white paper aaci data center physical security mc donald
DESCRIPTION
Data Center Best Practices for Integrated Physical Security Technology Solutions and SAS 70 and Homeland Security Presidential Directive 7 (HSPD-7) ComplianceTRANSCRIPT
April 21, 2011
Auburn Regional Office
489 Washington Street
Auburn, MA 01501
Phone: (508) 453-2720
www.AmericanAlarm.com
Data Center Best Practices for Integrated Physical Security
Technology Solutions and SAS 70 and Homeland Security
Presidential Directive 7 (HSPD-7) Compliance
By James McDonald
Integrated Systems Consultant
An AACI White Paper
April 21, 2011 2
Contents
Introduction 2
Problem Statement 3
Design Solution Check List 3
Critical Infrastructure Monitoring 6
Implementation 7
Key External Technology Measures 7
Key Internal Technology Measures 7
Policy Basics 9
Non-Compliance 9
Identification Procedures 10
Summary 10
Physical Security Information
Management (PISM) 11
About American Alarm and
Communications, Inc. 12
Appendix A: Understanding Physical
Access Control Solutions 13
Contact Information 16
Introduction
In today's ever-growing regulatory
compliance landscape, organization can
greatly benefit from implementing viable
and proven data center physical security
best practices for their organization.
There are plenty of complicated documents
that can guide companies through the
process of designing a secure data center
from the gold-standard specs used by the
federal government to build sensitive
facilities like embassies, to infrastructure
standards published by industry groups like
the Telecommunications Industry
Association, to safety requirements from
the likes of the National Fire Protection
Association.
Recent federal legislation, ranging from the
Gramm-Leach Bliley Act (GLBA), the Health
Insurance Portability and Accountability Act
(HIPAA) and The Sarbanes Oxley Act of 2002
(SOX) Homeland Security Presidential
Directive 7 (HSPD-7) are putting intense
pressure on data centers, co-locations, and
managed services entities to comply with a
myriad amount of security and privacy
issues. What’s more, companies seeking to
use services from data centers are actively
looking for assurances that a strong control
environment is in place, complete with data
center security best practices.
Homeland Security Presidential Directive 7
(HSPD-7) identified 17 critical infrastructure
and key resources (CIKR) sectors and
designated Federal Government Sector-
Specific Agencies (SSAs) for each of the
sectors. Each sector is responsible for
developing and implementing a Sector-
Specific Plan (SSP) and providing sector-
level performance feedback to the
Any opinions, findings, conclusions,
or recommendations expressed in
this publication do not necessarily
reflect the views of American Alarm
& Communications, Inc., (AACI).
Additionally, neither AACI nor any of
its employees makes any warrantee,
expressed or implied, or assumes
any legal liability or responsibility for
the accuracy, completeness, or
usefulness of any information,
product, or process included in this
publication. Users of information
from this publication assume all
liability arising from such use.
April 21, 2011 3
Department of Homeland Security
(DHS) to enable gap assessments of
national cross-sector CIKR
protection programs. SSAs are
responsible for collaborating with
public and private sector security
partners and encouraging the
development of appropriate
information-sharing and analysis
mechanisms within the sector.
These best practices, which many
times are tested by an independent
CPA firm for SAS 70 Type I or Type II
audit compliance, should be
implemented throughout all areas of
a data center, rather than being
segmented to cover only specific
areas. The SAS 70 auditing standard,
in place since 1992, has been and
will continue to be one of the most
effective and well-recognized
compliance audits for testing and
reporting on controls in place at
data centers.
Problem Statement
The IT Sector is a key enabler for
U.S. and global economies, and its
products and services are relied on
by all critical infrastructure sectors.
Because of this reliance, IT Sector
public and private security partners
are actively engaged to ensure the
resiliency of the sector and prevent
and protect against incidents that
could have negative economic
consequences or degrade public
confidence.
What should be the high-level goals
for making sure that security for the
new data center is built into the
designs, instead of being an
expensive or ineffectual afterthought?
From the moment an individual arrives on
the grounds and walks through the data
center doors, the following items should be
part of a data center physical security best
practices program for any data facility.
