Understanding Access Control Systems

The ultimate guide on how to choose, buy and install the right solution


What is Access Control?

dot square

The purpose of access control is to grant entrance to a building or office only to those who are authorized to be there. The deadbolt lock, along with its matching brass key, was the gold standard of access control for many years; however, modern businesses want more. Yes, they want to control who passes through their doors, but they also want a way to monitor and manage access. Keys have now passed the baton to computer-based electronic access control systems that provide quick, convenient access to authorized persons while denying access to unauthorized ones.

Today, instead of keys, we carry access cards or ID badges to gain entry to secured areas. Access control systems can also be used to restrict access to workstations, file rooms housing sensitive data, printers, and entry doors. In larger buildings, exterior door access is usually managed by a landlord or management agency, while interior office door access is controlled by the tenant company.

People new to access control may think the system is made up only of the card and the card reader mounted on the wall next to the door. But there are a few more parts behind the scenes, all working together to make the magic that grants access to the right person. That’s what this guide is about. Reading it will give you a full and comprehensive understanding of how access control systems work and the language required to communicate with vendors.


Access Control Components

dot square

Access control systems aim to control who has access to a building, facility, or a “for authorized persons only” area. This is typically carried out by assigning employees, executives, freelancers, and vendors to different types of groups or access levels. Everyone may be able to use their access cards to enter the main door, but not be able to access areas containing secure or privileged information.

For clarity, we divide the components into three groups: user-facing components, admin-facing components, and infrastructure components. Let’s dive into the nuances of the three categories.

User facing

The most familiar parts of access control systems are the cards, ID badges, and, more recently, the smartphone apps that elicit an OK beep when presented at a card reader and unlock the door. These are also known as credentials, since they bear the user's data that tells the reader to grant you permission to be on the premise, or in other words, that you are an authorized entrant.

Access cards are typically proximity cards that, rather than being swiped or inserted like credit cards, are held two to six inches in front of the card reader. The same procedure is followed for phone apps. The benefit of using credentials is that they are personalized, so any unlock event can be traced back to the person associated with it.

Admin facing

The admin-facing side is the management dashboard, or portal, where the office administrator, head of security, or IT manager sets the parameters of persons allowed to access the premises and under which circumstances they can do so. This involves a management dashboard, often in the cloud, and a way to provision access—such as a card programming device.

In more advanced systems, the manual operations aspect can be automated. For example, the provisioning (creating and deleting access) can be done automatically by connecting the access dashboard to the company directory of employees. When a new hire shows up in the system, new access is automatically positioned via an API or integrating database service like Google Apps, Microsoft Azure, SAML, or Okta.


The infrastructure components are the ones that rely on your building infrastructure in order to function. The most obvious parts are locks, but there are other components, such as the controller, server, and cables.

Access Control Locks

Electronic locks are used to electrically unlock the door on which it's installed. They usually have a wire that powers them. Some locks will lock when they are supplied with power, while others unlock when supplied with power. The first ones are known as fail-safe locks and the second ones are known as fail-secure.

The choice of which to use depends on the area being secured. Entry doors call for fail-safe locks, since they need to comply with building codes and fire regulations that call for people to be able to exit at any time, even in the event of a power outage. IT rooms should be wired fail-secure because they need to remain locked at all times, even in the case of emergencies. Fail secure doors also need to be equipped with electrified push bars to allow people to exit quickly in case of a fire.

Access Control Panel (or Controller)

Also known as the access control field panel or intelligent controller, the access control panel is not visible to most people in a facility because it's installed in the IT room or the electrical, telephone, or communications closet. The reason for this precaution is because all the locks are wired to it. When a valid credential is presented at the door reader, the panel receives its request to unlock a specific relay, which is connected to the specific door wire.

Access Control Server

Every access control system needs a server where the permissions are stored in an access database. As such it acts as the center, or “brain,” of the access control system. It is really the server that makes the decision whether the door should unlock or not by matching the credential presented to the credentials authorized for that door. The server can be a dedicated local Windows or Linux computer, a cloud server, or even a decentralized server (when the permissions are stored in the door reader). The server also tracks and records activity and events regarding access, and it allows administrators to pull reports of past data events for a given time period.

