There are a number of reasons that companies wish to keep their office secure, from employee safety to document security. No company wants to be the one plastered on the news because there was a breach in security and sensitive information of clients was stolen or leaked. That kind of catastrophe can sink a brand. More importantly, no one wants to be responsible for any sort of violence that could be avoided by monitoring and restricting those that are in the building. The sad reality is that we live in a time when people will hurt others with and without cause.
One of the first steps in keeping unwanted intruders out of your office is installing an access control system. Access control systems are quickly becoming a staple in many offices around the country for reasons other than just safety. Of course, their primary function is to allow access only to those designated for access. However, many systems offer supplementary benefits that may not be obvious at first, such as monitoring the times that people are in and out of the office for payroll purposes. It comes in handy to know who is in your building and when they are there.
Whatever your reason for purchasing an access control system, you’ll need to decide how in depth you want your system to be. Access control ranges from relatively simplistic fob swipe systems to multifaceted employee recognition systems. Not every company is going to need every aspect of access control. You want to ensure that you are providing a sufficient level of security without purchasing a bunch of bells and whistles to augment the system that provide little real benefit.
Security is Layered, Like an Onion
A layered security approach refers to the idea of providing multiple obstacles for a would-be intruder to traverse before a breach is possible. Take your home for example. A thief may need to simply open a window and sneak in. That’s a single layer of security. Add a fence, and the thief must first hop the fence before reaching the window. Two layers of security. Perhaps you have a sun room. Now the thief must hop the fence, break into the sun room, and then get through the window before they are a threat. Meanwhile, there is more time added for a neighbor to notice what is happening and call the police.
The same idea applies to your company. The more sophisticated your access control system, the tougher it is for intruders to get by. This is called multi-factor authentication. Single-factor authentication relies on something that a person has, knows, or is: a person has a card to swipe, a person knows a PIN to enter, and a person is Jonathan Blackwood, and Jonathan Blackwood’s fingerprints cannot be duplicated. Two-factor authentication combines two of these factors, such as requiring a card swipe and PIN entry. Three-factor authentication combines all three. Additionally, there is two-man authentication, also known as an escort. This requires two separate users to get into a secure area, where neither may enter alone. A digital certificate may also be installed in a smart card or USB. These work in the same way a driver’s license would for a police officer. If an employee who is no longer with the company still possesses their card or fob to enter the building, a certificate check via public key infrastructure (PKI) would reveal that this employee is a security risk and bar access or inform the proper person.
“Security professionals use the term ‘defense in depth’ to describe any case in which two or more controls are used to provide redundant protection of an asset,” writes Peter H. Gregory, CISA, CRISC, CISSP, DRCE, in HID Global’s ‘Advanced Physical Access Control for Dummies,’ a whitepaper that outlines access control security information. “If any one of the controls fails, the asset is still protected because the other controls continue to protect it.”
Pick a Card, Any Card
There are several types of entry cards that can be used for access control. The simplest is a magnetic strip card. These employ little security to protect the card’s data and can be easily read and cloned. Probably not the best device for office security. The most common worldwide is a proximity card. Proximity cards contain a computer chip that receives radio frequency energy from the reader, and its processor transmits the card number to the reader. These cards do have limitations, however. They transmit at a low, limited frequency range and lack additional security features such as two-way communication, memory space, and processing power for other applications. The data is also transmitted unencrypted, leaving it more susceptible to attacks.
Smart cards are some of the newer technologies in the access control industry. These can be contact or contactless smart cards. A contact smart card contains an embedded microprocessor chip. These are most often used for logical access – secure computer log-on, data encryption, or document signing if PKI is involved. A contactless smart card is essentially a mini-computer. It holds a microprocessor, memory, software programs, security, and more. It gets its power from electromagnetic radio waves from the reader, similar to proximity cards. Custom card number formats can be used to lengthen the standard 26-bit format. This adds a layer of security, but make sure that your reader can manage custom or nonstandard formats.
Smart cards offer a faster, more-capable processor, more memory, rewritable and lockable memory, the ability to store and run software applications like cashless payment or secure log-on to computers, and the capacity to hold applications like biometric data. They are more secure than proximity cards because they are built in ways that make it difficult to extract data. Also, their over-the-air data communication is encrypted and more secure. Surprisingly, they are about the same cost as a proximity card would be.
Read Me a Story
Aside from the card, there are a number of considerations that go into the reader that will allow access. Be wary of CSN readers. They simply read the card serial number and then pass the data along for a yes/no decision. A CSN reader is no more secure than a proximity card, regardless of what type of card you are using. Mutual authentication allows for a two-way dynamic between card and reader by using symmetric encryption. In these types of systems, the card and reader must first establish that each knows a shared secret encryption key before any real data is shared.
Some security vendors will use a single encryption key for all their customers. This isn’t what you want. Choose a vendor that is able to issue a unique encryption key for each customer to ensure maximum security. The same goes for manufacturers providing your cards. Some manufacturers store the same encryption key in all of their cards, meaning if a single card has the encryption key extracted, all cards in the corporation may be compromised. A manufacturer that uses diversified keys, ideally using a publicly scrutinized algorithm such as DEA or AES, is best. Additionally, it is important that the manufacturer offers the ability to roll, or change, the encryption keys stored in readers and cards. This can help regain security if a key compromise occurs.
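The difference between a CSN reader and mutual authentication with diversified, per-customer keys can be shown in a short model. This is an added example, not code from the article or from any vendor's product; it uses HMAC-SHA256 from Python's standard library in place of the AES-based schemes real cards use, and the class names, keys and serial number are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def diversify(master_key, csn):
    """Per-card key derived from the customer's master key and the card serial number."""
    return hmac.new(master_key, b"card-key|" + csn, hashlib.sha256).digest()

def prove(key, role, challenge):
    """Proof of key knowledge; the role label keeps a proof from being reflected back."""
    return hmac.new(key, role + challenge, hashlib.sha256).digest()

class Card:
    def __init__(self, csn, key):
        self.csn, self._key, self._nonce = csn, key, b""

    def respond(self, reader_challenge):
        self._nonce = secrets.token_bytes(16)  # the card challenges the reader in turn
        return self.csn, prove(self._key, b"card", reader_challenge), self._nonce

    def accept_reader(self, reader_proof):
        expected = prove(self._key, b"reader", self._nonce)
        return hmac.compare_digest(reader_proof, expected)

class Reader:
    def __init__(self, master_key):
        self._master = master_key

    def authenticate(self, card):
        challenge = secrets.token_bytes(16)  # fresh per attempt, so replies cannot be replayed
        csn, card_proof, card_nonce = card.respond(challenge)
        key = diversify(self._master, csn)   # reader recomputes this card's key
        if not hmac.compare_digest(card_proof, prove(key, b"card", challenge)):
            return False                     # right serial number, wrong or missing key
        return card.accept_reader(prove(key, b"reader", card_nonce))

def csn_only_reader(allowed_csns, card):
    """The CSN reader described above: serial number in, yes/no out."""
    return card.csn in allowed_csns

# Constructed sample data: two customers' master keys and one card serial number.
MASTER_A, MASTER_B = bytes(range(32)), bytes(range(32, 64))
CSN = bytes.fromhex("04a1b2c3")
genuine = Card(CSN, diversify(MASTER_A, CSN))
copied = Card(CSN, secrets.token_bytes(32))  # same serial number, no valid key

if __name__ == "__main__":
    print("CSN reader accepts copied serial:", csn_only_reader({CSN}, copied))
    print("Mutual auth accepts copied serial:", Reader(MASTER_A).authenticate(copied))
```

Because each card key depends on both the master key and the serial number, a key extracted from one card does not open another card's credentials, and a reader provisioned with a different customer's master key cannot authenticate this customer's cards.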
Exit readers can also come in handy, not just for security purposes. With this type of system an employee must badge in and badge out each day. This way the system can track or limit who is in the building at any given moment. This aids in being able to monitor all of the personnel on premises in case of an emergency, and also allows payroll to pay attention to who is putting in their full time each week.
“If you require card-in and card-out, through the software you can do what is called time in attendance,” says Greg Birman, Service Manager for Xentry Systems Integration. “They can utilize that for payroll – when someone got in and when someone got out – or as a way to audit salary employees to make sure you’re getting your 8 hours a day out of them.”
There is much more that can potentially go into access control, but a security provider will be able to answer the advanced questions. To start, however, make sure you know what degree of layered security you want, how sophisticated you want your cards to be, and ensure that your reader will use mutual authentication. Soon enough you’ll be sleeping soundly knowing that your office is secure.