Physical access control can take many forms, but the basic idea is to create barriers to prevent unauthorised people from entering a physical space. In other words, physical access control ensures that only those who are allowed to enter an area can enter it.
Barriers to physical access can be either physical barriers – a locked door, a turnstile, a fence – or barriers of authority. A barrier of management is a person or a sign explaining any restrictions. Think of a restaurant with a sign on a door stating, “Only employees beyond this point,” or a hospital receptionist admitting visitors during or outside visiting hours.
When we talk about physical access control, we primarily refer to the system of physical barriers, which work in combination with authority barriers and authorisation plans to allow appropriate people in and keep everyone else out.
Physical access control is at the heart of any good security plan, ranking there with digital security. While digital security protects information – which can be used to damage a company or individual’s reputation, finances or performance – physical security protects people and equipment more viscerally. The evening news is full of the unfortunate consequences of a violent person walking into a workplace with a weapon. Less dramatically, physical barriers can prevent unknowing people from wandering into server rooms or other spaces with hazardous materials and equipment.
Theoretically, anything and everything from the abuse of workers (through natural disasters and industrial espionage) to terrorist attacks. Is our company prepared for this? Imagine the scenario, 2 am, nobody is around to hear the sound of breaking glass and quick steps.
The next day, the first employee appears at work and calls the police after spotting the mess. According to police, it was a random act of vandalism. Two weeks later, the president convenes a meeting; it turns out that the local newspaper is running a story about your product and has just revealed that the project has gone millions of dollars over budget. It turned out that a random act of vandalism was an act of industrial espionage. The intruder had attacked a bootable distribution of the Linux operating system and copied the files that belong to the victim company.
Of course, this situation could have been prevented if there were appropriate procedures in place. In practice, anyone who has physical access to a computer can take over your system in seconds. Therefore we will discuss some physical security procedures to try and minimise the risk of attack by introducing appropriate access controls. Each access control has three aspects: physical, administrative, and technological development.
Physical Security Schema
Physical security mainly focuses on the physical protection of information, buildings, personnel, installations, and other material resources. Additionally, physical security covers issues related to processes before criminal activities, espionage, and terrorism. What factors can develop into the biggest direct threats?
- Staff – dismissal, strikes, illness.
- Sabotage and vandalism.
- Hardware failures.
- Natural disasters – tornadoes, earthquakes, floods, and tsunamis.
- Unnatural disaster – terrorism, arson, bombings.
- Loss of access to electricity, air, and water.
Once we know what threatens us personally, we can begin to consider the best methods of protection. For example, in the case of a power outage, you should have a backup generator to maintain the critical elements of the system and lighting for employees, as well as a backup phone system. If there is a hardware failure, having certain spare parts on hand can be incredibly useful, as can having a well-designed service contract. In addition, it is a good idea to familiarise yourself with the industrial safety laws of the country in which you’re operating.
Physical access controls are mechanisms that are designed to minimise the risk of injury. A simple example is a good fit on the door lock, which will discourage many potential thieves. The installation of biometric sensors, such as iris scanning or fingerprint recognition, can make even the most determined intruder falter while trying to access a guarded place. Sometimes all that is needed to resolve the issue is a mechanism to provide enough time to contact the appropriate authorities. But the door is not the only object that should be closed.
We should consider closing off access to laptops, desktops, and servers. Like many employees, I do not know when an intruder enters the building and then runs away unrecognised with a computer under his arm. Such situations happen very often. More and more companies are taking the precaution of removing all drives from individual computers to prevent the use of USB, COM, LPT theft, and instituting additional BIOS password protection to prevent employees from installing personal software, gaining unauthorised access, and ultimately, participating in the robbery. One possible scenario to tighten security is to use the terminal server and a bootable Linux distribution. Also excluded are DHCP, preventing problems with spyware, malware, or viruses usually.
