Printer Friendly

A Q&A approach.


PLANNING AN ACCESS CONTROL system is a complicated process. A good system should be affordable yet provide trouble-free service for many years. Security managers who are considering purchasing access control systems should examine the following questions before committing themselves to a product or supplier.

How long has the prospective supplier been in the access control business? It is important that the company supplying and supporting an access control system have several years' experience in the access control business. The security manager must be confident that the supplier will be able to provide material and technical support for years to come.

Does the prospective supplier have a network of district offices and distributors that can support the security manager's need? The location of offices is a key issue from a support standpoint. Having the manufacturer's district office or a qualified distributor nearby becomes increasingly important as the user's security requirements grow.

Are the products listed by Underwriters Laboratories (UL) for relevant applications? During the listing process, UL conducts a series of detailed tests that cover electrical safety, environmental and operational tests, and more. When a product is UL listed, the buyer is assured that his or her investment will perform to high standards. The UL standard that is typically applicable to access control is UL-294 (access control system units). This standard primarily addresses systems that "provide a means of regulating or controlling entry into an area or access to or the use of a device by electrical, electronic, and/or mechanical means." Most electronic access control systems that use a card or badge for access would fall into this category.

How versatile are the access cards? Many technologies of access cards and encoding schemes are on the market today. The most common card technologies offered are magnetic stripe cards, barium ferrite cards, Wiegand effect cards, and proximity cards (or tags). Choosing a suitable card can be difficult since all these technologies have definite benefits.

Different types of cards offer differing information-holding capacities and degrees of flexibility. Cards typically contain the following codes:

* Card number. This is a unique number assigned to each cardholder.

* Facility code (site or customer code). This number is both encoded on the card and set in the system. This number ensures that only cards held by company personnel will be accepted for verification by the company's card readers and that cards made by the same manufacturer for a different company will be rejected. It is important to confirm that the facility code issued by the vendor will be unique and not used for any other customer.

* Issue level/issue code. This number is a subset of the card number and allows the same card number to be issued many times without the need to issue a new card number. For example, a cardholder is assigned card number 2345 with issue level 1. For reference, it is referred to as card number as 2345.1.

If the card is lost or stolen, the security staff simply reissues card number 2345 at issue level 2 (2345.2). At the same time, the security system is reprogrammed to accept the same card number with the new issue level. The lost card will be rejected if an access attempt is made at any card readers in the facility. Without the flexibility of issue levels or issue codes, security personnel must issue a different card number each time a replacement for a lost or stolen card is required. Over time, this practice tends to reduce the quantity of card numbers the system has available.

Some cards can contain additional information. Security managers should look closely at the flexibility different vendors offer.

How immune are the cards from alteration, duplication, and reading error? The card technology a security manager chooses is critical if protection from alteration, duplication, and reading error is an issue. It is important to take the time to understand all card technologies. This effort will broaden the security manager's knowledge and ensure that he or she makes the right decision the first time.

The fundamental design of some card technologies is extremely secure. The Wiegand effect card technology is a good example. The security of the Wiegand card is accomplished through the patented processing of Vicalloy wire. Licensed manufacturers of the Wiegand card run the Vicalloy wire through a complicated production process to give it its unique characteristics. The wire is typically embedded into modules that are securely encoded at the factory. The modules are then embedded into card material and laminated to form a finished Wiegand card. The number of production conditions and variables involved makes it almost impossible to counterfeit such a card. Several other card technologies on the market today are also considered secure.

Another method of ensuring against alteration, duplication, or card misreads is called encryption. A card that is not encrypted has card information encoded in a consistent format. For example, the card serial number is followed by the facility code, which is followed by the issue level, and so on. When information is encrypted on a card, the data is typically placed randomly. During the production process, a manufacturer uses an encryption algorithm that scrambles the relationship between the card number, facility code, issue level, and other information and that does so differently for each card.

