What Is Access Control?
Access controls authenticate and authorize individuals to access the information they are permitted to see and use. Access control is a method of guaranteeing that users are who they say they are and that they have the appropriate access to data, services and even the premises.
At a high level, access control is a selective restriction of access. It consists of two main components: authentication and authorization, says Daniel Crowley, head of research for IBM’s X-Force Red, which focuses on data security.
Every good access control system uses a combination of physical access control and logical access control. But what are the differences between physical access control vs. logical access control?
Physical Access Control
Physical access control is the restriction of access to a physical space within the business or organization. This type of access control limits access to rooms, buildings, and physical IT assets. In addition, physical access control keeps track of who is coming and going in restricted areas. This can help keep your assets safe and secure.
Examples of physical access control include password-coded doors and fob-controlled gates. Access card readers can track who is entering the facility. These readers only give access to employees with the right credentials. Many systems incorporate alarms and lockdown features to prevent unauthorized access.
Logical Access Control
Logical access control involves authenticating and authorizing users. This is different than physical access control. Physical access control uses keys and badges. Logical access controls use advanced password programs and advanced biometric security features.
These features identify the employee. The system then determines whether the employee has appropriate authorization to access data.
There are many benefits to having logical access control. Yet, the main benefit is that an employer can immediately revoke or change an employee’s authorization. An employer can disable an employee’s badge access without gaining physical control of the badge.
Types of Access Control Systems
Access control systems can generally be classified in two categories.
Traditional Systems
These systems use a credential scanner near the door/access point and a control box, usually located above the door. The control box communicates with the credential scanner, the door locks, the computer that runs the system, and sometimes with cameras. Everything is wired together.
The benefits of traditional systems include:
- Dependability: These systems, often called legacy systems, have been in use for years. They work. They do the job. They rarely have trouble.
- Security: The debate is ongoing as to whether traditional systems are more secure than IP systems (the second type). The fact is, hard-wired, proprietary systems are less likely to be hacked, and are thus seen by some as being more secure.
Disadvantages include:
- Cost: Proprietary systems require proprietary hardware, and typically multiple control boxes. Because a control box must be within some proximity of the entrances it serves, most cannot control more than a few entrances. It may be necessary to purchase one control box for each entrance.
- Location Specific: Again, the location of the control boxes means that each is specifically programmed for that location. Moving a control box requires extra effort to make it work for a new location.
- Installation Requirements: Many of these systems require both electricity and system-specific wiring.
- Self-Contained: Because of the nature of how many of these systems work, it is difficult to integrate the systems with other systems and functionality.
IP Or Cloud-Based Systems
Modern workplace access systems are based on internet technology. They do not require a control box. Instead, verification is handled at the credential scanner, which is connected to a network containing all the necessary information. The credential scanner still needs electrical power and network access, which can be delivered through the same wires.
IP-based systems can be further divided into two additional categories: network-based and web-based.
A Network-Based System is either hard-wired or wirelessly connected to the organization’s network. The software that controls it is stored on the organization’s servers and computers.
A Web-Based System, by contrast, is controlled by software that is managed, maintained, and stored on the manufacturer’s servers and accessed via the Internet.
Advantages of IP systems include:
- Cost: Less equipment to purchase per entrance usually means a lower cost for most organizations. Eliminating control boxes makes a difference.
- Scalable: Less cost to install means it is much easier to scale up if the organization grows.
- Greater functionality: Because the system is network-based, it is easier to upgrade, add features, and integrate with other software than its traditional counterpart.
- Security: Again, it is difficult to say with certainty whether IP systems are more or less secure than a traditional system. Some argue that a breach at a single point in an IP system leaves the rest of the doors intact, while if a multi-door controller fails in a traditional system all the doors it controls would fail.
- Mobility: Web-based systems offer the capability to change settings, or to lock and unlock doors from anywhere with an internet connection. Even network-based systems offer that capability, so long as the person has access to the network either by being on premises or via VPN.
Disadvantages include:
- Network Dependent: Many users are concerned that if the network goes down, the security system goes down with it. Considering organizations today are utterly dependent upon their networks, preventing or quickly fixing outages is a top priority. Still, downtime does happen, but most control systems are designed to store information in case of an outage.
- Hackers: As with concerns about network downtime, an access control system is only as secure as the network itself. If a hacker can gain access to the network, they could likely also gain access to the door lock system. This may be especially concerning for web-based systems, since information is theoretically traveling through the internet at large. At the same time, web-based systems may have greater security than a company’s own network; makers of these systems know they need it and that their customers expect it.
How Access Control Works
- Access control readers give access to the building based on established credentials. Things like key card, key fob, or biometrics like fingerprints are all considered established credentials.
- Door readers are connected to a network. Every person who needs access has a code tied to their credential and the system recognizes that they are authorized to be in the building.
- Software tracks who enters and exits the building and can alert security supervisors, business owners, etc. when someone enters the building after hours or there is a break-in.
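The three steps above (credential read, authorization lookup, logging with after-hours alerting) as an added Python example that is not part of the original article. The credential codes, door names and business hours are constructed sample data, and `handle_read` and `revoke` are hypothetical names, not any vendor's API.

```python
from datetime import datetime, time

# Constructed sample data: credential code -> holder, active flag, permitted doors.
CREDENTIALS = {
    "fob-1001": {"holder": "alice", "active": True, "doors": {"lobby", "server-room"}},
    "card-2002": {"holder": "bob", "active": True, "doors": {"lobby"}},
}
BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed opening hours

def revoke(credential_id):
    """Disable a credential centrally; the physical badge need not be recovered."""
    CREDENTIALS[credential_id]["active"] = False

def handle_read(credential_id, door, when, log):
    """Decide one reader event, record it in the log, and return the log entry."""
    cred = CREDENTIALS.get(credential_id)
    if cred is None:
        granted, reason = False, "unknown credential"
    elif not cred["active"]:
        granted, reason = False, "credential revoked"
    elif door not in cred["doors"]:
        granted, reason = False, "door not permitted"
    else:
        granted, reason = True, "ok"
    holder = cred["holder"] if cred else None
    entry = {"time": when.isoformat(), "door": door, "credential": credential_id,
             "holder": holder, "granted": granted, "reason": reason, "alert": None}
    start, end = BUSINESS_HOURS
    # Alert only on successful entries outside business hours.
    if granted and not (start <= when.time() < end):
        entry["alert"] = f"after-hours entry by {holder} at {door}"
    log.append(entry)
    return entry

def demo():
    """Replay four constructed reader events, revoking one credential midway."""
    log = []
    handle_read("fob-1001", "server-room", datetime(2024, 3, 4, 10, 15), log)
    handle_read("card-2002", "server-room", datetime(2024, 3, 4, 10, 20), log)
    handle_read("fob-1001", "lobby", datetime(2024, 3, 4, 23, 5), log)
    revoke("card-2002")
    handle_read("card-2002", "lobby", datetime(2024, 3, 5, 9, 0), log)
    return log

if __name__ == "__main__":
    for e in demo():
        print(e["time"], e["door"], e["holder"], e["granted"], e["reason"], e["alert"])
```

Denied reads and revocations are decided from the central credential table, which is why disabling a badge does not depend on getting the badge back.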
Access control systems come in three variations:
Discretionary Access Control (DAC), Mandatory Access Control (MAC), and Role-Based Access Control (RBAC).
- Discretionary Access Control (DAC)
Discretionary Access Control is a type of access control system that allows the business owner to decide which people are allowed into a specific location, physically or digitally. With DAC, an individual is given total control in deciding all security engagement.
The drawback to Discretionary Access Control is that it gives the end user complete control to set security level settings for other users. The permissions given to the end user are also inherited by the other programs they use, which could potentially lead to malware being executed.
- Mandatory Access Control (MAC)
Mandatory Access Control is more commonly used in organizations that require an elevated emphasis on the confidentiality and classification of data (e.g., military institutions). MAC does not permit owners to have a say in which entities have access to a unit or facility; instead, only the owner and custodian have the management of the access controls. MAC will typically classify all end users and provide them with labels that permit them to gain access through security in line with established security guidelines.
- Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC) is the most in-demand type of access control system. RBAC has become highly sought-after in the business world and in households.
In RBAC systems, access is assigned by the system administrator and is based strictly on the subject’s role within the household or organization; most privileges are limited by the subject’s job responsibilities. So, rather than access being assigned to an individual who works as a security manager, the security manager position itself already has access control permissions assigned to it.
RBAC makes life much easier because rather than assigning multiple individuals’ particular access, the system administrator only has to assign access to specific job titles.
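How the three models described above reach a decision, as an added Python sketch that is not from the original article. The users, roles, labels and resources are constructed, and the class and function names are hypothetical.

```python
LEVELS = {"public": 0, "confidential": 1, "secret": 2}  # constructed label hierarchy

class DacResource:
    """DAC: the resource owner decides who else gets access."""
    def __init__(self, owner):
        self.owner, self.acl = owner, {owner}
    def grant(self, actor, user):
        if actor != self.owner:
            raise PermissionError(f"{actor} does not own this resource")
        self.acl.add(user)
    def allows(self, user):
        return user in self.acl

def mac_allows(user_label, resource_label):
    """MAC: centrally assigned labels decide; users cannot change them."""
    return LEVELS[user_label] >= LEVELS[resource_label]

class Rbac:
    """RBAC: permissions attach to roles (job titles); people are assigned roles."""
    def __init__(self, role_permissions):
        self.role_permissions = role_permissions
        self.user_roles = {}
    def assign(self, user, role):
        if role not in self.role_permissions:
            raise KeyError(f"unknown role: {role}")
        self.user_roles[user] = {role}  # one role per person in this sketch
    def allows(self, user, permission):
        return any(permission in self.role_permissions[r]
                   for r in self.user_roles.get(user, ()))

def demo():
    out = {}
    plans = DacResource(owner="carol")
    plans.grant("carol", "dana")              # owner's discretion
    out["dac_dana"] = plans.allows("dana")
    try:
        plans.grant("dana", "eli")            # non-owner cannot extend access
    except PermissionError:
        out["dac_regrant_blocked"] = True
    out["mac_confidential_reads_secret"] = mac_allows("confidential", "secret")
    out["mac_secret_reads_confidential"] = mac_allows("secret", "confidential")
    rbac = Rbac({"security-manager": {"server-room", "lobby"},
                 "receptionist": {"lobby"}})
    rbac.assign("dana", "security-manager")
    out["rbac_before"] = rbac.allows("dana", "server-room")
    rbac.assign("dana", "receptionist")       # job change: one assignment updates access
    out["rbac_after"] = rbac.allows("dana", "server-room")
    return out
```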
When it comes to protecting your home or business, as well as the building’s occupants, access control is one of the best ways for you to achieve peace of mind. But access control is much more than just allowing people to access your building. It also helps you effectively protect your data from various types of intruders, and it is up to your organization’s access control policy to address which method works best for your needs. Places of business with small or basic applications will probably find Discretionary Access Control to be less complicated and better utilized. If, however, you have highly confidential or sensitive information on your business platform, Mandatory Access Control and Role-Based Access Control are two options you may want to consider.
What to Look for In an Access Control System
Here are some things to look for as you consider what you will need for years to come.
- Ease of Use: How difficult is it to manage the user interface? Will users need vast amounts of training, or is it straightforward? How involved is the setup process?
- Integrations: Will it integrate with your organization’s directory or HR system? With video surveillance systems and equipment? With your visitor management system?
- Hardware compatibility: Does the system work on third-party hardware (e.g., cameras, door locks, controllers, etc.) or does it require proprietary hardware?
- Mobile: Is there a mobile app, allowing authorized users to make changes from anywhere?
- Types of Authentication: There are multiple types of authentication, including a PIN entered into a keypad; a card or fob that is swiped or scanned; a mobile app; or biometrics, e.g., fingerprint, eye scan, voice recognition, etc. The most secure systems require two types of credentials. You will want to determine which kind of authentication works best for your organization, and how secure you need to be. Does the system you are considering support multiple types of authentication?
- Reporting Capabilities: What kind of reports can you generate from the system? Can you generate a report on a single person and their entries/exits? Or on a single point of entry? On the system at large? Are the reports easy to create?
- Scalability: Is it easy to add more hardware if your organization grows?
- Updates: As time goes by, how will software updates be communicated/installed? Is it an automatic process, or will it require staff to complete?