On our first episode of the Koorsen Fire & Security Chat, we talk with Brian Smith, Director of Security at Koorsen Fire & Security about access control systems.
Access control systems allow you to control and define access to areas within a space or facility. This can be as simple as a card access system for employees to gain access to their office building or as complex as a biometric multi-factor authentication system that prevents unauthorized access to a top-secret laboratory.
In this episode, we introduce you to access control systems, the different types of credentials, how the systems are managed, and how they can benefit businesses of all sizes and in all industries. You can listen to the episode right below or click on your favorite podcast player to listen to it from there.
Subscribe to the Koorsen Fire & Security Chat in your favorite podcast player:
LEARN MORE ABOUT ACCESS CONTROL SYSTEMS
If you’re interested in learning more about access control system solutions, contact the security and access control professionals at Koorsen Fire & Security. Our highly trained technicians can design, install, service and maintain an access control system that fits your business’s exact needs.
Aaron: Welcome to Fire and Security Chat brought to you by Koorsen Fire & Security, where we talk about the technology and equipment used to protect and secure life and property. I'm your host, Aaron Whitaker and today I'm with Brian Smith, Director of Security at Koorsen Fire & Security. Okay Brian. Today's topic ,we're going to be talking about the types of access control systems. And before we kind of dive into types, I guess we should clarify what is an access control system?
Brian: So an access control system, in its simplest term is kind of a defined by its title. It's a system that's going to allow you to control and define access from individuals into certain spaces. Typically within a business or structure. This could also expand into a things like access to documents within a facility or secure server rooms, things like that. Equipment racks.
Aaron: Okay. And as far as access control, I always think of key fobs or those little white cards to get into doors. Is that the only, I guess access...
Brian: That's one method of access controls. So access control exists in your home. An access control is a brass key that goes in a door lock and access control system might be a receptionist at a front desk that's stopping people as they come into to sort out what their businesses and get them to an appropriate place. So you know we talk about access control typically in the industry, it's commonly accepted as electronic access control. So you know, again there's, there's lots of different ways that you can perform access control. So based on your, your needs, your facility, your environment, you may have to decide what is going to be the most cost effective or the most applicable form of access control for your business.
Aaron: Okay! Besides cards and I guess there's keypads is another type?
Brian: Sure. Within electronic access control we can use credentials to identify an individual. So key fobs, cards, id badges are all traditional common ways to provide a credential for an identification, a person. Beyond that, biometrics, fingerprints, facial recognition, iris scanners. There's multiple other vascular hand scanners. There's lots of different levels of security within those types of identifiers. But cards and fobs would probably be the most commonly used credential to identify an individual.
Aaron: So as far as the, like the hand scanners and the fingerprints and iris ones, those are 100% perfect now or I mean I know, I can remember the iPhones and stuff when they first came out with the facial recognition and you could use a picture to unlock someone's phone.
Brian: Yeah, the technology has come quite a ways, especially with facial recognition and iris. I saw some statistics a couple of years ago on iris scanners and they're actually very, very fast. And, there was a statistic, something around the possibility of being hit four times by lightning in the same day before you would get a false or duplicate read on an iris. So they tend to be very secure and something like that is probably more commonly used in a place where you might have a surgery center or a hospital or something where you don't want people touching things. Maybe a surgeon has to wash up before surgery and they've got gloved hands. Obviously a fingerprint's not going to work there. They can't touch an ID or a credential to get into a surgery area. They may use something like an iris scan to gain access to an area.
Aaron: Is there proximity ones too? Like if there's Bluetooth or...