Design Solution Check List
Build on the Right Spot
Be sure the building is some distance from
headquarters (20 miles is typical) and at
least 100 feet from the main road. Bad
neighbors: airports, chemical facilities,
power plants. Bad news: earthquake fault
lines and (as we've seen all too clearly this
year) areas prone to hurricanes and floods.
And scrap the "data center" sign.
Restrict Area Perimeter
Secure and monitor the perimeter of the
facility
Have Redundant Utilities
Data centers need two sources for utilities,
such as electricity, water, voice and data.
Trace electricity sources back to two
separate substations and water back to two
different main lines. Lines should be
underground and should come into
different areas of the building, with water
separate from other utilities. Use the data
April 21, 2011 4
center's anticipated power usage as
leverage for getting the electric
company to accommodate the
building's special needs.
Deter, Detect, and Delay
Deter, detect, and delay an attack,
creating sufficient time between
detection of an attack and the point
at which the attack becomes
successful.
Pay Attention to Walls
Foot-thick concrete is a cheap and
effective barrier against the
elements and explosive devices. For
extra security, use walls lined with
Kevlar.
Avoid Windows
Think warehouse and not an office
building. If you must have windows,
limit them to the break room or
administrative area, and use bomb-
resistant laminated glass.
Use Landscaping for Protection
Trees, boulders and gulleys can hide
the building from passing cars,
obscure security devices (like
fences), and also help keep vehicles
from getting too close. Oh, and they
look nice too.
Keep a 100-foot Buffer Zone Around
the Site
Where landscaping does not protect
the building from vehicles, use
crash-proof barriers instead. Bollard
planters are less conspicuous and
more attractive than other devices.
Use Retractable Crash Barriers at Vehicle
Entry Points
Control access to the parking lot and
loading dock with a staffed guard station
that operates the retractable bollards. Use
a raised gate and a green light as visual cues
that the bollards are down and the driver
can go forward. In situations when extra
security is needed, have the barriers left up
by default, and lowered only when
someone has permission to pass through.
Plan for Bomb Detection
For data centers that are especially
sensitive or likely targets, have guards use
mirrors to check underneath vehicles for
explosives, or provide portable bomb-
sniffing devices. You can respond to a raised
threat by increasing the number of vehicles
you check, perhaps by checking employee
vehicles as well as visitors and delivery
trucks.
Limit Entry Points
Control access to the building by
establishing one main entrance, plus a back
one for the loading dock. This keeps costs
down too.
Make Fire Doors Exit Only
For exits required by fire codes, install
doors that don't have handles on the
outside. When any of these doors is
opened, a loud alarm should sound and
trigger a response from the security
command center.
Use Plenty of Cameras
Surveillance cameras should be installed
around the perimeter of the building, at all
entrances and exits, and at every access
point throughout the building. A
combination of motion-detection devices,
April 21, 2011 5
low-light cameras, pan-tilt-zoom
cameras and standard fixed cameras
is ideal. Footage should be digitally
recorded and stored offsite.
Protect the Building's Machinery
Keep the mechanical area of the
building, which houses
environmental systems and
uninterruptible power supplies,
strictly off limits. If generators are
outside, use concrete walls to secure
the area. For both areas, make sure
all contractors and repair crews are
accompanied by an employee at all
times.
Personnel Surety
Perform appropriate background
checks on and ensure appropriate
credentials for facility personnel,
and, as appropriate, for unescorted
visitors with access to restricted
areas or critical assets.
Plan for Secure Air Handling
Make sure the heating, ventilating
and air-conditioning systems can be
set to recirculate air rather than
drawing in air from the outside. This
could help protect people and
equipment if there were some kind
of biological or chemical attack or
heavy smoke spreading from a
nearby fire. For added security, put
devices in place to monitor the air
for chemical, biological or
radiological contaminant.
Ensure nothing can hide in the walls
and ceilings
In secure areas of the data center,
make sure internal walls run from
the slab ceiling all the way to
subflooring where wiring is typically
housed. Also make sure drop-down ceilings
don't provide hidden access points.
