Understanding Access Control Systems
The ultimate guide on how to choose, buy and install the right solution
01
What is Access Control?
The purpose of access control is to grant entrance to a building or
office only to those who are authorized to be there. The deadbolt
lock, along with its matching brass key, was the gold standard of
access control for many years; however, modern businesses want more.
Yes, they want to control who passes through their doors, but they
also want a way to monitor and manage access. Keys have now passed the
baton to computer-based electronic access control systems that provide
quick, convenient access to authorized persons while denying access to
unauthorized ones.
Today, instead of keys, we carry access cards or ID badges to gain
entry to secured areas. Access control systems can also be used to
restrict access to workstations, file rooms housing sensitive data,
printers, and entry doors. In larger buildings, exterior door access
is usually managed by a landlord or management agency, while interior
office door access is controlled by the tenant company.
People new to access control may think the system is made up only of
the card and the card reader mounted on the wall next to the door. But
there are a few more parts behind the scenes, all working together to
make the magic that grants access to the right person. That’s what
this guide is about. Reading it will give you a full and comprehensive
understanding of how access control systems work and the language
required to communicate with vendors.
02
Access Control Components
Access control systems aim to control who has access to a building,
facility, or a “for authorized persons only” area. This is typically
carried out by assigning employees, executives, freelancers, and
vendors to different types of groups or access levels. Everyone may be
able to use their access cards to enter the main door, but not be able
to access areas containing secure or privileged information.
For clarity, we divide the components into three groups: user-facing
components, admin-facing components, and infrastructure components.
Let’s dive into the nuances of the three categories.
User facing
The most familiar parts of access control systems are the cards, ID
badges, and, more recently, the smartphone apps that elicit an OK beep
when presented at a card reader and unlock the door. These are also
known as credentials, since they bear the user's data that tells the
reader to grant you permission to be on the premise, or in other
words, that you are an authorized entrant.
Access cards are typically proximity cards that, rather than being
swiped or inserted like credit cards, are held two to six inches in
front of the card reader. The same procedure is followed for phone
apps. The benefit of using credentials is that they are personalized,
so any unlock event can be traced back to the person associated with
it.
Admin facing
The admin-facing side is the management dashboard, or portal, where
the office administrator, head of security, or IT manager sets the
parameters of persons allowed to access the premises and under which
circumstances they can do so. This involves a management dashboard,
often in the cloud, and a way to provision access—such as a card
programming device.
In more advanced systems, the manual operations aspect can be
automated. For example, the provisioning (creating and deleting
access) can be done automatically by connecting the access dashboard
to the company directory of employees. When a new hire shows up in the
system, new access is automatically positioned via an API or
integrating database service like Google Apps, Microsoft Azure, SAML,
or Okta.
Infrastructure
The infrastructure components are the ones that rely on your building infrastructure in order to function. The most obvious parts are locks, but there are other components, such as the controller, server, and cables.
Access Control Locks
Electronic locks are used to electrically unlock the door on which
it's installed. They usually have a wire that powers them. Some
locks will lock when they are supplied with power, while others
unlock when supplied with power. The first ones are known as
fail-safe locks and the second ones are known as fail-secure.
The choice of which to use depends on the area being secured. Entry
doors call for fail-safe locks, since they need to comply with
building codes and fire regulations that call for people to be able
to exit at any time, even in the event of a power outage. IT rooms
should be wired fail-secure because they need to remain locked at
all times, even in the case of emergencies. Fail secure doors also
need to be equipped with electrified push bars to allow people to
exit quickly in case of a fire.
Access Control Panel (or Controller)
Also known as the access control field panel or intelligent controller, the access control panel is not visible to most people in a facility because it's installed in the IT room or the electrical, telephone, or communications closet. The reason for this precaution is because all the locks are wired to it. When a valid credential is presented at the door reader, the panel receives its request to unlock a specific relay, which is connected to the specific door wire.
Access Control Server
Every access control system needs a server where the permissions are
stored in an access database. As such it acts as the center, or
“brain,” of the access control system. It is really the server that
makes the decision whether the door should unlock or not by matching
the credential presented to the credentials authorized for that
door. The server can be a dedicated local Windows or Linux computer,
a cloud server, or even a decentralized server (when the permissions
are stored in the door reader). The server also tracks and records
activity and events regarding access, and it allows administrators
to pull reports of past data events for a given time period.
