric authentication.

Security training and awareness

As well as selecting the most appropriate access control policy, a security administrator should also develop and use security training and awareness programs to ensure that employees understand their responsibilities in using permissions and access control security models correctly. As well as general awareness, training should highlight specific problems such as:

• Sharing credentials with other employees

• Allowing unauthorized individuals to tailgate

• Accidentally or deliberately sharing of confidential information

• Weak or insecure passwords and logins

The access control process

When security administrators have identified areas for access control and established permissions for different users, the access control process moves through a number of interrelated stages.

Authentication –The user provides credentials using one of the different access control methods described later in this guide. The credentials must prove that the user is who they claim to be, and has permission to access a specific area or resource.

Authorization – A controller (also referred to as an ACU) compares the credentials with a database of authorized users or rules to ensure they have permission to access. Things that may affect authorization can include credential types, entry schedules, active lockdowns, and user permissions.

Access – Following authorization, the user can access the area or the resource. If the credentials are not valid, the system denies access.

Analysis – Security administrators analyze the data from access control devices to identify any patterns of irregular behavior that might indicate security weaknesses or attempts at unauthorized intrusion.

Identity management – Access control is a dynamic process where users and security requirements are likely to change. Employees might leave or change roles, for example, and that makes identity access management a critical part of the process. Security administrators are responsible for managing moves, adds, and changes to ensure that the database is up to date and accurate. Some access control security providers also have the capability to sync active users through identity providers to automate this process.

Audit – As an additional layer of protection, carrying out regular audits of access control data and identity databases reduces the risk of vulnerability through outdated credentials or system weaknesses.

To implement an access control policy, a number of different components have to be in place:

• Access control devices or methods for presenting credentials

• Access control readers

• Access control units

• Software

These components form the basis of an electronic access control system, which replaces traditional systems based on locks and keys. In the modern system, the ‘lock’ is the access control reader and access control unit, and the ‘key’ is the user’s device for presenting credentials.

There is also a growing trend towards the adoption of touchless access control technologies, which was driven by the challenges of the pandemic. To improve the analysis of data from access control systems, security teams are also now using artificial intelligence techniques.

Presenting credentials

Users can present their credentials in a number of different ways, using approved devices, codes or other credentials provided by the security manager.

PIN codes – The user enters a PIN code to a keypad to get access rights. The PIN can be a general code or a code that is unique to each user. Unique codes are essential for areas where higher security is required.

Key cards – Key cards incorporate embedded signals or codes on a magnetic strip. With a swipe card, users swipe the card through the reader. Cards with embedded codes are known as proximity cards; the user simply presents the card, which communicates with the reader using RFID technology.

Key fobs – Key fobs provide the same RFID functionality as key cards, but are more convenient for users.

Mobile credentials – Users download an approved app to their smartphones which validates their identity for keyless door entry. When they approach a door reader, they activate the ‘unlock’ function on the app to have access rights.

Biometrics – Biometric techniques include fingerprint reading, facial recognition and iris scanning to validate credentials. They can be used as the main method of authentication or used in conjunction with other methods of presenting credentials to add an extra layer of protection, particularly for high-security areas.

Access control devices and readers

The second essential component is the physical access control reader fitted to the door, gate, or other form of entry. The reader must be compatible with the methods or devices used to validate users. It’s important to select a reader that has the ability to support multiple existing and future types of credentials – not all readers have that capability. Replacing readers that are not future-proof can be costly and time consuming.

Keypad PIN readers – Users key in a PIN using the keypad. The system is simple and convenient but can be compromised by users sharing PINs or intruders using stolen credentials.

Swipe card readers – These readers work in conjunction with key cards that users swipe through the reader. Although these readers are secure, they may require frequent maintenance and card replacement if they are used in areas of heavy traffic.

RFID door lock readers – This type of reader responds to signals sent from a user’s RFID-enabled credential. They are also known as proximity readers, and respond when a user’s device is within range. However, they can be prone to accidental opening if a user with a valid card passes by within range, but doesn’t intend to enter the secured area.