Use two-factor authentication Biometric
identification is becoming standard for
access control to sensitive areas of data
centers, with hand geometry or fingerprint
scanners usually considered less invasive
than retinal scanning. In other areas, you
may be able to get away with less-
expensive access cards.
Harden the Core with Security Layers
Anyone entering the most secure part of
the data center will have been
authenticated at least three times, including
at the outer door. Don't forget you'll need a
way for visitors to buzz the front desk (IP
Intercom works well for this). At the
entrance to the "data" part of the data
center. At the inner door separates visitor
area from general employee area.
Typically, this is the layer that has the
strictest "positive control," meaning no
piggybacking allowed. For implementation,
you have two options:
-A floor-to-ceiling turnstile
If someone tries to sneak in behind an authenticated
user, the door gently revolves in the reverse
direction. (In case of a fire, the walls of the turnstile
flatten to allow quick egress.)
-A "mantrap"
Provides alternate access for equipment and for
persons with disabilities. This consists of two
separate doors with an airlock in between. Only one
door can be opened at a time, and authentication is
needed for both doors.
At the Door to an Individual Computer
Processing Room
This is for the room where actual servers,
mainframes or other critical IT equipment is
located. Provide access only on an as-
needed basis, and segment these rooms as
April 21, 2011 6
much as possible in order to control
and track access.
Watch the Exits Too
Monitor entrance and exit—not only
for the main facility but for more
sensitive areas of the facility as well.
It'll help you keep track of who was
where, when. It also helps with
building evacuation if there's a fire..
Prohibit Food in the Computer
Rooms Provide a common area
where people can eat without
getting food on computer
equipment.
Install Visitor Rest Rooms
Make sure to include rest rooms for
use by visitors and delivery people
who don't have access to the secure
parts of the building.
Critical Infrastructure Monitoring
"Critical infrastructure" is defined by
federal law as "systems and assets,
whether physical or virtual, so vital
to the United States that the
incapacity or destruction of such
systems and assets would have a
debilitating impact on security,
national economic security, national
public health or safety, or any
combination of those matters.
The Information Technology (IT)
Sector is central to the nation's
security, economy, and public health
and safety. Businesses,
governments, academia, and private
citizens are increasingly dependent
upon IT Sector functions. These
virtual and distributed functions
produce and provide hardware,
software, and IT systems and services,
and—in collaboration with the
Communications Sector —the Internet.
American Alarm & Communications, Inc.
provides technology and services to
monitor many key areas of your operation.
Communication between your business
alarm system and our Monitoring Center is
a critical part of your protective system. Our
Underwriters’ Laboratories (U.L.) Listed
Monitoring Center is the core of American
Alarm’s sophisticated communications
operation. In the event of an alarm, the
CPU in your security system sends an alarm
signal to our monitoring facility through the
phone lines (800 numbers are not used,
given their unreliability). The signal is then
retrieved by our monitoring center, and our
operators quickly notify the appropriate
authorities, as well as the designated
responder, of the emergency.
Monitoring Capabilities
• Fire
• Hold-Up
• Intrusion
• Halon/Ansul
• Panic/Ambush
• Man Down
• Elevator Phones
• Off-Premises Video
• HVAC/Refrigeration
• Sprinkler/Tamper/Flow
• Power Loss/Low Battery
• Gas/Hazardous Chemicals
• Water Flow/Flood Alarms
• Environmental Devices
(CO2/CO/ETC.)
• Radio/Cellular Back-Up
Communications
April 21, 2011 7
Implementation
At American Alarm and
Communications, Inc., we utilize and
integrate mutable solutions to
create a physical security
compliance and risk management
solution that can automate and
enforce physical security policies,
from restricting area perimeter and
securing site assets to personnel
surety and reporting of significant
security incidents; this helps to
ensure both governance and
compliance utilizing an
organization’s existing physical
security and IT infrastructure.
We can centrally manage all
regulations and associated controls
and automate assessment,
remediation and reporting as per
defined review cycles.
Automatically trigger compliance-
based actions, such as rule-based
generation of actions/penalties,
based on physical access events.