If a locally-hosted access control server is used, there is
typically a dedicated machine that runs the access software on it.
Managing it requires the administrator to be on-site. Since having
to contend with several local servers can become complicated for
multi-facility management, cloud-based servers are gaining a lot of
traction in this area.
Low-Voltage Cables
Cables are a critical part of access control and can prove to be very expensive if installed improperly, so they should never be overlooked in planning an access control system. When building out space, it's important that all the cables are specified so that the general contractor knows what to do. If the cables are not planned for at this point, they will need to be added in later:This means someone will have to drill into, or lay cables on, all the newly-painted walls.
03
The Importance of Access Control
Beyond the obvious reason of needing an additional layer of security in a facility, there are multiple other reasons why access control—in particular, cloud-based access control—should be an essential part of any business.
Physical Security
Let’s start with the most obvious advantage of access control, which
is security. Installing an access control system prevents undesired
people from entering your building, but not only that! It also makes
sure that other interactions are perfectly regulated, such as visitors
coming to your office or couriers delivering packages for your
business.
Having an access control system also means that you have control over
all areas of your facility and that you make sure that unauthorized
people can’t access archives and server rooms (more to follow in the
next paragraph about compliance).
Compliance
Compliance has been a big driver for companies to switch to access control in recent years. Many security managers, when facing breaches, can encounter trouble if they have not been complying with a series of certifications. Having a certified access control system like Kisi increases your credibility, makes you safer and better protectes against malware and hackers, and ultimately leads to increased revenue. Some examples of cases where compliance flows into the need for an access control system include:
Hospitals, doctors’ offices, and health insurance companies need to comply with HIPAA health data regulations.
Banks, insurance companies, and any business that accepts and processes credit cards are subject to PCI credit card data regulations.
SaaS providers, data centers, or any company hoping to maintain SOC2 cybersecurity standards.
Operations & Visitor Management
Some access control systems integrate with your directories, allowing
for automated user provisioning and de-provisioning. This means that
on and offboarding processes are automatically taken care of from an
access management standpoint. This reduces maintenance and manual
tasks for your admins and also decreases the chances of human error.
As we mentioned earlier, access control also streamlines your visitor
management procedures by ensuring that no visitor has access to your
facility without being previously authorized by an admin. Learn more
about access control and
visitor management here.
IP and Data Protection
Businesses that deal with privileged data and intellectual property, such as software developers, law firms, entrepreneurs, and pharmaceutical companies, need to not only control who comes into their facilities, but also which areas these individuals are allowed to access and when. Modern access systems not only allow granular permissions based on group memberships, but they also provide insights and analytics, which are often required for both business and compliance reasons.
Revenue
Driving revenue is not something that is often associated with access
control and, in general, with security systems. However, evidence has
shown us that our solution is an efficient driver of revenue in
multiple use cases. Having an access control system like Kisi, for
example, can help you to transform your business into a 24/7/365
facility. The efficient security level, mixed with privileged access
for people belonging to your directory, make sure that you can leave
your facility open even when there is no staff checking the entrance.
This leads to more open hours and more revenue, without additional
costs (more about
this use case here ).
Another situation in which access is a revenue driver is the case of
shared workspaces. Having multiple meeting rooms in your coworking
facility can be a burden in some cases. It’s all space that owners are
not monetizing on, and it takes away space for more desks and more
customers. Installing a Kisi reader at the entrance of every meeting
room and adding a paywall can really make you get the most out of your
square footage. This means that members now have to pay a fee to use
phone booths and meeting rooms, and this ultimately leads to more
revenue without additional staffing or marketing efforts. We’ve
written an article about this use case
that you can find here.
User Experience and Authentication
Modern systems allow for a higher degree of security not by adding additional barriers to how users access a facility, but by leveraging technology to offer a smooth access experience combined with higher control on the admin side. 2FA is an example of an advanced feature that ensures all users not only need access to the right credential (an authorized smartphone device), but to also authenticate themselves (by unlocking the phone before being able to unlock the door).