Another security challenge is to protect sensitive data from systems interceptors using electromagnetic waves that allow hackers to decode data and recreate it in a safe place. You can save yourself by using unique construction materials and absorbing materials for shielded computer enclosures. Another critical element is to protect the building itself. The ideal solution is to create a front desk staffed by individuals who have had appropriate training in security and protection. After the September 11 attacks, I think everyone is concerned about the right level of training for their staff security guards. I will not elaborate further on building construction, but it is essential to mount biometric sensors, motion detectors, and alarms when walls are breached. In addition, it seems like an excellent option to install high-powered moving lighting systems that will respond to any attempt to breach the walls. If a thief tries to break through a fence or wall, a sharp beam of light will target the intruder’s eyes and create a perfect silhouette of the person.
Unfortunately, in every company, there are people whom we trust that might one day endanger other employees. Employees’ safety should always be a priority. At the same time, we must remember that the human factor can break down almost anything, even the most intelligently designed security system. In addition, research shows that the most common types of attacks are internal attacks caused by disgruntled or even angry employees. That is why we also need to make an effort to properly train staff to be able to react in an emergency—not only in the case of natural disasters but also when technology is attacked through a mechanism that was socially engineered. Training of this type should never be a one-time event but should be repeated at regular intervals, i.e. every quarter.
Apart from purely theoretical knowledge, training should also include practical knowledge. Role-playing scenarios that illustrate a specific situation can be a good idea. Personnel inspections should be treated as a preventive measure in every company. Before hiring a person, it is a good idea to check references and other important information—such as whether a person has police records or is wanted by the government for any reason. Indeed this will allow you to determine whether a worker can become a potential threat in the future.
In addition, from time to time, individual interviews with staff may occur, and during these talks, we can be informed of planned changes or job rotations. Most certainly, regular discussions will prevent unethical actions from both sides and any accidental damage.
If an employee leaves the company, they should be escorted out of the company shortly after returning any company equipment. This will prevent the sabotage attempt made by a former employee.
Above all else, it is critical to have alternate power sources and access to television security systems. If unauthorised individuals try to access the company, television systems will undoubtedly allow individual intruders to be recognised and to have their actions recorded. Some systems also have built-in motion sensors and heat detectors. Once activated, an alarm signal is sent from these detectors. Installing a sound CCTV system also provides many other benefits. I met with companies in the insurance industry and learned that premiums could be reduced if a similar system monitoring was installed.
Another factor to consider is equipment failure. This is an inevitable scenario. Therefore, do not ask if a component will go down; ask when it will go down.
Many component manufacturers only consider an estimated time of repair and an estimated time between failures. However, another crucial element is the system backup. It is a necessity—any backup data should be stored in at least two different places to offer protection in the event of a disaster or failure.
Most companies currently use data vaulting, which consists of data compression, encryption, and storage of a remote, secure location. This technique is required in all safety planning, as well as in many forms of insurance. Companies also use RAID technology, which increases fault tolerance and limits downtime.
Now for the power. In addition to the electrical wires hidden from prying human eyes, we should also ensure access to a stabilised energy source. In this way, we prevent the risks associated with excess energy (breakdown, voltage spikes) or deficiencies (low voltage or current, no power). This can be done using UPS devices. Unregulated energy sources can also cause damage to electronic components, data loss, and faulty network connections.
Of course, we do not focus only on the energy supplied from the power plant. In addition to the standard cable from the power plant, you can also install windmills, solar panels, backup generators to collect excess energy, and additional power generators such as diesel generators. Nor should we forget that the computer network also operates based on power law: 0 means there is no pulse, and the vibration is generated. Thus, a combination of interconnected computers results in an electric circuit.
The number 0 represents the voltage to 0 volts and a voltage of 3 to 5 volts, so the information in the format 111 001 means the following tension – 3,3,3,0,0,3. Under ideal conditions, the signal flow should proceed without interruption. Hence the importance of proper grounding, which allows the dissipation of excess energy. Without good grounding, voltage spikes will occur, resulting in frequent failures. Thus, adequately installed ground wire provides sufficiently low resistance and a sufficient capacity to protect the system before the emergence of a dangerously high voltage level. Sometimes even a single outlet with a damaged cord or bulb screwed in badly can cause the grounding wires not to work.