Correlate alarms and identities to
better manage situations and
responses across the security
infrastructure. Incorporate real-
time monitoring and detailed risk
analysis tools to instantly enforce,
maintain and report on compliance
initiatives
Key External Technology Measures
Entry Point
Data centers are generally designed
with a central access point that’s
used to filter employees and visitors
into the data center.
All requests are vetted by a security
guard with an intercom link to
ensure that they have a legitimate reason
for entering the premises.
Automatic Bollards
As an alternative to a guard-controlled gate,
automatic bollards can be used at entry
points. These short vertical posts pop out of
the ground to prevent unauthorized
vehicles from driving onto the site. When a
vehicle’s occupants are verified by a guard,
an access card or other secure process, the
bollards are quickly lowered to allow the
vehicle to enter. When in the lowered
position, the top of each bollard is flush
with the pavement or asphalt and
completely hidden. The bollards move
quickly and are designed to prevent more
than one vehicle from passing through at
any one time.
Closed-Circuit TV
External video cameras, positioned in
strategic locations, including along
perimeter fencing, provide efficient and
continuous visual surveillance. The cameras
can detect and follow the activities of
people in both authorized and “off limits”
locations. In the event someone performs
an unauthorized action or commits a crime,
the digitally stored video can supply
valuable evidence to supervisors, law
enforcement officials and judicial
authorities. For added protection, the video
should be stored off-site on a digital video
recorder (DVR).
Key Internal Technology Measures
Lobby Area
With proper software and surveillance and
communications tools, a staffed reception
desk, with one or more security guards
checking visitors’ credentials, creates an
invaluable first line of access control.
April 21, 2011 8
Surveillance
Like their external counterparts,
internal cameras provide constant
surveillance and offer documented
proof of any observed wrongdoing.
Biometric Screening
Once the stuff of science fiction and
spy movies, biometric identification
now plays a key role in premises
security. Biometric systems
authorize users on the basis of a
physical characteristic that doesn’t
change during a lifetime, such as a
fingerprint, hand or face geometry,
retina or iris features.
Mantrap
Typically located at the gateway
between the lobby and the rest of
the data center, mantrap technology
consists of two interlocking doors
positioned on either side of an
enclosed space. The first door must
close before the second one opens.
In a typical mantrap, the visitor
needs to first “badge-in” and then
once inside must pass a biometric
screening in the form of an iris scan.
Access Control List
Defined by the data center
customer, an access control list
includes the names of individuals
who are authorized to enter the
data center environment. Anyone
not on the list will not be granted
access to operational areas.
Badges and Cards
Visually distinctive badges and
identification cards, combined with
automated entry points, ensure that
only authorized people can access specific
data center areas. The most common
identification technologies are magnetic
stripe, proximity, barcode, smart cards and
various biometric devices.
Guard Staff
A well-trained staff that monitors site
facilities and security technologies is an
essential element in any access control
plan.
Loading and Receiving
For full premises security, mantraps, card
readers and other access controls located in
public-facing facilities also need to be
duplicated at the data center’s loading
docks and storage areas.
Operational Areas
The final line of physical protection falls in
front of the data center’s IT resources.
Private cages and suites need to be
equipped with dedicated access control
systems while cabinets should have locking
front and rear doors for additional
protection.
Humans are the weakest link in any security
scheme. Security professionals can do their
best to protect systems with layers of anti-
malware, personal and network firewalls,
biometric login authentication, and even
data encryption, but give a good hacker (or
computer forensics expert) enough time
with physical access to the hardware, and
there’s a good chance they’ll break in. Thus,
robust physical access controls and policies
are critical elements of any comprehensive
IT security strategy.
According to a report by the SANS Institute,
“IT security and physical security are no
longer security silos in the IT environment;
April 21, 2011 9
they are and must be considered
one and the same or, as it should be
called, overall security.”
It is the innermost layer—physical
entry to computer rooms—over
which IT managers typically have
responsibility, and the means to
have effective control over human
access focuses on a set of policies,
procedures, and enforcement
mechanisms.
