Shopping for Building Access Security?

JoeCommodore asks: "At work we are planning a new facility, which will combine a lot of departments into one bigger building. We think it may be time to forgo analog key access and go with access cards (or something like it) for physical security. I could see the benefits (we don't have to collect keys and re-do locks on staff turnover, selective room access, access logs, and so forth). Beyond this, we are pretty clueless on the ins and outs of such systems, so I am asking those of you who have had to shop, install, administer, or even just regularly use such systems, what are your thoughts, recommendations, or opinions? This is pre-building so we can do just about anything within reason."

Go With Simple

[Jah-Wren Ryel]

Don't let any salesmen convince you to go with some fancy-dancy biometric system. Most of the affordable ones don't work for shit. Like you can spoof some finger-scanners by using a gelatin mold based on fingerprint left behind by the last guy to go through. Or spoof retinal scanners simply by taking a picture of the real person's eye, poking a hole through the iris part and then holding it up in front of your eye. The list is quite long and really kinda absurd how easily so many systems can be defeated

Re:

[Jah-Wren Ryel]

And the amazing thing is that you can do all that with security looking on.

If you have to hire a guard to stand there and watch each biometric scanner to make sure no one is trying to game it, then why even buy a system in the first place?

Don't think you can get away with centralized monitoring either, a guard on the other end of a camera and a little monitor will never even notice either of the two spoofs I mentioned, nor a host of others.

RFID based?

[slidersv]

General access at our work use have contact-less (?) cards that every single employee has. I really like the system since the card is the size of the standard credit card (not fatter) and works over the distance of about 10-15 cm, and not being blocked too much by the surroundings (e.g. deep inside the wallet) so i can keep it in there all the time.

The card is assigned a unique number (which can probably be linked to username in Active Directory or the likes), and all cards are administered in groups by

Re:

[Rellon]

Most of the systems that I've installed, managed and used were a variation upon this theme. They were all contact-less NON-RFID cards that also served double-duty as ID badges. That proved pretty handy as they were always visible and easy to use when mounted to a retractable cord. The wiring system is rather simple as it's simply a serial connection (for the older systems) but requires home runs to the controller.. I've seen newer systems that use POE and are IP based which simplifies installation somew

Re:

[T-Ranger]

Contactless but non RFID? What then, telepathy? These magic little non-RFID cards just willed the doors open?

Re:

[jrockway]

RFID is a specific technology. Some contactless cards have smart crypto chips in them, so they do actual challenge-response authentication. RFIDs just say "I'm 12837345" whenever they are powered up. (Search google for spoofing RFID cards. It's trivial these days to "record" someone's RFID card, and then "play it back".)

Re:

[T-Ranger]

No. RFID is radio frequency identification, which is vague and meaningless. Some RFID tags are RO, some RW, some more complex IO. Some have crypto/hash capabilities. However, they are all RFID.

Consider the one paragraph breif on the TI RFID Compact Series Digital Signature Wedge Transponder DST+ [ti.com]

This new generation of secure RFID transponder provides additional levels of security. In addition to the proven TI encryption known from the DST transponder, mutual authentication increases security and sophis

Re:

[jrockway]

The TI site is talking about RFid, not RFID. Two different things :) RFID is generally accepted to mean dumb tags that you stick on products in stores. Now people are using them for building access, transit system fare collection, etc. In the end, though, "RFID" means dumb. That's what the D stands for :P

> So, Im still curious. Since your non-RFID access cards can just will doors open, does that mean that your locks just will the doors closed? Do the elevators in your building need wire rope, pullie

Re:

[John Harrison]

there are different standards for radio induction systems. Look up ISO 14443 and ISO 16593 (I believe). Many building security systems use MiFare cards. The chips are produced by Philips and are considered contactless smart cards rather than RFID by those in the know.

Re:

[jonwil]

At once place I worked, we had much the same thing except the ones we had were also ID badges and had to be displayed.

Re:

[IpSo_]

Yes, the contact-less RFID or similar cards are very handy.