When encrypted cards are used at a facility, firmware (typically at the reader interface level) includes an algorithm that deciphers the encrypted card information. With a number of encryption schemes, it is virtually impossible for someone to create another card in a series. Ideally, attempts to alter a card's data pattern so as not to have any trace-ability back to the original card number would cause the card to be rejected. However, this feature is difficult to guarantee with cards that use simple data parity checks.

Some encryption techniques ensure that a card will be accepted by the system only if it has been read 100 percent. In these cases, any discrepancy in the card reading should cause the card to be rejected.

Many users concerned about card duplication require that their cards be encrypted and insist that the decrypting of the card be conducted locally (near the door). This practice ensures that decryption is not involved in data communication lines between the remote card reader terminal (door location) and the access control unit or computer.

Another method of protection against alteration and duplication is to encode card information on a microchip. If a secure technique is used, data encoded on the microchip should be either unalterable or reencodable only by the manufacturer with special encoding equipment. This technique is typically found in proximity card technology but is also used in some other technologies.

A personal identification number (PIN) is an added level of security that comes with many card access readers. A card reader with a PIN keyboard usually requires the cardholder to enter a PIN and then present a card. At this point, the reader electronics verify whether the PIN and card number match up exactly. Requiring a correct PIN helps prevent unauthorized access should an access card fall into the wrong hands. Even with a valid card, a would-be intruder cannot gain access without the matching PIN.

Different card/PIN readers offer different features, such as the ability to trip an alarm if a certain number of invalid PIN attempts occur, the ability to reassign a new set of PINs to cardholders, and the ability for a cardholder to send a duress signal to the security office without being conspicuous.

Does the system's design ensure that intelligent access decisions can be made remotely (near the card reader) if the central computer fails or if communications are interrupted? An important feature of an access control system is its ability to provide local intelligence. Local intelligence provides a second level of security by ensuring that if the central computer were to fail, remote intelligent terminal controllers (the second level of security) could make intelligent access control decisions based on information downloaded from the central computer. A remote terminal controller with real local intelligence should also be capable of making an access decision based on stored parameters for each individual card. In addition, the remote terminal controller should be capable of uploading card and alarm transaction histories when the central computer is working again.

The more levels of access control security offered in a system, the better. The example just presented shows two levels of security -- the central controller provides the first level, and the remote, intelligent terminal controller provides the second. In this case, card readers and alarm sensors might be connected directly to the terminal controller. Security managers should investigate whether the system being considered can provide yet another level of security.

A third level could be accomplished through an interface that services a specific door and is connected to the remote intelligent terminal controller. (Several of these interfaces might be connected to one terminal controller.) If the intelligent terminal controller or communications were to fail, this third level should be capable of making an access decision by comparing the facility code (or site code) on the presented access card to the number stored in the memory of the interface.

In addition, the third level should be capable of verifying the PIN against the card (another reason PIN code verification should be conducted at the reader interface level). In some cases this type of interface can substantially reduce cable costs since door lock and alarm sensor devices, card readers, PIN keyboards, and indicator lamps can all be connected locally to the interface.

Before deciding on a system, the security manager should ask a few last questions: How can the vendor minimize telephone line costs when the security system is spread over several sites? Does the vendor offer any form of autodial communications to minimize requirements for leased lines? Can the system cost-effectively grow to meet future expansion requirements? Can the system satisfy any other needs, such as elevator control, parking lot control, energy control, time and attendance record keeping, guard tour control, and interface with closed-circuit television systems?

The suggestions in this article provide some of the basic groudwork for finding an affordable access control system that will not only satisfy today's security requirements but also grow with the security needs of the facility.

Tony wilson is product planning manager for Cardkey Systems Inc. in Simi Valley, CA.
COPYRIGHT 1989 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1989 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:planning an access control system
Author:Wilson, Tony
Publication:Security Management
Date:Jul 1, 1989
Previous Article:Decoding the mystery.
Next Article:The body biometric.

Related Articles
A high-rise solution.
A gallery of security.
A comprehensive approach to workplace safety.
Balancing security systems and procedures.
Facility design that facilitates security.
Integrating EDMS Functions & RM Principles.

Terms of use | Copyright © 2016 Farlex, Inc. | Feedback | For webmasters