We analyze all the factors to take into account to identify a system that has the most recent developments.
By Alejandro Espinosa*
When an organization installs an access control system, it does so basically thinking about three purposes:
The first is to take care of the physical integrity of people; that is, to prevent them from attacking someone. The second is to protect company information: databases, sensitive material, etc. Finally, it is done to guard the assets of the company, such as electronic equipment or any other good that is saleable.
Thus, different means are used to monitor and control people's access to a facility. Decades ago, lock and key systems were used; however, in addition to being vulnerable, stolen or lost keys represented additional expenses for businesses.
Then, the way the world worked and interacted with technology, and even the way crime attacked, changed, and access control migrated to more robust systems with electronic credentials or biometric identification to grant or deny entry to a building or property.
It is worrying, not to say risky, that in the middle of 2020 many organizations will protect themselves with security systems designed in the last century. For that reason, we will present some recommendations for implementing a modern access control system and its features.
How much should I invest for an access control system?
Before implementing a system, it is necessary to reflect on the needs and cost of the investment. In matters of technology, when the risks are unknown, it is very likely to end up leaning towards the price factor.
It's clear: you can't have high security expectations with little investment. Unfortunately, in the market there are suppliers commercializing outdated and vulnerable technology, which generate confusion in users, which results in economic losses; either because of the vulnerability they represent, because of their after-sales service (some do not even have support in Spanish) or because of the operational problems they generate.
An example of the above idea is readers, in the case of biometrics, if the fingerprint sensor is of low quality, it will not have enough reference points to make a quick authentication, generating queues; and in the case of card readers, they will only accept legacy technologies, without any security, promoting the cloning of cards, a frequent crime in Latin America.
That's why it's important to think in the medium and long term, and analyze the return on investment from the question: what would be the costs of not protecting the data, assets and people of my organization?
A secure system
A secure access control system is one that is end-to-end encrypted, this is achieved, first of all, with an identification technology (biometric or card) that guarantees that it is not duplicable or can be cloned; then with the communication between the reader and the control panel, which must be encrypted and monitored using standards such as OSDP (Open Supervised Devise Protocol), and finally with a software that offers the security levels to keep the database protected, whether it is a client-server solution or in the cloud.
To call a system 'modern' you must first ensure that each of these elements that compose it are safe and that its operation is proven in the market.
To ensure this reliability, technologies that establish, verify, and manage identities must be chosen; that is, that they endorse a complete management of credentials throughout the life cycle of the identification: from the moment the reliability is established until the withdrawal of a credential.
A modern system must have strong multi-factor authentication and not disrupt user workflow or productivity.
Open and closed access control system
There is a belief that, by implementing an access control system with a private label, the organization will feel trapped and will not be able to buy credentials or readers from any merchant.
However, the question would be: how secure is an open system? Well, if that 'freedom' puts the whole system at risk, it would be an illusory benefit and would disarm the entire purpose of the project.
For example, if organizations have open databases: transactions, names, identification numbers, etc., and if apart from the hardware is vulnerable, then criminals can manufacture cards with the data of an employee and the photo of the imposter to enter a building.
To avoid the above, brands that offer protocols and closed inscriptions can be used to increase security; however, it must be clarified that it is not a "total closure", sometimes protocols are created to access the information, all with the aim of protecting the integrity of the data.
What are authentication factors?
For an identification process, whether physical or digital, the identity of the person making the request is verified. That verification can be executed using one or more authentication factors.
Authentication factors can be divided into:
• What I know: the knowledge the person has, can be a PIN, a password or a pattern.
• What I have: the id that an individual possesses to certify that it is him, such as a physical or virtual credential.
• What I am: The person's unique bodily traits that are used to verify identity (biometrics).
To increase the level of security, modern systems implement several authentication factors at access points, combining 'what I have' with 'what I know' and 'what I am'.
On the other hand, it is worth mentioning that one of the biggest trends in recent years is mobile access control, which consists of using a mobile device (a cell phone, a tablet or a smart watch) to access doors, gates, networks, services and other spaces of restricted access.
In addition to the use of mobile devices, which by their nature require at least one authentication factor, this modality represents the commitment to provide comfort and convenience to users, a fundamental pillar in today's access control systems.
It is important to clarify that the application that supports a mobile credential must have cryptographic security, which also prevents an identification from being transferred to another device.
By the way, one of the most frequently asked questions related to this type of system is: what happens when the person loses or has their mobile device stolen? Well, thanks to the system management software, security managers can grant or overthrow identities, in addition to controlling the doors by time, privileges, level of access, etc.
When the system uses an extra identity management platform, the privileges of both platforms must be removed, although currently the market offers cloud management software that can already link both platforms.
How to ensure a long service life of access control systems?
Finally, when we talk about useful life in access control, the most important thing is to regulate the voltage of an installation. Controlling that the system has a regulated energy is synonymous with guaranteeing a long service life of the system.
That is why it is recommended to have voltage regulators, power supplies and backup batteries for the readers and the control panel: to withstand electrical failures and voltage peaks. This is crucial when the energy returns after a fall, since it comes back very strongly, and that is when the systems are damaged.
On the other hand there is the dust factor. The recommendation is to have control panels with perfectly sealed cabinets. In this way, the useful life of this equipment is also guaranteed.
* Alejandro Espinosa, Sales Director of the Physical Access Control Business Unit for Northern Latin America at HID Global.
