Best Practices in Access Control

With a new year approaching, I’d like to take a moment to remind security directors....

...that now is a great time to review your security policies and access control system installations to make sure they are meeting the current needs of your facility. In fact, conducting an annual access control system review is the first step in creating a systematic process for assessing the security of your organization…and it is the principle best practice that provides a framework for all the others.

Once a yearly review process is in place, a fundamental concept to embrace in adopting best practices is that an effective security system uses layered security. A good analogy of this concept would be one where a home protected by a burglar alarm might use both glass break detectors and motion sensors to detect when an intruder enters the house.

Then there are a handful of specific best practices to consider, with two of the most important guidelines being around 1) choices in reader and card technologies; and 2) key management.

Choosing the right reader and card technology

Since there are a wide variety of card and reader technologies being offered by today’s manufacturers, it is important to make sure that both the correct card and reader technology are chosen to match the desired level of security. For example, magstripe offers the least amount of security, whereas contactless smart cards, when properly deployed, provide the highest levels of security.

Key Management

Key management deals with the secure generation, distribution, storage, and life-cycle management of cryptographic keys. This important subject deserves an entire blog post itself, but here are a few of the basic key management rules of thumb.

Whenever there is a choice, choose a manufacturer that allows you to utilize your own cryptographic authentication key that is different than the manufacturer’s other customers. This is exactly the point of HID’s Elite Key program. Although it may be easier not to have the responsibility of managing and safeguarding your own keys, you will be immune from a key compromise that occurs in someone else’s readers from the same manufacturer.

Conversely, do not choose a manufacturer that stores the same key in all of its credentials. Extraction of the key from a single card compromises all of the cards in use. Select a manufacturer that uses ‘diversified’ keys, which means that each card uses a different key that is cryptographically derived from a master key. Ideally this diversification would use a publicly scrutinized algorithm such as DES or AES. For example, HID’s iCLASS key diversification is based on DES.

And these are just a few best practices to look for. Stay tuned for more guidelines on how an organization can effectively balance cost, convenience and security when deploying an access control system.