04
Types of Access Control
We have mentioned, at the beginning of the article, the fact that
modern businesses want more and more from their access control system
(and for a good reason). At Kisi, we pride ourselves on being creators
and trying to keep up with the latest developments in technology. This
is why we chose cloud as an infrastructure to work
with, and that is why Kisi is greatly appreciated by customers—but
mostly by admins.
Not all access control systems are cloud-based, and, in this section,
we will go through two main types of technology for access control
systems (cloud-based vs. legacy) and briefly touch upon three models
used by every access control provider: role-based access control,
discretionary access control, and mandatory access control.
Legacy Access Control vs. Cloud-based Access Control
The access control market had been relatively stable for many years,
with companies offering standardized products that relied on the same
technology. This was before the cloud disrupted the industry, creating a
duality of offerings: legacy on-premises solutions (which do not work
with a cloud infrastructure) and cloud-based access control systems.
The clear difference between the two is the usage of the cloud
infrastructure. The latter has a big impact in terms of upfront costs,
maintenance, and features of the two systems. As a matter of fact,
legacy access control systems require a server for
functioning, which implies having to hire a person for the server room
maintenance, higher facility costs, and in general, slower innovation.
A cloud-based access control system, on the other hand,
does not require space when installed and functions immediately after
installation. The main pros are that cloud-based systems allow for
mobile usage and are constantly updated by the service provider. Kisi,
which belongs in this category, launches multiple over-the-air updates
every month.This means that your system will never be obsolete.
We’ve summarized the main differences between legacy and cloud-based
access control systems in the table below.
Legacy Access Control Systems
Requires own server/server room
Higher maintenance costs and need for hiring a professional for doing this maintenances
Fewer integrations
Lower recurring costs but higher upfront costs
Kisi Cloud-based Access Control Systems
Lower upfront costs
Updates regularly by itself (it’s never obsolete)
No need for hiring staff + dedicated customer service
Integrates with multiple software/identity providers/directories
Mobile app and credentials
In case you want to learn more about the difference between legacy and cloud-based systems, feel free to contact us
Access Control Models
Role-Based Access Control (RBAC)
When this paradigm is used, permissions are granted according to roles, and roles are assigned to users. This model is user-friendly because administrators can centrally manage and administer roles.
Discretionary Access Control (DAC)
The user has direct control over all of the programs and files in the system, which is a complicated way of saying one method of access always opens all the doors.
Mandatory Access Control (MAC)
This is the opposite of DAC. When MAC is the paradigm, a policy, hardware component, or software component is used to restrict access. This can be a password or keypad.
05
Access Control Software and Hardware Integrations
Access Control and Video Surveillance Integration
Different access control systems can be integrated with different
software/hardware solutions, and it might be difficult to cover all
the different use cases. We can, however, talk about the main use
cases for access control integrations and how they raise your
facility’s security level.
Kisi, just like other access control systems, has an active
integration with some video surveillance providers. Pairing access to
your cameras can really be an upgrade for your security system and
allow you to match access events from your access control dashboard
with screenshots from the security cameras. Through this, you can
always know who is accessing your door or a picture of who/what is
holding the door open.
Having this system in place will let you expand your security
ecosystem and ultimately make your facility a safer place.
Read more about our
video surveillance solution here .
Directories and Identity Providers
Kisi has integrations with multiple directories and identity providers. The main benefit of this solution is foradmins to save time on maintenance and to automate part of the onboarding and offboarding process, reducing the risk of human error. The principle is that new members that are added to or removed from your directory (could be stored with your SSO provider or your CRM) are automatically added/removed from the Kisi one when they sync. This keeps your office secure and up to date with no additional maintenance required from your admins.
CRM and membership management systems
Particularly important for certain types of businesses, like coworking spaces, fitness facilities, or recreational clubs, integrating access control with an industry-specific membership management system puts access control in the background, as everything is seamlessly managed through the CRM. Such integrations allow, for instance, to automatically revoke access to non-paying users or differentiate access restrictions by membership tier.
Hardware compatibility
Connecting your access control system to a fire alarm panel, an elevator board, or a temperature scanning device may be a requirement for a variety of businesses. Aside from the core features of a system, it is therefore important to also consider compatibility scenarios with the existing tech stack and existing setups in your building.
