The ultimate guide on how to choose, buy and install the right solution
The purpose of access control is to grant entrance to a building or
office only to those who are authorized to be there. The deadbolt
lock, along with its matching brass key, was the gold standard of
access control for many years; however, modern businesses want more.
Yes, they want to control who passes through their doors, but they
also want a way to monitor and manage access. Keys have now passed the
baton to computer-based electronic access control systems that provide
quick, convenient access to authorized persons while denying access to
Today, instead of keys, we carry access cards or ID badges to gain entry to secured areas. Access control systems can also be used to restrict access to workstations, file rooms housing sensitive data, printers, and entry doors. In larger buildings, exterior door access is usually managed by a landlord or management agency, while interior office door access is controlled by the tenant company.
People new to access control may think the system is made up only of the card and the card reader mounted on the wall next to the door. But there are a few more parts behind the scenes, all working together to make the magic that grants access to the right person. That’s what this guide is about. Reading it will give you a full and comprehensive understanding of how access control systems work and the language required to communicate with vendors.
Access control systems aim to control who has access to a building,
facility, or a “for authorized persons only” area. This is typically
carried out by assigning employees, executives, freelancers, and
vendors to different types of groups or access levels. Everyone may be
able to use their access cards to enter the main door, but not be able
to access areas containing secure or privileged information.
For clarity, we divide the components into three groups: user-facing components, admin-facing components, and infrastructure components. Let’s dive into the nuances of the three categories.
The most familiar parts of access control systems are the cards, ID
badges, and, more recently, the smartphone apps that elicit an OK beep
when presented at a card reader and unlock the door. These are also
known as credentials, since they bear the user's data that tells the
reader to grant you permission to be on the premise, or in other
words, that you are an authorized entrant.
Access cards are typically proximity cards that, rather than being swiped or inserted like credit cards, are held two to six inches in front of the card reader. The same procedure is followed for phone apps. The benefit of using credentials is that they are personalized, so any unlock event can be traced back to the person associated with it.
The admin-facing side is the management dashboard, or portal, where
the office administrator, head of security, or IT manager sets the
parameters of persons allowed to access the premises and under which
circumstances they can do so. This involves a management dashboard,
often in the cloud, and a way to provision access—such as a card
In more advanced systems, the manual operations aspect can be automated. For example, the provisioning (creating and deleting access) can be done automatically by connecting the access dashboard to the company directory of employees. When a new hire shows up in the system, new access is automatically positioned via an API or integrating database service like Google Apps, Microsoft Azure, SAML, or Okta.
The infrastructure components are the ones that rely on your building infrastructure in order to function. The most obvious parts are locks, but there are other components, such as the controller, server, and cables.
Electronic locks are used to electrically unlock the door on which
it's installed. They usually have a wire that powers them. Some
locks will lock when they are supplied with power, while others
unlock when supplied with power. The first ones are known as
fail-safe locks and the second ones are known as fail-secure.
The choice of which to use depends on the area being secured. Entry doors call for fail-safe locks, since they need to comply with building codes and fire regulations that call for people to be able to exit at any time, even in the event of a power outage. IT rooms should be wired fail-secure because they need to remain locked at all times, even in the case of emergencies. Fail secure doors also need to be equipped with electrified push bars to allow people to exit quickly in case of a fire.
Also known as the access control field panel or intelligent controller, the access control panel is not visible to most people in a facility because it's installed in the IT room or the electrical, telephone, or communications closet. The reason for this precaution is because all the locks are wired to it. When a valid credential is presented at the door reader, the panel receives its request to unlock a specific relay, which is connected to the specific door wire.
Every access control system needs a server where the permissions are
stored in an access database. As such it acts as the center, or
“brain,” of the access control system. It is really the server that
makes the decision whether the door should unlock or not by matching
the credential presented to the credentials authorized for that
door. The server can be a dedicated local Windows or Linux computer,
a cloud server, or even a decentralized server (when the permissions
are stored in the door reader). The server also tracks and records
activity and events regarding access, and it allows administrators
to pull reports of past data events for a given time period.
If a locally-hosted access control server is used, there is typically a dedicated machine that runs the access software on it. Managing it requires the administrator to be on-site. Since having to contend with several local servers can become complicated for multi-facility management, cloud-based servers are gaining a lot of traction in this area.
Cables are a critical part of access control and can prove to be very expensive if installed improperly, so they should never be overlooked in planning an access control system. When building out space, it's important that all the cables are specified so that the general contractor knows what to do. If the cables are not planned for at this point, they will need to be added in later:This means someone will have to drill into, or lay cables on, all the newly-painted walls.
Beyond the obvious reason of needing an additional layer of security in a facility, there are multiple other reasons why access control—in particular, cloud-based access control—should be an essential part of any business.
Let’s start with the most obvious advantage of access control, which
is security. Installing an access control system prevents undesired
people from entering your building, but not only that! It also makes
sure that other interactions are perfectly regulated, such as visitors
coming to your office or couriers delivering packages for your
Having an access control system also means that you have control over all areas of your facility and that you make sure that unauthorized people can’t access archives and server rooms (more to follow in the next paragraph about compliance).
