An access control system (ACS) is an ultra-critical component in the chain of electronic security – however in India, even many large organizations do not give access control the credit that is due. This article enumerates ten must-have features that any modern access control system should possess.
While designing security systems, we are especially attracted to projects which consist of access control systems (ACS) – because only the discerning customer considers access control as a ‘security requirement’ rather than a ‘time & attendance’ requirement. In many premises, the convenience of recording attendance is given precedence over the necessity of preventing unauthorized entry at all times. This leads to the continued use of obsolete access control technology, making the entire campus vulnerable to intrusion, albeit unknowingly. Due to the lack of a clear understanding of, and expectation from, an ACS, vendors often make the most of the situation, installing systems that have gaping loopholes.
The entry and movement of persons and/or vehicles in a campus is of the utmost criticality for any security manager, and a sound ACS must be the first step towards managing the same. Surveillance cameras may be the most visible element within security systems; however, they are reactive (mostly used after an incident has happened) – whereas an ACS has the ability to prevent that very incident.
Since all security systems are now IP based, ACSs have also gravitated towards Internet Protocol. This is great news for both the security and network administrators; however, it does open up possible vulnerabilities, especially if there is an intersection of the data and security networks. Security managers have to be tuned into the IT security demands of their organizations and have to ensure that their ACS over IP poses no risks of virtual intrusion.
Access control is a complex domain using multiple technologies – cards, readers, controllers, software, and the IT elements. Hence, it is best left to experts – however, here I lay down ten techno-functional parameters that must be considered when one decides to implement, or upgrade to, a state-of-the-art ACS. While broadly any ACS can be judged by its adherence to these parameters, there are site-specific conditions that one must look into to increase the efficacy.
Integrability with other systems is the first parameter to consider while designing an ACS. The first integration point for any ACS should be with the fire/smoke detection system. This is mandated by law. Unfortunately, ‘mandated by law’ is not a very strong phrase in India! This has led to tragic accidents in many organizations, retail environments and homes, but the learning is still not evident. Further, organizations do not have a clear standard operating procedure (SOP) in terms of the modalities and eventualities of such integration.
Another integration point that can unlock the true potential of security systems is between video surveillance and access control. Modern video surveillance systems do have standard integration protocols with ACS (and vice versa), and these protocols must be harnessed to deliver better situational awareness.
Many other integration touch points with ACSs are already being practiced – such as the one with T&A and ERP systems (which we will not delve into). However, one element of tight integration to be considered is with visitor management systems. As I never fail to repeat, the visitor management system really manages all the unknowns in your campus – and hence seamless integration of the visitor management system with the ACS is strongly required. Without intruding into the privacy of the visitor, a visitor management system should be able to clearly define what is expected of the visitor in your campus and what is the protocol when those expectations are not fulfilled. Ultimately, it is the campus!
2. Card vs. biometric
Frankly, there is no comparison at all – biometric ACSs are more secure, reliable and authentic than mere card-based ACSs. However, this is a decision that involves change management and process re-engineering, which at times is difficult to achieve in brown-field projects. If a card-based ACS is to be used, multi-technology smart card readers should be considered. It’s surprising to know that many organizations are still using proximity cards and readers, which have been proven to be eminently hackable.
The choice of the card itself is an important one, as it literally is the key to your premises. Smart contactless card platforms such as MIFARE, DESFire and iCLASS SE offer significantly higher security and encryption standards.
3. Card formats
Organisations must ensure that they get completely involved in the important job of defining specific access card-bit formats. We have noticed that for the sake of manageability, security managers leave the task of card bit format definition to vendors, without perceiving the risk of vendor lock-in.
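One way for an organisation to keep its card-bit format on file as its own data and check raw reader output against it (an added example, not from the article). The article names no specific format, so the widely published open 26-bit layout is used as the sample; the class names and the sample read are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Field:
    name: str
    start: int    # offset of the field's first bit, counted from 0
    length: int   # number of bits

@dataclass(frozen=True)
class Parity:
    position: int  # bit that carries the parity value
    covers: range  # data bits it protects
    even: bool     # True = even parity, False = odd parity

@dataclass(frozen=True)
class CardFormat:
    name: str
    total_bits: int
    fields: tuple
    parities: tuple

    def decode(self, bits: str) -> dict:
        """Validate a raw reader output string and split it into named fields."""
        if len(bits) != self.total_bits or set(bits) - {"0", "1"}:
            raise ValueError(f"{self.name}: expected {self.total_bits} binary digits")
        for p in self.parities:
            ones = sum(bits[i] == "1" for i in (*p.covers, p.position))
            if (ones % 2 == 0) != p.even:
                raise ValueError(f"{self.name}: parity error at bit {p.position}")
        return {f.name: int(bits[f.start:f.start + f.length], 2) for f in self.fields}

# The open 26-bit layout, written down as data the organisation keeps on file.
OPEN_26 = CardFormat(
    name="open-26",
    total_bits=26,
    fields=(Field("facility_code", 1, 8), Field("card_number", 9, 16)),
    parities=(Parity(0, range(1, 13), even=True),
              Parity(25, range(13, 25), even=False)),
)

# Constructed sample read: facility code 12, card number 3456.
SAMPLE_READ = "00000110000001101100000001"

if __name__ == "__main__":
    print(OPEN_26.decode(SAMPLE_READ))
```

With the layout held as data like this, the same definition can be handed to any vendor's enrolment tooling instead of being known only to the installer.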
4. Information security
Since ACSs have now become completely IP based, they have to be essentially treated as IT systems – and all the information security standards that the organization adheres to have to be satisfied. Access data has to be treated with the highest confidentiality standards. ACSs must quickly adopt the IPv6 protocol and use high encryption standards (minimum 128-bit AES). Similarly, the IT elements such as the operating system, databases, processing and storage should all conform to the latest available versions to guarantee better support and security.
5. Reporting, alarms & alerts
An ACS cannot be treated as a static system – it must have the capability to evolve as per the organisation’s growth. The software becomes critical in this sense, and hence it should have the ability to scale up, to be customized, and to be tuned to the growth requirements. This includes demands for varying report requirements that security managers will have for administrative management. Similarly, workflow based alerts and alarms are now a necessary feature for large campuses with a vertical security hierarchy.
Biometric ACSs are the best to negate any chances for false entry. Even biometric ACSs do require de-duplication to ensure complete identification. Card based ACS are prone to counterfeiting and hence, a robust card definition with two factor authentication in case of escalated risk perception will help organisations defeat this threat. Employees must also be sensitized to this threat and card inventory has to be reconciled at all times.
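A sketch of the card-inventory reconciliation and de-duplication described above, as an added example that is not from the article. The three CSV exports, their column names, the holders and the finding codes are all constructed for illustration and do not reflect any vendor's export format.

```python
import csv
import io

# Constructed sample exports; the column names are assumptions, not a vendor format.
REGISTER_CSV = """card_id,holder,status
1001,A. Rao,issued
1002,S. Mehta,lost
1003,,in_stock
1004,K. Iyer,returned
"""
ACS_CSV = """card_id,holder,active
1001,A. Rao,yes
1002,S. Mehta,yes
1004,K. Iyer,no
1005,Unknown,yes
1001,Contractor 7,yes
"""
EVENTS_CSV = """timestamp,card_id,door,result
2024-01-10T09:01:00,1001,Lobby,granted
2024-01-10T09:05:00,1002,Server Room,granted
2024-01-10T09:07:00,1005,Lobby,granted
"""

def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(register_csv, acs_csv, events_csv):
    """Return sorted (card_id, finding) pairs for cards that need follow-up."""
    register = {r["card_id"]: r["status"] for r in _rows(register_csv)}
    findings, holders = set(), {}
    for r in _rows(acs_csv):
        cid = r["card_id"]
        # De-duplication: one card number must map to exactly one holder.
        if holders.setdefault(cid, r["holder"]) != r["holder"]:
            findings.add((cid, "DUPLICATE_HOLDER"))
        if r["active"] != "yes":
            continue
        status = register.get(cid)
        if status is None:
            findings.add((cid, "NOT_IN_REGISTER"))
        elif status != "issued":
            findings.add((cid, "ACTIVE_BUT_" + status.upper()))
    # Any granted entry by a flagged card is an event the security team should review.
    flagged = {cid for cid, _ in findings}
    for e in _rows(events_csv):
        if e["result"] == "granted" and e["card_id"] in flagged:
            findings.add((e["card_id"], "USED_AT_" + e["door"].upper().replace(" ", "_")))
    return sorted(findings)
```

Calling `reconcile(REGISTER_CSV, ACS_CSV, EVENTS_CSV)` on the sample data flags the lost card that is still active, the credential missing from the register, and the card number assigned to two holders, together with the doors each was used at.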
7. Visitor management
We have touched upon visitor management earlier – but it deserves a separate mention, because of its importance. Managing visitors, their visit times and patterns, and generating visitors’ white and black lists is an important job in security management. A tight and seamless integration of the visitor management system with ACS will help security managers breathe a bit easy. Also going forward, with biometric systems becoming better (especially face recognition), organisations may have to find a way to use them in managing visitor access, without disrupting their existing access control platform.
There are international standards already in place for ACSs such as IEC 60839 that deals with alarms and electronic access control systems. Other standards that a sound ACS should comply with relate to cyber security and information security (ISO 27001), component safety (UL), and privacy regulations such as GDPR. Specific organisations may have their own business standards that they would like to comply with.
9. Physical barriers
Physical barriers – turnstiles, flap or swing barriers, boom barriers, EM locks etc. – are as important as the electronic access control components. When designing an ACS, adequate care has to be taken to install physical access barriers that have been rigorously tested and have a good operational life. The fail-safe and fail-lock mechanisms must be tested before the barriers are operationalized. Also, when installing EM locks, integration with the fire alarm system must be ensured.
Once an ACS is installed, it is useful to conduct periodic audits (at least annually) by undertaking penetration testing – logical and physical – so that the entire system stays true to the principles on which it was initially designed. By engaging third party auditors, audits can present an honest scenario which can be utilized to plug loopholes and tighten procedures.
In summary, good access control systems are critical security systems and if well designed they can prevent security incidents and provide proactive security intelligence. In tandem with consistent operating procedures, an ACS can be a great ally to the security manager.
Prasad Patil, Director, MIPL & Chairman, SECONA