Especially in areas where people are often carrying stuff, like datacenters and storage areas. In these areas place the readers at hip/waste height as close to the door frame as possible and turn the sensitivity up. This way when you're carrying a server in to the locked server room you don't have to pull the card out, just leave it in your pocket and walk on by, using your back or foot to open the door once it is unlocked.

Remember the POWER OUTAGES

[jackb_guppy]

Once you lock the doors with electronics remmeber power outages can and will hurt. Also your security is right out the window (door in the case!).

Plan for no power to power the locks.

1) One company, they planned for power outages, by placing the key control computer in a closet, with its own UPS. The day the building went dark (failed breaker) the key control was working find, the servers were on their own UPS. Every desktop was down; the wireless routers and inter-floor routers/switches were down; OH the doors to server were locked - NO power open them. We all could see in the computer room though the big glass window as the equipment started to hardfail.

2) At another company, once the power fails, all doors are opened and blocked with a chair to allow employees and anyone else though. All the video cameras are offline along with every switch. It would have been better just to clear the building and send everyone home.

So keep a few keys, they help.

Re:

[vaderhelmet]

Sounds like your setups weren't very well thought through. At work we have both proximity cards and hard key locks. When the power fails, a small group of people can still open the building because they've been issued hard keys. Everyone in IT and all of the higher-ups get a key. (We also have the prox cards for convienence when the power is on.) We issue a prox card to all employees and set access groups specifying times and locations in the building that can be accessed. HR/Accounting is super locked down

Re:

[wilko11]

Also, remember fire codes. If you use a qualified security contractor/consultant as the poster suggested, they should think of this for you, but you need to consider doors that are in the emergency exit path - These doors cannot be locked in the event of a power failure. They will need to be fitted with free-exit handles or break glass releases. These doors should also be fitted with a 24 hour monitored alarm that activates when the door is released manually, not just a local siren.

Re:

[jackb_guppy]

If some one was in the server they could get out. Both doors exit out. The isse was no one could get in!

Re:

[brenddie]

Not if each controller has a battery. Each controller has a battery that keeps the magnet on for a couple hours. ANyway , all your doors should have locks. Access control (RFID cards etc..) shoould be just that, access control. Locks are for closing doors. Just remember to close with the lock on friday nigth.

Re:

[Machitis]

Each area/building controller should have a battery backup. That's what we do with dedicated wiring from the controllers to the readers and controllers to the server, which is also batter backup. Will last for several hours, by which point either power is usually on, or we have people on the ground controlling access.

Re:Remember the FIRE CODES

[Joe The Dragon]

some Fire codes may force you to have all doors auto unlock when the fire alarm goes off or the power go outs. This is so people can not get suck in parts of a building. People have died and this is way that is in the fire codes.

Re:

[icestorm487]

The security company that installed the access control that didn't have power backup should be taken out and shot along with whom ever signed off on the install. If the security company did install some sort of battery backup why did they not keep up the maintenance on them, the batteries have a shelf life of about 3 years.

Re:

[Anonymous Coward]

As I understand it, the systems in the buildings I have worked have relied on magnetic locks. The building is sealed up tight when the power goes out, so I assume there is a rather large permanent magnet at each door and associated coils to negate the field long enough to open the door.

The access control system is contactless card based and on a whopping great battery backup (apparantly good for over 8 hours). There are specific building regulations about what is to happen in a power outage. Since the ac

priximity cards are nice..

[joeldg]

we used those in our datacenter, just walk up and wave your wallet at the reader and it blinks and you are logged as going and the door opens, makes it pretty easy to see the comings and goings of all the employees and see who spends more time where.

Some places also use these for time clocks and apparently they work pretty well when placed by the front door.

Re:

[shakah]

we used those in our datacenter, just walk up and wave your wallet at the reader and it blinks and you are logged as going and the door opens, makes it pretty easy to see the comings and goings of all the employees and see who spends more time where.