If a locally-hosted access control server is used, there is typically a dedicated machine that runs the access software on it. Managing it requires the administrator to be on-site. Since having to contend with several local servers can become complicated for multi-facility management, cloud-based servers are gaining a lot of traction in this area.

Low-Voltage Cables

Cables are a critical part of access control and can prove to be very expensive if installed improperly, so they should never be overlooked in planning an access control system. When building out space, it's important that all the cables are specified so that the general contractor knows what to do. If the cables are not planned for at this point, they will need to be added in later:This means someone will have to drill into, or lay cables on, all the newly-painted walls.


The Importance of Access Control

dot square

Beyond the obvious reason of needing an additional layer of security in a facility, there are multiple other reasons why access control—in particular, cloud-based access control—should be an essential part of any business.

Physical Security

Let’s start with the most obvious advantage of access control, which is security. Installing an access control system prevents undesired people from entering your building, but not only that! It also makes sure that other interactions are perfectly regulated, such as visitors coming to your office or couriers delivering packages for your business.

Having an access control system also means that you have control over all areas of your facility and that you make sure that unauthorized people can’t access archives and server rooms (more to follow in the next paragraph about compliance).


Compliance has been a big driver for companies to switch to access control in recent years. Many security managers, when facing breaches, can encounter trouble if they have not been complying with a series of certifications. Having a certified access control system like Kisi increases your credibility, makes you safer and better protectes against malware and hackers, and ultimately leads to increased revenue. Some examples of cases where compliance flows into the need for an access control system include:

  • Hospitals, doctors’ offices, and health insurance companies need to comply with HIPAA health data regulations.

  • Banks, insurance companies, and any business that accepts and processes credit cards are subject to PCI credit card data regulations.

  • SaaS providers, data centers, or any company hoping to maintain SOC2 cybersecurity standards.

Operations & Visitor Management

Some access control systems integrate with your directories, allowing for automated user provisioning and de-provisioning. This means that on and offboarding processes are automatically taken care of from an access management standpoint. This reduces maintenance and manual tasks for your admins and also decreases the chances of human error.

As we mentioned earlier, access control also streamlines your visitor management procedures by ensuring that no visitor has access to your facility without being previously authorized by an admin. Learn more about access control and visitor management here.

IP and Data Protection

Businesses that deal with privileged data and intellectual property, such as software developers, law firms, entrepreneurs, and pharmaceutical companies, need to not only control who comes into their facilities, but also which areas these individuals are allowed to access and when. Modern access systems not only allow granular permissions based on group memberships, but they also provide insights and analytics, which are often required for both business and compliance reasons.


Driving revenue is not something that is often associated with access control and, in general, with security systems. However, evidence has shown us that our solution is an efficient driver of revenue in multiple use cases. Having an access control system like Kisi, for example, can help you to transform your business into a 24/7/365 facility. The efficient security level, mixed with privileged access for people belonging to your directory, make sure that you can leave your facility open even when there is no staff checking the entrance. This leads to more open hours and more revenue, without additional costs (more about this use case here ).

Another situation in which access is a revenue driver is the case of shared workspaces. Having multiple meeting rooms in your coworking facility can be a burden in some cases. It’s all space that owners are not monetizing on, and it takes away space for more desks and more customers. Installing a Kisi reader at the entrance of every meeting room and adding a paywall can really make you get the most out of your square footage. This means that members now have to pay a fee to use phone booths and meeting rooms, and this ultimately leads to more revenue without additional staffing or marketing efforts. We’ve written an article about this use case that you can find here.

User Experience and Authentication

Modern systems allow for a higher degree of security not by adding additional barriers to how users access a facility, but by leveraging technology to offer a smooth access experience combined with higher control on the admin side. 2FA is an example of an advanced feature that ensures all users not only need access to the right credential (an authorized smartphone device), but to also authenticate themselves (by unlocking the phone before being able to unlock the door).


Types of Access Control

dot square

We have mentioned, at the beginning of the article, the fact that modern businesses want more and more from their access control system (and for a good reason). At Kisi, we pride ourselves on being creators and trying to keep up with the latest developments in technology. This is why we chose cloud as an infrastructure to work with, and that is why Kisi is greatly appreciated by customers—but mostly by admins.