Sometimes it is the entire buildings that need multiple grounds, which often is a massive problem because the potential of the various electrical circuits will never be equal. There is another crucial issue: If you have a separate computer system with a grounded network, you will witness the rise of an electric circuit. And remember that the current always runs from the negative charge of the positively charged system. This situation could, of course, effectively disrupt the digital signal and cause network failure, damage to the transmitted data, and even damage computer components.
What to Look for in Physical Access Control Systems
With recent advancements in security technology, physical access control systems are now available with many enhanced features and options. One choice you will need to make when planning and budgeting for a physical access control system is the type of credentials you want to use. If you are opting for a more budget-conscious credential selection, keycards seem like the right choice upfront. However, keycards may end up costing you more over time simply because they are frequently lost and need replacing.
Not to mention that a lost keycard can pose a security threat if it ends up in the wrong hands. If keycards or fobs are still the right choices for your business, make sure you purchase encrypted keycards or use two-factor authentication for an added layer of protection. For the best in security and value, a mobile credential gives your users the convenience of using their mobile phone to enter and exit the building, with multi-factor biometric authentication built right in. You won’t have to replace keycards, and smartphones are less likely to be lost, left at home, or passed around the office.
Another factor to consider when planning your physical access control procedures is maintenance and system management. Many legacy access control systems use cumbersome readers and on-site servers, which require in-person management and maintenance. Delays in system updates can put your system at higher risk of a breach, and older readers are prone to tampering. Plus, if credentials need to be reassigned or newly created, an administrator will likely need to be on-site to handle the request. If you anticipate needing access to your system remotely or want the latest security updates in real-time, you should consider approaches that use more modern software. When selecting a PACS for your building, there are added benefits to using a physical access control system that runs on a cloud-based platform.
How Physical Access Control System Works
- Industry-leading 99.9% reliability with patented Triple Unlock technology
- Unlock via touchless Wave to Unlock, mobile app, tablet app, NFC and RFID key cards and fobs, and Apple watch
- Instant mobile credentials and digital Guest Pass feature
- Open API supports unlimited integrations with all your software and business tools
- Fully remote, cloud-based management for all entries and sites on a single dashboard
- Effortless installation with standard wiring and tamper-resistant hardware for any door density
- Future-proof hardware and software with automatic updates and encryption at every level
What Is Physical Access Control That Runs on the Cloud?
With this type of PACS, your access control hardware (readers, hubs and control boards) communicates with software via the cloud for a more flexible, scalable security solution. Here are some benefits of using a cloud-based PACS:
- Ability to remotely control the hardware from anywhere, including triggering, unlocks and lockdowns.
- Instant credentialing for new users, as well as the ability to revoke access immediately
- Ability to receive real-time notifications for access events and potential threats
- Maintenance and troubleshooting can be done remotely in the cloud without needing to be on-premises.
- System updates are automatically downloaded from the cloud, meaning you always have the most up-to-date security measures in place.
- Real-time audit trails for all access activity, stored in the cloud so it can be accessed from any authorised device
- Ability to integrate your physical access control system with other building security software, such as video surveillance, visitor management, communication tools, and space management solutions
Planning Your Physical Access Control System
Before you start implementing a new physical access control policy in your building, there are a few questions to ask to determine if your current system meets your needs and what might be missing.
- What are your primary security concerns?
- How many buildings do you need to secure?
- Do you have ancillary structures like parking garages that need physical access control?
- How many entrances and exits will need physical access control?
- How many users will require daily or temporary access?
- Do you have different levels of access to accommodate in your organisation?
- What types of credentials do you need?
- Does your physical access control system need to meet any compliance requirements?
Once you have a new system installed, make sure your administrators, IT providers, and any staff that will use the system are well-versed in the new physical access control procedures.
Your physical access control system policies will likely change with a new system, requiring users to either download a new mobile app to activate mobile credentials or hand in their old badges and receive new encrypted credentials.
Likewise, additional training may be needed for administrators who will need to add and revoke access for users, as well as at the user level to demonstrate how to use new credentials. Proper training for physical access control procedures will prevent misuse of the new system once it’s installed. Also, communicating the updated physical access control policies before installation will help facilitate a smoother transition for everyone.