Understanding Access Control Systems

The ultimate guide on how to choose, buy and install the right solution

What is Access Control

The purpose of access control is to grant entrance to a building or office only to those who are authorized to be there. The deadbolt lock, along with its matching brass key, was the gold standard of access control for many years; however, modern businesses want more. Yes, they want to control who passes through their doors, but they also want a way to monitor and manage access. Keys have now passed the baton to computer-based electronic access control systems that provide quick, convenient access to authorized persons while denying access to unauthorized ones.

The Basic Parts of an Access Control System

Today, instead of keys, we carry access cards or ID badges to gain entry to secured areas. Access control systems can also be used to restrict access to workstations, file rooms housing sensitive data, and printers, as well as entry doors. In larger buildings, exterior door access is usually managed by a landlord or management agency, while interior office door access is controlled by the tenant company.

People new to access control may think the system is made up only of the card and the card reader mounted on the wall next to the door. There are a few more parts behind the scenes, all working together to make the magic of granting access to the right person. That’s what this guide is about. Reading it will give you a full and comprehensive understanding of how access control systems work and the language required to communicate with vendors.

Is it absolutely necessary that you learn about access control yourself? No, definitely not. But it will save you time if, in the middle of your project, a problem arises or an important choice must be made. You can seek advice from the installers, but they'll likely answer in access control language; however, you don’t have to take a crash course or call a security-control consultant just yet. But when you do, it helps to have a basic grasp of the subject, and your education is free when an online search turns up a resource like this.

Access control systems aim to control who has access to a building, facility, or a “for authorized persons only” area. This is typically carried out by assigning employees, executives, freelancers, and vendors to different types of groups or access levels. Everyone may be able to use their access cards to enter the main door but not to areas containing secure or privileged information.

Why Access Control?

Beyond the obvious reason, physical security, there are several reasons a business or medical facility might need an access control system.

Compliance

  • Hospitals, doctors’ offices, and health insurance companies need to comply with HIPAA health data regulations.
  • Banks, insurance companies, and any business that accepts and processes credit cards are subject to PCI credit card data regulations.
  • SaaS providers, data centers, or any company hoping to maintain SOC2 cybersecurity standards.

IP Data

Businesses that deal with privileged data and intellectual property, such as software developers, entrepreneurs, startups, and pharmaceutical companies need to not only control who comes into their facilities, but which areas they are allowed to access.

Basic Components of Access Control Systems

Access control systems vary widely in types and levels of complexity; however, most card access control systems consist of at least three basic components:

User Facing

Access cards, card reader and access control keypad.
Credentials

The most familiar parts of access control systems are the cards, ID badges and, more recently, the smartphone apps that elicit an OK beep when presented at a card reader and unlock the door. These are also known as credentials, since they bear the user's data that tells the reader to grant you permission to be on the premises, or in other words, that you are an authorized entrant.

Access cards are typically proximity cards that, rather than being swiped or inserted like credit cards, are held two to six inches in front of the card reader. The same procedure is followed for phone apps. The benefit of using credentials is that they are personalized, so any unlock event can be traced back to the person associated with it.

Card Reader

The card reader is mounted on the wall next to the door. It reads the data on the credential and sends a request to the server to unlock the door. Some access control systems use keypads requiring PIN or biometrics in place of the card and reader.

Admin Facing

Access management dashboard, integrations or API.
Management Dashboard

The admin-facing side is the management dashboard, or portal, where the office administrator, head of security, or IT manager sets the parameters of persons allowed to access the premises, and under which circumstances. This involves a management dashboard, often in the cloud, and a way to provision access, such as a card programming device.

In more advanced systems, the manual operations aspect can be automated. For example, the provisioning (creating and deleting access) can be done automatically by connecting the access dashboard to the company directory of employees. When a new hire shows up in the system, a new access is automatically provisioned via an API or integrating-database service like Google Apps, Microsoft Azure, SAML, or Okta.

Infrastructure

Electric door lock hardware, access control panels, and access control servers.
Locks

Electronic locks are used to electrically unlock the doors on which they're installed. They usually have a wire that powers them. Some locks lock when they are supplied with power while others unlock when supplied with power. The former are known as fail safe locks and the latter are known as fail secure.

The choice of which to use depends on the area being secured. Entry doors call for fail safe locks, since they need to comply with building codes and fire regulations that call for people to be able to exit at any time, even in the event of a power outage. IT rooms should be wired fail secure because they need to remain locked at all times, even in the case of emergencies. Fail secure doors also need to be equipped with electrified push bars to allow people to exit quickly in case of a fire.

Access Control Panel

Also known as the access control field panel, or intelligent controller, the access control panel is not visible to most people in a facility because it's installed in the IT room or the electrical, telephone, or communications closet. The reason for this precaution is that all the locks are wired to it. When a valid credential is presented at the door reader, the panel receives its request to unlock a specific relay, which is connected to the specific door wire.

Access Control Server

Every access control system needs a server where the permissions are stored in an access database. As such it acts as the center or “brain” of the access control system. It is really the server that makes the decision whether the door should unlock or not by matching the credential presented to the credentials authorized for that door. The server can be a dedicated local Windows or Linux computer, a cloud server, or even a decentralized server when the permissions are stored in the door reader. The server also tracks and records activity and events regarding access, and allows administrators to pull reports of past data events for a given time period.

If a locally-hosted access control server is used, there is typically a dedicated machine that runs the access software on it. Managing it requires the administrator to be there on-site. Since having to contend with several local servers can become complicated for multi-facility management, cloud-based servers are gaining a lot of traction in this area.

Low-Voltage Cables

Cables are a critical part of access control and can prove to be very expensive if installed improperly, so they should never be overlooked in planning an access control system. When building out the space, it's important that all the cables are specified so that the general contractor knows what to do. If the cables are not planned for at this point, they will need to be added in later, which means someone will have to drill into, or lay cables on, all the newly-painted walls.


In addition to locally-hosted access control systems, where the server is onsite (as explained in the previous section), you have three other options:

  • Cloud-based access control systems
  • Mobile or smartphone-based access control systems
  • IoT-based access control systems

The easiest way to explain these modern types of access control is to compare them to Google Mail, where your email is stored on the cloud rather than on your computer. The cloud, of course, is another way to say a remote server hosted by a service provider. This gives you the convenience of accessing your emails from any browser, as long as you have the correct login credentials.

Major Options of Access Control Systems

Cloud-Based Access Control:

In cloud-based access control, the access permissions are not stored on a local server, but in the cloud. This means that the administrator can manage the permissions from home, or while on vacation anywhere, simply by using a browser. This appeals to security managers charged with overseeing multi-location facilities.


Mobile or Smartphone-Based Access Control:

Mobile or smartphone access control works on the same principle as mobile-accessed email: once an app has been downloaded, users are able to access and respond to their mail as long as they enter the correct sign-in credentials. The same is true for smartphone-based access control. Once users are authorized and have downloaded the access control app to their smartphones, they're able to do the same thing; namely, sign in with their user account and, as soon as their authorized keys appear, select which door to open. The difference with Kisi, for instance, is that they just hold their phone to a Bluetooth or Near Field Communication (NFC) reader, and the door will unlock, but the permissions (log-in credentials) are checked in the background, just like sending an email.

IoT-Based Access Control:

For this we turn to the smartphone’s technology as an example to explain Internet of Things-based (IoT) access control. If you can picture the Pixel phone as being one of the most powerful sensors with auto-updating firmware, Bluetooth energy, NFC, internet connectivity, etc., it explains what an IoT door reader can do. Using Kisi’s IoT approach to access control, all the door readers are connected to the internet and have firmware that can be updated, whether for security reasons or to add new functionality.

And for those who want to delve a bit deeper, let’s look at the access control paradigms.

The Three Access Control Paradigms

The three access control paradigms organize how people gain access.

Role-Based Access Control (RBAC)

When this paradigm is used, permissions are granted according to roles and roles are assigned to users. This model is user-friendly because administrators can centrally manage and administer roles.

Discretionary Access Control (DAC)

The user has direct control over all of the programs and files in the system, which is a complicated way of saying one method of access always opens all the doors.

Mandatory Access Control (MAC)

This is the opposite of DAC. When MAC is the paradigm, a policy, hardware component, or software component is used to restrict access. This can be a password or keypad.

In our world of on-demand availability, access is extremely important and often assumed. While it’s easy to say, “I’d like to restrict and control access, that’s why I’m looking at access control,” the question should actually be, “How should we set up access control to least interfere with user behavior, yet provide the secure controls our business needs?” The answer is Kisi’s on-demand access. It gets everyone through the door while maintaining control.

The Five Phases of Access Control Methodology

The purpose of access control is, rather than allowing anyone off the street entrance to a facility, to make sure only people with permission can enter.
01 Authorization

Authorization is the phase that turns strangers into members. The first step is to define company policy; determine what people can and cannot do. This should include who has access to which door(s), and whether members of the organization can share access.

The next step is role-based access control (RBAC), as explained in the previous section. By assigning roles to users, they get a certain set of assigned privileges. This comes in handy for administrators since they don’t have to individually update every user, should something change.

Most organizations use employee directories in tandem with RBAC, since these lists include all authorized employees as well as their access levels.
02 Authentication

Authentication goes one level deeper than authorization. In this phase, members present to a door reader whatever badge, token, or credential they were given upon being authorized. The reader checks the credential's validity to determine whether or not it should unlock the electric lock on the door in question.
03 Access

Now that the credentials have been authenticated, the access tools available at this stage make sure everyone gets in the right door, at the right time, faster and easier.
Unlock:
Upon validation, the presenter can unlock whatever she wants to access. This can happen by pushing a button or by presenting an access card, fob, or badge that requests access.
Trigger:
Once the request to enter has been received by the access control system, the access is triggered, typically in the form of a door unlock.
Infrastructure:
If the door unlocks, multiple events are tracked at once: The user was correctly authenticated, the user triggered an unlock, the door opened and the door closed.
04 Manage

This phase helps the administrator meet several challenges, including adding new access points, onboarding and offboarding users, maintaining security, and troubleshooting problems. Let’s examine some advantages.
Scale:
Cloud-based access control systems can help startups and small businesses when they expand to new offices or additional offices by providing flexible and modular extensions of the existing setup.
Monitor:
Online access control systems send real-time alerts to administrators or security should any irregularity or attempted breach take place at any access point, allowing them to investigate immediately and record the event.
Troubleshoot:
Modern access control systems allow administrators to remotely configure permissions, or seek support from the vendor, should access points or users have issues—a huge advantage over locally-hosted systems.
05 Audit

Auditing physical access control is useful for all types of businesses. In addition, it helps certain sectors meet special requirements.
Scale:
Businesses can perform regularly-scheduled system reviews to make sure everything on the access control system is set up properly. It can also tell them if someone no longer employed by the company has been inadvertently left in the system.
Suspicious Events:
Since many access points are routinely tracked during any access event, auditing can prove useful to security officers when investigating unusual behavior. The data can be used to flag or highlight unusual access behavior or analyze it against historical data.
Compliance Reports:
Companies that process sensitive data like patient healthcare information, banking financial reports, or credit card payments must deal with audit requirements in the access control space when filing compliance reports in accordance with HIPAA, SOC2 or PCI. Some special categories like cyber security or ISO certifications also require managed and auditable access control. The audit phase can pull up the proper data for these periodic reports.
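
The server-side decision described under Access Control Server and the audit checks described above can be sketched together. This is an added example, not code from Kisi or any vendor; the role table, credential IDs, directory contents and the three-denial threshold are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample data (assumption): role -> doors it may open (RBAC).
ROLE_DOORS = {
    "employee": {"main"},
    "it_admin": {"main", "it_room"},
}
# Constructed access database on the server: credential id -> (user, role).
CREDENTIALS = {
    "card-1001": ("alice", "it_admin"),
    "card-1002": ("bob", "employee"),
    "card-1003": ("carol", "employee"),  # left the company, never removed
}
# Constructed company directory: users who are currently employed.
DIRECTORY = {"alice", "bob"}

@dataclass
class Event:
    time: datetime
    credential: str
    door: str
    granted: bool

def decide(credential, door, log, now):
    """Match the presented credential against the roles authorized for
    this door, and record the event whether or not access is granted."""
    entry = CREDENTIALS.get(credential)
    granted = entry is not None and door in ROLE_DOORS.get(entry[1], set())
    log.append(Event(now, credential, door, granted))
    return granted

def stale_credentials():
    """Audit: credentials still in the access database whose owner is
    no longer in the company directory."""
    return sorted(c for c, (user, _) in CREDENTIALS.items()
                  if user not in DIRECTORY)

def suspicious_events(log, denial_threshold=3):
    """Audit: granted unlocks made with a stale credential, plus any
    (credential, door) pair denied at least denial_threshold times.
    The threshold is an assumption, not a value from the guide."""
    stale = set(stale_credentials())
    flagged = [e for e in log if e.granted and e.credential in stale]
    denials = {}
    for e in log:
        if not e.granted:
            key = (e.credential, e.door)
            denials[key] = denials.get(key, 0) + 1
    repeated = sorted(k for k, n in denials.items() if n >= denial_threshold)
    return flagged, repeated

def run_sample():
    """Replay a constructed sequence of badge presentations."""
    log = []
    t = datetime(2024, 1, 8, 9, 0)
    decide("card-1001", "it_room", log, t)      # IT admin, granted
    decide("card-1003", "main", log, t)         # granted, but credential is stale
    for _ in range(3):
        decide("card-1002", "it_room", log, t)  # employee role, denied
    decide("card-9999", "main", log, t)         # unknown credential, denied
    return log
```

Running the directory cross-check on a schedule is what catches the former employee whose card still opens the main door, even though every individual unlock looked valid to the reader.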

The technology landscape is changing fast in the physical-security domain, where access control systems based on newer technologies are mushrooming. This can create confusion for anyone charged with outfitting their facility with one, but if they take it step by step, everything will come together.

The first step a company should take is obvious—do a count of all the doors that need to be secured; not just the entry doors, but also IT room doors where expensive equipment and security-related devices are installed, and for companies handling sensitive healthcare or financial data, the file rooms or offices where computers processing this data are kept.
Once this has been done, a team should be charged with looking into options, researching vendors, and getting bids. A reputable vendor, before quoting prices, will want to set up a site visit to look at the facility, and the doors, in order to be able to give an accurate quote. There are many ways to judge vendor or installer quality, and the quote is definitely one. Beware of any vendor who packs a lot of information into his quote but neglects to list line items.

Properties of a Quote:

  1. The type and number of locking devices that will be needed and where they will be installed.
  2. An access control panel to connect the locks to the internet.
  3. Wiring to connect everything and set up the system.
  4. A software license for management and support, which often includes hosting and a few accessory-credential materials.

It's also important to make sure the quote includes a Certificate of Insurance (COI). Many landlords and building management companies require this because it ensures that any possible damages incurred in installation will be covered.

And lastly, for those who want to go one step further with their access control education, we've provided a cheat sheet.

What to Look for When Selecting an Access Control System

  • Compatible with third-party hardware and free from lock-in
  • Support logical security
  • Be in line with local regulations and standards
  • Be capable of integrating with surveillance and other security systems
  • Be capable of integrating with existing hardware to reduce capital costs
  • Support modern modes of communication like cloud/mobile access and especially the Internet of Things (IoT)
  • Should be highly robust with reliable networks
  • Support modern wireless and wire-based technologies like Bluetooth, NFC, RFID, PoE, and others
  • Support multiple types of authentication input such as biometrics, passwords, mobile apps, cards, key fobs, two-factor authentication, and others
  • Latest end-to-end data encryption during transmission
  • Easy to use and configure
  • Affordable and powered by professional-grade customer support
  • Support all configurable features, like zoning, time-based access, role-based access, level-based access, count-based access, and other factors.