Compliance has been a big driver for companies to switch to access control in recent years. Many security managers, when facing breaches, can encounter trouble if they have not been complying with a series of certifications. Having a certified access control system like Kisi increases your credibility, makes you safer and better protectes against malware and hackers, and ultimately leads to increased revenue. Some examples of cases where compliance flows into the need for an access control system include:
Hospitals, doctors’ offices, and health insurance companies need to comply with HIPAA health data regulations.
Banks, insurance companies, and any business that accepts and processes credit cards are subject to PCI credit card data regulations.
SaaS providers, data centers, or any company hoping to maintain SOC2 cybersecurity standards.
Some access control systems integrate with your directories, allowing
for automated user provisioning and de-provisioning. This means that
on and offboarding processes are automatically taken care of from an
access management standpoint. This reduces maintenance and manual
tasks for your admins and also decreases the chances of human error.
As we mentioned earlier, access control also streamlines your visitor management procedures by ensuring that no visitor has access to your facility without being previously authorized by an admin. Learn more about access control and visitor management here.
Businesses that deal with privileged data and intellectual property, such as software developers, law firms, entrepreneurs, and pharmaceutical companies, need to not only control who comes into their facilities, but also which areas these individuals are allowed to access and when. Modern access systems not only allow granular permissions based on group memberships, but they also provide insights and analytics, which are often required for both business and compliance reasons.
Driving revenue is not something that is often associated with access
control and, in general, with security systems. However, evidence has
shown us that our solution is an efficient driver of revenue in
multiple use cases. Having an access control system like Kisi, for
example, can help you to transform your business into a 24/7/365
facility. The efficient security level, mixed with privileged access
for people belonging to your directory, make sure that you can leave
your facility open even when there is no staff checking the entrance.
This leads to more open hours and more revenue, without additional
costs (more about
this use case here ).
Another situation in which access is a revenue driver is the case of shared workspaces. Having multiple meeting rooms in your coworking facility can be a burden in some cases. It’s all space that owners are not monetizing on, and it takes away space for more desks and more customers. Installing a Kisi reader at the entrance of every meeting room and adding a paywall can really make you get the most out of your square footage. This means that members now have to pay a fee to use phone booths and meeting rooms, and this ultimately leads to more revenue without additional staffing or marketing efforts. We’ve written an article about this use case that you can find here.
Modern systems allow for a higher degree of security not by adding additional barriers to how users access a facility, but by leveraging technology to offer a smooth access experience combined with higher control on the admin side. 2FA is an example of an advanced feature that ensures all users not only need access to the right credential (an authorized smartphone device), but to also authenticate themselves (by unlocking the phone before being able to unlock the door).
We have mentioned, at the beginning of the article, the fact that
modern businesses want more and more from their access control system
(and for a good reason). At Kisi, we pride ourselves on being creators
and trying to keep up with the latest developments in technology. This
is why we chose cloud as an infrastructure to work
with, and that is why Kisi is greatly appreciated by customers—but
mostly by admins.
Not all access control systems are cloud-based, and, in this section, we will go through two main types of technology for access control systems (cloud-based vs. legacy) and briefly touch upon three models used by every access control provider: role-based access control, discretionary access control, and mandatory access control.
The access control market had been relatively stable for many years,
with companies offering standardized products that relied on the same
technology. This was before the cloud disrupted the industry, creating a
duality of offerings: legacy on-premises solutions (which do not work
with a cloud infrastructure) and cloud-based access control systems.
The clear difference between the two is the usage of the cloud infrastructure. The latter has a big impact in terms of upfront costs, maintenance, and features of the two systems. As a matter of fact, legacy access control systems require a server for functioning, which implies having to hire a person for the server room maintenance, higher facility costs, and in general, slower innovation.
A cloud-based access control system, on the other hand, does not require space when installed and functions immediately after installation. The main pros are that cloud-based systems allow for mobile usage and are constantly updated by the service provider. Kisi, which belongs in this category, launches multiple over-the-air updates every month.This means that your system will never be obsolete.
We’ve summarized the main differences between legacy and cloud-based access control systems in the table below.
Legacy Access Control Systems
Requires own server/server room
Higher maintenance costs and need for hiring a professional for doing this maintenances
Lower recurring costs but higher upfront costs
Kisi Cloud-based Access Control Systems
Lower upfront costs
Updates regularly by itself (it’s never obsolete)
No need for hiring staff + dedicated customer service
Integrates with multiple software/identity providers/directories
Mobile app and credentials
In case you want to learn more about the difference between legacy and cloud-based systems, feel free to contact us
When this paradigm is used, permissions are granted according to roles, and roles are assigned to users. This model is user-friendly because administrators can centrally manage and administer roles.
The user has direct control over all of the programs and files in the system, which is a complicated way of saying one method of access always opens all the doors.
This is the opposite of DAC. When MAC is the paradigm, a policy, hardware component, or software component is used to restrict access. This can be a password or keypad.
Different access control systems can be integrated with different
software/hardware solutions, and it might be difficult to cover all
the different use cases. We can, however, talk about the main use
cases for access control integrations and how they raise your
facility’s security level.