Don't your employees more-than-occasionally enter areas in groups, and doesn't that throw a wrench into your dream of tracking the "comings and goings of all the employees"? Do you (try to) enforce a policy of "everyone has to wave their cards at the reader

We enforce this

[anomaly]

We have multiple locations. Most are "low security" where passing an access badge is a requirement to enter the facility and largely movement in the building is unrestricted.

In our secure environment, we have a policy which requires scan "in" and "out." Each person is required to scan every pass through doors. If you scan "in" and don't scan "out" you are prevented from scanning "in" anywhere until you see security to clear your card. This works pretty well.

Re:

[shakah]

They don't have "scan out" where I work, I thought it was a safety issue. Generally there are motion detectors to release the door for outgoing folks, in a few places there are "press to exit" button next to the doors, along with a "pull to release" emergency handle (looks like a fire alarm, but yellow).

Re:

[stan_freedom]

We use key FOBs for our time tracking. We have a reader on the inside and outside of the door. When arriving, the outside reader registers, and when leaving, the inside reader registers. The data stream is dumped via RS-232 serial to a serial port on a linux box where a simple PHP script listens. The script parses the data stream to determine the key FOB and card reader and loads the results into a MySQL database. It also dumps the raw data to a daily log file. I use the computer's time as opposed to

Re:

[daspriest]

"An ideal system would combine what you have with with you know for effective security. Combining a pin number with an contactless access card for instance would be reasonably effective, and probably at least as secure as any biometric system alone and probably cheaper.",p.,p. Contactless card with pin fullfills pretty stringent security requirements. I have worked at some pretty high security places and this was the access system used at all of them.

keycards

[Artana Niveus Corvum]

The place where I work is actually set up with a pretty comprehensive physical security system involving access cards. The departments with more critical... stuff I guess for the sake of not divulging overly... are even separately alarmed. The swipe cards are uniquely numbered and assigned per employee. Each employee is authorized only for particular doors. The big downfall is that the system is actually several different systems that ultimately just have the same employee "user interface" as it were. Ther

Keep keys

[noweb4u]

Make sure you can get where the door controller is at in the event of a hard powerfailure. Don't rely on a UPS to help you with this.

Otherwise plan on finding clever ways to hit the emergency door lock release button from outside the door area, and then plan on crawling through the ceiling to get to where the cardsystem is at.

FWIW, the door system I am complaining about was put in before I got there. It was easier to change employers than to get that stuff changed after the fact.

Oh, and don't underestimate

Abloy locks

[CmdrPorno]

I agree with the other posters regarding biometric locks--Mythbusters recently tested them and was not impressed with their ability to distinguish real and fake fingerprints.

Abloy (also known as Assa-Abloy) and Medeco both manufacture physical locks that are difficult to pick. It is also difficult to find someone to duplicate them.

Use Saliva: Lick here to unlock the door

[mattnuzum]

We actually discussed this topic quite extensively recently here: http://www.servomagazine.com/forum/viewtopic.php?t =4949 [servomagazine.com] Originally, my boss Pete suggested that we use saliva - that would make entering the building a matter of simply licking the sensor. Later on (in the discussion linked above) we thought it might be even better to try and grab some DNA from urine. That way, you could kill two birds with one stone - gain entrance to the building and relieve your bladder all at once. If your company does periodic drug screening then you could just integrate that into the process too. Still, nothing beats the simplicity of just licking the sensor.

Re:

[grimJester]

Let me guess; you ended up just drilling a hole in the wall and putting a sign saying "urine sample" on one side and "saliva sample" on the other?

Don't tell me I'm the only one who thought of this.

fingerprints bad

[jipis]

I worked for a company that -- like yours -- was building out from scratch. The boss (that's Mr. Idiot to you) wanted real high-tech. So, we got a box of access cards and a bunch of readers. We had to supply the computer -- running nothing newer that Win98 -- in 2002. After that debacle was past, we got to find out how much fun it was to need both the card and our fingerprint to get into the office. Ignoring the security part, what do you think happens when you have a band-aid on the one finger that you use

IdentiCard

[Machitis]

I'm a security manager at a University in the states. We're moving more and more toward electronic access control for many of the reasons you state. As always, they wanted us to do it on a budget, but I feel we've managed to install a respectable system.