Not all access control systems are cloud-based, and, in this section, we will go through two main types of technology for access control systems (cloud-based vs. legacy) and briefly touch upon three models used by every access control provider: role-based access control, discretionary access control, and mandatory access control.

Legacy Access Control vs. Cloud-based Access Control

The access control market had been relatively stable for many years, with companies offering standardized products that relied on the same technology. This was before the cloud disrupted the industry, creating a duality of offerings: legacy on-premises solutions (which do not work with a cloud infrastructure) and cloud-based access control systems.

The clear difference between the two is the usage of the cloud infrastructure. The latter has a big impact in terms of upfront costs, maintenance, and features of the two systems. As a matter of fact, legacy access control systems require a server for functioning, which implies having to hire a person for the server room maintenance, higher facility costs, and in general, slower innovation.

A cloud-based access control system, on the other hand, does not require space when installed and functions immediately after installation. The main pros are that cloud-based systems allow for mobile usage and are constantly updated by the service provider. Kisi, which belongs in this category, launches multiple over-the-air updates every month.This means that your system will never be obsolete.

We’ve summarized the main differences between legacy and cloud-based access control systems in the table below.

Legacy Access Control Systems

  • Requires own server/server room

  • Higher maintenance costs and need for hiring a professional for doing this maintenances

  • Fewer integrations

  • Lower recurring costs but higher upfront costs

Kisi Cloud-based Access Control Systems

  • Lower upfront costs

  • Updates regularly by itself (it’s never obsolete)

  • No need for hiring staff + dedicated customer service

  • Integrates with multiple software/identity providers/directories

  • Mobile app and credentials

In case you want to learn more about the difference between legacy and cloud-based systems, feel free to contact us

Access Control Models

Role-Based Access Control (RBAC)

When this paradigm is used, permissions are granted according to roles, and roles are assigned to users. This model is user-friendly because administrators can centrally manage and administer roles.

Discretionary Access Control (DAC)

The user has direct control over all of the programs and files in the system, which is a complicated way of saying one method of access always opens all the doors.

Mandatory Access Control (MAC)

This is the opposite of DAC. When MAC is the paradigm, a policy, hardware component, or software component is used to restrict access. This can be a password or keypad.


Access Control Software and Hardware Integrations

dot square

Access Control and Video Surveillance Integration

Different access control systems can be integrated with different software/hardware solutions, and it might be difficult to cover all the different use cases. We can, however, talk about the main use cases for access control integrations and how they raise your facility’s security level.

Kisi, just like other access control systems, has an active integration with some video surveillance providers. Pairing access to your cameras can really be an upgrade for your security system and allow you to match access events from your access control dashboard with screenshots from the security cameras. Through this, you can always know who is accessing your door or a picture of who/what is holding the door open.
Having this system in place will let you expand your security ecosystem and ultimately make your facility a safer place.

Read more about our video surveillance solution here .

Directories and Identity Providers

Kisi has integrations with multiple directories and identity providers. The main benefit of this solution is foradmins to save time on maintenance and to automate part of the onboarding and offboarding process, reducing the risk of human error. The principle is that new members that are added to or removed from your directory (could be stored with your SSO provider or your CRM) are automatically added/removed from the Kisi one when they sync. This keeps your office secure and up to date with no additional maintenance required from your admins.

CRM and membership management systems

Particularly important for certain types of businesses, like coworking spaces, fitness facilities, or recreational clubs, integrating access control with an industry-specific membership management system puts access control in the background, as everything is seamlessly managed through the CRM. Such integrations allow, for instance, to automatically revoke access to non-paying users or differentiate access restrictions by membership tier.

Hardware compatibility

Connecting your access control system to a fire alarm panel, an elevator board, or a temperature scanning device may be a requirement for a variety of businesses. Aside from the core features of a system, it is therefore important to also consider compatibility scenarios with the existing tech stack and existing setups in your building.

What to Look for When Choosing an Access Control System

dot square

There are several factors to take into consideration when comparing different providers. Below is an overview of some of the main questions you may want to look at, divided into three categories: compatibility, features, and maintenance.


