printer friendly version

Deriving strategic value from access control

John Loftus discusses the value of access control.

Most South African businesses understand the face value of secure access control, however, what is often missed is the intrinsic value and strategic importance this vital security offering can bring to a business. In the South African climate, crime continues to plague South Africans both personally and in a business context, so securing your people and assets is critical to business survival as well as good corporate governance.

Tough economic conditions over the past couple of years have put business budgets under pressure. Few companies today will embark on company-wide technology upgrades unless deemed critical to the business’s survival. Access control should be considered of crucial strategic importance. Effective access control is the foundation upon which businesses can improve its control over finances, resources and the seemingly constant threat of crime, especially white-collar fraud.

Effective access control devices properly identify people and verify their identity through an authentication process. By definition, access control is the process by which users are identified and granted certain privileges. Good access control systems record and timestamp all communications and transactions so that access to systems and information can be audited at later dates.

Properly planned access control systems can provide information on hourly-paid or temporary workers directly to the payroll system to simplify the process of paying wages; and it can grant or deny access to areas depending on the identity of the individual requesting access. The problem with traditional access systems is that the identification component is inherently insecure.

Who are you paying for what?

Many companies are still using traditional punch card or card-based access control systems because they are cheap, convenient and easy to use. Far too many end up paying workers who often take unauthorised and undetected time off by having a colleague punch or swipe their card for them – a scam known as buddy clocking. At the end of the week or month, these workers receive their full pay as the system records them as being at work, perhaps even working overtime, but the business has not received the productivity it is paying for.

In companies and government departments without any means of access control, the problem of ghost workers is also a constant drain on finances. These workers appear on the payroll, but they do not exist and their wages are paid into someone else’s bank account.

Without the means to positively identify who is where, when, access control systems will cost businesses money. By identification, we mean being sure that the person requesting entrance to a building or clocking in is who they claim to be and not a friend doing them a favour.

Using access control systems that include an effective identity management component allows the company to know who was where and for how long. More importantly, this information can’t be easily tampered with and will therefore result in wages being paid to workers who actually fulfilled their part of the contract.

Health and safety

In South Africa, developments in legislation make it a necessity for all executives to know exactly how many people they have on their premises and exactly where they are. The legislation in the new Health and Safety Act puts the onus on the employer to implement whatever systems are necessary to ensure workers, visitors and passersby are not exposed to danger. This also applies to any contractors one has on site.

What this means that if someone wanders onto a shop floor and is injured by a machine or forklift, for example, even if the injury is due to their own carelessness, the company is responsible and can be taken to court. Every company therefore needs to ensure their access control processes are properly designed and implemented. The alternative is to have someone watching every person on site to ensure they do not damage themselves, which is unrealistic.

Modern access control technologies can take much of this responsibility away from companies, integrating where needed into the corporate network and relevant applications, such as payroll and HR. In high-accident areas, for example, employees can be denied access if they have not attended the latest safety training session or had a scheduled health check. HR simply needs to set the parameters and the systems will do the rest without requiring someone to act as a police officer.

Local access trends

Locally the main type of access control is a role-based access control that allows users to access systems and information based on their role within the business. Role-based access can be applied to groups of people or individuals. For example, you can allow everyone to enter the canteen, but only a limited number of people to gain access to the accounting department. This increases security and reduces the opportunity for crime by ensuring that only those people with a reason to be somewhere can be there.

Another system that is applied is a rule-based access control system that allows users access based on pre-configured rules. Rules can be established that allow access at predefined periods to specific people, again based on their identities and their roles within the organisation. A simple rule might, for example, allow access to a building for all employees during working hours, but only to senior management over weekends.

Using rules in conjunction with roles adds greater flexibility because rules can be applied to people, as well as devices.

Access control technologies

There are various types of access control technologies that can be used to solve enterprise access problems. Tokens, smartcards, biometrics and PIN/passwords are some of the more popular ones.

Biometric devices are growing in popularity. They authenticate users to through some sort of personal identifier such as a fingerprint, voiceprint, iris scan, retinal scan, facial scan or signature dynamics. The benefit of using biometrics is that end-users do not lose or misplace their personal identifier. It is hard to leave your fingers at home.

Initially, biometric applications did not catch on as fast as anticipated due to the number of false positives (incorrect readings). As technology advanced, however, this changed and biometrics is used with confidence in a number of industries today, from mining through to banking. Of course, as with any technology, opting for cheap no-name brand biometric systems is not advised, as the quality can be suspect.

Currently, card-based access solutions are most widely used, but cards can be lost or stolen. Fortunately, the technology embedded within smartcards allows for two-factor authentication. This is commonly described as gaining access due to something you have (the card) and something you know (a password or PIN).

Something you have is the card with your details on it; something you know is a PIN or password, or even a biometric token that ensures you are the person who is supposed to have the card. Two-factor authentication is not used for physical access as much as it is for logical access right now, but it is becoming a preferred integrated solution for allowing people to access buildings and computer systems. The potential for integrated physical and logical access control solutions is another area in which we expect to see tremendous growth in coming years.

As with any technology, it is important to remember that technology is only as good as its acceptance by users and the ease with which they can use it. To ensure you business has an effective access control system in place, you need to start by developing the appropriate access policies and procedures based on the requirements of the company and the capabilities of users. Once you know what you want and how it should perform, selecting the technology to meet your needs becomes easier. All you need then is to find the right partner who understands your business and has the knowledge, skills and experience to ensure your system delivers.

Share this article:

Further reading: