Shopping for Building Access Security?

JoeCommodore asks: "At work we are planning a new facility, which will combine a lot of departments into one bigger building. We think it may be time to forgo analog key access and go with access cards (or something like it) for physical security. I could see the benefits (we don't have to collect keys and re-do locks on staff turnover, selective room access, access logs, and so forth). Beyond this, we are pretty clueless on the ins and outs of such systems, so I am asking those of you who have had to shop, install, administer, or even just regularly use such systems, what are your thoughts, recommendations, or opinions? This is pre-building so we can do just about anything within reason."

RFID based?

[slidersv]

General access at our work use have contact-less (?) cards that every single employee has. I really like the system since the card is the size of the standard credit card (not fatter) and works over the distance of about 10-15 cm, and not being blocked too much by the surroundings (e.g. deep inside the wallet) so i can keep it in there all the time.

The card is assigned a unique number (which can probably be linked to username in Active Directory or the likes), and all cards are administered in groups by a central database, so granting/deniyng access is a matter of minutes. The card reader is a small box (about 10cm in height and 5 cm in width) and can be installed on doors and turnstiles likewise. All data is transfered to the database on-line, so the guard-lady/guy actually sees who you are and and all the other necessary info on the screen in front of them (I finally don't have to sign in every time i go to work at night or on weekends)

For more restricted access we have finger-print readers (retina scanners were too expensive at the time of installation), but that is not for general access.

P.S.: From personal experience i think it is important for the card to work through clutter and not to have it take out from the wallet (purse, bag etc). At least that's the difference for me between the cards i like and the cards i don't like.
P.S.: also i had cards on several ocasions that were not working in close proximity to each other (overlapping frequencies?)

Re:RFID based?

[Rellon]

Most of the systems that I've installed, managed and used were a variation upon this theme. They were all contact-less NON-RFID cards that also served double-duty as ID badges. That proved pretty handy as they were always visible and easy to use when mounted to a retractable cord. The wiring system is rather simple as it's simply a serial connection (for the older systems) but requires home runs to the controller.. I've seen newer systems that use POE and are IP based which simplifies installation somewhat in that you no longer have to do home runs to the controller.

Re:RFID based?

[John+Harrison]

there are different standards for radio induction systems. Look up ISO 14443 and ISO 16593 (I believe). Many building security systems use MiFare cards. The chips are produced by Philips and are considered contactless smart cards rather than RFID by those in the know.

Remember the POWER OUTAGES

[jackb_guppy]

Once you lock the doors with electronics remmeber power outages can and will hurt. Also your security is right out the window (door in the case!).

Plan for no power to power the locks.

1) One company, they planned for power outages, by placing the key control computer in a closet, with its own UPS. The day the building went dark (failed breaker) the key control was working find, the servers were on their own UPS. Every desktop was down; the wireless routers and inter-floor routers/switches were down; OH the doors to server were locked - NO power open them. We all could see in the computer room though the big glass window as the equipment started to hardfail.

2) At another company, once the power fails, all doors are opened and blocked with a chair to allow employees and anyone else though. All the video cameras are offline along with every switch. It would have been better just to clear the building and send everyone home.

So keep a few keys, they help.

Re:Remember the POWER OUTAGES

[vaderhelmet]

Sounds like your setups weren't very well thought through. At work we have both proximity cards and hard key locks. When the power fails, a small group of people can still open the building because they've been issued hard keys. Everyone in IT and all of the higher-ups get a key. (We also have the prox cards for convienence when the power is on.) We issue a prox card to all employees and set access groups specifying times and locations in the building that can be accessed. HR/Accounting is super locked down, as is the server room. As for logging the hard keys, unless the power is out, the system requires an id code at a keypad placed just within each door. Lastly, the doors "fail" to the locked position. If they lose power or are tampered with, the door switches into the locked position. This setup is extremely nice for us to set "Business Hours" that the main doors are unlocked automatically. This accounts for holidays as well. Very nice setup. We used a local consulting firm that resells for ADT.

Re:Remember the POWER OUTAGES

[wilko11]

Also, remember fire codes. If you use a qualified security contractor/consultant as the poster suggested, they should think of this for you, but you need to consider doors that are in the emergency exit path - These doors cannot be locked in the event of a power failure. They will need to be fitted with free-exit handles or break glass releases. These doors should also be fitted with a 24 hour monitored alarm that activates when the door is released manually, not just a local siren.

priximity cards are nice..

[joeldg]

we used those in our datacenter, just walk up and wave your wallet at the reader and it blinks and you are logged as going and the door opens, makes it pretty easy to see the comings and goings of all the employees and see who spends more time where.

Some places also use these for time clocks and apparently they work pretty well when placed by the front door.

Abloy locks

[CmdrPorno]

I agree with the other posters regarding biometric locks--Mythbusters recently tested them and was not impressed with their ability to distinguish real and fake fingerprints.

Abloy (also known as Assa-Abloy) and Medeco both manufacture physical locks that are difficult to pick. It is also difficult to find someone to duplicate them.

Use Saliva: Lick here to unlock the door

[mattnuzum]

We actually discussed this topic quite extensively recently here: http://www.servomagazine.com/forum/viewtopic.php?t =4949 Originally, my boss Pete suggested that we use saliva - that would make entering the building a matter of simply licking the sensor. Later on (in the discussion linked above) we thought it might be even better to try and grab some DNA from urine. That way, you could kill two birds with one stone - gain entrance to the building and relieve your bladder all at once. If your company does periodic drug screening then you could just integrate that into the process too. Still, nothing beats the simplicity of just licking the sensor.

