May 21
Access Control Blues
Around this time last year, I had been up to my neck in a messy repair job at work. Every day my team and I had to deal with issues revolving around The Tickler, The Reacharound, and The Dumptruck. No, this isn’t some unsavory gay porno I’m talking about… these are real project names we have given to various software components of a fairly complex job. Specifically, they are the functional pieces of the physical access control system we use at work, which needed some significant tuning.
By now, if you’re still reading this, you are probably involved in some capacity with the access control or security industry. Thanks for sticking around. I will try to make this whole rant of mine worth your time.
In hindsight, I really wish we had just taken the plunge to be rid of this particular system completely and started over from scratch. It really has been nothing more than a headache for us, but at least I’ve learned quite a few things about access control and physical ID card production. So here I am sharing these valuable nuggets of information with you, at no cost whatsoever… except that if you find them useful, you owe me a beer (or two). I’m not a heavy drinker. I promise.
I had thought long and hard about making any comments about this sort of thing publicly. But after having been asked why I had locked myself in a cage for many months last year, it seemed like a good time to vent a little and share some of the mistakes we made so that others don’t have to make them. This is part of the coolness of working at a university. I wouldn’t dare discuss these sorts of issues in the open if this were corporate America.
So here goes. I broke these tips down into pieces for you:
Card Production
- Wear Your Overcoat. If you use ribbon printers (Fargo, MagiCard, Zebra, Evolis, etc.), don’t cheap out by skipping the overcoat. You will be left with ID cards that wear the hell out and look like garbage within a few months. Spend the extra dough and use a proper overcoat. In the words of the great Mister T… “I pity the fool who wants to be a cheap bastard”… or something like that.
- Tune Your Oven. When you use a printer that supports overcoats, you must tune it properly. This isn’t some fire-and-forget solution… you need to find the temperature at which the overcoat bonds to the card. Too hot, and the card warps. Too cold, and the overcoat doesn’t bond properly. These printers can be like petulant little electric toasters rather than the grand pizza ovens their vendors advertise them as. They require occasional inspection and maintenance in order to minimize errors during printing.
- Automating RFID Input Fail. Automated RFID/HID tag reading is one of those things that a good number of the smaller access control software vendors advertise – “It’s all automatic!” – and you will have to accept that, more often than not, this process will not work properly at all. This is the feature that gets bullshat around the most. Be prepared to enter these values by hand. Someone’s going to have to do it.
- Strip Permissions Out. Proper delegation. You DO NOT want your card production staff to have the ability to change access control groups, or to do anything of that sort. Why? It’s not about trust. It’s about accountability. Make it easier for everyone and don’t saddle them with that burden/responsibility. Make sure your production environment makes it impossible for them to do anything other than, perhaps, correcting typos in a person’s name, or editing data that only they would use, such as barcodes or magstripe data. Enforce that separation in the software’s role configuration rather than in a procedure document, so that every access group change is traceable to someone who was actually authorized to make it. They and everyone else will thank you in the long run.
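To make the “Strip Permissions Out” point concrete, here is an added example (written for this edit, not code from the original post or from any access control vendor) of a field-level allowlist that lets a card production clerk fix names and re-encode cards while denying any change to access groups. The role names, field names, and the in-memory cardholder store are assumptions made for illustration; a real deployment maps them onto the role configuration of whatever access control package is in use.

```python
"""Field-level least privilege for an ID-card production workstation.

Added example, not code from the original post or from any vendor. Role
names, field names and the in-memory cardholder store are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Allowlist: which record fields each role may modify. Anything not listed is
# denied, so a field added later stays locked until someone decides who may
# touch it. Only security_admin may change door access.
FIELD_ALLOWLIST = {
    "card_production": frozenset({"first_name", "last_name", "barcode", "magstripe"}),
    "security_admin": frozenset({"first_name", "last_name", "access_groups", "status"}),
}


class PermissionDenied(Exception):
    pass


def can_edit(role: str, fields) -> bool:
    """True only if every requested field is in the role's allowlist.

    Unknown roles have an empty allowlist and therefore can edit nothing.
    """
    return set(fields) <= FIELD_ALLOWLIST.get(role, frozenset())


@dataclass
class AuditEntry:
    when: str
    actor: str
    role: str
    record_id: str
    changes: dict
    allowed: bool


@dataclass
class CardholderStore:
    """Tiny in-memory stand-in for the access control database (assumption)."""
    records: dict
    audit_log: list = field(default_factory=list)

    def update(self, actor: str, role: str, record_id: str, changes: dict) -> dict:
        """Apply `changes` to a cardholder record if `role` may edit every field.

        All-or-nothing: if one requested field is outside the allowlist the
        whole update is rejected, so a clerk cannot smuggle an access_groups
        change in alongside a legitimate name fix. Every attempt, allowed or
        not, goes to the audit log so the denial itself is evidence.
        """
        ok = can_edit(role, changes)
        self.audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            actor=actor, role=role, record_id=record_id,
            changes=dict(changes), allowed=ok,
        ))
        if not ok:
            denied = sorted(set(changes) - FIELD_ALLOWLIST.get(role, frozenset()))
            raise PermissionDenied(f"role {role!r} may not edit {denied} on {record_id}")
        record = self.records[record_id]
        record.update(changes)
        return record


def demo() -> CardholderStore:
    """Run a clerk and an admin through the same store; returns it for inspection."""
    store = CardholderStore(records={           # constructed sample record
        "1001": {"first_name": "Jon", "last_name": "Doe",
                 "barcode": "000001001", "magstripe": "1001",
                 "access_groups": ["Main Entrance"], "status": "active"},
    })
    # Clerk fixes a typo: allowed.
    store.update("clerk1", "card_production", "1001", {"first_name": "John"})
    # Clerk tries to add a group while re-encoding: the whole update is rejected.
    try:
        store.update("clerk1", "card_production", "1001",
                     {"barcode": "000001002", "access_groups": ["Server Room"]})
    except PermissionDenied:
        pass
    # Admin grants the group: allowed and logged under the admin's own name.
    store.update("secadmin", "security_admin", "1001",
                 {"access_groups": ["Main Entrance", "Server Room"]})
    return store


if __name__ == "__main__":
    s = demo()
    print(s.records["1001"])
    for entry in s.audit_log:
        print(entry)
```

The two design choices worth copying into a real system are the deny-by-default allowlist (a role can only touch fields someone explicitly granted) and the all-or-nothing check, which stops a mixed update from partially applying.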
Access Control Software/Hardware
- Core Access Control Functionality Is Easy-Peasy. For every big vendor like Lenel, AMAG, Software House, or S2, there are a bunch of smaller companies who eke out a living building accordingly smaller software packages. There is nothing wrong with that. However, access control functionality is a rather mature feature set, and everyone at this point is supposed to be doing it right… but you would be surprised, because some vendors still get it horribly wrong. In other words, while it may not be as simple a procedure as boiling water, a vendor had better not totally fuck shit up when it comes to making doors open when a proper card is presented to them. So if you are stuck with a system which requires you to constantly restart intelligent controllers or door modules… or has trouble pushing cardholder state changes out across the system (a card you deactivated this morning that still opens doors this afternoon is the case to test for)… you had best kick them to the curb and find someone else who can do this sort of thing properly.
- Scalability Blah Blahblahblah. Unfortunately the refrain is similar to the above. A lot of the smaller vendors simply don’t have this functionality done properly. What works well when you are a single building with fewer than a hundred card readers and a fixed population will most likely turn into a vat of boiling vomit when you double or quadruple the cardholder population. There are some things which simply can’t be reproduced in a lab environment. When talking to a vendor, get their references and seriously grill them. Ask these references what sort of problems they encountered with scaling up, and home in on the usual suspect issues… such as server requirements, hardware costs, additional feature costs, and the reliability of each additional component when added to the system as a whole. Do your homework and do not be afraid to dig in.
- System Monitoring… Don’t Underestimate It. Make sure you have some way to monitor your smart controllers. Industry-standard stuff like SNMP would be nice, but most of them don’t support it, so you are left with ping monitoring as the only option. This is complicated by the fact that many controllers have Ethernet/TCP/IP support bolted on as an afterthought, with their roots in RS-485 or similar serial connections: the Ethernet module might fail while the underlying controller keeps working on its own, so a dead ping tells you that you have lost communication (and that cardholder changes are no longer reaching that controller), not necessarily that the doors have stopped working. Treat a controller as healthy only when it answers pings and the head-end is still receiving events from it, and alert on state transitions rather than on every failed poll.
- Go Heavy On Smart Controller RAM. There is a temptation to cheap out on the memory available for transactions or card data on your smart controllers, in particular the ones you regard as low-traffic. Don’t do it. You will be doing yourself a huge disservice. Think about what happens when access to a set of readers changes because of a department move and suddenly many more people need access to a set of doorways. Understand that many vendors do not have truly drop-and-replace system boards… they will need to be reprogrammed, and one of the side effects of that is system downtime. We all know how pissed off people can be if they can’t access their corporate computing resources. Now think of what happens if you deny them access to their bathroom doors.
- Proprietary Schmoprietary. Some of the intelligent controllers on the market allow you to run any vendor’s software on them. Of course this is used as a selling point. Guess what though… just like any other technology, you can get royally screwed by this. The caveat usually runs along the lines of… “Oh, you can run our new software on these boards… but you would have to have the latest version of the board to do it”. Sound familiar? Sure! You can upgrade to Windows Version XXX, but your motherboard and CPU are too slow, so you need to upgrade to something newer… The moral of this story is that it really doesn’t matter whether a vendor’s hardware is proprietary or open: if you plan on switching vendors, even with an open system, you are going to get screwed in some fashion. As for the war between proprietary and open systems… so long as the damn thing works properly, these sorts of issues really fall into oblivion.
- Think Like A Boulder. If rocks and dirt could actually talk… what would they say? Other than expressing displeasure at being buried without anything interesting to look at for hundreds of millions of years, only to be exposed to the elements, perhaps without a good view, for hundreds of thousands of years… only to be covered over again by a mudslide or whatnot for another few million years… okay, the point is… you need to take a long-term perspective on how long the hardware installation is going to last. Instead of just thinking on a three-year horizon, you need to look further down the road and scale things to the lifetime of the building, or at the very least the full term of your lease. You will not be a happy camper if you are faced with the prospect of replacing hardware mounted in door jambs or walls on a frequent basis.
- Don’t Overlook The Installer Selection. Shady installers will underbid their initial installation contracts because they know that once they have you locked in, they can charge $$$ for any service-related work in the future. Chances are… you will have lots of service work. It goes without saying that you cannot simply assume the installer vendor search is going to be straightforward. This is probably the most critical piece of the whole vendor search process.
- Beware of Mom & Pop Shop Disease. This mainly applies to the access control software vendor… but if they are too small a company, or if the product is run by a single super-intelligent guru (who doubles as a single point of failure), then you need to be careful. Veeeery careful. This is your physical security we are talking about, right?
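The “System Monitoring” item above is the one place in this list where a little code helps, so here is an added example (written for this edit, not code from the original post or from any vendor) of a ping-based controller monitor that suppresses single-packet flaps, distinguishes “Ethernet answers but the controller has gone quiet” from “comms are down”, and alerts only on state transitions. The `probe` callable, the event timestamps, and the controller names are assumptions; in a real deployment `probe` would wrap an ICMP ping and `last_event` would come from the head-end’s transaction log.

```python
"""Reachability monitoring for access control smart controllers.

Added example, not code from the original post or from any vendor. The probe
function, event timestamps and controller names are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

UNKNOWN = "UNKNOWN"        # never seen a successful probe yet
UP = "UP"                  # ping answers and the head-end is receiving events
SILENT = "SILENT"          # ping answers but no events for too long: the NIC is
                           # alive but the controller/polling path is broken
COMMS_DOWN = "COMMS_DOWN"  # ping has failed repeatedly: Ethernet module (or the
                           # whole controller) is gone. Doors may still work on
                           # the cached card database, but cardholder changes
                           # are not reaching it.


@dataclass
class ControllerMonitor:
    probe: Callable[[str], bool]          # returns True if the host answers
    fail_threshold: int = 3               # consecutive failures before COMMS_DOWN
    silent_after: float = 900.0           # seconds without an event before SILENT
    failures: Dict[str, int] = field(default_factory=dict)
    state: Dict[str, str] = field(default_factory=dict)

    def check(self, host: str, now: float, last_event: float) -> Tuple[str, bool]:
        """Probe one controller; return (state, changed).

        `changed` is True only on a transition, so a pager alert fires once
        per outage instead of once per polling interval.
        """
        prev = self.state.get(host)
        if self.probe(host):
            self.failures[host] = 0
            new = UP if now - last_event <= self.silent_after else SILENT
        else:
            self.failures[host] = self.failures.get(host, 0) + 1
            # A single lost ping is noise on a busy network; hold the previous
            # state until the failure count reaches the threshold.
            if self.failures[host] >= self.fail_threshold:
                new = COMMS_DOWN
            else:
                new = prev if prev is not None else UNKNOWN
        self.state[host] = new
        return new, prev != new


def run_poll(monitor: ControllerMonitor, hosts: Dict[str, float],
             now: float) -> List[Tuple[str, str]]:
    """Check every controller; return the (host, new_state) transitions to alert on."""
    alerts = []
    for host, last_event in hosts.items():
        state, changed = monitor.check(host, now, last_event)
        if changed:
            alerts.append((host, state))
    return alerts


def demo() -> List[List[Tuple[str, str]]]:
    """Replay a constructed four-poll scenario; returns the alerts from each poll."""
    # Constructed probe results per poll: ctl-a is fine throughout, ctl-b's
    # Ethernet module dies after poll 0, ctl-c keeps answering pings but its
    # last event stays stuck at t=200 (it has stopped reporting).
    replies = {
        "ctl-a": [True, True, True, True],
        "ctl-b": [True, False, False, False],
        "ctl-c": [True, True, True, True],
    }
    poll = {"n": 0}
    mon = ControllerMonitor(probe=lambda h: replies[h][poll["n"]], fail_threshold=3)
    history = []
    for n in range(4):
        poll["n"] = n
        now = 1000.0 + 60 * n
        hosts = {"ctl-a": now - 10, "ctl-b": now - 10, "ctl-c": 200.0}
        history.append(run_poll(mon, hosts, now))
    return history


if __name__ == "__main__":
    for n, alerts in enumerate(demo()):
        print(f"poll {n}: {alerts}")
```

In the replayed scenario ctl-b needs three consecutive failed probes before it is declared COMMS_DOWN, and ctl-c goes SILENT on the third poll even though it never stops answering pings; that second case is exactly the failure the post warns a ping-only monitor will miss.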
Well, as abruptly as I started ranting, I will end it. I guess I’ll quit while I’m ahead, right? As a disclaimer, the people at my job who I continue to work with in security-related capacities are awesome people, and they know I’m not railing at any of them. If anything, they’re probably wondering why I haven’t said anything about this sooner.
Anyhow, this is my attempt to distill my (however short) involvement with access control and security into some meaningful nuggets of knowledge. I hope they don’t look like floating poop logs… but even lodged within the poop there are kernels of wisdom. Thanks again for reading.