Compatibility is very important when choosing an access control system. Making sure that the system you want to purchase is compatible with your facility can save you a lot of time and money during the installation process. A highly compatible system, like the Kisi one, also makes it easier to maintain the facility and ensure a high level of security. Some compatibility-related questions may be:

  • Is it compatible with third-party hardware and free from lock-in?

  • Does it integrate with surveillance and other security systems?

  • How easy is it to use and configure?

  • Does it offer an open API?

Features and maintenance

Features are obviously the deal breaker when choosing any type of security system for your office. What can be more difficult, however, is understanding which features need to be prioritized in order to find a solution that not only covers your basic needs, but also saves you time in the long run.

We recommend that you choose a system based on cloud technology that gives you multiple unlocking options (not limited to only keycards or fobs). This saves you time, as you don’t have to issue a new keycard every time there is a new visitor or employee. It also reduces the number of security issues caused by employees forgetting or misusing keycards and fobs.

Lastly, we would recommend choosing a company with solid customer service in order to quickly clear any doubts that might emerge during installation or during everyday use of the system.

Some other feature-related questions you should consider:

  • Is the hardware IP-based?

  • Is offline mode supported?

  • Is two-factor authentication (2FA) supported?

  • Is lockdown supported? If so, is it at door or place level, or both?

  • What communication channels does it run on (eg: Bluetooth, NFC, RFID, PoE, and others)?

  • Does it support multiple types of authentication input such as mobile apps, remote unlocks, cards, key fobs, and more?

  • Are all access methods offering end-to-end data encryption?

  • Is customer support included?

  • What access restrictions are available (eg: time-based access, role-based access, level-based access, count-based access, and others)?

Overview of Kisi’s product offering

As the highest-rated access control solution, Kisi has secured thousands of businesses across the world, from high-tech companies like Canva to U.S. Air Force facilities.

Our advanced features are setting new industry standards and are built to provide an incredible access experience to both admins and end-users.

Access methods

Elevator Access

Extend Kisi’s cloud-based security to elevator access.


Unlock doors in less than a second by tapping the phone against the Kisi reader.

Mobile App Unlock

Let users access your space by unlocking doors with our mobile app.

Scheduled Unlocks

Set your doors to be open during specific windows of time.

Time-Based Access

Set time restrictions to grant access to both visitors and regular users.

Visitor Link Access

Allow non-Kisi users to access your space using a temporary link.

2FA Mobile Access

Add an additional layer of security by enabling 2FA on mobile unlocks.

Security and access management

Access Groups Management

Create different access groups to automate access sharing and enhance security.

Roles Management

Set different levels of management for your admins:per place, per group, or per door.

Access Restriction

Set granular access permissions and leverage our access group functionality

Automated Provisioning

Automate provisioning with Kisi’s directory integrations.

Event Export

Easily filter and export access events for specific doors, users, or access groups.

Event Log

See and filter access events by time, user, or access groups.

Global Management

Unlimited Doors and Places, all from a single dashboard.

In-and-Out Tracking

Use check-in and check-out functionalities to track ins and outs. (coming soon)

Intrusion Alerts

Set alerts for when a door is held open or forced open.


Secure any door remotely by using Kisi’s lockdown feature.

Remote Access Sharing

Share access with anyone, anywhere thanks to our remote management features.

Remote Management

Validate entries and manage your space remotely 24/7.

Offline Mode

Unlock doors even when your network is offline.

Visual Access Audits

Review and validate door entries with automatic video snapshots(requires cloud compatible camera).

Open API

Developers can use Kisi’s open API documentation (https://api.kisi.io/docs).

Access Teams Management*

Create different access teams to automate access sharing and enhance security across all your places.

SSO for Access Control*

Integrate door access with your SSO provider.

SCIM for Access Provisioning*

Seamlessly keep your user information up to date across all platforms.

* available on Organizations plan

Kisi allows us to have a fluid day, regardless of what office location we're working in, without slowing us down.

Dillon Okner

Head of Global Workplace at Enjoy

Businesses of every size and industry use our hardware and software to secure their space, streamline operations and build a vibrant office culture.

Estimate Quote