Policy Basics
Given their importance and
ramifications on employees, access
policies must come from the top
leadership. After setting
expectations and behavioral ground
rules, actual data center access
policies have several common
elements. The most essential are
definitions of various access levels
and procedures for authenticating
individuals in each group and their
associated privileges and
responsibilities when in the data
center.
Step 1
Authorize, identify and authenticate
individuals that require physical
access: • Identify the roles that require both
regular as well as occasional physical
access and identify the individuals that
fill these roles.
• Provide standing authorization and a
permanent authenticator to individuals
that require regular access.
• Require individuals that require
occasional access to submit a request
that must be approved prior to access
being attempted or allowed.
• Authenticate individuals with regular
access requirements through the use of
their assigned permanent authenticator.
• Authenticate individuals with occasional access
requirements through the use of a personal
identification mechanism that includes name,
signature and photograph.
Step 2
Verify that work to be performed has been
pre-approved or meets emergency
response procedures: • Verify against standard Change Control
procedures.
• Verify against standard Maintenance
procedures.
Step 3
Make use of logs to document the coming
and goings of people and equipment:
• Assign the responsibility for the
maintenance of an access log that
records personnel access. Record the
following: • Date and time of entry.
• Name of accessing individual and
authentication mechanism.
• Name and title of authorizing individual.
• Reason for access.
• Date and time of departure.
• Assign the responsibility for the
maintenance of a delivery and removal
log that records equipment that is
delivered to or removed from facilities;
Record the following: • Date and time of delivery/removal.
• Name and type of equipment to be
delivered or removed.
• Name and employer of the individual
performing the delivery/removal and the
authentication mechanism used.
• Name and title of authorizing individual.
• Reason for delivery/removal.
Non-Compliance
Violation of any of the constraints of these
policies or procedures shoulld be
considered a security breach and depending
April 21, 2011 10
on the nature of the violation,
various sanctions will be taken:
• A minor breach should result
in written reprimand.
• Multiple minor breaches or a
major breach should result in
suspension.
• Multiple major breaches
should result in termination.
Although older data centers typically
just consisted of a large, un-
partitioned raised-floor area, newer
enterprise facilities have taken a
page from ISP designs by dividing
the space into various zones—for
example, a cage for high-availability
servers, another area for Tier 2 or 3
systems, a dedicated network
control room, and even separate
areas for facilities infrastructure
such as PDUs and chillers. Such
partitioned data centers provide
control points for denying access to
personnel with no responsibility for
equipment that’s in them.
Identification Procedures
The next step in a physical security
policy is to set up controls and
identification procedures for
authenticating data center users and
granting them physical access.
Although biometric scanners look
flashy in the movies and certainly
provide an added measure of
security, a magnetic stripe badge
reader is still the most common
entry technology, as it’s simple,
cheap, and effective and allows
automated logging, which is a
necessary audit trail.
One problem with magnetic readers,
according is their susceptibility to tailgating,
or allowing unauthorized personnel to trail
a colleague through an entryway. That’s
why we advise supplementing doors and
locks with recorded video surveillance.
I also like to add a form of two-factor
authentication to entry points by coupling a
card reader (“something you have”) with a
PIN pad (“something you know”), which
reduces the risks of lost cards. I also
recommend using time-stamped video
surveillance in conjunction with electronic
access logs and a sign-in sheet to provide a
paper trail.
Access levels and controls, with
identification, monitoring, and logging, form
the foundation of an access policy, but two
other major policy elements are standards
of conduct and behaviors inside the data
center such as: prohibitions on food and
beverages or tampering with unauthorized
equipment, limitations and controls on the
admission of personal electronics such as
USB thumb drives, laptops, smartphones, or
cameras are critical.
Policies should also incorporate processes
for granting access or elevating restriction
levels, an exception process for unusual
situations, sanctions for policy violations,
and standards for reviewing and auditing
policy compliance. Stahl cautions that
penalties for noncompliance will vary from
company to company because they must
reflect each enterprise’s specific risk
tolerance, corporate culture, local
employment laws, and union contracts.
Summary
It’s time to get physical—as in physically
protecting a data center and all of its assets.