What to Look for When Choosing an Access Control System
There are several factors to take into consideration when comparing different providers. Below is an overview of some of the main questions you may want to look at, divided into three categories: compatibility, features, and maintenance.
Compatibility
Compatibility is very important when choosing an access control system. Making sure that the system you want to purchase is compatible with your facility can save you a lot of time and money during the installation process. A highly compatible system, like the Kisi one, also makes it easier to maintain the facility and ensure a high level of security. Some compatibility-related questions may be:
Is it compatible with third-party hardware and free from lock-in?
Does it integrate with surveillance and other security systems?
How easy is it to use and configure?
Does it offer an open API?
Features and maintenance
Features are obviously the deal breaker when choosing any type of
security system for your office. What can be more difficult, however,
is understanding which features need to be prioritized in order to
find a solution that not only covers your basic needs, but also saves
you time in the long run.
We recommend that you choose a system based on cloud technology that
gives you multiple unlocking options (not limited to only keycards or
fobs). This saves you time, as you don’t have to issue a new keycard
every time there is a new visitor or employee. It also reduces the
number of security issues caused by employees forgetting or misusing
keycards and fobs.
Lastly, we would recommend choosing a company with solid customer
service in order to quickly clear any doubts that might emerge during
installation or during everyday use of the system.
Some other feature-related questions you should consider:
Is the hardware IP-based?
Is offline mode supported?
Is two-factor authentication (2FA) supported?
Is lockdown supported? If so, is it at door or place level, or both?
What communication channels does it run on (eg: Bluetooth, NFC, RFID, PoE, and others)?
Does it support multiple types of authentication input such as mobile apps, remote unlocks, cards, key fobs, and more?
Are all access methods offering end-to-end data encryption?
Is customer support included?
What access restrictions are available (eg: time-based access, role-based access, level-based access, count-based access, and others)?
Overview of Kisi’s product offering
As the highest-rated access control solution, Kisi has secured
thousands of businesses across the world, from high-tech companies
like Canva to U.S. Air Force facilities.
Our advanced features are setting new industry standards and are built
to provide an incredible access experience to both admins and
end-users.
Access methods
Elevator Access
Extend Kisi’s cloud-based security to elevator access.
Tap-to-Unlock
Unlock doors in less than a second by tapping the phone against the Kisi reader.
Mobile App Unlock
Let users access your space by unlocking doors with our mobile app.
Scheduled Unlocks
Set your doors to be open during specific windows of time.
Time-Based Access
Set time restrictions to grant access to both visitors and regular users.
Visitor Link Access
Allow non-Kisi users to access your space using a temporary link.
2FA Mobile Access
Add an additional layer of security by enabling 2FA on mobile unlocks.
Security and access management
Access Groups Management
Create different access groups to automate access sharing and enhance security.
Roles Management
Set different levels of management for your admins:per place, per group, or per door.
Access Restriction
Set granular access permissions and leverage our access group functionality
Automated Provisioning
Automate provisioning with Kisi’s directory integrations.
Event Export
Easily filter and export access events for specific doors, users, or access groups.
Event Log
See and filter access events by time, user, or access groups.
Global Management
Unlimited Doors and Places, all from a single dashboard.
In-and-Out Tracking
Use check-in and check-out functionalities to track ins and outs. (coming soon)
Intrusion Alerts
Set alerts for when a door is held open or forced open.
Lockdown
Secure any door remotely by using Kisi’s lockdown feature.
Remote Access Sharing
Share access with anyone, anywhere thanks to our remote management features.
Remote Management
Validate entries and manage your space remotely 24/7.
Offline Mode
Unlock doors even when your network is offline.
Visual Access Audits
Review and validate door entries with automatic video snapshots(requires cloud compatible camera).
Open API
Developers can use Kisi’s open API documentation (https://api.kisi.io/docs).
Access Teams Management*
Create different access teams to automate access sharing and enhance security across all your places.
SSO for Access Control*
Integrate door access with your SSO provider.
SCIM for Access Provisioning*
Seamlessly keep your user information up to date across all platforms.
* available on Organizations plan
Kisi allows us to have a fluid day, regardless of what office location we're working in, without slowing us down.