12:55 System access control | |
Like any theater starts with a hanger, and any system of information security begins with ensuring the physical security of most of the information system, regardless of its type, size and cost.A few words about the essence, rather than administration.In the physical security of the term "access control" refers to the practice of restricting access to property, buildings or premises to which access is restricted to authorized individuals. Physical access control can be achieved through the use of human (a guard, bouncer or employee at the reception), through mechanical means such as locks and keys for doors, or through technological means, such as access systems based on access cards or biometric identification. Obviously, in order to ensure the safety of home information system should at least shut the door before leaving. Otherwise, you will have only two entertainment: recovery of lost data and hoped that the valuable information for you was encrypted ... Most companies that use information systems to work, at the entrance, if not in the working area then the building is a specially trained person with the word "protection" or "security service" on badzhike or on the back:), which usually requires a pass to show those who work in this building and the logs of all, who does not work in this building / room, but for some business matters should go inside. According to legend, he does so in order to be a case of lost property quickly find someone who could do it from outsiders. As a rule, modern offices are equipped with surveillance cameras, so in case of misconduct of visitors they can be easily identified. Ideally near each door to the room to sit by trained security guard, check check and log the then who, what time of inputs and outputs (and preferably 2 to the case when one of the guards itch away for a minute). In addition to guard the door to the premises should be covered by locks (at least from the same guards:)). If the locks are all more or less clear (every house front door is lockable, and even a few), then with the guards, who carefully record in the log each door opening is usually the problem does not even arise, that is to . too uneconomical to maintain such abyss of people do not amusing to direct the workflow of the company, which brings major gains. In order to reduce costs at security personnel and improve the physical security of the system used access control (to buildings and facilities). Immediately say, that the presence of a person's face is still necessary, so we will not touch on this issue because it goes beyond the topic. Access control determines who is allowed to enter or exit, where they are allowed to enter or exit, where they are allowed to enter or leave and when they are allowed to enter or leave. Them in this case means those who have a pass (ie, access), those who do not pass, the questions where, when and where I / O should not worry. Electronic access control uses the power of computers to solve problems associated with the constraints of mechanical locks and keys (and described above as security guards). The electronic system determines whether it is possible to gain access to the protected area, based on the given permission (skipping). If access is obtained, the door opens for a certain period of time and this action will be recorded in the system. If access is denied, then the door will remain closed and the access attempt will also be recorded. The system will also monitor the door and give an alarm if the door will be opened with brute force, or will remain open too long time interval (suddenly someone specifically left the door open so that the inside could get an outsider). Access Control Points can be doors, turnstiles, gates, parking space, elevators or other physical barrier where access can be controlled electronically. Typically, the access control point is a door, and access is controlled by a magnetic lock and card reader. The main user interface with access control system - a smart card reader. Reader depends on the technology of smartcards. Magnetic stripes, bar codes, or cards Weigand usually called contact readers and are most often used in stores and at ATMs. Some contact readers require that the card was held at a certain distance so that data can be well-read. Readers for proximity or contactless smart cards is actually a radio transmitter. Broadcast field, the reader activates the card, which then begins the broadcast with a reader. Smart cards with gold-plated contacts visible on the card, known as contact smart cards and require the same gold-plated contacts on the reader to physically touch the contact card to make the transfer. Biometric readers are unique in the use of technology, but always require the user to the presentation of parts of his body, whether it is touching to the reader for bringing him to a fingerprint or hand geometry, or the need to look into the camera for face recognition, iris scan and retina, or cast some phrases into a microphone for voice recognition. Simply put, the one who has the right to access to the premises (pass) makes a pass system (brings to the proximity reader) and a door is opened or not opened, but in any case such an event is automatically recorded in the system. A non-trivial case of implementation.Of course venturing frantic activity to install the access control system into the room 15 sq.m, which sits 3 people has a special meaning. But for a sufficiently large company, which has several buildings in different cities should think about implementing a full-fledged access control system to improve overall security, including information. Assume the company name which for us is not too important "has several regional branches. Regions where a decent enough apart from each other. With some regions for communication can be used only satellite link with appropriate bandwidth and other amenities associated with a time delay of signal propagation, as shown in the figure. In each branch there are several large buildings in major cities. Between the buildings of the communication line is good enough, so in the following image is not displayed. Also, the figure shows the number of smart card readers. The fact that the controllers and access control are established based on the number of proximity card readers (that is, in fact, the power controller and its price depends on the number of card readers). For buildings in the minimal set of physical protection means ACS is necessary to put readers on the front and a spare input, storage, server room, an office director, office of information security (one on each side of the door, ie on 2 reader at the door). Total for the building to install 12 readers, on average, since will be variations from those offices, which are desirable to limit the inside of the building (this may be a clean room, laboratory, room for secret talks, electrical substation, garage, etc.). In addition, you