The Access Control Systems and Methodology domain details the critical requirements to establish adequate and effective access control restrictions for an organisation.
Access control protects systems, data, physical infrastructure, and personnel to maintain integrity, availability, and confidentiality.
Failure to design, develop, maintain, and enforce access control will leave an organisation vulnerable to security breaches. This applies to all types of violations, whether they are locally or remotely initiated. It is imperative that you, as a security professional, understand the classes.
The purpose of access control is to grant entrance to a building or office only to those who are authorised to be there. The deadbolt lock, along with its matching brass key, was the gold standard of access control for many years; however, modern businesses want more.
Yes, they want to control who passes through their doors, but they also want a way to monitor and manage access. Keys have now passed the baton to computer-based electronic access control systems that provide quick, convenient access to authorised persons while denying access to unauthorised ones.
Today, instead of keys, we carry access cards or ID badges to gain entry to secured areas. Access control systems can also restrict access to workstations, file rooms housing sensitive data, printers, and entry doors.
In larger buildings, exterior door access is usually managed by a landlord or management agency, while interior office door access is controlled by the tenant company.
People new to access control may think the system is made up only of the card and the card reader mounted on the wall next to the door.
But there are a few more parts behind the scenes, all working together to make the magic that grants access to the right person. That’s what this guide is about.
Reading it will give you a complete and comprehensive understanding of how access control systems work and the language required to communicate with vendors.
Access Control Components
Access control systems aim to control who has access to a building, facility, or a “for authorised persons only” area. This is typically carried out by assigning employees, executives, freelancers, and vendors to different types of groups or access levels.
Everyone may be able to use their access cards to enter the main door, but not to enter areas containing secure or privileged information.
For clarity, we divide the components into three groups: user-facing elements, admin-facing parts, and infrastructure components. Let’s dive into the nuances of the three categories.
The most familiar parts of access control systems are the cards, ID badges, and, more recently, the smartphone apps that elicit an OK beep when presented at a card reader and unlock the door.
These are also known as credentials since they bear the user's data that tells the reader to permit you to be on the premises, or in other words, that you are an authorised entrant.
Access cards are typically proximity cards that, rather than being swiped or inserted like credit cards, are held two to six inches in front of the card reader.
The same procedure is followed for phone apps. The benefit of using credentials is that they are personalised, so any unlock event can be traced back to the person associated with it.
The admin-facing side is the management dashboard, or portal, where the office administrator, head of security, or IT manager sets the parameters of persons allowed to access the premises and under which circumstances they can do so.
This involves a management dashboard, often in the cloud, and a way to provision access—such as a card programming device.
In more advanced systems, the manual operations aspect can be automated. For example, provisioning (creating and deleting access) can be done automatically by connecting the access dashboard to the company directory of employees.
When a new hire shows up in the system, access is automatically provisioned via an API or an integrated database service like Google Apps, Microsoft Azure, SAML, or Okta.
The infrastructure components are the ones that rely on your building infrastructure to function. The most prominent parts are the locks, but there are other components as well, such as the controller, server, and cables.
Choose effective passwords and avoid password limitations
- Passwords can be insecure
- Passwords are easily broken
- Multi-Factor authentication
- Two-Factor Authentication
- Three-Factor Authentication
The Methodology of Choosing an Access Control System Based on Features and Functionality
The increased functionality of modern systems has expedited the use of access control in business and residential applications.
While every access control process will include the ability to grant or restrict entry to a secure area, innovative technologies can also record access attempts, identify users, and customise authorisation standards.
Entry controls often utilise a combination of hardware, software, physical barriers, guards, and administrative policies to maintain the desired level of security.
To choose the most appropriate system for your application, you must understand the functions you need to accomplish and evaluate the available implementation strategies.
Access Control Locks
Electronic locks electrically lock and unlock the door on which they are installed. They usually have a wire that powers them. Some locks will lock when they are supplied with power, while others unlock when supplied with power.
The first ones are known as fail-safe locks, and the second ones are known as fail-secure.
The choice of which to use depends on the area being secured. Entry doors call for fail-safe locks since they need to comply with building codes and fire regulations that call for people to exit at any time, even in the event of a power outage.
IT rooms should be wired fail-secure because they need to remain locked at all times, even in the case of emergencies. Fail-secure doors also need to be equipped with electrified push bars to allow people to exit quickly in case of a fire.
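The wiring rules above can be checked against a door inventory. The following is an added example, not part of the original guide; the `Door` fields, area categories and sample doors are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Door:
    name: str
    area: str               # "entry" or "it_room" (hypothetical categories)
    fail_mode: str          # "fail-safe" or "fail-secure"
    push_bar: bool = False  # electrified push bar fitted for egress

def is_locked(fail_mode: str, powered: bool) -> bool:
    """Fail-safe locks hold only while powered; fail-secure locks hold without power."""
    if fail_mode == "fail-safe":
        return powered
    if fail_mode == "fail-secure":
        return not powered
    raise ValueError(f"unknown fail mode: {fail_mode}")

def audit(doors):
    """Return (door, finding) pairs for doors wired against the rules in the text."""
    findings = []
    for d in doors:
        locked_in_outage = is_locked(d.fail_mode, powered=False)
        if d.area == "entry" and locked_in_outage:
            findings.append((d.name, "entry door stays locked in a power outage; wire fail-safe"))
        if d.area == "it_room" and not locked_in_outage:
            findings.append((d.name, "IT room unlocks in a power outage; wire fail-secure"))
        if d.fail_mode == "fail-secure" and not d.push_bar:
            findings.append((d.name, "fail-secure door has no electrified push bar for egress"))
    return findings

# Constructed sample inventory.
DOORS = [
    Door("lobby", "entry", "fail-safe"),
    Door("server-room", "it_room", "fail-safe"),
    Door("comms-closet", "it_room", "fail-secure", push_bar=False),
    Door("side-entrance", "entry", "fail-secure", push_bar=True),
]

if __name__ == "__main__":
    for name, finding in audit(DOORS):
        print(f"{name}: {finding}")
```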
Access Control Panel (or Controller)
Also known as the access control field panel or intelligent controller, the access control panel is not visible to most people in a facility because it's installed in the IT room or the electrical, telephone, or communications closet. The reason for this precaution is that all the locks are wired to it.
When a valid credential is presented at the door reader, the panel receives its request to unlock a specific relay, which is connected to the particular door wire.
Access Control Server
Every access control system needs a server where the permissions are stored in an access database. It acts as the centre, or “brain,” of the access control system.
It is the server that decides whether the door should unlock or not by matching the credential presented to the credentials authorised for that door.
The server can be a dedicated local Windows or Linux computer, a cloud server, or even a decentralised server (when the permissions are stored in the door reader). The server also tracks and records activity and events regarding access, and it allows administrators to pull reports of past data events for a given period.
If a locally-hosted access control server is used, there is typically a dedicated machine that runs the access software on it. Managing it requires the administrator to be on-site.
Since having to contend with several local servers can become complicated for multi-facility management, cloud-based servers are gaining much traction in this area.
Cables are a critical part of access control and can prove to be very expensive if installed improperly, so they should never be overlooked in planning an access control system.
When building out space, all the cables must be specified so that the general contractor knows what to do. If the cables are not planned for at this point, they will need to be added in later: This means someone will have to drill into, or lay cables on, all the newly-painted walls.
The Importance of Access Control
Beyond the apparent reason for needing an additional layer of security in a facility, there are multiple other reasons why access control—in particular, cloud-based access control—should be an essential part of any business.
Let’s start with the most apparent advantage of access control, which is security. Installing an access control system prevents undesired people from entering your building, but not only that! It also ensures that other interactions are perfectly regulated, such as visitors coming to your office or couriers delivering packages for your business.
Having an access control system also means that you have control over all areas of your facility. You ensure that unauthorised people can’t access archives and server rooms (more to follow in the next paragraph about compliance).
Compliance has been a big driver for companies to switch to access control in recent years. Many security managers, when facing breaches, can encounter trouble if they have not been complying with a series of certifications.
Having a certified access control system increases your credibility, makes you safer and better protected against malware and hackers, and ultimately increases revenue. Some examples of cases where compliance flows into the need for an access control system include:
- Hospitals, doctors’ offices, and health insurance companies need to comply with HIPAA health data regulations.
- Banks, insurance companies, and any business that accepts and processes credit cards are subject to PCI credit card data regulations.
- SaaS providers, data centres, or any company hoping to maintain SOC2 cybersecurity standards.
Operations & Visitor Management
Some access control systems integrate with your directories, allowing for automated user provisioning and de-provisioning. This means that on and offboarding processes are automatically taken care of from an access management standpoint. This reduces maintenance and manual tasks for your admins and also decreases the chances of human error.
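The directory-driven provisioning and de-provisioning described above amounts to reconciling the directory against the access database. The sketch below is an added example, not code from any vendor; the record fields, the group-to-access-level mapping and the sample users are hypothetical and constructed for illustration.

```python
# Hypothetical mapping from directory groups to access levels (doors).
GROUP_ACCESS = {"staff": "main-door", "it": "server-room", "finance": "archive"}

# Constructed directory export.
DIRECTORY = [
    {"user": "alice", "active": True, "groups": ["staff", "it"]},
    {"user": "bob", "active": False, "groups": ["staff"]},            # offboarded
    {"user": "dana", "active": True, "groups": ["staff", "finance"]}, # new hire
]

# Constructed current state of the access database: user -> granted access levels.
ACCESS_DB = {
    "alice": {"main-door"},            # missing server-room
    "bob": {"main-door"},              # left the company, badge still live
    "erin": {"main-door", "archive"},  # not in the directory at all
}

def reconcile(directory, access_db, group_access=GROUP_ACCESS):
    """Return the grant/revoke actions that bring access_db in line with the directory."""
    desired = {}
    for entry in directory:
        if entry["active"]:  # inactive users are entitled to nothing
            desired[entry["user"]] = {
                group_access[g] for g in entry["groups"] if g in group_access
            }
    actions = []
    for user in sorted(set(desired) | set(access_db)):
        want = desired.get(user, set())
        have = access_db.get(user, set())
        for level in sorted(have - want):
            actions.append(("revoke", user, level))
        for level in sorted(want - have):
            actions.append(("grant", user, level))
    return actions

if __name__ == "__main__":
    for action in reconcile(DIRECTORY, ACCESS_DB):
        print(action)
```

The revoke actions for users who are inactive or absent from the directory are the ones worth reviewing first, since they represent credentials that still open doors after offboarding.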
As we mentioned earlier, access control also streamlines your visitor management procedures by ensuring that no visitor has access to your facility without being previously authorised by an admin.
IP and Data Protection
Businesses that deal with confidential data and intellectual property, such as software developers, law firms, entrepreneurs, and pharmaceutical companies, need to not only control who comes into their facilities but also which areas these individuals are allowed to access and when.
Modern access systems not only enable granular permissions based on group memberships but also provide insights and analytics, which are often required for both business and compliance reasons.
Driving revenue is not associated with access control and, in general, with security systems. However, evidence has shown us that our solution is an efficient revenue driver in multiple use cases. Having an access control system, for example, can help you to transform your business into a 24/7/365 facility.
The efficient security level, mixed with privileged access for people belonging to your directory, ensures that you can leave your facility open even when there is no staff checking the entrance. This leads to more open hours and more revenue without additional costs.
Another situation in which access is a revenue driver is the case of shared workspaces. Having multiple meeting rooms in your coworking facility can be a burden in some cases.
It’s all space that owners are not monetising, and it takes away space for more desks and more customers. Installing a reader at the entrance of every meeting room and adding a paywall can make you get the most out of your square footage.
This means that members now have to pay a fee to use phone booths and meeting rooms, which ultimately leads to more revenue without additional staffing or marketing efforts. We’ve written an article about this use case.
User Experience and Authentication
Modern systems allow for a higher degree of security not by adding additional barriers to how users access a facility but by leveraging technology to offer a smooth access experience combined with higher control on the admin side.
2FA is an example of an advanced feature that ensures all users not only need access to the correct credential (an authorised smartphone device) but also to authenticate themselves (by unlocking the phone before being able to open the door).
Types of Access Control
We have mentioned, at the beginning of the article, the fact that modern businesses want more and more from their access control system (and for a good reason).
Not all access control systems are cloud-based, and, in this section, we will go through two main types of technology for access control systems (cloud-based vs. legacy) and briefly touch upon three models used by every access control provider: role-based access control, discretionary access control, and mandatory access control.
Legacy Access Control Vs. Cloud-Based Access Control
The access control market had been relatively stable for many years, with companies offering standardised products that relied on the same technology.
This was before the cloud disrupted the industry, creating a duality of offerings: legacy on-premises solutions (which do not work with a cloud infrastructure) and cloud-based access control systems.
The clear difference between the two is the usage of the cloud infrastructure. The latter has a significant impact on upfront costs, maintenance, and features of the two systems.
Legacy access control systems require a server for functioning, which implies having to hire a person for the server room maintenance, higher facility costs, and in general, slower innovation.
A cloud-based access control system, on the other hand, does not require space when installed and functions immediately after installation. The main pros are that cloud-based systems allow for mobile usage and are constantly updated by the service provider.
We’ve summarised the main differences between legacy and cloud-based access control systems in the table below.
Legacy Access Control Systems
- Requires own server/server room
- Higher maintenance costs and the need to hire a professional to carry out the maintenance
- Fewer integrations
- Lower recurring costs but higher upfront costs
Cloud-based Access Control Systems
- Lower upfront costs
- Updates regularly by itself (it’s never obsolete)
- No need for hiring staff + dedicated customer service
- Integrates with multiple software/identity providers/directories
- Mobile app and credentials
Access Control Models
Role-Based Access Control (RBAC)
When this paradigm is used, permissions are granted according to roles, and roles are assigned to users. This model is user-friendly because administrators can centrally manage and administer functions.
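The role-based model above, combined with the access control server's job of matching a presented credential against what is authorised for a door and recording the event, can be sketched as follows. This is an added example, not code from the original guide or any product; the roles, doors, credential IDs and time windows are hypothetical and constructed for illustration.

```python
from datetime import datetime, time

ALL_DAY = (time(0, 0), time(23, 59, 59))
# Constructed sample data: role -> door -> permitted time window.
ROLE_DOORS = {
    "employee": {"main-door": ALL_DAY},
    "it-admin": {"main-door": ALL_DAY, "server-room": (time(8, 0), time(18, 0))},
    "vendor": {"main-door": (time(9, 0), time(17, 0))},
}
USER_ROLES = {"alice": {"employee", "it-admin"}, "bob": {"employee"}, "carol": {"vendor"}}
CREDENTIALS = {"card-1001": "alice", "card-1002": "bob", "phone-2001": "carol"}

class AccessServer:
    def __init__(self):
        # Audit log entries: (timestamp, credential, user, door, granted, reason)
        self.events = []

    def request_unlock(self, credential, door, when):
        """Default-deny decision: credential -> user -> roles -> door and time window."""
        user = CREDENTIALS.get(credential)
        granted, reason = False, "unknown credential"
        if user is not None:
            reason = "no role grants this door"
            for role in sorted(USER_ROLES.get(user, ())):
                window = ROLE_DOORS.get(role, {}).get(door)
                if window is None:
                    continue
                if window[0] <= when.time() <= window[1]:
                    granted, reason = True, f"role {role}"
                    break
                reason = "outside permitted hours"
        # Every attempt is recorded, whether granted or denied.
        self.events.append((when, credential, user, door, granted, reason))
        return granted

    def report(self, start, end, denied_only=False):
        """Return logged events in [start, end], optionally only the denials."""
        return [e for e in self.events
                if start <= e[0] <= end and not (denied_only and e[4])]

if __name__ == "__main__":
    server = AccessServer()
    server.request_unlock("card-1001", "server-room", datetime(2024, 1, 15, 10, 0))
    server.request_unlock("card-1002", "server-room", datetime(2024, 1, 15, 10, 5))
    day = (datetime(2024, 1, 15), datetime(2024, 1, 15, 23, 59, 59))
    for event in server.report(*day, denied_only=True):
        print(event)
```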
Discretionary Access Control (DAC)
The user has direct control over all the programs and files in the system, which is a complicated way of saying one method of access always opens all the doors.
Mandatory Access Control (MAC)
This is the opposite of DAC. When MAC is the paradigm, a policy, hardware, or software component is used to restrict access. This can be a password or keypad.
What to Look for When Choosing an Access Control System
There are several factors to take into consideration when comparing different providers. Below is an overview of some of the main questions you may want to look at, divided into three categories: compatibility, features, and maintenance.
Compatibility is essential when choosing an access control system. Making sure that the system you want to purchase is compatible with your facility can save you time and money during the installation process. A highly compatible system also makes it easier to maintain the facility and ensure a high level of security. Some compatibility-related questions may be:
- Is it compatible with third-party hardware and free from lock-in?
- Does it integrate with surveillance and other security systems?
- How easy is it to use and configure?
- Does it offer an open API?
Features and Maintenance
Features are the deal-breaker when choosing any security system for your office. What can be more difficult, however, is understanding which features need to be prioritised to find a solution that not only covers your basic needs but also saves you time in the long run.
We recommend choosing a system based on cloud technology that gives you multiple unlocking options (not limited to only keycards or fobs).
This saves you time, as you don’t have to issue a new keycard every time there is a new visitor or employee. It also reduces the number of security issues caused by employees forgetting or misusing keycards and fobs.
Lastly, we would recommend choosing a company with solid customer service to quickly clear any doubts that might emerge during installation or everyday use of the system.
Some other feature-related questions you should consider:
- Is the hardware IP-based?
- Is offline mode supported?
- Is two-factor authentication (2FA) supported?
- Is lockdown supported? If so, is it at door or place level, or both?
- What communication channels does it run on (e.g., Bluetooth, NFC, RFID, PoE, and others)?
- Does it support multiple types of authentication input such as mobile apps, remote unlocks, cards, key fobs, and more?
- Do all access methods offer end-to-end data encryption?
- Is customer support included?
- What access restrictions are available (e.g., time-based access, role-based access, level-based access, count-based access, and others)?