Understanding the Physical Access Control Security Schema
Designing an access control solution requires decisions on 8 fundamental questions. This in-depth guide helps you understand the options and trade-offs involved in designing an excellent access control solution
The eight fundamental questions are:
- Are the Benefits Worth the Cost?
- What Do You Secure?
- What Forms of Authentication and How Many Do You Need?
- What Kind of Reader Should You Use?
- What Kind of Lock Should You Use?
- What Do You need at the Door Besides a Reader and Lock?
- How Do You Connect the Reader to the Network?
- What Type of Access Control Management System Should You Use?
Today we are focuses on selecting and designing electronic access control system (using cards, pins, biometrics, etc.) rather than key based ones.
- Access Control Cost
- Access Control Benefits
- Access Secured Applications
- Four Verification Factors
- Electrified Lock Types
- Reader Selection Criteria
- What else do I need at the door?
- Door Position Switches
- What Type of Access Control System Should I Use?
- 3rd Party Controller Compatibility
- System Selection Criteria
- Special Considerations
Access Control Cost
While electronic systems are far more sophisticated and can be more secure, most people still use keys. The reason is simple: cost. While electronic systems provide many benefits over keys, they will cost thousands more per door than keys/locks. As such, you may determine the cost of electronic systems cannot be justified or that only certain doors are worth installing electronic access control.
Access Control Benefits
To determine if electronic access control is worth the cost, understand if the following benefits apply to your use:
- An access control system simplifies management of access to the building. Keys do not need to be made and distributed to employees or contractors. Credentials (either permanent or temporary) are issued to the respective party, and that is it.
- The potential risk associated with a misplaced or stolen key is significantly reduced. Typically, if a key to an exterior door is lost, best practice and common sense would mandate re-keying the facility, lest that key fall into criminal hands.
- Improved audit trail: With keys, no record is kept of who came and went through each door, and when. Intrusion detection and surveillance systems may provide some idea, but not as simply, or in as much detail.
- With keys, in many facilities, staff must manually lock and unlock doors at the beginning and end of business. This requires time and introduces the risk of forgetting or not properly locking a door. Doors controlled by an access control system, whether controlled by a card reader or not, may be automatically unlocked in the morning and locked at night on a schedule, or when the intrusion detection system is disarmed and rearmed.
Access Secured Applications
After answering the why, the second question when planning an access control deployment is what. What assets are to be secured? Doors which are infrequently used, or by a very limited number of staff, such as closets, typical non-critical offices, and mechanical spaces, typically are not worth the expense of adding access control, unless a legitimate risk to high-value assets is expected
Typical spaces we see access control applied:
- Exterior Doors
- Storage Areas/ Cabinets
- Server Room
- Key Control Closets
Typically, exterior doors are the first thing to be secured.
This simplifies access to the building, so staff do not need keys, while keeping unauthorized persons out of all entrances except those intended. Visitors may be directed to a particular entrance where staff can receive them.
Typically, this is done in one of two ways:
- Indirectly: In this scenario, visitors to the facility utilize an intercom (audio/video is most definitely preferred) to speak to reception or security staff, who then remotely release the door so they may enter.
- In-person: In this scenario, visitors simply enter the building through an unlocked set of doors and speak to reception staff. In both instances, the visitor may be kept outside of the facility entirely, or they may be allowed access into the building into a lobby or vestibule, which is secured by a second access controlled door.
Entry gates are commonly added to an access control system. This moves access to the perimeter, from the door, often desirable in high crime areas or high-security facilities. This is typically paired with surveillance and/or video intercom so staff may visually confirm who is requesting entry. The gate may then be remotely released for deliveries or visitors. Wireless interfaces make gate access control by avoiding trenching costs. The gate is usually controlled via interface to a gate operator or through specialized locks made for the application.
Cabinets, Storage and Warehouse Areas
Storage rooms, warehouses, and cabinets are easy targets for both internal and external threats. Securing entrances to these areas reduces access, provides a log of activity, and introduces an extra obstacle for anyone intending to steal supplies or equipment.
Along with network security becoming a bigger issue, access control of data centers and closets has increased. Considering the server room is often the brains of an organization’s operation, this is a good practice. Specialized systems exist for securing cabinets in larger, often multi-user, data centers.
