
Rule-based access control

Although physical security remains a priority for every organisation, business owners and security specialists must give special attention to security policies that prevent individuals from accessing unauthorised areas within the building while still letting them easily access the spaces they need to do their work efficiently.

This makes decisions about access control very important as some areas of an organisation need to be easily accessed by all employees while some require higher security to reduce the risk of damage or loss of valuable and confidential assets.

Security administrators can develop a set of policies using an access control system to strike a balance between user permissions by granting and denying access to certain areas of the organisation.

For instance, all employees can access a building during normal business hours but only a selected few can have permission to access a secure area within the building, such as the server room.

The policies that determine the user permissions within a system are called access control models. There are generally five main access control systems or models: rule-based access control, role-based access control, mandatory access control, discretionary access control, and attribute-based access control.

The type of access control model best suited to your property is based on various factors such as the type of building, the number of people who need access, and the level of security required.

Read on to find out more about rule-based access control, what it is and how it works, its benefits and drawbacks, and how to choose the best access control system for your property:

WHAT IS RULE-BASED ACCESS CONTROL?

Rule-based access control sets access permissions according to a predetermined set of rules that allow or deny users access within the system regardless of their role or position in the organisation.

Under this access control model, security administrators set rules that determine how, when, and where the employees of an organisation can access areas, spaces, and resources.

A control list is set for each space or resource, and when an employee tries to gain access, the list of requirements is checked by the access control system and access is either granted or denied.

Unlike role-based access control, access permissions are not related to specific roles or a hierarchy within the organisation and can be used to override other permissions that the employee may hold.

For example, an HR associate with role-based access permissions to access an area within the building that holds personnel records may not be allowed to access said area on the weekends if it is covered by a rule which says that it cannot be accessed outside of business hours.

Rule-based access control models are mostly used in conjunction with other access control models, particularly role-based systems. This hybrid system enables system administrators to provide additional levels of security to meet specific risks.

HOW DOES RULE-BASED ACCESS CONTROL WORK?

Rule-based access control systems work to limit access to unauthorised users while granting access to authorised ones.

The access rules are created by the system administrators and are integrated throughout the access control system. When the user presents their access credentials to the system in the form of an access card, access code, key fob, mobile phone, or biometrics, the control panel checks them against the access rules, and the user is granted or denied access.

There are a few important steps when it comes to implementing a rule-based access control system. They include:

  1. Reviewing the rules that apply to certain access points as well as general rules that apply to all the access points. The high-risk areas without any specific rules must be identified regularly to keep up with the constantly changing security vulnerabilities.
  2. Identifying and analysing potential scenarios that may require additional rules in order to minimise risk.
  3. Setting new rules or updating existing rules based on the assessment in order to strengthen security levels.
  4. Comparing the rules with access permissions set by other access control models, such as role-based access control, to ensure there is no conflict.
  5. Documenting and publishing the rules so that all the users are aware of their access rights. While it is okay to skip the details, it is crucial that they understand how the rules and policy changes may affect their work operations.
  6. Carrying out regular reviews, conducting system audits to identify any issues or gaps within the system, and revising the rules if necessary.

HOW ARE RULES SET IN A RULE-BASED ACCESS CONTROL SYSTEM?

The rules in a rule-based access control system are based on factors such as:

  • Time – for example, no access allowed outside of regular business hours;
  • Hierarchy – for example, access allowed only to senior managers of the organisation;
  • Level of risk – for example, if the organisation is in a risky area or if other access points have been compromised.

Each access point may have a different set of rules, which may be either static or dynamic. Static rules don’t change unless they are changed by the system administrator in order to meet new threats or security requirements.

Dynamic rules, on the other hand, can change under certain circumstances, such as when the system detects several failed attempts at authorisation and denies access to the user.
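The HR associate scenario and the static and dynamic rules described above can be sketched in a few lines of Python. This is an added example, not code from any access control product; the role names, areas, business hours and lockout threshold are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample policy: roles, areas and thresholds are assumptions.
ROLE_AREAS = {"hr_associate": {"lobby", "personnel_records"},
              "engineer": {"lobby", "server_room"}}
HOURS_RESTRICTED = {"personnel_records", "server_room"}
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59, Monday to Friday
MAX_FAILED = 3                  # failed attempts before lockout

@dataclass
class Request:
    user: str
    role: str
    area: str
    when: datetime

def business_hours_rule(req, failed):
    """Static rule: restricted areas are closed outside business hours."""
    closed = req.when.weekday() >= 5 or req.when.hour not in BUSINESS_HOURS
    if req.area in HOURS_RESTRICTED and closed:
        return "outside business hours"
    return None

def lockout_rule(req, failed):
    """Dynamic rule: the outcome changes with the user's failed-attempt count."""
    if failed.get(req.user, 0) >= MAX_FAILED:
        return "locked out after repeated failures"
    return None

RULES = [lockout_rule, business_hours_rule]

def decide(req, failed):
    """Return (granted, reason). A denial from any rule overrides the role."""
    for rule in RULES:
        reason = rule(req, failed)
        if reason:
            return False, reason
    if req.area not in ROLE_AREAS.get(req.role, set()):
        failed[req.user] = failed.get(req.user, 0) + 1  # feeds lockout_rule
        return False, "role lacks permission"
    failed[req.user] = 0  # a successful entry clears the counter
    return True, "granted"

if __name__ == "__main__":
    failed = {}  # a locked-out user stays locked until this counter is reset
    saturday = datetime(2024, 3, 9, 10, 0)
    print(decide(Request("ann", "hr_associate", "personnel_records", saturday), failed))
```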

BENEFITS OF RULE-BASED ACCESS CONTROL

There are several benefits of implementing a rule-based access control system. They include:

  • Better security – since most rule-based access control systems work in conjunction with other access control models, they provide a higher level of security.
  • Granular control – several variables can be set and managed within rules to ensure a high level of control and increase security in high-risk areas.
  • Simple validation – the access requests are checked against a list of pre-set rules and are quickly validated.
  • Flexible control – high-level rules can be set and implemented without the need to change any specific role-related access permissions.
  • Compliance – rules can be set according to federal and industry regulations and can override other access permissions that might compromise compliance.

DRAWBACKS OF RULE-BASED ACCESS CONTROL

The following are some of the drawbacks of implementing rule-based access control:

  • Time-consuming – setting and managing rules can often be a time-consuming process, both when setting up the system and when implementing changes.
  • Continuous monitoring – to make sure the rules are serving their purpose and meeting their intended objectives, they must be regularly monitored by the system administrators.
  • Complex – if the system administrators apply high levels of granularity to the rules, they can become difficult to manage and complex for employees to understand.
  • Generic – compared to role-based access control, rule-based models are not based on individual employee roles and their specific needs to access different areas of the organisation.

OTHER TYPES OF ACCESS CONTROL MODELS

There are several types of access control models other than rule-based systems. They include:

Role-based access control

A role-based access control model is where the system administrator determines the user’s access permissions and privileges based on their role in the organisation. This could mean their position in the company or type of employment. For example, a senior manager would have more access privileges compared to an intern.

Discretionary access control

In discretionary access control, the decisions for the user permissions and privileges are taken by an individual who may or may not have security expertise. Although this model limits the number of people who can change and update user permissions, it can also put the organisation at risk because the decision maker may not be aware of the security risks and implications of their decisions.

Mandatory access control

In contrast to discretionary access control, mandatory access control gives the responsibility of user permissions to a security professional. This person is the only person with the authority to set and manage access rights and permissions. This model is ideal for businesses that have sensitive data and assets to protect, and therefore, require a high level of security.

Attribute-based access control

Attribute-based access control, also called policy-based access control, takes into account the attributes and characteristics of the employee rather than their roles in order to determine access. An employee that doesn’t have the attributes set by the system administrator is denied access.

HOW TO CHOOSE THE RIGHT ACCESS CONTROL MODEL FOR YOUR PROPERTY?

Choosing the right access control model for your property is an important decision and a big investment necessary to protect your valuable assets.

Access control is generally the first line of defence in keeping unauthorised individuals out of areas where they shouldn’t be and is a key safety feature in several types of properties such as workplaces, campuses, and residential flats.

When choosing the best access control model for your property, you need to evaluate your current security needs, which include the level of risk and the number of users of the system.

One of the biggest determining factors is the size and scope of your deployment. If you have only one door to secure, your needs will differ greatly from a property with multiple doors and access points to guard.

Also, the nature of your property will have a huge impact on the type of access control model you use. The more high-risk your property is, the stricter the access control permissions need to be.

Some useful features for access control systems include:

Discretionary access control is best suited for properties that require the most flexibility and ease of use, and for organisations where a high level of security is not required. Some common use cases include start-ups, small businesses, and schools and coaching centres.

Mandatory access control is best used in high-risk properties with confidential data and information such as government buildings, healthcare facilities, banks and financial institutions, and military projects.

Role, rule, and attribute-based access control systems are used in various industries as they provide a good balance between ease of use, flexibility, and security.

Some common places where they are used include commercial and residential flats, offices, banks and financial institutions, hotels, hostels, warehouses, educational institutions, and many more.

CREDENTIAL TYPES FOR ACCESS CONTROL MODELS

After you have chosen the right access control model for your property, you need to choose how the users can get in. The most common credential types that most modern access control systems support include:

Keypad

When using a keypad, users are required to enter a 4 or 5-digit code to enter the building. The system authenticates the code and grants or denies access based on the user permissions.

Key cards

Key cards are one of the most commonly used credential types for access control systems. RFID or proximity key cards can often double as employee badges in offices and other workplaces.

These systems consist of a reader, a controller, and an access control panel connected to an electronic lock, where the user waves the card to the reader for the system to authenticate their credentials.

Key fobs

Key fob door entry systems are similar to key card systems: the user taps the key fob next to the reader or presses the button on the fob.

They are usually made to fit on a keychain, and a good example would be the key fob used to lock and unlock your car door.

Biometrics

Biometric entry systems use fingerprint, iris, or facial scanners, and are a great option for properties that need additional advanced security such as data centres, financial institutions, government buildings, and other high-security areas.

They are usually used as a secondary method of access in addition to a key card or code and add an extra layer of security compared to other keyless entry systems.

Mobile access control

You can turn your phone into your key with mobile-based entry systems. A virtual key is sent via a mobile app or web portal and the system works by authenticating the user’s encrypted key saved in the cloud and authorising or denying them access in real time based on their permissions and privileges.

CONTACT CALDER SECURITY

Calder Security provides access control system services for homes and businesses that include professional installation, maintenance, and repair.

We’ve been working in the security industry since 1976 and partner with only the best brands. Our MLA-approved locksmiths can advise you on the best type of system for your property by helping you assess your security needs and requirements.

Because an access control system operates the locking and unlocking mechanism of your door, installation must be completed properly by someone with detailed knowledge of how these systems work.

We are SSAIB-approved installers and can work with all types of access control systems including intercom, proximity fob, card swipe, and keypad. We also offer biometric systems that use fingerprints or retina scans.

Access control systems are very reliable and will last a long time. But like any technology, they require periodic maintenance to continue working as they should.

We conduct annual servicing to keep your system working well and give it a full check including checking the battery strength, power supply, and connections.

While generally very reliable, sometimes problems may occur with access control systems that can potentially compromise the security of your property.

Common issues include simple wear and tear or faults with the power supply or batteries, and to preserve the security of your property, you need to get the problems fixed ASAP.

We operate a 24-hour emergency service run by qualified security specialist engineers who understand access systems and can resolve issues efficiently and effectively.

Contact us here or call us on 0800 612 9799 for a quick consultation and more information on access control models and how to choose the right one for your property!
