Understanding Access Control Systems

The ultimate guide on how to choose, buy and install the right solution

What is Access Control

The purpose of access control is to grant entrance to a building or office only to those who are authorized to be there. The deadbolt lock, along with its matching brass key, was the gold standard of access control for many years; however, modern businesses want more. Yes, they want to control who passes through their doors, but they also want a way to monitor and manage access. Keys have now passed the baton to computer-based electronic access control systems that provide quick, convenient access to authorized persons while denying access to unauthorized ones.


The Basic Parts of an Access Control System

Today, instead of keys, we carry access cards or ID badges to gain entry to secured areas. Access control systems can restrict access not only to entry doors but also to workstations, printers, and file rooms housing sensitive data. In larger buildings, exterior door access is usually managed by a landlord or management agency, while interior office door access is controlled by the tenant company.

People new to access control may think the system is made up only of the card and the card reader mounted on the wall next to the door. There are a few more parts behind the scenes, all working together to make the magic of granting access to the right person. That’s what this guide is about. Reading it will give you a full and comprehensive understanding of how access control systems work and the language required to communicate with vendors.

Is it absolutely necessary that you learn about access control yourself? No, definitely not. But it will save you time if, in the middle of your project, a problem arises or an important choice must be made. You can seek advice from the installers, but they'll likely answer in access control language. You don't have to take a crash course or call a security-control consultant just yet. But when you do, it helps to have a basic grasp of the subject, and your education is free when an online search turns up a resource like this.

Access control systems aim to control who has access to a building, facility, or a “for authorized persons only” area. This is typically carried out by assigning employees, executives, freelancers, and vendors to different types of groups or access levels. Everyone may be able to use their access cards to enter the main door but not to areas containing secure or privileged information.

Why Access Control?

Beyond the obvious reason, physical security, there are several reasons a business or medical facility might need an access control system.


  • Hospitals, doctors’ offices, and health insurance companies need to comply with HIPAA health data regulations.
  • Banks, insurance companies, and any business that accepts and processes credit cards are subject to PCI credit card data regulations.
  • SaaS providers, data centers, or any company hoping to maintain SOC2 cybersecurity standards.

IP Data

Businesses that deal with privileged data and intellectual property, such as software developers, entrepreneurs, startups, and pharmaceutical companies need to not only control who comes into their facilities, but which areas they are allowed to access.

Basic Components of Access Control Systems

Access control systems vary widely in types and levels of complexity; however, most card access control systems consist of at least three basic components:

User facing

Access cards, card reader and access control keypad.

Admin facing

Access management dashboard, integrations or API.


Electric door lock hardware, access control panels, and access control servers.

Major Options of Access Control Systems

In addition to locally-hosted access control systems, where the server is onsite (as explained in the previous section), you have three other options:

  • Cloud-based access control systems
  • Mobile or smartphone-based access control systems
  • IoT-based access control

The easiest way to explain these modern types of access control is to compare them to Google Mail, where your email is stored on the cloud rather than on your computer. The cloud, of course, is another way to say a remote server hosted by a service provider. This gives you the convenience of accessing your emails from any browser, as long as you have the correct login credentials.

Cloud-Based Access Control:

In cloud-based access control, the access permissions are stored not on a local server but in the cloud. This means that the administrator can manage the permissions from home, or while on vacation anywhere, simply by using a browser. This appeals to security managers charged with overseeing multi-location facilities.


Mobile or Smartphone-Based Access Control:

Mobile or smartphone access control works on the same principle as mobile email: once an app has been downloaded, users can read and respond to their mail as long as they enter the correct sign-in credentials. The same is true for smartphone-based access control. Once users are authorized and have downloaded the access control app to their smartphones, they sign in with their user account and, as soon as their authorized keys appear, select which door to open. The difference with Kisi, for instance, is that they just hold their phone to a Bluetooth or Near Field Communication (NFC) reader and the door unlocks, while the permissions (log-in credentials) are checked in the background, just like sending an email.

IoT-Based Access Control:

For this we turn to the smartphone's technology as an example to explain Internet of Things-based (IoT) access control. If you can picture the Pixel phone as being one of the most powerful sensors with auto-updating firmware, Bluetooth energy, NFC, internet connectivity, etc., it explains what an IoT door reader can do. Using Kisi's IoT approach to access control, all the door readers are connected to the internet and have firmware that can be updated, whether for security reasons or to add new functionality.

And for those who want to delve a bit deeper, let’s look at the access control paradigms.

Three Types of Access Control

Three access control paradigms organize how people gain access: role-based access control (RBAC), discretionary access control (DAC), and mandatory access control (MAC).

Role-Based Access Control (RBAC)

When this paradigm is used, permissions are granted according to roles and roles are assigned to users. This model is user-friendly because administrators can centrally manage and administer roles.

Discretionary Access Control (DAC)

The user has direct control over all of the programs and files in the system, which is a complicated way of saying one method of access always opens all the doors.

Mandatory Access Control (MAC)

This is the opposite of DAC. When MAC is the paradigm, a policy, hardware component, or software component is used to restrict access. This can be a password or keypad.

In our world of on-demand availability, access is extremely important and often assumed. While it’s easy to say, “I’d like to restrict and control access, that’s why I’m looking at access control,” the question should actually be, “How should we set up access control to least interfere with user behavior, yet provide the secure controls our business needs?” The answer is Kisi’s on-demand access. It gets everyone through the door while maintaining control.

The Five Phases of Access Control Methodology

The purpose of access control is to make sure only people with permission can enter a facility, rather than allowing anyone off the street to walk in.


Access Authorization
Authorization is the phase that turns strangers into members. The first step is to define company policy; determine what people can and cannot do. This should include who has access to which door(s), and whether members of the organization can share access.

The next step is role-based access control (RBAC), as explained in the previous section. By assigning roles to users, they get a certain set of assigned privileges. This comes in handy for administrators since they don’t have to individually update every user, should something change.

Most organizations use employee directories in tandem with RBAC, since these lists include all authorized employees as well as their access levels.


Authentication goes one level deeper than authorization. In this phase, members present to a door reader whatever badge, token, or credential they were given upon being authorized. The reader checks whether the credential is valid to determine whether or not it should unlock the electric lock on the door in question.


Now that the credentials have been authenticated, the access tools available at this stage make sure everyone gets in the right door, at the right time, faster and easier.
Upon validation, the presenter can unlock whatever she wants to access. This can happen by pushing a button, presenting an access card, fob, or badge that requests access.
Once the request to enter has been received by the access control system, the access is triggered, typically in the form of a door unlock.
If the door unlocks, multiple events are tracked at once: The user was correctly authenticated, the user triggered an unlock, the door opened and the door closed.
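The authorization, authentication and access phases described above can be sketched in a few lines. This is an added example, not Kisi's code or part of the original guide; the role names, door names, card IDs and time windows are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

ALL_DAY = (time(0, 0), time(23, 59, 59))
# Constructed policy: role -> {door: (earliest, latest) time of day}.
ROLE_DOORS = {
    "employee": {"main": (time(7, 0), time(20, 0))},
    "it_admin": {"main": ALL_DAY, "server_room": ALL_DAY},
    "vendor": {"main": (time(9, 0), time(17, 0))},
}
# Constructed directory: credential -> (user, roles, still active?).
DIRECTORY = {
    "card-1001": ("alice", ["employee", "it_admin"], True),
    "card-1002": ("bob", ["employee"], True),
    "card-1003": ("carol", ["vendor"], False),  # offboarded vendor
}

@dataclass
class Controller:
    events: list = field(default_factory=list)  # audit trail of every decision

    def _log(self, when, who, door, outcome):
        self.events.append((when.isoformat(), who, door, outcome))

    def request_unlock(self, credential, door, when):
        """Return True only if the credential is valid and a role allows the door now."""
        user, roles, active = DIRECTORY.get(credential, (None, [], False))
        if not active:  # unknown or revoked credential: authentication fails
            self._log(when, credential, door, "auth_failed")
            return False
        self._log(when, user, door, "authenticated")
        for role in roles:  # authorization: any role granting this door in its window
            window = ROLE_DOORS.get(role, {}).get(door)
            if window and window[0] <= when.time() <= window[1]:
                self._log(when, user, door, "unlock")
                return True
        self._log(when, user, door, "denied")  # default deny
        return False

if __name__ == "__main__":
    c = Controller()
    noon = datetime(2024, 3, 4, 12, 0)
    print(c.request_unlock("card-1001", "server_room", noon))  # it_admin role
    print(c.request_unlock("card-1002", "server_room", noon))  # employee only
    print(c.request_unlock("card-1003", "main", noon))         # revoked card
    for event in c.events:
        print(event)
```

Changing what a role may open means editing one entry in the policy table rather than every user, and every decision, including refusals, lands in the event list that the audit phase later reviews.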


This phase helps the administrator meet several challenges, including adding new access points, onboarding and offboarding users, maintaining security, and troubleshooting problems. Let’s examine some advantages.
Cloud-based access control systems can help startups and small businesses when they expand to new offices or additional offices by providing flexible and modular extensions of the existing setup.
Online access control systems send real-time alerts to administrators or security should any irregularity or attempted breach take place at any access point, allowing them to investigate immediately and record the event.
Modern access control systems allow administrators to remotely configure permissions, or seek support from the vendor, should access points or users have issues—a huge advantage over locally-hosted systems.


Auditing physical access control is useful for all types of businesses. In addition, it helps certain sectors meet special requirements.
Businesses can perform regularly-scheduled system reviews to make sure everything on the access control system is set up properly. It can also tell them if someone no longer employed by the company has been inadvertently left in the system.
Suspicious Events:
Since many access points are routinely tracked during any access event, auditing can prove useful to security officers when investigating unusual behavior. The data can be used to flag or highlight unusual access behavior or analyze it against historical data.
Compliance Reports:
Companies that process sensitive data like patient healthcare information, banking financial reports, or credit card payments must deal with audit requirements in the access control space when filing compliance reports in accordance with HIPAA, SOC2 or PCI. Some special categories like cyber security or ISO certifications also require managed and auditable access control. The audit phase can pull up the proper data for these periodic reports.
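The two audit checks described above, finding former staff still enrolled and flagging unusual access against historical data, look like this in practice. This is an added example, not part of the original guide or any vendor's product; the directory, event log, the 06:00-22:00 window and the threshold of three denials are constructed assumptions.

```python
from collections import Counter
from datetime import datetime

# All data below is constructed for illustration.
DIRECTORY = {"alice", "bob"}              # current employees per HR
ACCESS_USERS = ["alice", "bob", "carol"]  # users enrolled in the door system
HISTORY = {"alice": {"main", "server_room"}, "bob": {"main"}, "carol": {"main"}}
EVENTS = [  # (timestamp, user, door, outcome)
    ("2024-03-04T08:55:00", "alice", "main", "unlock"),
    ("2024-03-04T09:10:00", "carol", "main", "unlock"),
    ("2024-03-04T23:40:00", "alice", "server_room", "unlock"),
    ("2024-03-05T10:00:00", "bob", "server_room", "denied"),
    ("2024-03-05T10:00:20", "bob", "server_room", "denied"),
    ("2024-03-05T10:00:45", "bob", "server_room", "denied"),
    ("2024-03-05T14:00:00", "bob", "file_room", "unlock"),
]

def stale_credentials(access_users, directory):
    """Users still enrolled in the access system but absent from the directory."""
    return sorted(set(access_users) - set(directory))

def flag_events(events, history, directory, denied_threshold=3):
    """Return (event, reason) pairs that deserve a reviewer's attention."""
    flagged, denied = [], Counter()
    for ev in events:
        ts, user, door, outcome = ev
        hour = datetime.fromisoformat(ts).hour
        if user not in directory:
            flagged.append((ev, "user not in directory"))
        elif outcome == "unlock" and door not in history.get(user, set()):
            flagged.append((ev, "door never used by this user before"))
        elif outcome == "unlock" and not 6 <= hour < 22:
            flagged.append((ev, "unlock outside 06:00-22:00"))
        if outcome == "denied":
            denied[(user, door)] += 1
            if denied[(user, door)] == denied_threshold:  # flag once per burst
                flagged.append((ev, f"{denied_threshold} denied attempts"))
    return flagged

if __name__ == "__main__":
    print("stale:", stale_credentials(ACCESS_USERS, DIRECTORY))
    for ev, reason in flag_events(EVENTS, HISTORY, DIRECTORY):
        print(reason, ev)
```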
The technology landscape is changing fast in the physical-security domain, where access control systems based on newer technologies are mushrooming. This can create confusion for anyone charged with outfitting their facility with one, but if they take it step by step, everything will come together.

The first step a company should take is obvious—do a count of all the doors that need to be secured; not just the entry doors, but also IT room doors where expensive equipment and security-related devices are installed, and for companies handling sensitive healthcare or financial data, the file rooms or offices where computers processing this data are kept.
Once this has been done, a team should be charged with looking into options, researching vendors, and getting bids. A reputable vendor, before quoting prices, will want to set up a site visit to look at the facility, and the doors, in order to be able to give an accurate quote. There are many ways to judge vendor or installer quality, and the quote is definitely one. Beware of any vendor who packs a lot of information into his quote but neglects to list line items.

Properties of a Quote:

  • The type and number of locking devices that will be needed and where they will be installed.
  • An access control panel to connect the locks to the internet.
  • Wiring to connect everything and set up the system.
  • A software license for management and support, which often includes hosting and a few accessory-credential materials.

It's also important to make sure the quote includes a Certificate of Insurance (COI). Many landlords and building management companies require this because it ensures that any possible damages incurred in installation will be covered.

And lastly, for those who want to go one step further with their access control education, we've provided a cheat sheet.

What to Look for When Selecting an Access Control System

  • Be compatible with third-party hardware and free from lock-in
  • Support logical security
  • Be in line with local regulations and standards
  • Be capable of integrating with surveillance and other security systems
  • Be capable of integrating with existing hardware to reduce capital costs
  • Support modern modes of communication like cloud/mobile access and especially the Internet of Things (IoT)
  • Be highly robust, with reliable networks
  • Support modern wireless and wire-based technologies like Bluetooth, NFC, RFID, PoE, and others
  • Support multiple types of authentication input such as biometrics, passwords, mobile apps, cards, key fobs, two-factor authentication, and others
  • Use the latest end-to-end data encryption during transmission
  • Be easy to use and configure
  • Be affordable and powered by professional-grade customer support
  • Support all configurable features, like zoning, time-based access, role-based access, level-based access, count-based access, and other factors