With computers being a common target of theft in schools, locking classrooms is often desirable. Installing electrified locks on each classroom also provides lockdown capability, so in emergencies security staff may lock down the entire campus with a single action.
Key Control Cabinets
Many organizations, even those who use access extensively, still need to manage a certain quantity of keys, whether for vehicles, cabinets, or other purposes. Often, these keys are kept in a cabinet or on a backboard, which are conspicuous and an easy target for any criminal. Simply using a securely mounted cabinet with an electrified lock reduces this risk. More elaborate systems for key management exist as well, providing control and audit trail down to the level of the individual key.
Four Verification Factors
The primary goal of access control is to selectively let people in. To do so, you need to choose a credential technique for people to prove that they have legitimate access to an entrance. The practical options for authentication 'factors' cannot be all of the same types and are typically separately managed types of credentials. The 'factor groups' are commonly cited as:
- Something the User Has: A credential/permission granted administratively to the user. Typically an access control badge, token, or fob. Also includes a mechanical key, membership ID, or passport.
- Something the User Knows: Typically a code or password kept private by the user. Typically a PIN number, but also include 'Security Questions' or 'Last 4 Social Security digit' confirmations.
- Something the User Is: Biometric features only the user is able to possess. Typically finger or palm prints are used, but other readings possible including face recognition, heartbeats, retina/iris scans, and even gait
- Someone Trusted Verifies the User: Under certain conditions, another human positively IDs and vouches for the user. This could be a manned guard or even a receptionist that grants access based on familiarity.
You can use these in combination. Indeed, this approach, called 'multi-factor authentication' is very popular among security practitioners.
Systems often use dual or triple mode authentication where users are required to use a pin and a card or a card and fingerprint or all three together. If both or all do not pass, entrance is denied. The big plus for this approach is that it makes it much harder for an illegitimate user to get in. The big downside is that it becomes inconvenient to users who will be locked out if they forget one and will take more time and hassle to get in each time they check in. Because of this, the number of factors of authentication usually increases with the overall level of security or paranoia of the facility (e.g., condos are single factor, military bases can be triple, etc.).
Electrified Lock Types
There are a variety of locks that may be used on access controlled doors, all having their application.
- Electric strike: The electric strike replaces the strike plate in the door’s frame (the metal plate the door latches into), and will unlock when power is applied to it.
- Electromagnetic lock: The most common lock used for access control, electromagnetic locks, or mag locks, or simply “mags”, consist of a coil of wire around a metal core, which produces a strong magnetic field when energized. The mag lock is mounted on the door frame, normally, and the door is fitted with a plate which matches up with it. Under locked conditions, the magnet is kept energized, holding the plate to it. When the door is unlocked, power is cut, and the door releases. Mag locks are easier to install than other types of locks, since everything is surface-mounted, but they have certain trade offs required for convenience and life safety, which we will touch upon later.
- Electrified hardware: The most unobtrusive method of electrically locking a door, electrified hardware puts the locking mechanism inside the door hardware itself. These may come in either mortise or cylinder lockset forms, or in exit panic hardware. Either form retracts the latch when power is applied, unlocking the door. These locks may also build request-to-exit and DPS into the hardware, requiring even fewer devices at the door.
Reader Selection Criteria
Readers allow users to request doors to be unlocked and come in a wide variety of options. In general, reader selection begins with picking from units compatible with the primary credential format in use.
As detailed in our Selecting Access Control Readers Tutorial, credential readers come in a variety of form factors, from miniature to oversized, depending on the application.
For reader selection appearance is often a big factor. Mini-mullion sized readers may be used to be aesthetically pleasing on an aluminum-framed door, for example, while a 12” square reader may be positioned at the parking garage entry for better read range. Generally speaking, the distance at which a card can be read increases with the size of the reader.
A very simple form of access control, in which the user enters his or her PIN number at a keypad device to open the door. Keypads suffers from the inherent security flaws of PINs described above. See our: Worst Readers Ever post for more details.