Kisi, just like other access control systems, has an active integration with some video surveillance providers. Pairing access to your cameras can really be an upgrade for your security system and allow you to match access events from your access control dashboard with screenshots from the security cameras. Through this, you can always know who is accessing your door or a picture of who/what is holding the door open.
Having this system in place will let you expand your security ecosystem and ultimately make your facility a safer place.
Read more about our video surveillance solution here .
Kisi has integrations with multiple directories and identity providers. The main benefit of this solution is foradmins to save time on maintenance and to automate part of the onboarding and offboarding process, reducing the risk of human error. The principle is that new members that are added to or removed from your directory (could be stored with your SSO provider or your CRM) are automatically added/removed from the Kisi one when they sync. This keeps your office secure and up to date with no additional maintenance required from your admins.
Particularly important for certain types of businesses, like coworking spaces, fitness facilities, or recreational clubs, integrating access control with an industry-specific membership management system puts access control in the background, as everything is seamlessly managed through the CRM. Such integrations allow, for instance, to automatically revoke access to non-paying users or differentiate access restrictions by membership tier.
Connecting your access control system to a fire alarm panel, an elevator board, or a temperature scanning device may be a requirement for a variety of businesses. Aside from the core features of a system, it is therefore important to also consider compatibility scenarios with the existing tech stack and existing setups in your building.
There are several factors to take into consideration when comparing different providers. Below is an overview of some of the main questions you may want to look at, divided into three categories: compatibility, features, and maintenance.
Compatibility is very important when choosing an access control system. Making sure that the system you want to purchase is compatible with your facility can save you a lot of time and money during the installation process. A highly compatible system, like the Kisi one, also makes it easier to maintain the facility and ensure a high level of security. Some compatibility-related questions may be:
Is it compatible with third-party hardware and free from lock-in?
Does it integrate with surveillance and other security systems?
How easy is it to use and configure?
Does it offer an open API?
Features are obviously the deal breaker when choosing any type of
security system for your office. What can be more difficult, however,
is understanding which features need to be prioritized in order to
find a solution that not only covers your basic needs, but also saves
you time in the long run.
We recommend that you choose a system based on cloud technology that gives you multiple unlocking options (not limited to only keycards or fobs). This saves you time, as you don’t have to issue a new keycard every time there is a new visitor or employee. It also reduces the number of security issues caused by employees forgetting or misusing keycards and fobs.
Lastly, we would recommend choosing a company with solid customer service in order to quickly clear any doubts that might emerge during installation or during everyday use of the system.
Some other feature-related questions you should consider:
Is the hardware IP-based?
Is offline mode supported?
Is two-factor authentication (2FA) supported?
Is lockdown supported? If so, is it at door or place level, or both?
What communication channels does it run on (eg: Bluetooth, NFC, RFID, PoE, and others)?
Does it support multiple types of authentication input such as mobile apps, remote unlocks, cards, key fobs, and more?
Are all access methods offering end-to-end data encryption?
Is customer support included?
What access restrictions are available (eg: time-based access, role-based access, level-based access, count-based access, and others)?
As the highest-rated access control solution, Kisi has secured
thousands of businesses across the world, from high-tech companies
like Canva to U.S. Air Force facilities.
Our advanced features are setting new industry standards and are built to provide an incredible access experience to both admins and end-users.
Extend Kisi’s cloud-based security to elevator access.
Unlock doors in less than a second by tapping the phone against the Kisi reader.
Mobile App Unlock
Let users access your space by unlocking doors with our mobile app.
Set your doors to be open during specific windows of time.
Set time restrictions to grant access to both visitors and regular users.
Visitor Link Access
Allow non-Kisi users to access your space using a temporary link.
2FA Mobile Access
Add an additional layer of security by enabling 2FA on mobile unlocks.
Access Groups Management
Create different access groups to automate access sharing and enhance security.
Set different levels of management for your admins:per place, per group, or per door.
Set granular access permissions and leverage our access group functionality
Automate provisioning with Kisi’s directory integrations.
Easily filter and export access events for specific doors, users, or access groups.
See and filter access events by time, user, or access groups.
Unlimited Doors and Places, all from a single dashboard.
Use check-in and check-out functionalities to track ins and outs. (coming soon)
Set alerts for when a door is held open or forced open.
Secure any door remotely by using Kisi’s lockdown feature.
Remote Access Sharing
Share access with anyone, anywhere thanks to our remote management features.
Validate entries and manage your space remotely 24/7.
Unlock doors even when your network is offline.
Visual Access Audits
Review and validate door entries with automatic video snapshots(requires cloud compatible camera).
Developers can use Kisi’s open API documentation (https://api.kisi.io/docs).
Access Teams Management*
Create different access teams to automate access sharing and enhance security across all your places.
SSO for Access Control*
Integrate door access with your SSO provider.
SCIM for Access Provisioning*
Seamlessly keep your user information up to date across all platforms.
* available on Organizations plan
Kisi allows us to have a fluid day, regardless of what office location we're working in, without slowing us down.