Brian: Sure, any of the cards and credentials are proximity based reads. So you would have in the credential itself a chip that has an antenna attached to it and when you presented within range of a reader, the reader would energize that card by the antenna and that chip would then transmit its data to the reader. And that can take place on a very local level where you have a one inch to four inch read range in the typical handheld, up to several 10, 15 meters and longer in some of the RF technologies or UHF technologies for vehicle readers. If you have a parking garage or something like that, city utilities with a large fleet of trucks may have a long range reader, UHF reader out on their gate so as the trucks proceed in, you know, proceed in they're not hindered by the gate, they can just kind of stream through as they approach. You know, a lot of that is proximity. Obviously, one of the concerns with proximity is because you don't have to touch it to get the information off of it, security becomes more of a factor there. And some of the older technologies, the 26-bit prox, that is no longer a secret, can be manipulated and copied. So when you get into proxy technologies, a lot of times customers are concerned with how do they secure that technology. So you've got a lot of different options on the market now with i-class and DESFire and there's even a new version of DESFire coming out now where they're an encrypted format between the reader and the cards. So even though there's data being transmitted through the air based on proximity, that data's now encrypted and without those encryption keys you wouldn't be able to read it. So that's something that comes into play when you talk about, the most, the highest level of security and a lot of cases like federal government installations, you're going to have a pivclass card. It is contact type card. Much like your credit card is today where you have to insert it in the slot with a chip in it. That chip contains a lot of information on it and it can be programmed to contain as much information as you know the chip will hold,
Brian: And all of that information can be used to validate that, that individual. So it makes it incredibly difficult to copy and incredibly difficult to get your hands on. And to bypass the reader because you do have to physically present an object into the reader. It will read the information on the card and then make a decision as to whether or not you have access there.
Aaron: Another question I had was two factor authentication. Like if you use say a key fob or whatever and facial recognition or some others, is that more common in the the kind of high security...
Brian: One of the most common applications for that would be an elevated level of security. So you may have an office space where employees have access to get into an office and then maybe you have a file room that has patient information in there. That file room may have an elevated level of security on it. So not only might you restrict who has access to that room, but you may also want to authenticate with a secondary measure, either a pin credential, a biometric credential or something of that sort to make sure that somebody didn't drop their card. Somebody else pick it up and use it as, as them. The other place that we see that tend to be used is for perimeter intrusion disarming. So a lot of common requests from our customers is they want the access to control, to also disarm the intrusion system. And one of the fundamental flaws historically with that is if you drop a card in the parking lot, somebody can pick it up and actually gain access to your building and not only gain access but also disarm the alarm at the same time. So that's a practice that you really have to be careful of.
Brian: But by putting a pin authentication on the outside of a building on the perimeter of the building, allows the customer to, or allows the employee to also verify that they are who they say they are with the credential by entering a pin that only they know.
Aaron: Okay, So now we're kind of diving into, now we know what access control systems, especially electronic ones, the types, is there types of access control systems?
Brian: So within electronic access control, I would say there's two primary types of electronic control, maybe three. The third one's kind of a blend of the second, but the first level might be door control. This would be something where maybe you have a small business, a strip center, privately-owned type situation where maybe you have four or five or eight or 10 employees. And rather than handing out brass keys to those employees to gain access to the building, you want to give them an electronic credential. This gives you the ability to remove that electronic credential from the system. But it's kind of an all or nothing type situation. If you get a card, that card works on the system and it works 24 hours a day. It works on all of the doors and it's a very, very simplistic system, but it allows you to recover the keys, so to speak, because you're not chasing down, if an employee leaves, you're not chasing down a physical key. Having to worry about rekeying your locks.
Brian: If somebody, you know, takes a key and copies it, something like that, so you know, there's a cost savings potentially there for the user to deploy what we would call a door control system.
Aaron: So if they leave or lose that key, then you can cancel it out in the system?
Brian: Yeah. You basically log into your software, whatever that is, and then you can remove that credential from the system, but it doesn't give you a whole lot of control about when they can come and what doors they can access and things like that. So it's a very plain Jane kind of application where it's really just to remove brass keys and still allow your employees access to the building.
Aaron: So that would be kind of like the base model or the, the starter package.
Brian: Something at that level is, is probably less common, but certainly an option for customers that don't have a lot of money to put into an access control or a security system.
