Monday 12 November 2012

Access control

Historically, security has been the bane of many company executives, as it is sometimes difficult to justify the costs against the potential risks. However, with Health and Safety legislation, together with good-practice Business Continuity Planning, the protection of people, buildings and intellectual property has become a board room issue. Usually physical security matters are the responsibility of the security department, whilst network or computer security sits with the IT director. Seldom do these two departments have the same reporting line, objectives or business requirements.
However, times are changing, and more and more large corporations are seeing the benefit of combining physical and logical security in a number of ways. With IT networks becoming more robust and bandwidth issues a concern of the past, it is easier to use the LAN as the communication bus for the security data of both buildings and PCs. This approach enables huge savings on installation and future maintenance costs.
Controlling access to a facility can be complex. Staff require access to the right facilities at the right time whilst keeping unauthorised people out. Controlling access to computer systems can also be challenging. Staff need access to the right applications without being burdened with an “over the top” password system whilst also keeping unauthorised people out. Similar goals, very disparate systems.
Future access control systems, whether they are for physical or logical access, need to be flexible enough for the multi-function environment we work in today and be able to control access to data ranging from “public” to the highly sensitive. It is imperative that companies adopt an approach that will enable an overarching access control strategy that can utilise a variety of authentication methods (cards, PINs, biometrics or a combination thereof).
 
 
Controlling access to a computer system has historically relied on a password. For most people, a password is simply a spouse’s name, favourite food, song title or pet’s name and can easily be broken or deciphered. Physical access control is often worse, in that it frequently employs a simple unencrypted mag-stripe or prox card which, if lost or stolen, can easily be used by unauthorised persons. Both the physical access control and the computer systems need a cost-effective and appropriate level of security. The good news is that this can be achieved by using a smart card.
But, choosing the right card is vital. It should be:
  • A card that can be personalised.
  • A card that is easy to use.
  • A card that is easy to manage.
  • A card that can be implemented on current applications and supports future requirements.
In short, one card that is capable of being used in many ways, such as access control, time and attendance, computer and application logon, or storage of personal data for e-cash payments.
 
 
A card that is secure
In order to combine “physical” access and “logical” access, the most appropriate token is a contactless smart card. This allows a user to “show” their card to the reader; the reader reads the card’s credentials and passes this information on to the back-end system, which holds that individual’s access rights. There are no contacts to wear or get damaged on the card or reader, which means a longer life for both card and reader, adding further savings.
 
 
As with all technologies there are a variety of solutions on the market, ranging from the cheap and cheerful to the extremely complex. Ascertaining the right solution for your specific requirements is often a daunting experience. Options range across secure or non-secure cards, reader types and the data communications between them. Choosing the right solution is critical to your company’s ability to ensure a return on the capital invested. It is important to ensure that the card or system you choose complies with existing ISO standards. For instance, ISO 14443 and ISO 15693 are standards that define contactless read/write cards capable of storing a variety of data sets and operating over defined distances.
 
 
If a smart card is used to store user information, it should provide enhanced privacy: the stored information is owned by the user, and the user has control over access to it. Adherence to standards also helps ensure that the system you choose adopts an open standard and does not operate in a proprietary format. It is also important to ensure that your chosen solution is fully scalable and simple to upgrade, allowing cost-effective changes. Key areas of the business may need stronger user authentication, where proof of identity is required as well as possession of a smart card; in this case the system should be able to use a combination of a smart card and a biometric. Examples of such areas are the computer centre or a bank vault.
 
 
Biometrics is a way of identifying, or verifying the claimed identity of, a person automatically by using either their behavioural or physiological characteristics. Most systems don’t have the luxury of being able to monitor a person’s behaviour over a period of time, so their physiological characteristics are used, e.g. a fingerprint, face or iris scan. Adding a biometric identifier ensures that the correct user and card must both be present, so eliminating the possibility of shared cards.
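As an added illustration (not code from the original post), the following shows how the back-end described above might combine a card registry, per-area factor requirements and the holder's access rights into a single decision. All data is constructed; the reader is assumed to report whether the PIN matched the card and which enrolled identity the biometric template matched.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Card:
    card_id: str
    holder: str
    revoked: bool = False  # set when a card is reported lost or stolen


@dataclass(frozen=True)
class AreaPolicy:
    sensitivity: str
    required_factors: frozenset  # any of "card", "pin", "biometric"


# Constructed sample data: issued cards, per-area policies and access rights.
CARDS = {
    "C1001": Card("C1001", "alice"),
    "C1002": Card("C1002", "bob"),
    "C1003": Card("C1003", "carol", revoked=True),  # reported lost
}
POLICIES = {
    "lobby": AreaPolicy("public", frozenset({"card"})),
    "office": AreaPolicy("internal", frozenset({"card", "pin"})),
    "computer_centre": AreaPolicy("highly_sensitive", frozenset({"card", "pin", "biometric"})),
}
RIGHTS = {"alice": {"lobby", "office", "computer_centre"}, "bob": {"lobby", "office"}}


def decide(card_id, area, pin_ok=False, biometric_subject=None):
    """Return (granted, reason). pin_ok: the reader verified the PIN against the
    card. biometric_subject: the enrolled identity the biometric matched, or None."""
    policy = POLICIES.get(area)
    if policy is None:
        return False, "unknown area"
    card = CARDS.get(card_id)
    if card is None:
        return False, "unknown card"
    if card.revoked:
        return False, "card revoked"
    presented = {"card"}
    if pin_ok:
        presented.add("pin")
    if biometric_subject is not None:
        # The biometric must match the registered holder of this card, not just
        # any enrolled user: this is what defeats a shared or borrowed card.
        if biometric_subject != card.holder:
            return False, "biometric does not match card holder"
        presented.add("biometric")
    missing = policy.required_factors - presented
    if missing:
        return False, "missing factor(s): " + ", ".join(sorted(missing))
    if area not in RIGHTS.get(card.holder, set()):
        return False, "holder has no rights for area"
    return True, "granted"
```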
