Matthew Baas-Becking
The most important aspect of a security system is the overall functional architecture of the system. It is often argued that systems security, physical security and personnel security are separate entities that are developed and maintained separately. And yet they need to operate together to achieve optimum benefit for a particular area and level of security.
Electronic security provides us with many opportunities to integrate security systems and develop whole new methodologies of security architecture. But there are pitfalls and much research and development that need to be undertaken before such methodologies can be fully developed and implemented as a complete, integrated security system.
Each element of the security architecture or plan is dependant on another. For example, a security card with photographic identification may also have encrypted access codes. The issuing of the card is part of the security clearance and identification process, but the encrypted codes are an access control component. It is important that the card is issued and secured to the right person. With the use of this one security token, the trusted person can access all the areas that have been coded on the access card, even computer systems. For some agencies, various levels of access control should mean restricted access to sensitive material and information. But with some access control systems, this is not the case.
With the emphasis on electronic security systems providing the only real audit trail and automatic anti-pass-back management, a number of security, and particularly access control principles, have been lost in the push to automate every aspect of the security system. The edict that smart cards, prox systems and other encrypted automatic access products on their own can provide maximum access control security is a risk-averse overstatement. A system that relies solely on such a product, including primary identity management keys, face the risk that the entire security system is vulnerable with the loss of just one card or key. And if compromised at the encryption level, there may be no tamper evidence to show that an area has been broken into.
So, let us get back to some of the basic security system principles. Firstly access control should be based on a structured, graduated, step-by-step process that uses the old principles:
• What you have
• What you know
• Who you are
Each of the above principles can be used as a step process for electronic access control, such as:
• What you have – Access Card (identity secured – photo ID and/or other smart card technology)
• What you know – Pin Codes for Doors, Electronic Key Cabinets, Electronic Keys
• Who you are – Biometric or other added access measures
To be effective, each step needs to be separate from the main access control product (such as the access card) and be managed (for example) at a head-end server so that programming is not included on the main access control item. Each step should be separate, so that the security-in-depth principle literally means a room with a room within an area. This methodology effectively translates to levels of security where the first level must be accessed successfully before the next, and so on. This methodology also allows for automatic anti pass-back at any nominated level.
The next important aspect is that electronic products such as RFID prox auto opening doors, electronic pin pads, electronic key cabinets, electronic keys and biometric systems all have their own propriety software and are difficult to integrate into one fully functioning access control system. Add the complexity of security alarm systems and CCTV and you can easily have a system that defeats itself or is too complex to manage.
With access control, the ‘key’ is to integrate most if not all electronic products into one system. Some ‘middle-ware’ programming may be required, but without integration the system is still vulnerable to one-off attacks. Integration also allows greater audit trail processing, and introduces new features as provided by new products, such as programmable profiles with electronic keys that ‘turn off’ after a nominated period of hours. However, to achieve a complete audit trail and anti pass-back every mechanical device, including keyed locks, must be replaced with an electronic device.
Access to sensitive or classified information can also be added to the system, using prox and pin codes, or even biometrics, at computer terminals and electronic keys for cabinets.
Once an access control system is established, other items can be added or held separately, such as alarm systems and CCTV. In general, it may be more beneficial to have these as separate systems so that alarms are not affected by access control attacks or disruptions. CCTV can be integrated but also can be better utilized as an independent identification monitoring system.
Much research and development still needs to be done to define all areas that could be included in an integrated system. Perimeter security, gates and turnstiles, physical security components, guarding and response force requirements and other systems-related security measures are all components of an integrated security system. And there is still some extensive research required into counter terrorism protective security applications, which can also be included in an integrated system.