Shopping for Building Access Security?
JoeCommodore asks: "At work we are planning a new facility, which will combine a lot of departments into one bigger building. We think it may be time to forgo analog key access and go with access cards (or something like it) for physical security. I could see the benefits (we don't have to collect keys and re-do locks on staff turnover, selective room access, access logs, and so forth). Beyond this, we are pretty clueless on the ins and outs of such systems, so I am asking those of you who have had to shop, install, administer, or even just regularly use such systems, what are your thoughts, recommendations, or opinions? This is pre-building so we can do just about anything within reason."
Go With Simple (Score:2)
Re: (Score:2)
If you have to hire a guard to stand there and watch each biometric scanner to make sure no one is trying to game it, then why even buy a system in the first place?
Don't think you can get away with centralized monitoring either, a guard on the other end of a camera and a little monitor will never even notice either of the two spoofs I mentioned, nor a host of others.
RFID based? (Score:2, Informative)
The card is assigned a unique number (which can probably be linked to username in Active Directory or the likes), and all cards are administered in groups by
Re: (Score:2, Interesting)
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
No. RFID is radio frequency identification, which is vague and meaningless. Some RFID tags are RO, some RW, some more complex IO. Some have crypto/hash capabilities. However, they are all RFID.
Consider the one-paragraph brief on the TI RFID Compact Series Digital Signature Wedge Transponder DST+ [ti.com]
Re: (Score:2)
> So, I'm still curious. Since your non-RFID access cards can just will doors open, does that mean that your locks just will the doors closed? Do the elevators in your building need wire rope, pullie
Re: (Score:3, Informative)
Re: (Score:2)
Re: (Score:2)
Especially in areas where people are often carrying stuff, like datacenters and storage areas. In these areas place the readers at hip/waist height as close to the door frame as possible and turn the sensitivity up. This way when you're carrying a server in to the locked server room you don't have to pull the card out, just leave it in your pocket and walk on by, using your back or foot to open the door once it is unlocked.
Remember the POWER OUTAGES (Score:5, Insightful)
Plan for no power to power the locks.
1) One company, they planned for power outages, by placing the key control computer in a closet, with its own UPS. The day the building went dark (failed breaker) the key control was working fine, the servers were on their own UPS. Every desktop was down; the wireless routers and inter-floor routers/switches were down; OH the doors to server were locked - NO power to open them. We all could see in the computer room through the big glass window as the equipment started to hardfail.
2) At another company, once the power fails, all doors are opened and blocked with a chair to allow employees and anyone else through. All the video cameras are offline along with every switch. It would have been better just to clear the building and send everyone home.
So keep a few keys, they help.
Re: (Score:2, Interesting)
Re: (Score:3, Insightful)
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
Re:Remember the FIRE CODES (Score:1)
Re: (Score:1)
Re: (Score:1, Interesting)
The access control system is contactless card based and on a whopping great battery backup (apparently good for over 8 hours). There are specific building regulations about what is to happen in a power outage. Since the ac
proximity cards are nice.. (Score:3, Insightful)
Some places also use these for time clocks and apparently they work pretty well when placed by the front door.
Re: (Score:2)
Don't your employees more-than-occasionally enter areas in groups, and doesn't that throw a wrench into your dream of tracking the "comings and goings of all the employees"? Do you (try to) enforce a policy of "everyone has to wave their cards at the reader
We enforce this (Score:2)
In our secure environment, we have a policy which requires scan "in" and "out." Each person is required to scan every pass through doors. If you scan "in" and don't scan "out" you are prevented from scanning "in" anywhere until you see security to clear your card. This works pretty well.
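The scan-in/scan-out rule described in the comment above, sketched as an added example (it is not part of the original thread and not any vendor's code). Card numbers, door names and the event list are constructed, and letting an unmatched exit through while flagging it is an assumption of this sketch.

```python
"""Anti-passback sketch: every card must alternate "in" and "out" scans."""

class AntiPassback:
    def __init__(self):
        self.inside = {}     # card -> door of the last granted "in"
        self.locked = set()  # cards that must be cleared by security
        self.audit = []      # (card, door, direction, decision)

    def scan(self, card, door, direction):
        if direction == "in":
            if card in self.locked:
                decision = "deny:locked"
            elif card in self.inside:
                # Second "in" with no "out" in between: lock the card.
                self.locked.add(card)
                decision = "deny:passback"
            else:
                self.inside[card] = door
                decision = "grant"
        elif direction == "out":
            # Assumption: exits are never blocked; an exit with no entry on
            # record (holder probably followed someone in) is only flagged.
            had_entry = self.inside.pop(card, None) is not None
            decision = "grant" if had_entry else "grant:no-entry-on-record"
        else:
            raise ValueError(f"unknown direction: {direction!r}")
        self.audit.append((card, door, direction, decision))
        return decision

    def clear(self, card):
        """Security desk resets a card after talking to its holder."""
        self.locked.discard(card)
        self.inside.pop(card, None)

# Constructed sample events: (card number, door, direction).
EVENTS = [
    ("1001", "north", "in"),
    ("1002", "north", "in"),
    ("1001", "north", "out"),
    ("1002", "south", "in"),   # 1002 left without scanning out
    ("1002", "south", "in"),   # retry while the card is locked
    ("1003", "south", "out"),  # no entry on record for this card
]

def replay(events):
    """Run the events through a fresh controller; return it and the decisions."""
    apb = AntiPassback()
    return apb, [apb.scan(*event) for event in events]
```

The `audit` list is what a reviewer would pull to see which cards repeatedly exit with no entry on record, the pattern group entry produces.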
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
keycards (Score:1)
Keep keys (Score:1)
Otherwise plan on finding clever ways to hit the emergency door lock release button from outside the door area, and then plan on crawling through the ceiling to get to where the cardsystem is at.
FWIW, the door system I am complaining about was put in before I got there. It was easier to change employers than to get that stuff changed after the fact.
Oh, and don't underestimate
Abloy locks (Score:2, Insightful)
Abloy (also known as Assa-Abloy) and Medeco both manufacture physical locks that are difficult to pick. It is also difficult to find someone to duplicate them.
Use Saliva: Lick here to unlock the door (Score:3, Funny)
Re: (Score:3, Funny)
Don't tell me I'm the only one who thought of this.
fingerprints bad (Score:1)
IdentiCard (Score:4, Informative)
We use a product of a GE child company called IdentiCard. It's a low proximity system that will do just about anything you would like it to do. To activate a reader, you must hold a card within a few inches of the reader. The typical cards store only a unique number that is associated with a user account in the backend. There are also smart-card variations available that work with the system (there are several smartcard programming features in the control software). Making the cards is as simple as printing the card design, assigning the card to a user, then running it through a laminator (takes a long time if you've got to make several hundred or even thousand).
The backend of the system consists of an SQL database of users, cards, access groups, reader groups, etc. The physical system consists basically of readers, the data cables, per-building (or per-area) controllers which connect to the readers, then the cabling back to the primary server in our IT department. The cable they ran seems to be some proprietary bundle of wires, but they claim they can even do things like video integration and whatnot with it.
The only thing I have not liked about the system is that each user may be assigned only 3 access groups. While an efficient and well-managed access control policy deals with this just fine, it requires you to think ahead on what access groups you want. But then, you can also define as many groups as you want, you just can't assign more than three to any single user.
Identicard Home Page: http://www.identicard.com/ [identicard.com]
Card types (Score:2, Insightful)
There are three card types that are common and moderately safe:
1. Magstripe: Simple and cheap, but easy to duplicate.
2. Smartcard: Very difficult to fake, slightly less convenient than swipecards.
3. Contactless Smart Cards: Nearly as secure as smartcard, and far more convenient. Employees would prefer this option, but it is probably the most expensive.
The smartcards use public key cryptography with challenge/response verification whi
Tailgating detection (Score:2)
The better systems have "tailgating detection" [mate.co.il], so that only one person can enter at a time. Some systems use machine vision, some use stereo camera pairs [dsigo.com], and some use multiple infrared beams.
If you install an anti-tailgating system, employees take security much more seriously. You don't have to go all the way to a double door/mantrap system. The usual setup is that you can't open the door if there are two people close to it, and if, once the door is opened, two people go through, that's an exception c
Dual Mode is the only "real" option (Score:3, Informative)
Make sure support is at their expense (Score:1, Insightful)
Get expert advice (Score:3, Interesting)
But the most important thing to start with is your requirements. Start with why do you want to replace mechanical keys? Save rekeying costs when employees leave or lose a key? That will frequently pay off by itself. Do you want to avoid people propping doors open because keys are inconvenient? Electronic can help with that, too. Just put the readers in a convenient place (i.e. hip-level if you are using cards in wallets/purses - higher if the keys are embedded in picture IDs that must be worn in the facility) and buy a system that sounds alarms when doors are open too long. Most businesses don't need to go overboard on security but can still benefit from electronic access.
On the other hand, you may have specific requirements imposed by your type of business or your vendor relationships. If you are handling, for instance, banking records, IRS info, medical data, etc. you may have some very specific security requirements and the key you use will be only a small part. Read the specs specific to your industry or your customers' industries and go from there.
And be sure that you have a tested disaster-recovery procedure. Others have told stories so I'll tell one, too. A friend worked on a NASA funded project. The satellite they were controlling cost 500 million dollars. They had fancy keylocks, backed up by redundant power and an operational plan that involved immediately shutting down non-essential systems and if the power outage looked long-term, having the university physical-plant connect in the emergency generators. When the big all-California whole-day power outage hit, the plan fell apart. The on-duty controller headed down the hall, punched in his code and had it accepted but... nothing happened. Turns out that while the security system was backed up, the solenoid that actually retracts the lock was not. Neither was the phone system. Or the pager company transmitter sites. Fortunately the controller found a pay-phone and eventually a manager with a plain-old-telephone at home so they were able to get physical keys to the server rooms. (Note: disaster recovery is rife with this sort of tale. We found that while we can theoretically access our systems, getting to our office when the elevators are out and the fire stairs are locked due to silly post-911 security "enhancements", we can't actually get to our office in a major power outage.)
Re: (Score:1)
The physical layout can be modified to enhance security and the ease of establishing it. However, do not pay for
Call A Local Reputable Security Company! (Score:1)
Combined system (Score:2, Informative)
http://buy.dmp.com/dmp/Shop?DSP=30100&PCR=1:100:10 010:10053&IID=XR2500F-R [dmp.com]
Now, in a new facility you want access control, but a fire alarm system is also required, and hey, what's a building without a security system? This device was a combination of all three in one.
The panel is located in the server room, has battery backup and is attached to a
Use an airlock-like system. (Score:1)
Use two-factor authentication where possible. (Score:2)
Some more detail on my question (Score:2)
Just to keep in perspective we aren't talking about a high security data center but a non-profit agency (yeah, money is tight, yadda yadda). So nothing like finger or retinal scans, maybe magstripe, but I would be leery of that.
The two things we see are a 1) regular turnover of staff (the preschool program is seasonal) and 2) having meeting areas available for use off hours. So I think maybe some cardlock doors and then the rest keylock (limited key distribution) might be a good compromise. The idea of t
Doors aren't the only problem (Score:1)
But doors are barely the start. Windows, roofs and ceilings need to be c