The need for ironclad virtual security
April 21, 2011 11
measures, such as managed
firewalls, is well known. Yet physical
security is often placed on the back
burner, largely forgotten about until
an unauthorized party manages to
break into or sneak onto a site and
steals or vandalizes systems.
Today’s security systems include:
• Intrusion and Monitoring
Systems
• Access Control Systems
• Visitor Management Systems
• Surveillance Systems
• Emergency Communications
Systems
• PISM Software Platforms
The newest of these is the PISM or
Physical Security Information
Management system.
Physical Security Information
Management (PISM)
The PSIM Platform enables the
integration and organization of any
number and type of security devices
or systems and provides a common
set of services for analyzing and
managing the incoming information.
It also serves as the common
services platform for video and
situation management applications.
Effectively maintaining security of
critical infrastructure does not
happen by accident, it means giving
your security professionals the best
security/software tools available
today. By unifying your existing
surveillance system and providing
spatial context to your camera
feeds, PISM brings out the best of your
equipment.
To investigate day-to-day incidents, as well
as prepare for emergency situations, the
security department makes use of a vast
network of video cameras, access control
points, intercoms, fire and other safety
systems. PISM unifies all of these disparate
feeds, including systems from diverse
manufacturers, into a single decision-
oriented Common Operating Picture.
Within the PSIM Platform are five key
components:
Integration Services – Multiple strategies
are used for connection, communication
with, and management of installed devices
and systems from multiple vendors. The
PSIM Platform offers complete support for
the industry’s most commonly-used device
types – out of the box. In addition, it
employs customizable “pipeline”
architecture to receive device events. This
architecture exploits commonalities among
similar devices (including format and
protocol) and reduces the need for one-off
adaptations. Network connectivity is
achieved using combinations of multiple
communications protocols.
Geo-Location Engine – The Geo Location
Engine provides spatial recognition for geo-
location of devices and supports situation
mapping functionality. The physical
position of devices is stored in an internal
knowledge base as GIS/GPS positions or
building coordinates. The engine uses the
information to determine relevance,
selects, and relate devices involved in a
given situation. The system uses the
information to overlay graphical
representations of security assets and
April 21, 2011 12
activities onto Google-type maps or
building layouts.
Routing Engine – The Routing Engine
is an intelligent switch that connects
any security device to PISM
command interfaces or output
device(s) and accommodates any
required transformation of formats
and protocols between connected
devices. In most cases, devices
connect directly to each other and
exchange data streams directly,
avoiding possible bottlenecks that
would arise from routing all traffic
through a single centralized server.
An internal knowledge base of all
connected devices and their
characteristics is maintained by the
Routing Engine, which uses that
information to ensure a viable
communication path, compatibility
of signal format and acceptable
quality of service.
Rules Engine – The PSIM Platform
contains a powerful Rules Engine
that analyzes event and policy
information from multiple sources
to correlate events, make decisions
based upon event variables and
initiate activities. Pre-packaged or
user written rules define the events
or event combinations for
identifying and resolving situations
in real time according to business
policies.
Dispatch Engine – The Dispatch
Engine integrates with
communications infrastructure to
initiate external applications or the
transmission of messages, data and
commands. Dispatch actions are
automatically triggered by the rules engine
as it executes recommendations for
situation resolution. Operators can
manually initiate actions as well.
The system integrates and analyzes
information from disparate traditional
physical security devices including analog
and digital video.
The key benefits of today’s technology is
allowing system users to do more with less
by getting maximum benefits through
integrated technologies with each system
(Both new and old) and with the goals of
company policies and procedures like never
before.
About American Alarm and
Communications, Inc.
American Alarm and Communications, Inc.,
is in a unique position to improve personal
protection of key individuals as a
Massachusetts based Underwriters
Laboratories (UL) Listed, and United States
Federal Government (DOD) recognized 24-
hour Security Command Center and Central
Station. Every day we manage a full range
of security, communication and escalation
procedures specifically designed for our key
customers. Our founders, three engineers
from the Massachusetts Institute of
Technology (MIT), have worked to bring the
benefits of new technology and solutions to
our customers. Though we have grown over
the years, our mission has remained the
same: to provide the best possible security
technology and customer service to protect
homes and businesses across
Massachusetts.
