Access Control Systems: Its Time to Move with the Times!
An access control system (ACS) is an ultra-critical component in the chain of electronic security – however in India, even many large organizations do not give access control the credit that is due. This article enumerates ten must-have features that any modern access control system should possess. While designing security systems, we are especially attracted to projects which consist of access control systems (ACS) – because only the discerning customer considers access control as a ‘security requirement’ rather than a ‘time & attendance’ requirement. In many premises, the convenience of recording attendance is given precedence to the necessity of preventing unauthorized entry at all times. This leads to the continued use of obsolete access control technology, making the entire campus vulnerable to intrusion, albeit unknowingly. Due to the lack of clear understanding of and expectation from an ACS, vendors often make the most of the situation, installing systems that have gaping loopholes. The entry and movement of persons and/ or vehicles in a campus is of the utmost criticality for any security manager and a sound ACS must be the first step towards managing the same. Surveillance cameras may be the most visible element within security systems; however, they are reactive (mostly used after an incident has happened) – whereas an ACS has the ability to prevent that very incident. Since all security systems are now IP or IP based, ACSs have also gravitated towards Internet Protocol. This is a great news for both the security and network administrators; however, it does open up possible vulnerabilities, especially if there is an intersection of the data and security networks. Security managers have to be tuned into the IT security demands of their organizations and have to ensure that their ACS over IP poses no risks of virtual intrusion. Access control is a complex domain using multiple technologies – cards, readers, controllers, software, and the IT elements. Hence, it is best left to experts – however, here I lay down ten techno-functional parameters that must be considered when one decides to implement or upgrade to, a state-of-the-art ACS. While broadly any ACS can be judged by its adherence to these parameters, there are site-specific conditions that one must look into, to increase the efficacy. 1. Integration Integrability with other systems is the first parameter to consider while designing an ACS. The first integration point for any ACS should be with the fire/ smoke detection system. This is mandated by law. Unfortunately, ‘mandated by law’ is not a very strong phrase in India! This has led to tragic accidents in many organizations, retail environments and homes, but the learning is still not evident. Further, organizations do not have a clear standard operative procedure (SOP) in terms of the modalities and eventualities of such integration. Another integration point that can unlock the true potential of security systems is between video surveillance and access control. Though, modern video surveillance systems do have standard integration protocols with ACS (and vice versa) – these protocols must be harnessed to deliver better situational awareness. Many other integration touch points with ACSs are already being practiced – such as the one with T&A and ERP systems (which we will not delve into). However, one element of tight integration to be considered is with visitor management systems. As I never fail to repeat, the visitor management system really manages all the unknowns in your campus – and hence seamless integration of the visitor management system with the ACS is strongly required. Without intruding into the privacy of the visitor, a visitor management system should be able to clearly define what is expected of the visitor in your campus and what is the protocol when those expectations are not fulfilled. Ultimately, it is the campus! 2. Card vs. biometric Frankly there is no comparison at all – biometric ACSs are more secure, reliable and authentic than mere card based ACSs. However, this is a decision that involves change management and process re-engineering, which at times is difficult to achieve in brown-field projects. If card based ACS is to be used, multi technology smart card readers should be considered. It’s surprising to know that many organizations are still using proximity cards and readers, which have been proven to be eminently hackable. The decision of the card itself is an important one as it literally is the key to your premises. Smart contactless card platforms such as MiFare, DesFIRE and iCLass SE offer significantly higher security and encryption standards. 3. Card formats Organisations must ensure that they get completely involved in the important job of defining specific access card-bit formats. We have noticed that for the sake of manageability, security managers leave the task of card bit format definition to vendors, without perceiving the risk of vendor lock-in. 4. Information security Since ACSs have now become completely IP based, they have to be essentially treated as IT systems – and all the information security standards that the organization adheres to, have to be satisfied. Access data has to be treated with highest confidentiality standards. ACSs must quickly adopt the IP v6 protocol and use high encryption standards (min 128bit AES). Similarly, the IT elements such as the operating system, databases, processing and storage should all conform to the latest available versions to guarantee better support and security. 5. Reporting, alarms & alerts An ACS cannot be treated as a static system – it must have the capability to evolve as per the organisation’s growth. The software becomes critical in this sense, and hence it should have the ability to scale up, to be customized, and to be tuned to the growth requirements. This includes demands for varying report requirements that security managers will have for administrative management. Similarly, workflow based alerts and alarms are now a necessary feature for large campuses with a vertical security hierarchy. 6. Anti-duplication Biometric ACSs are the best to negate any chances for false entry. Even biometric ACSs do require de-duplication to ensure complete identification. Card based…