Physical Access Control: the Ultimate Guide

Physical access controls determine who can access physical spaces and resources. These controls include some of the most common security measures in the world: walls, fences, locks, guards, cameras, and even signs can all function as physical access controls. These all stand in contrast to logical access controls, which determine access within a computer system.

Physical access controls govern who can enter outdoor perimeters, individual buildings, and sensitive areas within those buildings, as well as who can use key hardware. Let’s work our way from the outside in, starting with perimeter security.

Outdoor Perimeter Security

In many cases, physical access control starts with an outdoor perimeter. The following are some common defense measures used to prevent unauthorized access:

• Fences deter and delay intruders. They can be climbed or broken through, but doing so takes time and risks detection.
• Cameras detect intruders, and can also deter them. A prospective intruder might think twice if they knew any trespassing would be caught on video.
• Signs deter intruders, making it clear an area is off limits. They can also emphasize other security measures, making them more effective at deterrence – such as a sign that makes it clear an area is under surveillance by security cameras.
• Guards detect, deter, and defend against intruders. Human guards are often the most vital element of a security system, but they still benefit from other security measures. They’re also the main people who determine physical access on a day-to-day basis – more on that in a minute.
• Lights detect and deter intruders. Without lighting, cameras and guards will be far less effective at spotting intruders.
• Motion detection can support all of the above. By activating lights or alarms, motion systems can alert guards that there may be an intruder present.

A working perimeter security system doesn’t just have to keep people out; it also has to allow access. That’s why every perimeter will have one or more gates or access points. At an access point, guards check IDs and authenticate people before determining whether or not they may access the premises.

When it comes to perimeter security, the fewer entrances, the better – access points are often the weak link in perimeter defenses. You’ll also want to make sure any access point is properly staffed and equipped to maintain security.

For more information, see our complete guide to outdoor perimeter security.

Building Security

If a building’s four walls contain the bounds of a secure area, you could consider that building’s security a matter of perimeter security. But in practice, securing the inside of a building looks very different from securing an outdoor perimeter.

Most office buildings allow open access to a public-facing lobby. From a front desk, access points and security guards determine who can and can’t venture further into the building.

Many office buildings use proximity cards to allow employees to quickly verify their identity. An employee taps the card on the proximity reader, and the gate allows them into the building. These cards can even be used to track who enters the building, and at what time.

This kind of system can be vulnerable to tailgating attacks, in which an unauthorized person walks through the access point right behind an authorized employee. For this reason, many buildings employ turnstiles to ensure only one person at a time can pass through the entry point.

A turnstile is an example of a mantrap: a gated buffer area separating a secure area from the outside. For greater security, a mantrap can even be an entire room between the access point and the facility in question. Much like an airlock, the person is temporarily trapped until they are authenticated, at which point the door to the facility opens while the door to the outside remains closed until they are through.

Most office buildings also employ one or more people to work the front desk and guard the access point. These workers deter unauthorized access while facilitating entry to the building.

When it comes time for a new employee to gain access, these front desk workers are often the people who take photos and issue IDs, badges, and pass cards. This provides another benefit: because they onboard everyone to the access system, the front desk team can readily identify authorized personnel.

These workers also allow guests into the building. To do so, they refer to a guest list, which really is another form of access control list – not unlike those which computer systems use to set permissions.

Physical Authentication: Let’s Talk About Locks & Doors

The most fundamental of physical access controls is the lock. More likely than not, you’ve got a set of keys on you right now. But there’s more than one way to open a lock. Locks, like all authentication systems, entail using something you have, something you know, or something you are in order to gain access.

Something You Have: Keys & Such

Something you have authentication factors entail using a physical item in your possession to authenticate yourself and gain access. With the right key, you can unlock the door. Proximity cards, mentioned above, are commonly used to enter office buildings, transit systems, and other facilities. “Something you have” can also include key fobs, thumb drives, and anything else you use to open a lock.

Hard keys work better for houses and apartments than for office buildings where hundreds of people might need access. When deploying keys at such a scale, you will likely need a key management system to keep track of all your keys. Plus, there’s always the risk that any employee could simply copy a hard key. For this reason, many offices prefer key cards, reserving hard keys for restricted areas and hardware.

Something You Know: Passwords & Such

The most common example of something you know is the password. But although passwords form the backbone of logical authentication, they’re much less widely used when it comes to physical access.

Much more common is the cipher lock, which requires users to input a key combination to gain access. That way, you don’t have to worry about managing hundreds of hard keys. On the downside, cipher locks don’t usually track the identity of people entering or leaving a secure location.

Cipher locks do have a couple notable vulnerabilities. One is shoulder surfing, in which an unauthorized person can learn the code by discretely watching someone else enter it. Combinations can also be easily shared, either accidentally or intentionally, with unauthorized individuals.

Something You Are: Biometrics

Something you are authentication factors are often referred to as biometrics. These could include a fingerprint scanner, retina scanner, and similar technologies. But biometric signals don’t have to be high tech: a security guard checking someone against their ID is deploying some pretty sophisticated facial recognition ability.

Multifactor Authentication

You can make authentication significantly stronger by requiring multiple factors before a person can gain access. To pull money from an ATM, for instance, you need a debit card (something you have) as well as a PIN combination (something you know). To enter a secure work area, an office might require users to input a specific combination and scan their fingerprint.

With one factor, all someone has to do is lift a keycard or observe a cipher combination to gain access. Having two authentication factors significantly compounds the difficulty in breaking through a physical authentication system.

That said, multifactor authentication does slow down the authentication process. It might not make sense for a busy office entrance, at least when it comes to registered employees. But it can be a great way to strengthen authentication around high security areas within a building.

Data Centers & Server Rooms

Within a facility, data centers and server rooms are among the areas that frequently warrant heightened physical access control. It’s especially important to keep systems online and sensitive data safe from unauthorized access.

Most server rooms place systems in locked server cabinets. You may also place locks on individual ports, so that no one can tap into the servers without authorization, and restrict the devices that can enter the room. These days, even a smartphone or thumb drive can carry out quite a bit of valuable data.

Some organizations go further, using dark server rooms, which are largely maintained by automated systems. As the name suggests, the lights are off in these – making it all the more noticeable when someone does bring any light into the room.

In any case, you’ll want to restrict access to these sensitive areas. These are one part of your business where it would definitely make sense to use multi-factor authentication and pare down your access control list to those individuals that really do need to enter the server rooms to perform their duties.

Physical Access Control Best Practices

There’s no one-size-fits-all plan to manage physical access control across organizations. In nearly all cases you should start with a physical access audit to identify where your vulnerabilities are. From there, you can put your focus where it counts.

In general, the fewer entry points, the easier it is to secure a physical location. From there, you’ll want to think through different access levels for different areas – do some areas need tighter access control than others?

You’ll also want to consider how your physical security will operate at different times of day. Motion alarms don’t make a lot of sense while a workplace is teeming with people during its business hours, but can be a very effective tool after hours.