April 21, 2011 13
Appendix A: Understanding Physical Access Control Solutions
SOLUTION STRENGTHS WEAKNESSES COMMENTS
KEYS •Most traditional form of access control • Easy to use • Don’t require power for operation
• Impossible to track if they are lost or stolen, which leaves facility vulnerable • Potential for unauthorized sharing of keys • Difficult to audit their use during incident investigations • Difficult to manage on large campuses with multiple doors • Re-coring doors when a key is lost or stolen is expensive
• Several solutions are currently available on the market to manage keys and keep key holders accountable.
LOCKS
Maglock
Electric Strike
• Easy installation • Economical • Easy retrofit • Quiet operation • Can be either fail-secure or fail-safe • Does not need constant power • Door knob overrides for safe exit
• Power always on (fail-safe) • Typically requires exit device to break circuit • Requires backup power supply for 24-hour service • Door/lock hardware experience needed
• DC only • Comes in different “pull” strengths • Check extra features, such as built in door sensor • Requires more door hardware experience than Maglock • Specify for life-safety requirements • Can be both AC and DC (DC lasts longer) • Fail-safe must have power backup • Fail-secure most popular
ACCESS
CARDS
Magnetic
Stripe
• Access rights can be denied without the expense of re-coring a door and issuing a new key • Can limit access to a building to certain times of the day • Systems can provide audit trails for incident investigations • Inexpensive to issue or replace • Durable • Convenient • More difficult to compromise
• Prone to piggybacking / tailgating (when more than one individual enters a secure area using one access card or an unauthorized person follows an authorized person into a secure area • Users can share cards with unauthorized persons • Cards can be stolen and used by unauthorized individuals • Systems are more expensive to install than traditional locks • Require power to operate • Not as secure as proximity cards or smart cards • Can be duplicated with relative ease • Subject to wear and tear • Cost more than magstripe cards
• Can incorporate a photo ID component • Can be used for both physical and logical access control • Card readers should have battery backup in the event of power failure • Tailgate detection products, video surveillance, analytics and security officers can address tailgating issues • Can integrate with video surveillance, intercoms and intrusion detection systems for enhanced security • These are the most commonly used access control cards by US campuses and facilities
April 21, 2011 14
Proximity
Smart Card
than magstripe cards • Less wear and tear issues • Multiple application functionality (access, cashless vending, library cards, events) • Enhanced security through encryption and mutual authentication • Less wear and tear issues
• Easier to compromise than smart cards • Currently the most expensive card access option on the market
• Are widely used for access control (although not as widely as magstripe) • Not as widely adopted as magstripe or proximity cards due to cost • Widely adopted in Europe• Can incorporate biometric and additional data such as Photo and ATM
PIN
NUMBERS
(Pass codes)
• Easy to issue and change • Inexpensive
• Can be forgotten • Difficult to manage when there are many passwords for different systems • Can be given to unauthorized users • Prone to tailgating/ piggybacking
• Should be changed frequently to ensure security • Often used in conjunction with other access control solutions, such as cards or biometrics
DOOR
ALARMS
• Provide door intrusion, door forced and propped door detection • Reduce false alarms caused by unintentional door propping • Encourage staff and students to maintain access control procedure
• Will not reach hearing impaired without modifications • Will not detect tailgaters • Door bounce can cause false alarms
• Appropriate for any monitored door application, such as emergency exits • Used in conjunction with other access control solutions, such as card readers or keys • Can be integrated with video surveillance for enhanced security
TAILGATE/P
IGGYBACK
DETECTORS
• Monitor the entry point into secure areas • Detect tailgate violations (allow only one person to enter) • Detect when a door is propped • Mount on the door frame • Easy to install
• Not intended for large utility cart and equipment passage (which could cause the system to go into false alarm) • Not for outdoor use
• Appropriate for any monitored door application where a higher degree of security is needed, such as data centers, research laboratories, etc • Used in conjunction with other access control solutions, such as card readers • Can be integrated with video surveillance for enhanced security