There are numerous card/fob technologies currently in use in the industry, both contact and contactless.
include magnetic stripe, PINs, certain biometrics, and barcodes. Despite being obsoleted long ago, magnetic stripe readers are still regularly used on college campuses and in other facilities, especially where cards are used for purposes other than simply access. However, a big drawback is contact readers are easily damaged by vandals, by inserting foreign objects, or even gum, into the slot. This is one of the reasons contactless proximity cards have become more common.
For contactless credentials , the reader emits a field which excites a coil on the card, which then transmits an embedded number to the reader.
For access control purposes, we typically see one of three or four biometric readers used: Fingerprint, iris, hand geometry, and retina, with fingerprint readers being by far the most common. No matter which reader you choose, there are several drawbacks to consider:
Access time is typically longer than when a card is used. In high-throughput areas, this may be a problem. You would not want to require an incoming shift of workers in a factory to filter through biometric readers for building access, for example.
Compared to card readers, biometric readers are expensive. While a card reader may be found online for $150-200, biometric readers routinely are priced over $800. This is offset somewhat by eliminating the expense of cards, but it must be taken into account.
If a door entry reader supports proximity cards, fingerprint scans, and keypad codes for 'multi-factor' support, two or more credentials would be required for entry, not just whichever credential option was convenient for the user to present at the time.
What else do I need at the door?
Activation of this sensor signals the access control that someone is exiting. Motion sensors are typically preferred for request-to-exit devices, for convenience although other forms of Request to Exit devices are used:
Logic programming is an important part of RTE use. For example, if the door opens (the DPS switch reports open state) without a RTE being sent first, the access control system interprets it as a forced door alarm. The devices above require power, of course, so power supplies are another consideration when designing an access control system. There are three methods by which door devices may be powered:
- A power supply centralized with the access control panel. This is the simplest method, requiring the least high voltage to be run and thus reducing cost. However, voltage drop may become an issue, so calculations must be performed to take this into account.
- A power supply local to the door. This is common in cases where electrified hardware is used. The power draw of an electrified device is normally much greater than a mag lock or electric strike, so local power is installed, to avoid voltage drop issues. The downside of this is that it adds another point of failure, as opposed to a single central power supply.
- Power over Ethernet. While adoption is still sporadic, Access Power over Ethernet is being utilized to power single-door or two-door controllers, which in turn supply power to many attached devices including RTE devices.
Door Position Switches
Because door position switched are used in a variety of systems, there are thousands of options available. Among those thousands, there are five or six basic types used in electronic access:
Many installers use the 'magnetic' bullet types in every situation and struggle with seemingly sporadic false alarms and system trouble ever after. Like other access components, choosing the right door position switch depends significantly on the door - which type of door it is, how often it is used, and even which direction it faces.
What Type of Access Control System Should I Use?
Three types of management exist for access control systems:
- Embedded: Also called web-based or serverless, the access control system is managed wholly through the access control panel, via web page interface or occasionally software. Typically functionality is limited in this method, due to the limitations of what can be done in a standard browser (without added plugins, Flash, ActiveX, etc.), which will work on all platforms: Windows, Mac, Linux. Enrollment and logging functions are easily available, but real-time monitoring is more of a challenge. Cost is reduced, since no server must be supplied.
- Server-based: The more common method, puts administration, management, and monitoring of the access control system on a central server. Client software installed on management or monitoring PC’s connects to this server to perform necessary functions.
- Hosted: Cloud-based access control systems are managed by a central server which manages multiple end users’ systems remotely. The primary hardware required on site is the access control panel with an internet connection. User interface is usually through a web portal, making hosted access a combination of web-based and server-based management. The hosting company must manage the system as a traditional server-based system would be managed, but to a user, all interface is via the web.
When selecting an access control system, consider what features you will need at the present time, and consider where the system will go in the future. Some questions to ask:
- Does it use standard card readers? While HID and NXP are well-known as access control industry juggernauts being OEM’d or supported by the vast majority of manufacturers, not every system utilizes compatible readers. Some manufacturers support only proprietary readers which would typically need to be replaced should the system be changed to a different vendor’s product in the future. Others utilize different cabling topologies, which usually require less cable to each door, typically a single cable, with all the devices at the door connecting to an intelligent reader or small controller. If future-proofing is a concern, as it typically is and should be, select systems which utilize standard wiring schemes.