must take into account that in each building systems installed security and fire alarm system (according to the requirements of relevant authorities) and surveillance system, which should be linked to good access control system for comfort and control. For such a large system would be desirable to formulate requirements. Any details like "the system must support proximity readers and smart cards and record in the event log entry and exit from the premises" to paint here will not mean their evidence. Let us consider the main points and benifitah who would like to receive as a result of the use of these systems: Access Control Time and Attendance Quality Improvement Control of Autonomous Objects in which there is no permanent presence of guards and attendants (PBX and power unit) Reducing the likelihood of damage to property by theft. Document and the possibility of a retrospective of all the events on the entrance / exit to the premises Integration with current IT-infrastructure Integration with existing systems, security, fire alarm and video surveillance. Prevent unauthorized access to the workplace (AWP). Delimited control for different groups of employees Unlimited scalability and control access to interregional level stipulate what should be avoided at the initial stage of choosing the platform access control systems: Using non-industrial databases (in this case a problem arises with specialists capable of this database to work, as well as the problem of data transfer to / from the base / base, not to mention the timely installation of updates and the removal of critical vulnerabilities of these systems, but recently more and Requirements Law on personal data ") Lack of integration with Active Directory, which already has a record of all employees of the company (have to duplicate information in the database access control, while any difficulty with the guarantee of data consistency within the various IT systems) Lack of scalability in all branches of the company (if the system initially will not support such a scale, then when you encounter this problem a solution will be impossible without a complete change of key equipment ACS) No single point of control system (no one is responsible for system, and it will be impossible to tell what's going on with access to the objects if the system is not centrally managed) Additional requirements associated with scaling the system: The system should have an open architecture for easy integration into it of the other components To ensure ease of scaling the system to inter-regional level To provide support for remote autonomous objects in a thin channel TCP / IP (56 kbps) industrial use DBMS (Oracle or MS SQL) To have integration with Active Directory Providing the possibility of using cards not only for access to the premises, but also for a two-stage user authentication. More or less all of the above requirements are satisfied by the system OnGuard Enterprice by Lenel Systems, as shown in the figure below. Better picture quality, and useful information can be found in the brochure on this system. What's remarkable about this system (do not count them for advertising, just in time have to see about fifty different access control systems, both domestic and foreign development): Features and capabilities: Open Architecture Using the ready-standard software products Centralized management of complex security system Saving the independence of local systems A centralized database (any relational customer's choice) Using a single identity card Scalable up to the level of major interregional systems interface to work with databases, HR-systems Sync data between multiple databases via LAN / WAN Simultaneous monitoring of events and alarms in multiple regions with one workstation Segmented architecture database systems, for which there are built-in interfaces: System badge Digital CCTV The alarm Office visitors Privacy Property Management Human Resource Management Time and Attendance Elements of a comprehensive security system, whose support is not limited to quantify: Regional Servers Access Map Time Zone monitoring stations Access Levels Relay outputs + Active Directory integration and other IT systems using proprietary software called OpenIT . The last point it is most important, because most such systems are not integrated with Active Directory, but in vain, because it is a big plus for large companies. Many systems are well integrated into a video surveillance system and alarm system, OnGuard can also be combined with security and fire alarm systems and CCTV. Let's compare the two systems.Let's according to several criteria comparable system from Lenel Systems with the most popular access control system of domestic production Perco. We will compare the most advanced versions of both the manufacturers: What can be said for the comparison. Perco developers need to work on the system. For those who want to use the access control system from Perco to close a single door or turnstile to actually running the company, in which more than 300 employees, will have the opportunity to experience the delights of some closed proprietary systems, and quality of technical support software home manufacturers. At this dwell on the negative reviews. Let us now look at the pros, which makes use of the system of industrial DBMS (Oracle or MS SQL) and integration with Active Directory. Firstly, such a system can be easily integrated with existing systems of personnel records. Secondly, you can use a little modified access card for the organization of two-factor authentication of users on a workstation thus forcing users to lock the workstation before the leaves-room even for a few minutes. Third, once the system will interact with Active Directory, then the same card can be used, for example, in order to pay for lunches in the cafeteria and did not shovel in the pockets of small change. You can use over and ordinary bank cards for such a case, but much more interesting to make interfacing with accounting software and harchevatsya at the expense of wages (even more so that the company can thus reduce the number of tax deductions). Inference.In general, if you decide to install an access control system, remember that a simple time tracking can provide, and grandmother-porter, which will accurately record the arrival and departure times of man. And to create an easy to use and administration system that provides automatic control of access for each employee on the individual scheme, conjugated with alarm systems to CCTV, which can later be expanded into several buildings without changing the hardware is better to find something with an open architecture, industrial database and integration with Active Directory. And most importantly do not let the personnel department too much authority to work with this system, otherwise they will turn it into a tool of blackmail employees for tardiness and absenteeism. | |
|
| |
| Total comments: 0 | |