Understanding card-connected access control systems

Asked to control access at unwired points? Card-connected access control has some answers


During times of economic turmoil, security directors and systems integrators are being asked to secure more for less -- in other words, securing more of the company’s assets but with fewer resources.

In these unsettled times, companies also want to make sure that, when layoffs become unavoidable, an employee’s access to both critical and routine assets is tightly controlled -- denying access to laid-off employees as rapidly as possible.

Furthermore, when companies are acquired and merge with the acquiring company, incompatible physical access control systems (PACS) can be a cause of expensive duplication. The temptation is great to align the acquired company with the corporate standard PACS, but what should be done with unwired but important access points such as remote storage facilities or data center racks?

In the past, security directors were forced to choose between integrating the different PACS or putting in stand-alone locks and then fronting the money for later upgrades. With a new technology concept called card-connected access control, users can avoid both the large upfront installation costs and the maintenance fees.

Here’s how: First, card-connected locks require no wiring or panel infrastructure, so installation and equipment costs are significantly reduced. And unlike some of the electronic lock solutions on the market, they do not require frequent visits by security personnel to update access lists and retrieve logs. In addition, when they replace “brass key” locks, card-connected locks add central management and monitoring, access audits and a less expensive alternative to managing keys and re-keying locks.

Card-connected access control technologies use employee smart cards to extend central access control to standalone and mobile locks (e.g., padlocks). Within a card-connected access control system, standalone electronic locks and physical access control systems communicate by reading and writing digitally signed data to and from smart cards. In this way, cardholders become an extension of the physical access network, where the cards, instead of wires, carry information to and from the standalone locks.

As such, card-connected technologies bring the benefits of smart cards and strong cryptography to the world of physical access control to expand the number of assets which can be cost-effectively protected. In fact, the breakthrough achieved by card-connected technologies provides some of the best of both worlds -- the limited up-front investment of standalone electronic locks and the benefits of wired locks managed through a central PACS.

Card-connected technologies provide security managers with the opportunity to increase the number of assets and facilities which are electronically secured from, say, the 20 percent they can currently afford to wire, to the 70 or 80 percent they would ideally like to bring into their central PACS management environment. However, it is important to note that due to the non-real-time and non-deterministic nature of card-connected technologies, card-connected locks are not a replacement for wired locks protecting critical assets or facilities where immediate, real-time alarms are required.

In a card-connected physical access control system, cardholders carry their access privileges and retrieve log events from card-connected locks using smart cards, such as MIFARE, DESFire or FIPS-201 compliant PIV cards. Furthermore, because card-connected technologies are role-based and not access control list-based, there is no practical limit to the number of cardholders each lock can service. Smart cards carried by cardholders are the network – they carry privilege information to the locks and pick up logs.

For example, if John’s card was revoked at 10 a.m. on Tuesday morning due to being laid off, anyone who enters through a wired door after 10 a.m. would pick up this revocation data onto their card when their card is presented to that wired reader, which is connected to the PACS. If Emily enters the building at 10:30 a.m., she will pick up the revocation data and share that data with any card-connected lock she accesses inside the facility.

If Emily accesses the card-connected supply closet door at 10:35 a.m. and Aaron then visits the same door at 10:40 a.m., Aaron’s smart card will pick up the revocation data that Emily’s card had, and his card will now have the information about John’s revocation. If John stops at the supply closet any time after 10:35 a.m., his card will no longer grant him access and the door will remain locked.
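The revocation walk-through above, replayed as an added Python example (not code from the article or from any card-connected product). It assumes an HMAC under a constructed key in place of the PACS digital signature, hypothetical class names, and a second hypothetical lock (the shed) that no updated card has reached, to show the non-real-time caveat.

```python
import hashlib
import hmac

PACS_KEY = b"constructed-demo-key"  # assumption: HMAC stands in for the PACS signature

def sign(card_id: str) -> tuple[str, bytes]:
    """PACS issues a signed revocation record for one card."""
    return card_id, hmac.new(PACS_KEY, card_id.encode(), hashlib.sha256).digest()

def valid(record: tuple[str, bytes]) -> bool:
    return hmac.compare_digest(record[1], sign(record[0])[1])

class Card:
    def __init__(self, card_id: str):
        self.card_id = card_id
        self.revocations: set[tuple[str, bytes]] = set()  # signed records carried on the card

class WiredReader:
    """Online reader: always holds the PACS's current revocation list."""
    def __init__(self, pacs_revocations: set):
        self.revocations = pacs_revocations

    def present(self, card: Card) -> bool:
        card.revocations |= self.revocations  # card leaves carrying the current list
        return card.card_id not in {r[0] for r in self.revocations}

class CardConnectedLock:
    """Offline lock: learns revocations only from cards presented to it."""
    def __init__(self):
        self.revocations: set = set()

    def present(self, card: Card) -> bool:
        # Merge only records whose signature verifies; anything else is dropped.
        self.revocations |= {r for r in card.revocations if valid(r)}
        card.revocations |= self.revocations  # pass the list on to the next lock
        return card.card_id not in {r[0] for r in self.revocations}

def replay_timeline() -> dict:
    pacs = {sign("john")}                           # 10:00 John revoked at the PACS
    front, closet, shed = WiredReader(pacs), CardConnectedLock(), CardConnectedLock()
    john, emily, aaron = Card("john"), Card("emily"), Card("aaron")
    out = {"emily_front": front.present(emily)}     # 10:30 wired door, picks up revocation
    out["emily_closet"] = closet.present(emily)     # 10:35 closet learns of John
    out["aaron_closet"] = closet.present(aaron)     # 10:40 Aaron's card picks it up
    out["aaron_carries"] = "john" in {r[0] for r in aaron.revocations}
    out["john_shed"] = shed.present(john)           # lock no updated card has reached: opens
    out["john_closet"] = closet.present(john)       # after 10:35: denied
    return out
```

The shed result is why such locks suit assets that can tolerate a propagation delay: revocation reaches an offline lock only when some card that has seen it is presented there.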
