Once upon a time you’d arrive at work, smile at the security guard in the lobby who knew you by name and proceed to your workstation, free to roam all about the floors, offices, storage areas, labs, and even the data center behind the main door. Those days are gone.

Today you might have to scan your ID badge to unlock a turnstile just to get into the lobby. Then present your credentials again at the interior entrance, and then again to enter secure areas within the building. Some doors may not open based on your level of clearance.

The methods and tools used to enable these capabilities are known as physical access control systems (PACS). They are crucial components of today’s modern security infrastructure, protecting businesses from both cyberthreats and intruders trying to enter the building.

This article will discuss the what’s, how’s and why’s of physical access control, what to look for in PACS, and best practices for implementing and optimizing your PACS in enterprise-class corporate offices or commercial/manufacturing facilities, large public spaces, parking structures, hotels, and more.

Physical Access Control Systems Defined

A physical access control system enables organizations to manage permissions for who can enter a physical space. It can prevent some individuals from entering a building or parts of a building for safety or security reasons, while allowing authorized individuals to freely access gated spaces without supervision.

PACS leverage technology to automate, control, and track individual access activity using smart tools like key fobs, ID badges, or biometrics (fingerprint, retina, facial recognition scanning) to validate users. Manual methods like keyed door locks only get you so far; they don’t tell you who is in a space or for how long, and posting a security guard at every entrance is not feasible.

While based on technology to enable things like role-based access control, PACS should not be confused with Logical Access Control. PACS limit users’ physical ability to enter spaces whereas Logical Access Control refers to the digital identification and authentication processes around granting users access to an organization’s network resources like servers, databases, applications, bank accounts, and websites. However, PACS play a role in overall cybersecurity in that it can prevent unauthorized individuals from accessing areas with computer endpoints, for example.

Cloud vs. On-Prem PACS

One of the first questions to answer is where you want the brains of your PACS to be located; in the cloud or on-premises. This will impact your support and access capabilities as well as costs.

Both require a physical server to store all the credential and door access information for the organization. The difference is the location where the data is stored. On-premises servers are housed and controlled by administrators within the building, cloud-based servers store information off site, away from the physical business and natively allow for access from anywhere there is an internet connection. This allows operators to troubleshoot, add and remove users and permissions, and run reports remotely. (Note that with the proper connectivity configuration, on-premises PACS can also be accessed remotely.)

On-prem PACS give organizations greater control over its hardware and data. This option may be preferable for single location businesses or those with its data center already on site. However, the user is responsible for the maintenance and upkeep of on-premises equipment, software updates, connectivity to all entrances, and even access to the on-prem server room itself. On-prem PACS may limit flexibility with a proprietary vendor platform, hardware, and/or features, and scalability can get expensive buying and supporting additional servers.

Cloud-based access control systems put the onus on the service provider for server maintenance, keeping pace with the latest security threats and software patches, and protecting your data 24×7. Cloud-based PACS are infinitely more accessible, flexible, and scalable. They eliminate proprietary platforms and compatibility issues, support multiple locations, enable rapid deployment, and allow businesses to expand without buying new hardware. Some providers offer pay-as-you-go consumption models to further reduce costs. 

Cloud-based access control systems can be linked with other security software services, such as identity and access management or video surveillance to provide a comprehensive security solution. The Arcules VSaaS platform easily integrates cloud-based video surveillance with an organization’s existing security infrastructure, including physical access control systems. The Arcules VSaaS subscription model reduces risk, cost, and complexity, with several flexible plan options to meet any businesses’ unique needs and budget. Learn more about Arcules here.

How do PACS Work?

Physical access control systems use fobs, smart ID cards, PINs, and biometrics to verify user authorization rather than physical keys. This allows users to control and track access to rooms and buildings at a granular level, granting or denying entry on an individual basis. The components that comprise a typical PACS are:

  • Authentication Devices. The devices installed at building/room entrance points such as numeric keypads, readers, or scanners for users to enter credentials.
  • User Credentials. The vehicles used to present a password or passcode to the authentication device like a key fob, ID badge, RFID card, fingerprint/retina scan, or PIN entered at the device.
  • Control Panel. Data sent from the reader is analyzed here for an authorization decision.
  • Locking Mechanisms. The electronic, programmable (often magnetic) controls installed at building/room entrance points that lock/unlock remotely.
  • Access control server. The on-prem or cloud-based server storing all user credentials.
  • Monitoring & reporting tools. The system tracks and creates reports on all user entrance and exit activity.

When a new employee is hired, they are given an ID badge embedded with digital credentials, a PIN, and/or their biometric information is collected. Their level of access can be controlled based on job responsibility. The user presents their credentials to the authentication device which scans or reads the data, sends it to the control panel for verification, which then sends a signal to unlock the door if the user is authorized, or keep the entrance locked if not.

The Importance of Physical Access Controls

Workplaces are equally vulnerable to incidents of cyber espionage and workplace violence stemming from disgruntled employees as they are to external security breaches, and you never know where or when the next incident will occur. Proactive steps start with keeping unwanted intruders out of a building, keeping employees out of restricted areas within a building, and knowing where people are at all times.