Biometric readers – These readers incorporate sophisticated scanners that can validate a physical attribute, such as a face, fingerprint, or iris. They can also work in conjunction with smartphones that feature biometric login as a form of highly secure two-factor authentication.

Smart door lock readers – A new generation of smart door readers can increase flexibility and convenience for employees by operating in conjunction with a number of different devices, such as smartphones, key cards and key fobs. They can be used to enforce single or two-factor authentication by responding to multiple devices.

Access control units

Access control units are the ‘brains’ of the system. They are linked to databases or directories that include names and access levels of authorized users. When users present their credentials, the reader contacts the access control unit, interrogates the database and receives an ‘open’ or ‘deny access’ response that activates the reader.

The effectiveness of the control unit depends on the accuracy of the information in the database. That’s why identity access management is an essential part of access control.

Access control software

Software applications act as the link between the various components of an access control system. Applications can be supported with on-premise, browser-based, cloud-based or mobile platforms.

Security teams use the software to manage and update user credentials, as well as gathering data on entry events from the system for analysis and audit.

Access control software can also be used to monitor hardware performance and alert security teams to faults or other operational problems.

Towards touchless access control

The recent pandemic highlighted the importance of touchless technologies in protecting employees and visitors at work. Adopting touchless access control solutions can ensure that same level of protection, as well as maintain security.

Touchless technology can also improve the experience for both employees and visitors. For example, automating the reception process with touchless entry improves convenience. It also makes a great first impression, as well as reduces delays and minimizes non-essential contact.

Integrating access control with AI

Access control systems provide valuable data on usage and incidents. By applying artificial intelligence techniques which ‘learn’ patterns of behavior, security teams can quickly recognize unusual events that may represent a security risk. Teams can also use AI techniques to quickly analyze data and respond to real or potential incidents faster.

Managing the components – onsite or in the cloud?

To operate, manage and maintain an access control system, security teams have a choice of locating the system onsite or hosting it in the cloud.

Traditional legacy systems require servers for the system to be located and maintained in dedicated facilities onsite. This can take up valuable space and resources and ties up the IT team in routine day-to-day operation and maintenance. Updates have to be handled manually while upgrades take up further resources and can be very time consuming, depending on the scope of the upgrade. Legacy systems are also difficult to scale. If the system has to expand to cover more areas or support more users, it will require new installation and configuration before the system is fully operational.

Cloud-based solutions can eliminate many of these challenges. With a cloud-based access control system, the hardware remains on site but the software and database are managed and maintained by specialist cloud hosting companies.

The third-party cloud team manages day-by-day operation and maintenance of the system and takes care of any upgrades, which are rolled out automatically to reduce system downtime. Another benefit of cloud-based systems is that teams can manage moves, adds and changes using high levels of automation to ensure that credentials are maintained and up to date.

Using a cloud system frees the on-site team for more important duties and also allows them to handle any specific tasks remotely. The IT team can access the cloud system through a portal that allows them to make changes, place support requests or download reports.

The system can be configured to automate notifications of any incidents to the security team wherever they are located. Security teams no longer have to be on site to respond to incidents or make changes to the system if new threats emerge.

Adopting a cloud-based solution is also important to converge physical security and cyber security strategies. Cloud systems linked to threat databases can ensure that security teams always have access to the latest security information, enabling them to make a proactive response to any potential vulnerabilities.

Access control systems play an essential role in protecting a building and its occupants against threats from intruders, but they can also make a wider contribution to building management and the evolution of smart building technology, particularly if building access management systems are also managed in the cloud.

While the primary role of commercial access control systems is to monitor and control access to secured areas, data from the system can also provide greater insight into employee movement within buildings. Many types of door access control systems can provide valuable input into facilities planning to create safer and more efficient routing as well as optimizing space utilization. For example, analyzing traffic in spaces such as conference rooms or other busy spaces provides useful information on room availability, occupancy levels and the efficiency of access control.