We use a product of a GE child company called IdentiCard. It's a low proximity system that will do just about anything you would like it to do. To activate a reader, you must hold a card within a few inches of the reader. The typical cards store only a uniqe number that is associated with a user account in the backend. There are also smart-card variations available that work with the system (there are several smartcard programming features in the control software). Making the cards is as simple as printing the card design, assigning the card to a user, then running it through a laminator (takes a long time if you've got to make several hundred or even thousand).

The backend of the system consists of an SQL database of users, cards, access groups, reader groups, etc. The physical system consists basically of readers, the data cables, per-building (or per-area) controllers which connect to the readers, then the cabling back to the primary server in our IT department. The cable they ran seems to be some proprietary bundle of wires, but they claim they can even do things like video integration and whatnot with it.

The only thing I have not liked about the system is that each user may be assigned only 3 access groups. While an efficient and well-managed access control policy deals with this just fine, it requires you to think ahead on what access groups you want. But then, you can also define as many groups as you want, you just can't assign more than three to any single user.

Identicard Home Page: http://www.identicard.com/ [identicard.com]

Card types

[Tacvek]

You have some choices. A card based system is generally a good idea.

There are three card types that are common and moderately safe:
1. Magstripe: Simple and cheep, but easy to duplicate.
2. Smartcard: Very difficult to fake, slightly less convient than than swipecards.
3. Contactless Smart Cards: Nearly as secure as smartcard, and far more convient. Employees would prefer this option, but it is probably the most espesnsive.

The smartcards use public key cryptography with challenge/response verification whi

Tailgating detection

[Animats]

The better systems have "tailgating detection" [mate.co.il], so that only one person can enter at a time. Some systems use machine vision, some use stereo camera pairs [dsigo.com], and some use multiple infrared beams.

If you install an anti-tailgating system, employees take security much more seriously. You don't have to go all the way to a double door/mantrap system. The usual setup is that you can't open the door if there are two people close to it, and if, once the door is opened, two people go through, that's an exception c

Dual Mode is the only "real" option

[slasher999]

I would recommend a "dual mode" system for doors - one that relies on a card reader (something physical that the person would need to carry with him or her) along with a biometric scanner - fingerprint for example. The chances of someone other than the person you wish to grant access to having both of these is slim. Of course you need to weigh the actual security provided by these means against what precisely you need to protect. Compared to what you have now, what I describe is far more secure.

Make sure support is at their expense

[Anonymous Coward]

I've seen a few access control systems that have been in place for over a year and still have weekly problems requiring technicians to come out and fix thems. Other systems get installed once and never have a problem. So clearly there is some quality difference between the different products. I would suggest that you make sure that any follow-up/repair work is at their expense, and there are some sort of penalties on the vendor if the system fails to perform as designed. You don't want a system that's flaky

Get expert advice

[linuxwrangler]

You are getting some good tips here. Also, talk to lots of vendors. With enough conversations you can put together an even more comprehensive list of possibilities and potential problems.

But the most important thing to start with is your requirements. Start with why do you want to replace mechanical keys? Save rekeying costs when employees leave or lose a key? That will frequently pay off by itself. Do you want to avoid people propping doors open because keys are inconvenient? Electronic can help with that, too. Just put the readers in a convenient place (ie. hip-level if you are using cards in wallets/purses - higher if the keys are embedded in picture ids that must be worn in the facility) and buy a system that sounds alarms when doors are open too long. Most businesses don't need to go overboard on security but can still benefit from electronic access.

On the other hand, you may have specific requirements imposed by your type of business or your vendor relationships. If you are handling, for instance, banking records, IRS info, medical data, etc. you may have some very specific security requirements and the key you use will be only a small part. Read the specs specific to your industry or your customers' industries and go from there.