Brian: But, you know, maybe they're concerned that employee may leave and they may have to rekey their building. It could, you know, a system like that could be less expensive than having to rekey a building once or twice. So that may be of interest to them.
Aaron: So would apartment buildings be common for that? Or is that another level?
Brian: Yeah, that could be a multi-tenant is where you come in with apartment complex, apartment buildings and condos and things like that. And multi-tenant applications are sort of their own entity. They kind of have almost more like a hotel type system. But certainly similar kind of concept with an apartment. Obviously you have the ability to access your unit at any time 24-7, so you're not going to put restrictions typically on an individual like that. So you know that might be a good representation for it.
Aaron: So that's kind of the base model. Basically we're replacing the standard old key with a card access.
Brian: And that just gives you the ability to wipe the credential from the system so they no longer have access. You don't have to chase that key down. The next level up we might consider be like a rule based or role based access control system. And this would be what's commonly accepted as a a traditional access control system. This would be where not only are we handing out credentials, but we also may be through the use of access levels or roles or permissions, be granting or denying people access based on time or based on the door that they're going into. So typical environment, you know, an employee may have access to the office space but they may not have access to the IT rooms. So that would require a rule or a role based access control system where I can assign a role to an individual. Maybe it's based on their title or special requirements that they have within the company. But I would allow them into certain doors and not others. Or maybe I allow them in between Monday through Friday, eight to five, but not after that. So that would be a rule or a role based access control system. I can control with a little more depth where people can go and when they can go there.
Aaron: Is that a software kind of upgrade, is it technology? Or is it the actual locks on the doors?
Brian: Yeah, it's actually not so much the hardware. The hardware is going to be kind of the same all the way through and you're going to have an electrified strike, electrified lever set, or a mag lock or whatever it is that you're securing the door with and you're going to have a reader. It's not really based so much on the hardware. Once you have the hardware in place, then your system can kind of be escalated based on your needs. But to go from a door control system to a rule or a role based type system, it's typically just going to be software. It's going to be a change in software to give you that ability. And then the third, that's kind of a hybrid of that rule role based is what we might call a security system.
Brian: And you, you sort of have to find out from, from your customer what they're looking for in terms of a level of security. So a rule in role based system is great because it allows you to define who goes where or when, but it doesn't always necessarily give you feedback in terms of security. From a security perspective, is that door secure or has somebody forced their way through that door? And not all applications require this, but it's what we would call door position monitoring. And that would involve outfitting the door with a request to exit device, any door position switch or contact. So we'd be monitoring that door through the access system all the time, 24 hours a day, seven days a week. And if the user were to present their card to the reader, it would grant access. You'd be allowed to come through the door.
Brian: But if I were to come up to the door and somehow, jimmy the lock, get around the door, then that door contact would create an event in my access control system. That event then could drive an alarm output. It could drive a notification on my cell phone or any number of factors, but it allows me to not only control who goes where, when, but also make sure that my building is secure and that people aren't forcing their way into areas that they shouldn't be. And then the other aspect of that that's nice is you also then have the ability to do things like door held. So if a, if a door's propped open for a period of time after the card swipe or after the request to exit event, it can also then give me a notification. So I know as a facility manager, my building is not secure. So, you know, it adds that extra level of protection into the solutions that I know, not only are people restricted from going certain places, but nobody's violated the level of security in my building.
Aaron: As far as that goes, Is that more hardware?
Brian: That does require an additional set of hardware because with so far the the door control system and the rule in role based basic system, you're talking about having to install readers and strikes. So you need a reader to read the card, you need an electronic mechanism to release the door so that you can get through it. To do true security access control system, where we're doing door monitoring, you would also have to add a door contact, door position switch to the door, as well as, a request to exit device. That request to exit device may be a motion detector above your door, it may be a button next to your door, but there's something there to signal the egress of an individual through that door so that it doesn't create the alarm. So obviously on the way in, if we're presenting a card, the system knows that somebody has come through that door with a card. On the way out, we really have nothing to tell the system that somebody is legally exiting the building. So there would be a motion detector or something that would be typically automated around the door that would signal, a recognizing signal that somebody's leaving, so that you don't get that door alarm. So that requires a little bit of extra hardware to do that. And a little bit of extra programming typically in the software, but generally speaking, your software solution is going to be the same for a role based and a true security based access control system.
