Risk Management: Upgrading the Approach to Access Control

‘If it ain’t broke, don’t fix it’ is a mantra that often describes the best course of action for many situations in life, writes Nick Smith. It’s a phrase that’s probably best suited to something like a bookcase or an oven, but it also often describes the approach taken towards physical security and, most notably, access control. For many, access control is viewed as something that’s purely functional. Something that lets them in and out of a building or grants entry to a site. It ticks along day-by-day and year-by-year and goes largely unnoticed. Access control is seldom considered for an upgrade, but unbeknown to many it’s a treasure trove of data that can be used by administrators or exploited by malicious actors.

The traditional access control system is essentially just a digital lock and key for a door. A sensor reads an input signal from a key card or number pad and, if that information matches, the door is unlocked. As technologies have grown more sophisticated, access control systems have become more feature-rich. They’re now capable of permitting or restricting access to certain personnel at certain times, or they’re able to keep a log of comings and goings.

As the Internet of Things has grown in prevalence, so too has its integration within access control, but therein lies the issue. The moment that a device is attached to a network, it becomes an access point to anything on that network and exposes both the network and the device. You could have an incredibly secure server with top-of-the-line protection and protocols, but a panel on the front of a building that’s not secure affords hackers a way in.

Simply put, a key card reader is the most vulnerable point in a physical security regime. It’s the one point where the outside world has an input into the network inside. A poorly set up wall reader can give hackers an ‘in’ – either through manipulation or brute force. From there, they will then be able to dig around the network and potentially steal data, infect it with malware or hack into other security systems in order to perform covert surveillance without the administrator even knowing.

Keeping the hackers out

You might say that you’ll forego the connectivity of an access control system to the Internet and just opt for one that feeds directly into the door and nothing else. To that I’d say these systems are arguably more vulnerable. With a network-attached reader, it’s possible to keep it up-to-date with the latest security protocols (more on that anon), but a purely local system can be a cakewalk to hack.

In fact, a hacker can easily create a duplicate card for under £100. A small and inexpensive Bluetooth attachment can be installed in any card entry system using the Wiegand protocol (the most widespread protocol for proximity card reader systems) in under one minute. Any data read by the wall reader can then be transferred to a nearby device like a mobile phone or a laptop. In practice, someone could walk up to a wall reader, install this set-up in a few seconds, hang around near the door until someone scans in and then go away to produce a replica card using the stolen data.

At that point, it’s only up to the imagination as to what happens next. What’s more is that, due to the access control system being isolated in this scenario, it’s impossible for administrators to have any kind of insight into how it’s being used (or abused).

The above example could involve any kind of keypad, network-attached or not. However, when an access control system is part of a wider network it’s easier to upgrade, update and improve upon existing components rather than the ‘rip and replace’ approach that has traditionally been commonplace. ‘Rip and replace’ is often the easy answer when modernising, but it isn’t the most cost-effective or reasonable approach. It’s a dramatic contrast to the ‘If it ain’t broke, don’t fix it’ school of thought and one that’s equally ill-advised.

Questions to be asked

Many security vendors can actually work within the parameters of older access control and video surveillance systems and encourage an approach of incremental and regular upgrades. When considering whether to continue working with an existing access control system or upgrade, there are several questions that should be asked. These should include whether the system is still being installed and used around the world, whether anyone is still buying it, whether the company is investing in development and holding on to its installed base and if the hardware is open and able to integrate with more modern systems. Of course, the system’s security must also be considered.

End-to-end encryption should be a requirement for any access control system. By encrypting the data between the card and the reader and the reader to the server, you can ensure that communications are secure and synced between client and server apps as well as door controllers. Not only does this mitigate the earlier example of cheap external ‘tech’ intercepting the data between the wall reader and the server, but it also serves to protect the rest of the network as well. There are many benefits to end-to-end encryption (probably too many to list here, in fact), but generally speaking it’s an effective and relatively easy way to ‘keep your own house in order’ and protect your organisation from outside threats.
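To make the mitigation concrete, here is an added example (not from the original article or from any vendor's product) contrasting a static credential frame with a reader-to-controller message that carries a keyed tag and a counter. The message layout, class names and key are assumptions, and the sketch uses HMAC-SHA256 from the Python standard library as a stand-in for a full encrypted channel: it authenticates frames and rejects repeats but does not hide their contents.

```python
import hashlib, hmac, struct

BODY = struct.Struct(">HQI")   # reader id, message counter, card number (assumed layout)

class LegacyController:
    """Static credential: the same bytes open the door every time."""
    def __init__(self, enrolled):
        self.enrolled = set(enrolled)
    def accept(self, frame):
        return int.from_bytes(frame, "big") in self.enrolled

class Reader:
    def __init__(self, reader_id, key):
        self.reader_id, self.key, self.counter = reader_id, key, 0
    def frame(self, card):
        self.counter += 1                     # every read gets a fresh counter
        body = BODY.pack(self.reader_id, self.counter, card)
        return body + hmac.new(self.key, body, hashlib.sha256).digest()

class Controller:
    def __init__(self, enrolled, reader_keys):
        self.enrolled, self.keys, self.last = set(enrolled), dict(reader_keys), {}
    def accept(self, frame):
        if len(frame) != BODY.size + 32:
            return False
        body, tag = frame[:BODY.size], frame[BODY.size:]
        reader_id, counter, card = BODY.unpack(body)
        key = self.keys.get(reader_id)
        if key is None:
            return False                      # unknown reader
        if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
            return False                      # forged or altered frame
        if counter <= self.last.get(reader_id, 0):
            return False                      # stale counter: a repeated capture
        self.last[reader_id] = counter
        return card in self.enrolled

def demo():
    card, key = 0x00ABCDEF, b"constructed-demo-key-do-not-use!"   # constructed values
    legacy = LegacyController({card})
    tapped = card.to_bytes(4, "big")          # bytes an intercepting device would record
    reader, ctrl = Reader(7, key), Controller({card}, {7: key})
    captured = reader.frame(card)
    return {
        "legacy_replay": legacy.accept(tapped) and legacy.accept(tapped),
        "first_use": ctrl.accept(captured),
        "replay": ctrl.accept(captured),
        "forged_tag": ctrl.accept(captured[:BODY.size] + bytes(32)),
        "next_read": ctrl.accept(reader.frame(card)),
    }
```

The legacy controller cannot tell a repeated frame from a genuine read, while the authenticated controller accepts each frame once and refuses anything without a valid tag.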

Upgrading your access control is not just about shoring up security. There are a great many benefits of migrating to an IP-based access control system. Access control doesn’t just stop at the front door. Using smart analytics and the data of the access control system, administrators can do everything from managing the flow of people in public spaces to tracking the attendance of employees. IP-based access control systems also make it easier to synchronise cardholders across different locations, meaning that users can be issued with one single card to access multiple sites.

Who says that access control just means doors? Security systems have typically been working with doors, but more modern approaches and technologies have seen systems open up to a wide range of other security needs as well. Examples include securing server racks, medicine cabinets and retail display cases.

Taking this notion one step further, an access control system can complement time and attendance systems as a means of ensuring Human Resources compliance, as well as monitoring traffic-dense areas to enhance efficiency.

Integration: a key consideration

There should also be serious consideration put into how access control is integrated with other security systems. With such a system, all access control events, alarms and reports can be synced with recorded and live video. This would make it much easier to keep track of any incidents such as break-ins, which are then able to be managed by restricting access immediately.

An example of this in practice might be someone with a stolen card breaking into an office at night. The security administrator will be alerted to unusual activity, be able to see what’s going on with their smart phone or tablet and then, remotely, lock all the doors and restrict access (even for a card that has the appropriate credentials).
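The night-time scenario above can be expressed as a detection rule over the access log. The following is an added example, not code from the article or from any product: the log format, card and door names, thresholds and the automatic lock (standing in for the administrator's remote action) are all assumptions, and the events are constructed.

```python
import csv, io
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, card, door, controller decision.
EVENTS = """\
2024-03-04T08:55:00,C1001,front,granted
2024-03-04T17:40:00,C1001,front,granted
2024-03-05T09:02:00,C1001,front,granted
2024-03-05T13:15:00,C1002,server-room,granted
2024-03-06T08:47:00,C1001,front,granted
2024-03-07T02:13:00,C1001,front,granted
2024-03-07T02:19:00,C1001,server-room,granted
2024-03-07T09:00:00,C1002,front,granted
"""
SITE_HOURS = (7, 19)   # assumed fallback working hours
MIN_SAMPLES = 3        # assumed minimum history before trusting a per-card window

def parse(text):
    return [(datetime.fromisoformat(ts), card, door, result)
            for ts, card, door, result in csv.reader(io.StringIO(text))]

def usual_window(hours):
    """Per-card hour window with a one-hour margin, or the site default."""
    if len(hours) < MIN_SAMPLES:
        return SITE_HOURS
    return (min(hours) - 1, max(hours) + 1)

def review(events, baseline_until):
    """Learn usual hours before baseline_until, then replay the later events."""
    history = defaultdict(list)
    for ts, card, _, result in events:
        if ts < baseline_until and result == "granted":
            history[card].append(ts.hour)
    alerts, locked, outcomes = [], set(), []
    for ts, card, door, result in events:
        if ts < baseline_until:
            continue
        low, high = usual_window(history[card])
        if card in locked:
            outcome = "denied (card locked)"      # valid credential, still refused
        elif result == "granted" and not low <= ts.hour <= high:
            alerts.append((ts, card, door))
            locked.add(card)
            outcome = "granted, alert raised"
        else:
            outcome = result
        outcomes.append((card, door, outcome))
    return alerts, outcomes

ALERTS, OUTCOMES = review(parse(EVENTS), datetime(2024, 3, 7))
```

The 02:13 read falls outside the card's learned window, so it raises the alert and locks the card; the 02:19 attempt on the server room is then refused even though the credential itself is valid.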

Nick Smith

Access control systems can become very feature-rich, but it’s vital that they’re not overly complicated. The operator experience should always be front of mind. If a system’s too complex, it will lead to human error and confusion. Modern access control solutions must commit to focusing on the operator’s perspective, empowering them through a unified and dynamic approach towards security and access rights management. This will ensure that, in the event of crisis situations such as those described above, the operator has a clearly defined and simple way of neutralising threats at a moment’s notice.

Access control is the first point at which physical hackers come into contact with your business. An outdated system with easily identifiable poor credential verification is putting out a welcome mat for criminals. Across all industries, it’s vital that access control is taken seriously and not ignored. A good access control system can save money, improve security and provide a great deal of added value for the host organisation.

Nick Smith is Regional Sales Manager at Genetec

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