Re:Use Saliva: Lick here to unlock the door

[grimJester]

Let me guess; you ended up just drilling a hole in the wall and putting a sign saying "urine sample" on one side and "saliva sample" on the other?

Don't tell me I'm the only one who thought of this.

IdentiCard

[Machitis]

I'm a security manager at a University in the states. We're moving more and more toward electronic access control for many of the reasons you state. As always, they wanted us to do it on a budget, but I feel we've managed to install a respectable system.

We use a product of a GE child company called IdentiCard. It's a low proximity system that will do just about anything you would like it to do. To activate a reader, you must hold a card within a few inches of the reader. The typical cards store only a uniqe number that is associated with a user account in the backend. There are also smart-card variations available that work with the system (there are several smartcard programming features in the control software). Making the cards is as simple as printing the card design, assigning the card to a user, then running it through a laminator (takes a long time if you've got to make several hundred or even thousand).

The backend of the system consists of an SQL database of users, cards, access groups, reader groups, etc. The physical system consists basically of readers, the data cables, per-building (or per-area) controllers which connect to the readers, then the cabling back to the primary server in our IT department. The cable they ran seems to be some proprietary bundle of wires, but they claim they can even do things like video integration and whatnot with it.

The only thing I have not liked about the system is that each user may be assigned only 3 access groups. While an efficient and well-managed access control policy deals with this just fine, it requires you to think ahead on what access groups you want. But then, you can also define as many groups as you want, you just can't assign more than three to any single user.

Identicard Home Page: http://www.identicard.com/

Card types

[Tacvek]

You have some choices. A card based system is generally a good idea.

There are three card types that are common and moderately safe:
1. Magstripe: Simple and cheep, but easy to duplicate.
2. Smartcard: Very difficult to fake, slightly less convient than than swipecards.
3. Contactless Smart Cards: Nearly as secure as smartcard, and far more convient. Employees would prefer this option, but it is probably the most espesnsive.

The smartcards use public key cryptography with challenge/response verification which makes them quite secure. Arguagble more secure than physical keys.

Avoid passive RFID cards.

Dual Mode is the only "real" option

[slasher999]

I would recommend a "dual mode" system for doors - one that relies on a card reader (something physical that the person would need to carry with him or her) along with a biometric scanner - fingerprint for example. The chances of someone other than the person you wish to grant access to having both of these is slim. Of course you need to weigh the actual security provided by these means against what precisely you need to protect. Compared to what you have now, what I describe is far more secure.

Get expert advice

[linuxwrangler]

You are getting some good tips here. Also, talk to lots of vendors. With enough conversations you can put together an even more comprehensive list of possibilities and potential problems.

But the most important thing to start with is your requirements. Start with why do you want to replace mechanical keys? Save rekeying costs when employees leave or lose a key? That will frequently pay off by itself. Do you want to avoid people propping doors open because keys are inconvenient? Electronic can help with that, too. Just put the readers in a convenient place (ie. hip-level if you are using cards in wallets/purses - higher if the keys are embedded in picture ids that must be worn in the facility) and buy a system that sounds alarms when doors are open too long. Most businesses don't need to go overboard on security but can still benefit from electronic access.

On the other hand, you may have specific requirements imposed by your type of business or your vendor relationships. If you are handling, for instance, banking records, IRS info, medical data, etc. you may have some very specific security requirements and the key you use will be only a small part. Read the specs specific to your industry or your customers' industries and go from there.

And be sure that you have a tested disaster-recovery procedure. Others have told stories so I'll tell one, too. A friend worked on a NASA funded project. The satellite they were controlling cost 500 million dollars. They had fancy keylocks, backed up by redundant power and a operational plan that involved immediately shutting down non-essential systems and if the power outage looked long-term, having the university physical-plant connect in the emergency generators. When the big all-California whole-day power outage hit the plan fell apart. The on-duty controller headed down the hall, punched in his code and had it accepted but....nothing happened. Turns out that while the security system was backed up, the solenoid that actually retracts the lock was not. Neither was the phone system. Or the pager company transmitter sites. Fortunately the controller found a pay-phone and eventually a manager with a plain-old-telephone at home so they were able to get physical keys to the server rooms. (Note: disaster recovery is rife with this sort of tale. We found that while we can theoretically access our systems, getting to our office when the elevators are out and the fire stairs are locked due to silly post-911 security "enhancements", we can't actually get to our office in a major power outage.)

Combined system

[brufar]

I was faced with a similar tast about a year and a half ago. I called several local security vendors and eventually choose one that provided a DMP Panel.

http://buy.dmp.com/dmp/Shop?DSP=30100&PCR=1:100:10 010:10053&IID=XR2500F-R

Now a new facility you want Access control, but A fire alarm system is also required, and hey what's a building without a security system ? this device was a combination of all three in one.

The panel is located in the server room, has battery backup and is attached to a generator circuit.

Alarm access can be through a keypad or tied to your proximity token.
Door access was setup with prox card readers

Central station hookup is via the Internet with a phone line backup, other options are available as well. Let me tell you with that Internet hookup for monitoring it's amazing how fast the central station gets the data..

I also purchased the management software so I can manage the users myself, set change access times, enroll new prox cards, de-activate users that left, can pull system and access logs at any time.

It didn't make sense to me to install 3 seperate systems and have to manage them when I could o it all in one place..

ymmv

Best of luck