Aaron: And as far as programming, getting into that and assigning roles, who can have access to what? And at what times and all that? Is that something that someone at the business would be able to do? Is it user friendly?
Brian: Well, we hope it's user friendly. If not, we're, we're not doing a great job. Yeah, that's certainly an administrative function of the end user. So, you know, we would always assist them in the learning curve of getting used to their new software. And assisting in setting up some basic rules and rolls and things like that. If they need a particular door to unlock during certain business hours, you know, we would help set that up ahead of time, but then the customer would kind of take the keys from there, so to speak. And they would have the ability to add new roles to the system or access levels, whatever you want to call them. They'd be able to add new cards, remove cards, you know, create time zones and things like that, control their doors manually locking and unlocking, they would have the full permissions to do those functions.
Aaron: And as far as the software goes, can I tell when a certain employee has come into the building? Can I see where they've been throughout the building? Almost a timeline.
Brian: Yeah. Generally speaking, that's one of the major advantages of having an access control system at any level, beyond just simple door control is that you would be able to run reports on that system and see who accessed what, when. So as long as your system is keeping correct time, you would have a time log and a report of any place that they went. And in a lot of cases you would also have an audit trail of who changed what in the programming. So if somebody were to go in and change an access level or a permission for an individual user or an individual card holder, you know, that would typically be be logged as well.
Aaron: As far as costs go, like we replaced the key with a card access system on a a retail store? Where do we typically start to see access control systems as far as key fobs and stuff? As far as the size of a business? Is it cheap enough or is it affordable enough that I could do it at my house or would you see it at a retail store?
Brian: Residential applications are going to be more easily served by using some of the products that are on the market, like a Z-wave type lock or something like that. There are Bluetooth locks and pin entry locks and Z-wave locks and things like that that you can replace your residential grade hardware with to get an access control system on your house that you can control through your phone or locally at the door. Typically where we start to see electronic access control at any of these levels would be small retail all the way up through enterprise, fortune 500 companies. And that's kind of the gambit that runs a lot of your door control solutions. Depending on hardware pricing, it is kind of widespread, I mean, some of these doors, you can electrify a hardware wise for under a thousand dollars and others may take seven or $10,000 to electrify depending on what hardware is there and what it's going to take to get it up to a level of that you can control it.
Brian: But, you know, typically you may be talking about solutions that are 1 to $2,000 a door for a door control type system. You may be talking about 2 to $3,000 a door for a role based basic system. And then for a, what we call a complete door or where it's fitted out with a request to exit device and a door position monitoring switch and things like that, you might be talking about $2,500 to $3,500 a door for enterprise type solutions and higher. So it's probably not something that your average consumer is going to throw in their house at that level, but again, there's a lot of residential options on the market to get a homeowner in control of their doors electronically without having to go to a full fledged software based access control system.
Aaron: Thank you for talking with us about access controls. This ends our podcast. Thank you. if you like today's episode, we encourage you to subscribe to the podcast and rate us on iTunes. You can also find our podcasts on Spotify, Pocketcasts, Google podcast, another popular podcast players. Search for "Koorsen Fire and Security Chat" to find it. Thanks once again for listening and I will see you next week for our next episode of the Koorsen Fire and Security Chat podcast. Have a great day, everybody. Bye. The information in this podcast is for informational purposes only. It is believed to be reliable, but Koorsen Fire & Security assumes no responsibility or liability for any errors or omissions in the content of this podcast. It does not constitute professional advice. The listener of this podcast is responsible for verifying the information's accuracy from all available sources, including the product manufacturer. The Authority Having jurisdiction should be contacted for code interpretations.