Access control

Access Control Methods
– Geographical access control can be enforced by personnel or devices like turnstiles
– Physical access control can be achieved through locks, keys, or access control systems
– Access control determines who, where, and when someone is allowed to enter or exit
– Mechanical locks and keys do not provide specific time or date restrictions
– When a mechanical key is lost or unauthorized, the locks must be re-keyed
– Electronic access control uses computers to replace mechanical locks and keys
– Different credentials can be used to grant access in electronic access control systems
– Access is granted or denied based on the presented credential and access control list
– The system records transactions and can alarm if the door is forced open or held open too long
– Two-factor authentication can be used to prevent unauthorized access
– Users can authenticate through something they know, such as a password or PIN
– Users can authenticate through something they have, like a smart card or key fob
– Users can authenticate through something they are, such as biometric measurements
– Passwords are commonly used for verifying a user’s identity
– Another factor of authentication is someone you know, where a trusted person can vouch for the user’s identity
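An added example (not from the original notes or from Wikipedia) of the electronic access control decision described above: a credential is checked against an access control list by who, where and when, a card-plus-PIN second factor is required for one door, every transaction is recorded, and the magnetic door switch drives the forced-open and held-open alarms. All credential ids, PINs, doors and time windows are constructed sample data.

```python
# Added example: minimal electronic access control controller logic.
# ACL entries, doors, PINs and time windows below are constructed.
from dataclasses import dataclass
from datetime import datetime, time

@dataclass
class Rule:
    door: str
    days: set          # weekday numbers, Monday = 0
    start: time
    end: time
    require_pin: bool = False   # second factor: something the user knows

# Credential id -> (PIN, rules). A mechanical key cannot express the
# time-of-day restriction; an electronic ACL can.
ACL = {
    "card-1001": ("4321", [
        Rule("lobby", {0, 1, 2, 3, 4}, time(7), time(19)),
        Rule("server-room", {0, 1, 2, 3, 4}, time(9), time(17), require_pin=True),
    ]),
    "card-1002": ("8765", [Rule("lobby", set(range(7)), time(0), time(23, 59, 59))]),
}

log = []   # transaction record kept by the controller

def decide(credential, door, when, pin=None):
    """Return 'grant' or 'deny' for a presented credential and record it."""
    result = "deny"
    entry = ACL.get(credential)
    if entry is not None:
        stored_pin, rules = entry
        for r in rules:
            if r.door != door or when.weekday() not in r.days:
                continue                      # wrong door or wrong day
            if not (r.start <= when.time() <= r.end):
                continue                      # outside the time window
            if r.require_pin and pin != stored_pin:
                continue                      # second factor missing or wrong
            result = "grant"
            break
    log.append((when.isoformat(), credential, door, result))
    return result

HELD_OPEN_LIMIT = 30   # seconds a door may stay open after a grant

def door_alarm(granted, contact_open_seconds):
    """Door-switch logic: forced if opened with no grant, held-open if
    it stays open past the limit, otherwise no alarm."""
    if contact_open_seconds > 0 and not granted:
        return "forced-open"
    if contact_open_seconds > HELD_OPEN_LIMIT:
        return "held-open"
    return None
```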

Access Control Components
– Access control panel (controller)
– Access-controlled entry (door, turnstile, parking gate, elevator, physical barrier)
– Reader installed near the entry (second reader used for exit control)
– Locking hardware (electric door strikes, electromagnetic locks)
– Magnetic door switch for monitoring door position
– Request-to-exit (RTE) devices for allowing egress (mechanical free egress or electric unlocking on exit)

Access Control System Topologies
– Hub and spoke topology with control panel as the hub and readers as the spokes
– The control panel performs the look-up and control functions
– Serial connection (usually RS-485) for communication between control panel and readers
– Some controllers are placed at the door for edge decision making
– IP-enabled controllers that connect to a host and database using standard networks
– Serial controllers connected to a host PC via RS-485 communication line
– Serial main and sub-controllers with door hardware connected to sub-controllers
– Serial main controllers and intelligent readers with direct connection to door hardware

Access Control System Technologies
– Access Control Systems using Serial Controllers and Terminal Servers
– Access Control System using Network-enabled Main Controllers
– Access Control System using IP Controllers
– Access Control System using IP Readers

Security Risks and Vulnerabilities
– Tailgating is a common security risk of intrusion through access control systems
– Levering a door open is another common risk, but proper security measures can mitigate it
– Natural disasters pose a security risk, requiring structural and equipment considerations
– Security awareness training and active means like turnstiles can minimize risks
– Access control systems include door prop alarms and forced door monitoring to address security risks
– Crashing through cheap partition walls is a common vulnerability
– Breaking sidelights is another vulnerability
– Spoofing locking hardware using a magnet is a simple and elegant method
– Manipulating power to the lock is also possible
– Mechanical key locks are vulnerable to bumping
– Portable card readers can capture card numbers from proximity cards
– Card numbers are sent without encryption, making them vulnerable to capture
– Dual authentication methods, such as card plus PIN, should be used
– Sequential attacks can be used to exploit access control credentials
– Ordering credentials with random unique serial numbers is recommended
– Need-to-know principle ensures that only authorized individuals gain access to necessary information or systems
– User access controls and authorization procedures enforce this principle
– The objective is to prevent unauthorized access and protect sensitive information
– General access control includes authentication, authorization, and audit
– Authentication methods include passwords, biometric analysis, and physical/electronic keys
– Subjects are entities that can perform actions on the system
– Objects are resources to which access may need to be controlled
– Access-control models can be capability-based or ACL-based
– Access control is defined in U.S. Federal Standard 1037C as a service feature or technique used to permit or deny use of the components of a communication system.
– It is also a technique used to define or restrict the rights of individuals or application programs to obtain data from, or place data onto, a storage device.
– Access control can be the process of limiting access to the resources of an AIS (Automated Information System) to authorized users, programs, processes, or other systems.
– It can also refer to the function performed by the resource controller that allocates system resources to satisfy user requests.
– The definition of access control depends on several other technical terms from Federal Standard 1037C.
– Special public member methods called accessors (getters) and mutator methods (setters) are used to control changes to class variables and prevent unauthorized access and data corruption.
– Access control is used in public policy to restrict access to systems (authorization) or track and monitor behavior within systems (accountability) for security or social control purposes.

Sources: https://en.wikipedia.org/wiki/Access_control
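An added example (not from the original notes or from Wikipedia) for the credential-ordering recommendation above: serials are issued from a CSPRNG and checked for uniqueness, and an audit routine flags an issued batch whose numbers run sequentially. The serial field width and the sample batches are constructed assumptions.

```python
# Added example: random unique credential serials and a sequential-batch audit.
# The 24-bit serial width and the sample batches are constructed.
import secrets

def issue_serials(count, used, bits=24):
    """Draw `count` fresh serials from a CSPRNG, skipping any already issued.
    `used` is the set of serials issued so far and is updated in place."""
    issued = []
    space = 1 << bits
    while len(issued) < count:
        n = secrets.randbelow(space)
        if n in used:
            continue                 # never reuse a serial
        used.add(n)
        issued.append(n)
    return issued

def looks_sequential(serials, min_run=5):
    """Flag a batch whose sorted serials contain a run of consecutive values
    of length `min_run` or more; such batches are predictable from one card."""
    s = sorted(set(serials))
    run = 1
    for a, b in zip(s, s[1:]):
        run = run + 1 if b == a + 1 else 1
        if run >= min_run:
            return True
    return False
```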