Understanding card-connected access control systems

During times of economic turmoil, security directors and systems integrators are being asked to secure more for less -- in other words, securing more of the company’s assets but with fewer resources.

In these unsettled times companies also want to make sure that, when layoffs become unavoidable, an employee’s access to both critical as well as routine assets is tightly controlled -- denying access to laid off employees as rapidly as possible.

Furthermore, when companies are acquired and merge with the acquiring company, incompatible physical access control systems (PACS) can be a cause of expensive duplication. The temptation is great to align the acquired company with the corporate standard PACS, but what should be done with unwired but important access points such as remote storage facilities or data center racks?

In the past, security directors were forced to choose between integrating the different PACS or putting in stand-alone locks and then fronting the money for later upgrades. With a new technology concept called card-connected access control, users can avoid both the large install costs upfront, as well as the maintenance fees.

Here’s how: First, card-connected locks require no wiring or panel infrastructure so installation and equipment costs are significantly reduced. And unlike some of the electronic lock solutions on the market, they do not require frequent visits by security personnel to update access lists and retrieve logs. In addition, card-connected locks offer the added benefit when they replace “brass key” locks by providing central management and monitoring, access audits and a less expensive alternative to managing keys and re-keying locks.

Card-connected access control technologies use employee smart cards to extend central access control to standalone and mobile (e.g., padlocks) locks. Within a card-connected access control system, standalone electronic locks and physical access control systems communicate by reading and writing digitally signed data to and from smart cards. In this way, cardholders become an extension of the physical access network, where the cards, instead of wires, carry information to and from the standalone locks.

As such, card-connected technologies bring the benefits of smart cards and strong cryptography to the world of physical access control to expand the number of assets which can be cost-effectively protected. In fact, the breakthrough achieved by card-connected technologies provides some of the best of both worlds -- the limited up-front investment of standalone electronic locks and the benefits of wired locks managed through a central PACS system.

Card-connected technologies provide security managers with the opportunity to increase the number of assets and facilities which are electronically secured from, say, the 20 percent they can currently afford to wire, to the 70 or 80 percent they would ideally like to bring into their central PACS management environment. However, it is important to note that due to the non-real time and non-deterministic nature of card-connected technologies, card-connected locks are not a replacement for wired locks protecting critical assets or facilities where immediate, real-time alarms are required.

In a card-connected physical access control system, cardholders carry their access privileges and retrieve log events from card-connected locks using smart cards, such as MIFARE, DESFire or FIPS-201 compliant PIV cards. Furthermore, because card-connected technologies are role-based and not access control list-based, there is no practical limit to the number of cardholders each lock can service. Smart cards carried by cardholders are the network – they carry privilege information to the locks and pick up logs. For example, if John’s card was revoked at 10 a.m. on Tuesday morning due to being laid off, anyone who enters through a wired door after 10 a.m. would pick up this revocation data onto their card when their card is presented to that wired reader which is connected to the PACS. If Emily enters the building at 10:30 a.m., she will pick up the revocation data and share that data with any card-connected lock she accesses inside the facility. If Emily accesses the card-connected supply closet door at 10:35 a.m. and Aaron then visits the same door at 10:40 a.m., Aaron’s smart card will pick up the revocation data that Emily’s card had, and his card will now have the information about John’s revocation. If John stops at the supply closet any time after 10:35 a.m. his card will no longer grant him access and the door will remain locked.

Like any other communication network, the integrity of the data carried on the smart cards and its source must be trusted. Without a proven layer of security, the system
would be vulnerable to attacks where cardholder access privileges could be altered, cards cloned or counterfeited, and access policies on the locks compromised:

  • Card-connected technologies should apply industry-proven cryptography to provide the highest level of assurance;
  • All card-connected privilege data should be digitally signed; and,
  • Before providing access, each card-connected lock should validate the digital signature to prove that the card was issued by the PACS – the PACS is a “trusted source” -- and that the access privileges on the card were not altered.

Card-connected locks are ideal for any company or organization that:

  • Has offices, storage spaces, equipment rooms or remote facilities that should be protected by electronic access control, but for which traditional wired access control is too expensive or impractical;
  • Is required to control and record auditable data for access to sensitive information such as in the financial (Sarbanes-Oxley) and healthcare (HIPAA) industries, and;
  • Has or maintains critical infrastructure that must meet newly established DHS regulations such as the petrochemical and power industries.

In all these organizations, access points and assets anywhere in the world can now be secured without relying on wired or wireless connections, at a fraction of the cost. And soon, user can expect to see card-connected padlocks, cabinet locks, and safe locks become available to further extend electronic access control across the enterprise – ultimately helping organizations take the necessary precautions to ensure their critical assets remain protected, especially during a time of economic uncertainty.

About the author: Todd Freyman is vice president and general manager physical access products for CoreStreet. Todd has more than 10 years experience in the physical security industry, has a strong technical background and is specialized in the transition of advanced technologies into commercially available products and integrated solutions. Todd holds a B.S. in aerospace engineering from Syracuse University and an M.S. in mechanical engineering from Pennsylvania State University.