3rd Party Controller Compatibility
Another consideration when discussing “openness” of a system is whether the selected manufacturer uses open platform control panel hardware or their own proprietary panels.
If the system runs on open hardware, most, if not all, of the head end panels may be reused when changing to a competitive system. Selecting a system that utilizes open hardware can save an organization thousands of dollars when changing to a different system in the future.
We cover 'openness' in our Axis vs HID vs Mercury Access Controllers note.
System Selection Criteria
In the case of a small organization with a handful of doors, open platform hardware may be a non-issue. If the required featureset is small, and the likelihood of moves and expansions is low, a proprietary web-based platform will suffice. However, for enterprise-level systems, non-proprietary hardware is highly recommended to avoid becoming trapped by a single vendor.
- Do you require integration to other systems? Integration of surveillance systems (or other systems) with an access control system has grown in popularity in the past few years. For our purposes, we are specifically discussing software-based integration. Integrations via inputs and outputs or RS-485, has been in use for many years and are very functional, but is not true software integration. Some features you may expect via software integrations:
- Integrating surveillance with access control allows access events to be presented to an operator with corresponding video. This reduces investigation and response time of the guard force. Integrated systems may also slew PTZ cameras in the direction of a forced door or access denied event.
- Integrating intrusion detection with access control allows for arming and disarming of the system via card swipe. Sometimes this is based on the first person in/last person out, using people counting features of the access control system.
- Integrations are rarely very “open”. Most commonly, the video management, intrusion detection, and access management systems must be from the same manufacturer. At best, an access control system will support a handful of video platforms. Intrusion integration has historically been strictly limited to the same manufacturer.
- While intrusion and surveillance integrations to access are the most common, other systems may be integrated to the access control system as well, depending upon the capabilities of the access platform. If the intent is to use the access system as a full security management platform, displaying and correlating all alarms, fire alarm, building automation, perimeter detection, or other systems may also be considered for integration. The capabilities of some access management system are beginning to approach those of true PSIM platforms, though typically without the procedure element common to PSIM.
- Many systems, especially web-based varieties, feature only integration to video, if any integration exists at all. This is especially common among the smaller access-control-only manufacturers. Integration to third-party systems is usually not a free feature of the software, either, and buyers should beware of licensing fees before making purchasing decisions. The only integration commonly free is with a manufacturer’s own video management or DVR systems.
- How will the system be used? If all the system must do is unlock doors when a card is presented, simply to replace keys, make sure that the enrollment features of the system are simple to use. Chances are that live monitoring will not be crucial in a system such as this. Access logs should be simple to review, as well.
- If the system will be used in a live-monitored scenario, it should offer all relevant information in a streamlined fashion, without clutter. Typically this will consist of an event list, in which all system events scroll through as they occur. Map views may also be useful, depending on the facility. This way an operator may see exactly where an alarm is occurring, speeding response. Cameras and other integrated system devices are also commonly shown on the map for ease of use.
Outside the typical door access scenario, there are some special use cases of access control:
There are two methods of restricting access to an elevator
- Call the elevator car upon a valid card read, instead of pushing a button. This method puts a single reader outside the elevator. A user presents his or her credential to call the car. Once in the elevator, the user has access to any floor he or she chooses. This is a simpler and less costly method of restricting access, since only a single card reader must be installed, but may not be applicable in all scenarios, if access to individual floors is desired.
- Allow selection of individual floors based on the credential presented. In this scenario, when the user enters the elevator, the floors he or she is restricted to are lit, and floors they’re not allowed access to remain unlit. They will only be allowed to take the elevator to floors they’re given access to. There are multiple drawbacks to this method, although it may be unavoidable if this sort of security is required. First, it requires a card reader be mounted in the car, which requires interfacing with the elevator’s traveller cable, or wireless transmission be used. Second, it requires an input and output for each floor to activate and deactivate each of the buttons, which may be labor intensive depending on how many floors there are in the building.
When utilizing access control in harsh environments, all of the devices in the system must typically be intrinsically safe, also called explosion proof.
What this means is that the device will not spark and potentially create an explosion. While there are card readers specifically produced for these environments, typically they consist of a standard card reader mounted in an explosion-proof instrument enclosure, readily available from electrical distributors, and easily fabricated in the field