How we control access has become a hot topic in the past year as the pandemic has dictated the policies and procedures of who, what, where and when people can be given access to buildings. Access control system providers became infection control experts and COVID-19 became the one and only risk on the register. Many of the overarching principles of access control have been lost in the process. In this article I want to take access control back to principles. These are the principles and objectives that we apply to any access control system design or review. They work for us but in so many systems we review that aren’t followed and that produces risk.
This will not be a step by step guide to access control systems or even an access control framework (the 5D’s is another article) but a look at what we should be aiming to achieve with an access control system
What is access control?
First let’s look at the term itself because it can be misunderstood. Access control is not just about keeping people out. In fact its not even primarily about keeping people out. It is about making sure the right people can get to the right places at the right times. As a by product of that it keeps people who should not be in certain places at certain times out of those places. We do that through controls. Controls are less in the literal sense and more in the risk assessment sense. We use processes, devices, people or barriers as a control to manage free passage. We don’t truly ‘control’ where a person goes. A person with real intent will get through many access control measures with brute force. We do place a control measure to mange the access however as part of an overall security system. Access controls can be divided in a number of categories:
- Physical (doors, walls, gates, barriers, locks and bolts for example)
- Technical (readers, sensors, etc)
- Human (checkpoints)
- Process (systems)
- Electronic (passwords and encryption etc)
A good access control system should combine a range of categories to manage access beyond the control point.
I’m not talking about types of access controls here. I can cover the benefits and differences of DAC, MAC and RBAC in another article.
Objectives of access control
The objectives for the design of access control systems are simple.
- Provide both real and psychological safety for those operating within the controlled area
- Provide access to authorised users to the controlled space
- Prevent access to those who should not have access to the controlled space
- Manage the frequency, time and flow of access to controlled space
- Prevent authorised people from bringing unauthorised objects into or out of the controlled space
Not all systems require all of the above but as minimum I would suggest that 1-3 is critical and 4 and 5 should be considered with each system.
Principles of access control systems are straightforward. When designing a system it should:
- Be risk based and commensurate with a realistic threat assessment
- Fit with the overall security strategy of the site or event
- Involve end users or sample users from similar sites
- Be evidence based
- Have a contingency for response to a breach
- Provide an audit trail to produce evidence of effect
- Be subject to continual review.
The last point is important. Security is generally reactive to threat actors. We don’t know a particular threat vector exists until we catch a poor attempt to execute it. Once we become aware of its existence other occurrences become evident. Like emergency plans we spoke about in a recent article. Access control is like a new car in a showroom. As soon as it becomes operational its value degrades as threat actors see it in operation and learn it flaws. So an access control system is only as good as the learning we take from it over time. No access control will stand the test of time.
In a later article we look at defence in depth (DiD) security systems and look at the 5 D framework as we drill deeper into access control. This week was simply about providing on overview or start point for consideration on your current or planned access control systems.