And be sure that you have a tested disaster-recovery procedure. Others have told stories so I'll tell one, too. A friend worked on a NASA funded project. The satellite they were controlling cost 500 million dollars. They had fancy keylocks, backed up by redundant power and a operational plan that involved immediately shutting down non-essential systems and if the power outage looked long-term, having the university physical-plant connect in the emergency generators. When the big all-California whole-day power outage hit the plan fell apart. The on-duty controller headed down the hall, punched in his code and had it accepted but....nothing happened. Turns out that while the security system was backed up, the solenoid that actually retracts the lock was not. Neither was the phone system. Or the pager company transmitter sites. Fortunately the controller found a pay-phone and eventually a manager with a plain-old-telephone at home so they were able to get physical keys to the server rooms. (Note: disaster recovery is rife with this sort of tale. We found that while we can theoretically access our systems, getting to our office when the elevators are out and the fire stairs are locked due to silly post-911 security "enhancements", we can't actually get to our office in a major power outage.)

Re:

[Coffeehound]

Good comments. Refine your requirements; you need to consider what you are protecting, and what are the threats you are concerned with. Sure server rooms are sensitive, but your boss can go to jail if the financial records are not valid. Your company can get big fines if health information is disclosed improperly, and there are always the GAAP rules to prevent fraud.
The physical layout can be modified to enhance security and the ease of establishing it. However, do not pay for

Call A Local Reputable Security Company!

[icestorm487]

Call a local security company that will be able to go over your options. I work for one company and we don't use any biometric devices. There are a number of different access control products that will work from low security proximity cards to high security scramble pads. Because of all of the options please give the pro's a call, we do our best to find the right product for your company.

Combined system

[brufar]

I was faced with a similar tast about a year and a half ago. I called several local security vendors and eventually choose one that provided a DMP Panel.

http://buy.dmp.com/dmp/Shop?DSP=30100&PCR=1:100:10 010:10053&IID=XR2500F-R [dmp.com]

Now a new facility you want Access control, but A fire alarm system is also required, and hey what's a building without a security system ? this device was a combination of all three in one.

The panel is located in the server room, has battery backup and is attached to a

Use an airlock-like system.

[dascandy]

Without that, people will feel a social need to keep the door open for the next person, so you'll lose quite a lot of security. I've seen both with and without where the companies that were with were clearly a lot more secure. Also, if you can afford it, have somebody present at all times for checking who or what uses the door. Try to make a building with one front door, or at least a strongly limited amount (not more than 2 or maybe 3 for a huge company).

Use two-factor authentication where possible.

[RemovableBait]

At my University we have access cards with an embedded chip (like on a recent credit card) and a two-factor authentication system. To gain entry to a controlled area, you have to put the card in a reader (no RFID here) and type in your 4 digit PIN. In theory at least, the PIN is known to only the holder of the card, so if the card was copied/faked/stolen/found, it would be unusable by itself. The access cards are required for things like access to buildings, laboratories within buildings, computer labs, and

Some more detail on my question

[JoeCommodore]

Just to keep in perspective we aren't talking about a high security data center but a non-profit agency (yeah, money is tight, yadda yadda). So nothing like finger or retinal scans, maybe magstripe, but I would be leary of that.

The two things we see are a 1) regular turnover of staff (the preschool program is seasonal) and 2) having meeting areas available for use off hours. So I think maybe some cardlock doors and then the rest keylock (limited key distribution) might be a good compomise. The idea of t

Doors aren't the only problem

[thoglette]

As everyone else has said:

1. Plan and test the power down. There are neat two-way locks (the frame is electric, the door keyed) out there. Use them
2. Avoid Yale-style locks, use Abloy or similar.
3. Avoid Biometrics and passive RFID
4. Layer your defences & use multiple factors where necessary (where fingerprints _can_ be useful)
5. consider what is going to happen when someone quits; loses their hardware or just leaves it at home

But doors are barely the start. Windows, roofs and ceilings need to be c