Access control technology: finding the right path to better security
Access control systems have benefited from innovation in two ways: more extensive use of existing technology and development of newer technologies. For example, optical turnstiles and personnel/package screening equipment are now being designed into many high-rise office buildings as well as virtually every government building and high-security facility. And emerging technology promises to make screening systems even more effective.
The same combination of gains in existing and emerging technologies holds true for a range of access control areas.
Optical turnstiles have proven themselves in building lobbies as a way to separate and clear employees carrying access control cards from visitors who must present identification and verification of their purpose in entering the building. The employee’s access card is read while entering the porthole; infrared beams ensure that only one person passes through the porthole at a time. An invalid card triggers an alarm sent to a security officer.
Screening Systems: From X-rays to T-rays
Personnel screening in buildings also has improved with portable and fixed walk-through metal detectors, as well as X-ray package inspection units with built-in explosive sniffers and biological sensors. Radiological and chemical detectors can also be incorporated into the X-ray package.
An emerging technology that will have a dramatic impact on personnel and package screening is called terahertz radiation, or T-rays. T-rays are able to easily penetrate many types of materials without the medical risks of X-rays. Because different chemical structures absorb T-rays differently, these systems can be used very effectively to identify hidden materials, weapons or explosives.
The prototype T-ray scanners resemble a photocopier where a package sits on the imaging window, but future versions could take many forms, including a large walk-through security screen or a mobile probe tuned to detect buried explosives in front of an advancing army. Because the machine can be set to detect the spectral fingerprints of different materials, future versions will contain an extensive database to permit a range of materials to be identified and detected.
Biometrics technology has made major strides and is being used for both logical and physical access control. Because of its reasonable cost, fingerprint technology is employed mainly for logical control to grant access to computers or specific databases. In physical access control applications, card technology such as proximity, smart cards and laser cards predominates, but fingerprint, hand geometry and facial recognition are gaining in popularity in high-security government and commercial applications.
In the past, biometric templates were stored centrally on a separate database that the access control system communicated with for biometric verification. Because each set of biometrics was compared against the database in a search for a match, the read times were very long — too slow to use biometrics efficiently on any large scale. Today, the cardholder’s biometric template or image can be attached to his or her personal record in the access control system field panels. Because the cardholder’s biometric is compared only to the cardholder’s record, verification takes seconds as opposed to minutes.
The cardholder’s biometric template can also be stored right on the card itself and then compared to the person holding the card. Smart cards with 64 kilobytes and laser cards with 128 megabytes of data storage are capable of performing that function. The drawback with putting the biometric template on the card is that technology could be developed in the future to allow counterfeiters to alter the biometric if they possess the card. As a result, keeping the biometric template on a secure database is still recommended.
In a secure world, positive personnel identification would require that the user possess three forms of identification: an access credential like an access control card; specific knowledge like a PIN; and a biometric template – fingerprints, hand geometry, facial scan or retinal scan – that matches one in a database. Validation of these three pieces of information should guarantee that the person requesting access is authorized.
That background helps to explain why using biometric technology in a stand-alone reader as the primary means of physical access control is risky at this point in time. Biometric technologies are based on a kind of numbers game. Biometric systems deal with the acceptable percentage of probability. What this means is that to speed up the process of matching biometric templates, the probability of a false positive or negative match must be reduced to a lower percentage. In the past, the probabilities were as low as 70 percent to achieve an acceptable time to transmit and receive a response to a biometric match request.
Today, most biometric readers offer a probability of somewhere between 92 and 98 percent. While this represents a significant improvement, it also means that between 2 and 8 percent of the template matches could be rejects. The probability of positively identifying a person with less than 100 percent certainty is simply not acceptable in most commercial and all government facilities. Using a biometric template to validate a card read with a personal identification number is much safer and more reliable. This method is not vulnerable to false reads, false fingerprints, altered hand geometry impressions and disguises.
Improved Visitor Management
Because of heightened security awareness, security officers must sign visitors in, give them some sort of badge, verify that they are expected and then ensure that enough personal information is collected from the visitor to maintain a reasonable level of security and tracking. All of these functions are necessary, but they take time, sometimes too much time for a busy visiting executive. Because of delays caused by increased screening, many organizations have looked for solutions to improve customer service.
Several visitor management systems automate the process so that much of the screening is accomplished before the visitor arrives. This system must be accessible to all employees so that they can pre-register individuals or groups of visitors. Some are offered by security system manufacturers as add-on modules to existing security systems; others are Web-based and independent of the security system.
Experience suggests that the security access control system modules can work well on smaller projects with a limited number of visitors. But on larger projects, with many visitors and potentially many buildings, the Web-based programs work better, are more cost effective and run much faster.
The modular approach requires that client software be loaded individually onto every user’s computer within the organization and that software licensing for each user be issued. Users also must be trained on the software.
With Web-based products, on the other hand, a browser is used to enroll visitors, speeding up the process. In many larger organizations, a Web browser is already available on employee computers, so the primary task is training.
On both modular and Web-based systems, a visitor’s valid driver’s license or business card should be scanned into the visitor record; a digital photo is optional. Obviously, both types of systems must be interfaced with the access control system.
Flexibility is Key
Today, security measures and systems need to be flexible so that the security level in a building can be increased when circumstances warrant — for example, when there is a threat against the building or the Homeland Security status changes to a higher level — and then decreased when the need passes.
For example, lobbies of high-rise buildings today must accommodate personnel and package screening equipment. That equipment does not necessarily have to be in the lobby all the time. But when it is needed, it must be capable of being positioned and made operational quickly and efficiently.
One way to provide flexibility is to use security officers in conjunction with the access control system to verify the identity of everyone attempting to enter a building. The access control system must include a digital photo of each cardholder. Security officers are stationed at kiosks in the lobby. When an access card is presented to a card reader in the kiosk, a digital photo is automatically displayed on an LCD flat panel for the officer. The officer can visually verify that the cardholder picture in the database matches the person. When security is more relaxed, the card readers in the kiosks can be unmanned, with a single security officer to intercept unauthorized entry attempts.
Wireless portable card readers and card reader interface modules also can be used during periods of heightened security. Current wireless technology is proving reliable and is being used creatively in numerous temporary and permanent security installations. The interface modules permit rapid deployment of access control at areas that may not normally require control.
For example, when the Homeland Security Advisory System raised its threat level from yellow to orange, a research and development facility in the Chicago area used portable wireless card readers to push its security checkpoint from the lobby to gate entry checkpoints. That increased stand-off distance and tightened access.
Back to Basics
The goal of every facility executive is to develop and maintain an effective and efficient security program that will protect people, property and assets, today and into the future. To accomplish this objective, it is necessary to follow three basic rules:
1. Design the security systems with proven products that are maintainable.
2. Plan a migration path to accommodate future technologies.
3. Create a program that reflects the right balance between the three core elements of security: physical security/force protection, technical systems and operational procedures.
It is also important to keep in mind that security is not static. It requires the facility executive to be ready for changes and new threats every day. The threat environment is different on a normal business day, as opposed to a day when a visiting dignitary and possible terrorist target is visiting a building or complex. The security program must be flexible enough to expand and contract based on changing risks.
Integrating Security Systems for Safer Facilities
Since Sept. 11, there has been an increasingly seamless and efficient integration of security sub-systems into nearly every kind of security system installation. Here are five ways systems are being integrated to ease monitoring tasks while increasing security.
— William Sako