PACS enhance security by giving administrators complete control over and visibility to all entrances, internal and external. It can restrict employees from entering sensitive areas of a facility, like the data center, to mitigate security breaches from internal sources. They can restrict access to labs with sensitive or expensive equipment to prevent theft, and aid in regulatory compliance by protecting rooms full of confidential patient information in a hospital or healthcare facility. PACS can stop outsiders from entering a building to commit violence without posting a manned guard at every entrance.

Further, PACS can be used in conjunction with building-wide security systems to enable emergency response to a fire or medical event, automatically secure all exterior entrances in the event of a lockdown or armed threat, monitor and locate all individuals by their last entrance or egress point, coordinate a mass evacuation and account for everyone in the building, or count and limit access to areas with maximum occupancy levels in real time.

Types of Authentication Methods

The most common types of authentication methods with top pros and cons are:

  • Smart cards/key fobs. Contain data and permission levels for each user.
        Pros: Unique to each user, security levels can be modified
        Cons: Easily lost, possession = authorization without identification
  • Biometrics. Verifying users by facial recognition, retina, palm, or fingerprint scan.
        Pros: Impossible to replicate/clone, highest level of individual verification
        Cons: Extremely expensive
  • Keypads. Entering a PIN known only to authorized users into a numeric keypad.
        Pros: Can be unique to each user, easily changed
        Cons: PINs can be forgotten, compromised or guessed
  • Mobile devices. Credentials can be added to a user’s mobile phone.
        Pros: Reduces number of physical keys to carry, phones often use biometrics or
                  passwords to access, providing additional security over a key fob
        Cons: Can be lost, dead battery = no access

What to Look for in a Physical Access Control System

The answers here depend on what you are trying to protect and from whom. Is it the building, data, or both? How sensitive is the information, are there industry regulations and compliance mandates to follow? How many entrances to you need to secure? Do you have video surveillance to integrate? How many users will access the system? Are there varying levels of access for different users?

For example, it is counterproductive for businesses with hundreds of employees entering a facility every day to make each one enter a multi-digit PIN at a keypad; better to implement some sort of card or badge scanning system to speed things along.

Once you have a handle on what you need your PACS to do and the number of users it must support, look for these elements in your chosen solution:

  • Scalability. Can the system grow with your business, i.e., support additional locations, entrances, and users? Will it support next-generation advancements in technology?
  • Integration. Make sure the system will integrate with other elements of your security infrastructure such as video surveillance or fire suppression systems.
  • Compatibility. Be wary of vendors that limit the type of hardware that can be used to their brand. You PACS should support open standards and work with multiple types of readers, keypads, and scanners.
  • Credential security. Select a system that supports your preferred authentication method; smart cards, biometrics, or keypads.
  • Ease of use. Your PACS should be managed from a centralized dashboard, allowing administrators to quickly create new or replace lost credentials, change access rights, and remove users. It should provide a holistic view of system status with comprehensive activity reporting, and enable fast building-wide response to emergencies.

Full-Service Security Solutions Should Include Video Surveillance

Access control is a critical element of any physical security system, but by itself is not a total solution. The missing element: real-time video surveillance of secured building/room entry points for a visual record of all access activity (see Point #2 in What to Look for in a Physical Access Control System). However, the solution you choose must easily and seamlessly integrate with the access control systems you have in place (see Point #3).

By integrating access control with video surveillance in a cloud environment (video surveillance as-a-service, or VSaaS), businesses can streamline their most important security functions. Arcules is the world’s only truly open cloud based VSaaS platform that enables seamless integration with the access control systems you have in place. Easily correlate access control events with recorded video footage to provide a complete picture of your facility.

Arcules’ open API and partner plug-ins allow you to easily integrate video surveillance with popular access control devices and services like those available from Genea, one of our key partners, for a comprehensive security solution. And because it’s cloud-based, it can be accessed from anywhere.

Best Practices for Optimizing Your PACS

Get the most value out of your PACS by following these tips:

  • Perform regular system maintenance. Install software patches and updates promptly. Remove the identities of those no longer in the organization.
  • Employee education. Make sure users know how the system works, what to do in the event of malfunction, and whom to contact in the event of lost or stolen credentials.
  • Conduct periodic audits. Test systems for vulnerabilities and to ensure controls meet current compliance standards.
  • Implement multi-factor authentication. Add a second or third validation step to protect ultra-secure areas or resources, such as a one-time access code to be confirmed via text.
  • Enable various permission levels. Reduce risk by controlling areas employees can access by role or responsibility.
  • Choose a cloud based PACS. They simply offer more scalability and accessibility while removing the burden of on-prem server maintenance.
  • Make PACS part of your DR plan. Don’t forget to include PACS hardware and authentication devices in your disaster recovery plan. They may need to be reset after an unplanned outage.

Arcules: The Future of Video Surveillance

The Arcules VSaaS Platform is an open, comprehensive platform that easily integrates with all other security resources and existing infrastructure, including PACS. Unlike traditional systems and other cloud surveillance solutions that require a major upfront investment to remove and replace current equipment with proprietary cameras, the Arcules surveillance system saves time and money by seamlessly integrating with existing all types of cameras and physical access control systems, eliminating switching costs and ensuring a smooth transition from legacy technology while keeping your data safe and secure in the cloud.

Interested in learning more about PACS and how the Arcules cloud-based video surveillance system can integrate with and expand your security capabilities? Schedule a consultation with Arcules today.