Access control systems can also be integrated with other elements of building management systems. For example, access control data on room occupancy can support better planning of heating, lighting, ventilation and other facilities by automating the allocation of resources in line with actual occupancy. This can improve resource efficiency and reduce overall costs.

Selecting access control security for your business

There are many types of access control available. So, when it comes to selecting the most appropriate access control operating system, there are some important factors to take into consideration.

Performance – The most important factor is security. Will the system provide adequate protection for areas of the building that contain sensitive information or resources and facilities that could harm the business if they were damaged by intruders? Access control models must provide the right level of protection, right up to maximum for the areas of highest risk.

Reliability – Reliability is closely linked to performance. If a reader or access control unit is not reliable, it reduces the level of security. Downtime for repair or maintenance also increases risk and inconvenience for users. The equipment should have guaranteed levels of uptime and incorporate back-up or failover solutions for high-security areas.

Convenience – Although access control models are designed to deter unwanted intruders, it should not be inconvenient for authorized users who require ongoing access. When it comes to access control best practices, the system should be quick and easy to use and, where practical, employ touchless technologies to maintain an environment that is safe as well as secure.

Management – As well as convenience for users, the system should also be convenient for a system administrator to manage. Operation, configuration, management and maintenance should be straightforward, and can be simplified even further by adopting a cloud-based approach that offers remote and mobile-based management capabilities.

Flexibility– System components should be customizable so that a system administrator can configure them to meet specific requirements for different areas and individual users. The system should also be quick and easy to reconfigure if security requirements change.

Scalability – For growing businesses, it’s important to have a system that can be easily scaled to cover more access points or support additional users. If an organization operates across multiple sites, it can improve operational efficiency if a system on one site can be scaled via the cloud to other sites. This will ensure a consistent security model across the organization and reduce overall costs.

Compliance – The system should enable the business to comply with any customer security requirements, data protection requirements or industry-specific regulations. For example, customers may require data relating to their business to be secured by special measures as part of a contract. For example, companies providing outsourced technology services may have to comply with SOC1 or SOC2. In some industries, compliance with an international security standard such as ISO 27001 is essential for doing business, while business in sectors such as healthcare or financial services require even higher levels of security compliance. In general, it’s essential to provide a robust security model for personal data to comply with data protection regulations, such as Europe’s GDPR regulations or US state laws, such as California’s CCPA. Companies that supply access control hardware must comply with UL294 and FCC regulations, while readers must achieve IP65 rating.

Though-life costs – Cost is one of the most important factors in selecting an access control model, not just the initial costs, but the total through-life costs for operating, managing and maintaining the system. The initial cost will be based on the number of access points to be covered, the type of components required and the cost of installation and configuration. The ongoing costs will include operation, monitoring and management, and the costs of maintenance, repair and upgrading. Costs can be lower with a cloud-based solution that rolls the cost of maintenance and upgrading into a monthly subscription.

Features – As well as providing the essential security functions, it’s important to select systems that include access control features that save time or improve efficiency. For example, automated notifications from the cloud ensure the security team has the latest information on threats. A wide range of reports will enable security administrators to provide different stakeholders with the specific information they need for their role. Remote access management capability improves convenience and flexibility for the IT team, enabling them to manage systems and respond to incidents from any location.

Upgrading – Manufacturers regularly introduce new features or upgrades to protect against new security vulnerabilities or improve system performance. That makes it essential to select a system that makes it easy to roll out new access control features with a high level of automation, rather than replacing hardware or obtaining new software licenses.

Advice and guidance

With the right system in place, organizations can be confident that they are providing the highest level of protection for people, property and data.

However, selecting and implementing the right access control model can be a complex, time-consuming task. It’s important to work with a supplier with expertise in security technology and a track record of providing successful solutions. Suppliers can also provide a range of professional services including initial consultancy as well as planning, design, installation and ongoing support services.

To take the next step in selecting the right access control solution for your business, contact Liquid Video Technologies to arrange a security consultation and schedule a site audit with a trusted security integrator.