Access control seems to be a simple concept: let the good guys in and keep the bad guys out. It’s a way to easily and securely grant access on a schedule, revoke that access and maintain a record of who was granted access and when. However, selecting an access control system can be confusing. Many people are selling the same solutions with different labels, and some of those items can be 30-year-old technology that hasn’t caught up with the sophisticated methods used by hackers and other individuals with ill intentions.
There are a variety of options for access control systems, but the right choice will depend on your facility itself and its unique risk profile. Before you make any major decision, be sure to take the following considerations and unique threats into account.
Access Control Options:
Individuals looking to compromise access control systems have always used social engineering, such as borrowing or stealing someone’s credential, as a way around a system. To mitigate this risk, biometrics can be a smart solution as credentials cannot be shared, though there will likely be convenience and cost factors to consider as well.
Another option is to have a full-time guard checking everyone’s IDs every day or every time they go in or out of the facility. However, salary costs and logistical considerations for security needs may affect your ability to utilize this strategy.
Multi-factor authentication is another tool to consider, requiring occupants to use a credential and a PIN. While this option can reduce the threat of stolen credentials, it can become inconvenient in busy environments. One innovative strategy that many organizations have implemented uses people’s attentiveness to their smartphones to provide an easy authentication procedure. Because individuals are generally hesitant to share their smartphones and react quickly if the device goes missing, incorporating access control authentication procedures into a mobile-friendly format can be a win-win for facilities teams. You can maintain access control for occupants who may be hesitant to use biometric security or have trouble remembering their access cards.
Considerations for Card-Based Systems:
If you are considering a card- or fob-based system, make sure you do not have the number printed on the card. Systems can be easily compromised by duplicating that number either by going online and buying a card with the same number or using an inexpensive, off-the-shelf card/fob programmer to make duplicates.
Skimming is increasingly popular and easy to do if your reader is mounted on the outside or unsecure side of the door. Criminals can remove the reader from the wall, put an inexpensive skimming device on the data lines and replace the reader on the wall so no one knows it’s there. All they have to do is sit back and gather card information. Ideally, you should never mount the reader on the unsecure outside of the door. However, older RFID card/fob technology has such a short read range that you may have no other choice. If that is the case, make sure you use a product that encrypts the data before it is sent to the system, and avoid any devices that simply send out the card’s unencrypted Wiegand data.
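Both card risks above come down to one property, shown here in an added example that is not part of the original article: in the common 26-bit Wiegand layout (an assumption; the article names no format), the frame a reader sends holds only a facility code, a card number and two parity bits. The sample frame and its values are constructed for illustration.

```python
# Added example: what a door controller receives over unencrypted Wiegand.
# Assumed layout (common 26-bit format, not named in the article):
#   1 even-parity bit | 8-bit facility code | 16-bit card number | 1 odd-parity bit

SAMPLE_FRAME = "10010101000110000001110011"  # constructed: facility 42, card 12345


def decode_wiegand26(bits: str) -> dict:
    """Split a 26-bit frame into its fields and check both parity bits."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 characters of 0/1")
    # The leading bit makes the first 13 bits even; the trailing bit
    # makes the last 13 bits odd. This is an error check, not a secret.
    even_ok = bits[:13].count("1") % 2 == 0
    odd_ok = bits[13:].count("1") % 2 == 1
    return {
        "facility_code": int(bits[1:9], 2),
        "card_number": int(bits[9:25], 2),
        "parity_ok": even_ok and odd_ok,
    }


def printed_number_is_whole_credential(bits: str, facility: int, card: int) -> bool:
    """True when the values printed on a card account for every data bit sent."""
    fields = decode_wiegand26(bits)
    return fields["parity_ok"] and (
        fields["facility_code"], fields["card_number"]) == (facility, card)


def flip_bit(bits: str, index: int) -> str:
    """Simulate line noise on one bit, the only thing parity is meant to catch."""
    flipped = "1" if bits[index] == "0" else "0"
    return bits[:index] + flipped + bits[index + 1:]


if __name__ == "__main__":
    print(decode_wiegand26(SAMPLE_FRAME))
    # Nothing beyond the printed values is needed to account for the frame.
    print(printed_number_is_whole_credential(SAMPLE_FRAME, 42, 12345))
    # A single corrupted bit fails parity; that is the frame's only check.
    print(decode_wiegand26(flip_bit(SAMPLE_FRAME, 5))["parity_ok"])
```

Because the frame contains no key, counter or challenge, every read of the same card is bit-for-bit identical, which is why the article asks for readers that encrypt before sending.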
If you are considering a smartphone access control system that uses Bluetooth, you can mount the readers out of sight on the secure side of the door to effectively eliminate the skimming threat. Just make sure your system uses encryption to avoid a “man-in-the-middle” attack.
Finally, hacking your IP network through an access control device can be a real threat if your device uses Wi-Fi and shares the local network. Make sure to talk about this with your IT manager as putting Wi-Fi access control devices on your network can be risky if they don’t comply with your IT security policy. Other alternatives are encrypted hard-wired systems or the newer encrypted Bluetooth-based systems that don’t use Wi-Fi at all.
Creating an effective access control program may seem complicated, but the easiest way to troubleshoot your system and find vulnerabilities is to put yourself in your adversary’s shoes: if you were trying to gain wrongful access to your facility, how would you do it? Are occupants properly trained to identify security risks and protect their access credentials? Could someone with a skimming device get close enough to defeat your protections? By taking a hard look at your facility’s access control procedures and identifying weak points, you can create a program that’s both resistant to attack and allows occupants enough autonomy to avoid making them feel locked down.
Paul Bodell is President and CEO of VIZpin.