Front Line of Security
Last year, two men dressed in uniforms similar to those of a national courier company walked into an office complex and removed several thousand dollars worth of computers from a shipping and receiving area. The computers had been delivered earlier in the week but had not yet been distributed in the facility. Upon investigation, it was learned that the thieves simply walked into the facility through open doors. Less than a month later, tenants on the 10th floor offices of a nearby downtown high-rise were victimized by an office “creeper” who took wallets from purses during the lunch hour. Both of these crimes could have been prevented by access control.
The basic concept of access control is simple: Decide who can come in, and keep everyone else out. By definition, access control is the use of barriers and recognition devices to restrict access into a controlled area. Access control can be overt and very obvious, but in most applications, it is better to be low key and unobtrusive.
An access control system is made up of two major parts: equipment (and hardware) and policies (and procedures). In order for any access control system to work, two things must occur. First, the building or area must be secure to the point that people cannot gain access except by going through a control point; second, there must be a specific list of people who are allowed access. The access list can be specific names or generalized groups. Once the decision is made on who is allowed access, systems can be put into place to keep everyone else out.
The overall design of the facility affects the ease with which access can be controlled. It is significantly easier to control access into a high-rise building than a facility complex spread out over several buildings. Access into a high-rise is almost always at ground level, effectively pushing everyone through an elevator lobby where a security or access point can be maintained.
In a multi-tenant facility, additional controls can be established within the building. One of the most common is card-controlled elevators, in which an access card is needed to stop the elevator on a specified floor.
New high-rise construction has the elevators for the garage and basement levels in a different area than the elevators serving tenant floors. This means a person must exit the garage elevator and re-enter a tenant floor elevator, passing through the lobby area on the way.
Facilities that are spread out are more difficult to control because of multiple entrances. A single access control system can be spread out over several buildings, or a single access point, such as a gate in a fence, can be established for the entire facility. Single-door access can be installed, but the cost can be high. It is necessary, however, in many applications. The cost of retrofitting existing facilities and running miles of wire can be overcome by using a single-door system or an off-line reader — a single-door system that operates independently and is not tied into the control system.
Types of Systems
Access control systems are based on one or a combination of four operating concepts: personal recognition, unique knowledge, unique possession and unique biometric.
- Personal recognition depends on the ability of an individual to recognize employees and authorize access. A small employee base along with a low turnover rate can make personal recognition very secure. The disadvantages are that turnover of the security staff wipes out the access control “database,” and turnover of employees can make it difficult for the security staff to keep track of who is and isn’t allowed in.
- Unique knowledge requires a person to have special information or knowledge to gain access, for example, a push-button combination lock. The advantage is that there is nothing to lose. The disadvantage is that it is possible for an authorized user to give a code or combination to an unauthorized user. Another common mistake is that individuals predictably write codes or combinations down. During security surveys, security specialists routinely look in Rolodexes under “safe,” “combination” or “door,” and very often find combinations or access codes. Codes also are often written under desk calendars.
Keypad access systems also require a person to have knowledge of the correct numerical access code to gain access. The combination or code is entered into a four-, six- or 10-digit keypad. Keypad systems can be electronic and tied into a system, or mechanical and stand-alone like a single-door, push-button door access system.
- Systems based on unique possession require a person to possess something that allows access. The most common unique possession system is a key and lock. A weakness in a unique possession system is that it will allow access to anyone who is in possession of the item, whether or not they are allowed access.
One increasingly common way to control access is through card readers. Each person who will require access receives a card. Each access card leaves an audit trail — a record of who enters and when. Most systems allow access “time windows” to be created, so that the time when each person has access can be limited. Remember, the system records what card opened the door, not who opened the door. Employees must be discouraged from loaning their cards to others, and it is very important for the user to protect his or her card.
- A unique biometric system generally is considered the most secure single method. These systems identify and verify a unique physical characteristic of a person, such as a fingerprint, voiceprint or retina. Biometric systems are secure because the requirement for access is a part of the body.
Most secure does not necessarily mean best choice, however. Biometric devices can be very expensive, and the technology involved makes some of the systems very temperamental.
The most secure access control systems utilize a combination of several of these methods at the same time for additional security. An example is card access with a PIN number: The user must have both the card and know the number to gain access. Photo ID cards can be a combination of unique possession (the card), unique knowledge (PIN) and personal identification (the photo on the card when viewed by a security officer).
Choosing the Right System
When choosing what system is right for a facility, many issues must be considered, including throughput time, imposter resistance, error rate, user compatibility, user acceptance, enrollment time and effort, storage, cost and reliability.
Throughput time and imposter resistance are critical considerations when selecting access control systems. Throughput is the time it takes a person to use the system and for the system to allow access. Throughput can take as little as a few seconds or as long as a few minutes. Throughput time becomes critical in situations when large numbers of people require access at the same time, for example, during a shift change.
Imposter resistance is the rate at which persons who are not allowed access can convince the system they are authorized. A simple key and lock has no imposter resistance, while biometric systems hold a high degree of imposter resistance. The need for imposter resistance is tied directly to the level of security required.
Access control systems also are judged by their error rate and effectiveness. There are four possible responses to a requested access: positive, false/positive, negative and false/negative. Positive is the rate at which persons who are allowed access are granted access. False/positive is the rate at which persons who should be denied access are granted access. Negative is the rate at which persons who should be denied access are denied access, and false/negative is the rate at which persons who should be allowed access are denied access. Remember, from a failure rate it is better to keep out people who should get in than let people in who should be kept out.
User compatibility and user acceptance are unique to each site. User compatibility simply means that the intended users must be able to use the access system. User acceptance is often a function of good public relations. Many people associate additional security measures with additional inconvenience, so it is important to keep access systems simple and to minimize the inconvenience whenever possible.
Enrollment time and effort considers the amount of time and effort to initially input everyone into the system. This is only a consideration when the system is first put into place. A biometric system compares the biometric feature of a person to the biometric feature on file. At some point the information needs to be entered into the system. Five minutes doesn’t seem like a lot of time to enroll someone into a system — unless the facility has several thousand employees. It would take more than 20 days to enroll 2,000 people into a system requiring only five minutes each, and that’s going non-stop for eight hours a day.
Storage is the amount of memory a system has. As recently as five years ago this was a problem, but today systems are available with virtually unlimited storage.
Lastly, the system must be reliable and fit within the budget.
Access control systems provide a significant increase in security. As with all security systems, any increase in the level of security brings with it an increased level of inconvenience. The trick is to balance the need for access control with need for facility protection and keep the inconvenience to a minimum.
Jeffrey Dingle, CPP, is director of protective operations at the Carter Presidential Center, which houses the office of former President Jimmy Carter. Dingle also operates the firm Security Publishing, which develops training manuals for security professionals. He is a member of the American Society of Industrial Security.