PUSHBUTTO
N CONTROLS
• Many button options available • Normally-open/Normally closed momentary contacts provide fail-safe manual override • Time delay may be field adjusted for 1-60 seconds
• Anyone can press the release button (unless using a keyed button), so button must be positioned in a secure location (for access control, not for life-safety) • Some can be defeated easily • Can open door to stranger when approaching from inside
• Used to release door and shunt alarm • Used for emergency exits when configured to fail-safe • May be used in conjunction with request to exit (REX) for door alarms and life safety • Still may require mechanical device exit button to meet life-safety code • With REX, careful positioning and selection required
MULTI-ZONE
ANNUNCIAT
• Display the status of doors and/or windows throughout a monitored facility
• 12 VDC only special order 24 VDC option • Door bounce can cause
• Designed to monitor multiple doors from a single location
April 21, 2011 15
ORS • Alert security when a door intrusion occurs • Many options available: zone shunt, zone relay and zone supervision
false alarms • Requires battery backup in case of power failure
• May be used in conjunction with door alarms, tailgate detection systems and optical turnstiles • No annunciation at the door; only at the monitoring station
FULL
HEIGHT
TURNSTILES
• Provides a physical barrier at the entry location • Easy assembly • Easy maintenance • Available in aluminum and galvanized steel
• Physical design ensures to a reasonable degree that only one authorized person will enter, but it will not detect tailgaters
• Designed for indoor/outdoor applications • Used in parking lots, football fields and along fence lines • Use with a conventional access control device like a card reader
OPTICAL
TURNSTILES
• Appropriate for areas with a lot of pedestrian traffic • Detects tailgating • Aesthetically pleasing and can be integrated into architectural designs • Doesn’t require separate emergency exit • Provides good visual and audible cues to users
• Can be climbed over • Not for outdoor use
• Used in building lobby and elevator corridor applications • Use with a conventional access control device like a card reader • To ensure compliance, deploy security officers and video surveillance
BARRIER
ARM
TURNSTILES
(Glass gate or
metal arms)
• Appropriate for areas with a lot of pedestrian traffic • Provides a visual and psychological barrier while communicating to pedestrians that authorization is required to gain access • Detects tailgating • Reliable
• Units with metal-type arms can be climbed over or under • Not for outdoor use • Most expensive of the turnstile options • Requires battery backup in case of power failure
• Used in building lobby and elevator corridor applications • Use with a conventional access control device like a card reader • To ensure compliance, deploy security officers and video surveillance • Battery backup is recommended
BIOMETRICS • Difficult to replicate identity because they rely on unique physical attributes of a person (fingerprint, hand, face or retina) • Users can’t forget, lose or have stolen their biometric codes • Reduces need for password and card management
• Generally much more expensive than locks or card access solutions • If biometric data is compromised, the issue is very difficult to address
• Except for hand geometry, facial and finger solutions, biometric technology is often appropriate for high-risk areas requiring enhanced security
INTERCOMS • Allow personnel to communicate with and identify visitors before allowing them to enter a facility • Can be used for emergency and non-emergency communications • IP solutions today offer powerful communications and backup systems with integration
• Will not reach hearing impaired without modifications • Not appropriate for entrances requiring throughput of many people in a small amount of time
• Appropriate for visitor management, afterhours visits, loading docks, stairwells, etc. • Use with conventional access control solutions, such as keys or access cards • Video surveillance solutions can provide visual verification of a visitor
April 21, 2011 16
Contact Information
James E. McDonald
Integrated Systems Consultant
Government Contracts Team-Massachusetts State Contract FAC64 Vendor
American Alarm and Communications, Inc.
Central Massachusetts Regional Office
489 Washington Street
Auburn, Massachusetts 01501
Direct Phone: (508) 453-2731
Direct Fax: (781) 645-7537
Email: [email protected]
American Alarm Website: www.AmericanAlarm.com
JEM_Blog: www.SecurityTalkingPoints.com
JEM_ Twitter: www.Twitter.com/physectech
Bio: http://www.linkedin.com/in/physicalsecuritytechnologist