# Access Control Systems
Physical access control as a security discipline: proximity cards, smart cards, biometrics, mantraps, and PACS platforms. Covers physical-logical integration, tailgating and card-cloning risks, and audit trail requirements.
## Definition
Physical access control is one of the oldest security disciplines in existence and one of the most frequently underinvested in modern cybersecurity programs. The assumption that digital threats belong to IT and physical threats belong to facilities has created a category of risk that neither team fully owns: the intersection where physical access enables digital compromise, and where digital systems govern physical movement.
Physical Access Control Systems (PACS) are the technical infrastructure that determines who can enter which spaces, when, and under what conditions. They are the combination of credentials (badges, biometrics, PINs), readers (proximity readers, smart card terminals, biometric scanners), control hardware (door controllers, electronic strikes, maglocks), and management software that logs every access event and enforces organizational access policy at the physical layer.
The reason physical access control belongs in a cybersecurity framework is direct: data centers, network closets, server rooms, and executive work areas are high-value physical targets. An adversary who gains physical access to a server rack, a network switch, or an unattended workstation bypasses years of network and application security investment in seconds. The most sophisticated perimeter firewall is irrelevant to an attacker who is standing inside the building.
In the Planetary Defense Model, physical access control sits at the convergence of SPH (Security Posture and Hygiene) and IAT (Identity Access and Trust). The SPH dimension covers the physical configuration of doors, readers, and spaces. The IAT dimension covers identity verification: the question of whether the person presenting a credential is who they claim to be, and whether they are authorized to be where they are attempting to go. These two domains cannot be separated in physical security. Authentication without physical enforcement is wishful thinking. Physical enforcement without identity verification is a locked door with the key under the mat.
---
## How It Works
### Credential Technologies
The credential is what a person carries or presents to prove their identity. The security of the entire access control system depends substantially on how hard that credential is to forge or clone.
Low-frequency proximity cards (operating at 125 kHz) are the oldest and most widely deployed credential type. Brands include HID Prox, AWID, and similar products. These cards contain a simple chip that broadcasts a fixed ID number when placed near a compatible reader. They require no power source: the reader field powers the card inductively. The problem is fundamental to how they work. The ID number is transmitted in the clear, with no encryption and no authentication. Anyone with a $50 reader purchased online can capture a proximity card's ID from a few inches away without the cardholder knowing. That captured ID can then be written to a blank card and used to open the same doors the original holder can access. This is not a theoretical attack. Proximity card cloning is documented, demonstrated at security conferences, and executed by red teams in the majority of physical security assessments. Organizations still operating 125 kHz proximity credentials are running a credential security posture that was obsolete fifteen years ago.
Smart cards at 13.56 MHz (MIFARE Classic, MIFARE DESFire, HID iCLASS, iCLASS SE) operate at higher frequency with cryptographic authentication. The card and reader engage in a challenge-response exchange: the reader sends a challenge, the card responds using a cryptographic key stored in secure memory, and the reader verifies the response without the key ever being transmitted. MIFARE Classic, an early 13.56 MHz standard, has known cryptographic weaknesses and is considered legacy. MIFARE DESFire EV2 and EV3 use AES-128 encryption and are currently considered cryptographically sound for commercial physical access applications. HID's iCLASS SE platform uses SEOS (Secure Element OS) technology and supports mobile credential delivery via NFC on smartphones.
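The difference between a fixed ID and a challenge-response exchange can be modeled in a few lines. This is an added example, not code from any card or reader vendor: the class names, card ID and UID are constructed, and HMAC-SHA256 from the Python standard library stands in for the AES-based authentication a real DESFire-class card performs.

```python
import hashlib
import hmac
import secrets


class ProxReader:
    """125 kHz model: the reader only compares a fixed ID the card sends in the clear."""

    def __init__(self, authorized_ids):
        self.authorized_ids = set(authorized_ids)

    def grant(self, presented_id: int) -> bool:
        return presented_id in self.authorized_ids


class SmartCard:
    """13.56 MHz model: the key stays on the card; only a keyed response leaves it."""

    def __init__(self, uid: bytes, key: bytes):
        self.uid = uid
        self._key = key

    def respond(self, challenge: bytes) -> bytes:
        # HMAC-SHA256 is a stand-in for the card's real cipher (assumption).
        return hmac.new(self._key, self.uid + challenge, hashlib.sha256).digest()


class SmartReader:
    def __init__(self, keys_by_uid: dict):
        self.keys_by_uid = keys_by_uid
        self._pending = {}  # uid -> challenge issued for the current attempt

    def challenge(self, uid: bytes) -> bytes:
        self._pending[uid] = secrets.token_bytes(16)  # fresh value per attempt
        return self._pending[uid]

    def grant(self, uid: bytes, response: bytes) -> bool:
        challenge = self._pending.pop(uid, None)  # each challenge is single use
        key = self.keys_by_uid.get(uid)
        if challenge is None or key is None:
            return False
        expected = hmac.new(key, uid + challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def compare_credentials() -> dict:
    """Return the door decision for a legitimate read and for a recorded one."""
    prox = ProxReader(authorized_ids={0x2A51F3})  # constructed card ID
    observed_id = 0x2A51F3  # the same value every read, visible to any reader
    uid, key = b"\x04\xa1\xb2\xc3", secrets.token_bytes(16)  # constructed UID
    card, reader = SmartCard(uid, key), SmartReader({uid: key})

    first = card.respond(reader.challenge(uid))
    legitimate = reader.grant(uid, first)
    reader.challenge(uid)  # next attempt gets a new challenge
    replayed = reader.grant(uid, first)  # old response no longer matches
    return {
        "prox_recorded_id_accepted": prox.grant(observed_id),
        "smart_legitimate_accepted": legitimate,
        "smart_recorded_response_accepted": replayed,
    }
```

The fixed ID is accepted no matter who presents it, while the recorded smart card response fails because the reader issued a different challenge for the second attempt.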
Biometric readers authenticate based on physical characteristics rather than possession of a credential. Fingerprint readers (optical or capacitive sensors) are the most common and least expensive. Iris recognition systems offer higher accuracy with very low false acceptance rates and are used in high-security environments. Facial recognition systems have improved substantially with AI-based processing and are increasingly common in enterprise lobbies and data center access points. Biometrics offer a significant security advantage over card-based systems: the credential cannot be loaned, forgotten, or cloned without the cardholder's physical presence. However, biometric data is irreplaceable; a compromised fingerprint database cannot be remediated by issuing new credentials. Biometric storage and processing must be handled with data sovereignty controls consistent with CDA's DPS domain requirements and applicable privacy law.
PIN keypads provide something-you-know authentication. They are commonly used in combination with card readers (multi-factor: badge plus PIN) rather than alone, since a PIN observed over the shoulder or captured on camera provides no security without the additional factor requirement.
Multi-factor combinations represent the appropriate posture for high-security spaces. Data centers, security operations centers, and executive areas should require at minimum two factors: a card plus PIN, or a card plus biometric. Single-factor badge access is appropriate for general office areas with a broadly authorized population, but not for spaces where unauthorized access creates significant risk.
### Physical Entry Mechanisms
Standard electronic locks (magnetic locks and electric strikes) are the most common door control mechanism. A magnetic lock holds a door closed by electromagnetic force and releases when power is interrupted or when a valid credential is presented. An electric strike controls the latch mechanism of a standard door lock and is activated by a brief power pulse. Both require the door to be properly alarmed for the open/close state to be monitored.
Mantraps (also called airlocks or access control vestibules) are double-door entry systems that enforce the condition that only one door can be open at a time. A person entering a mantrap presents a credential to open the outer door, steps into the enclosed vestibule, and the outer door must fully close and lock before the inner door can be opened by presenting a second credential. Mantraps eliminate tailgating at the entry point: it is physically impossible for an unauthorized person to follow an authorized person through both doors simultaneously. They are standard at the entrances to data centers, government secure facilities, and financial trading floors. The trade-off is throughput: a mantrap allows one person through at a time and requires several seconds per entry. High-traffic entryways need multiple mantrap lanes or an alternative mechanism during peak ingress periods.
Turnstiles and optical barriers provide anti-tailgating control at high-throughput entryways such as building lobbies. Full-height turnstiles physically block passage of more than one person per credential presentation. Optical barriers (waist-height barriers with sensors) detect when more than one person passes on a single credential event and alert security personnel. The trade-off relative to mantraps is that optical barriers do not physically prevent tailgating; they detect and alert. Mantraps physically prevent it.
### Visitor Management Systems
Visitor management governs the access life cycle for people who are not permanent credential holders: contractors, vendors, delivery personnel, clients, and guests. Without a managed process, visitors represent a category of physical access that is uncontrolled and unaudited.
Modern visitor management systems (Envoy, Proxyclick, Traction Guest, and similar platforms) provide:
- Pre-registration: visitors are registered before arrival, their identity is verified against watchlists, and a temporary credential is provisioned.
- Check-in: visitor identity is verified on arrival with government ID, and a time-limited badge is issued.
- Escort management: some visitors require escort by an employee at all times; the system tracks whether escort requirements are being met.
- Check-out and automatic deactivation: badges deactivate at end of day or at scheduled departure time, ensuring no credential persists beyond its intended validity window.
---
## Why It Matters
Physical security failures have directly enabled some of the most significant breaches in recent history. The 2020 SolarWinds investigation revealed that nation-state actors had used multiple vectors; physical access to development environments would have circumvented many of the controls that were in place. More commonly, insider threats and industrial espionage rely on physical access to extract data that network controls would have caught if it had traveled through monitored channels.
Tailgating and piggybacking are the most common physical security failures in enterprise environments. Tailgating occurs when an unauthorized person follows an authorized person through a controlled door without presenting credentials. Piggybacking is a social engineering variant: the authorized person holds the door open for the unauthorized person out of courtesy. Security awareness training addresses piggybacking. Mantrap or turnstile infrastructure addresses tailgating. Neither training alone nor technology alone is sufficient; organizations need both.
The compliance dimension is concrete. ISO 27001 (Annex A, control 7.2) requires physical entry controls and visitor registers. SOC 2 Type II (Availability and Security principles) requires documented physical access controls and audit evidence that they are functioning. PCI DSS (Requirement 9) requires physical access controls for cardholder data environments with specific requirements for badge systems, visitor logs, and media destruction. HIPAA Physical Safeguards require covered entities to implement physical access controls for facilities containing electronic protected health information. An organization without functioning PACS and documented access review processes cannot pass these audits.
Red team outcomes are predictable for organizations with weak physical access controls. In penetration tests that include physical access components, testers regularly gain access to internal network connections, workstations, server rooms, and physical document storage through combinations of tailgating, social engineering, and credential cloning. The network and application security investments behind a poorly secured front door are irrelevant to an adversary who can walk through it.
---
## Technical Details
### PACS Vendor Landscape
The enterprise PACS market is dominated by a small number of platforms with broad integration ecosystems.
LenelS2 (Carrier subsidiary, formerly separate Lenel and S2 brands) is among the most widely deployed enterprise PACS platforms globally. LenelS2's OnGuard platform handles access control, video surveillance integration, and visitor management in a unified system. It supports a broad range of credential types, reader hardware, and integration with HR systems for automated provisioning and de-provisioning.
Genetec Security Center integrates physical access control and video surveillance in a single unified platform. Its Synergis access control module supports over 50 reader and controller vendors, providing hardware flexibility. Genetec's architecture is federated: multiple sites can be managed from a single interface, making it well-suited for distributed enterprise environments.
Brivo is the leading cloud-based PACS platform, delivering access control as a subscription service without on-premises server infrastructure. Brivo's model reduces hardware maintenance overhead and supports mobile credentials via the Brivo Access app. For multi-site organizations that lack dedicated physical security IT staff, the cloud-managed model provides a lower operational burden than on-premises alternatives.
Honeywell Pro-Watch is an enterprise platform commonly deployed in critical infrastructure, manufacturing, and government environments. Pro-Watch integrates with Honeywell's broader building management ecosystem including HVAC, elevator control, and fire systems, enabling physical security events to trigger coordinated building-level responses.
### Physical-Logical Integration
The most operationally significant capability of modern PACS is integration with logical access systems: the connection between who can enter physical spaces and what digital systems they can access. This integration matters most in two scenarios.
Termination workflows are where physical-logical gaps cause the highest risk. When an employee is terminated, both their Active Directory account and their physical badge must be deactivated immediately, ideally simultaneously and without manual intervention. Organizations that deactivate the AD account but do not deactivate the badge have a former employee who cannot log in to any computer but can still walk through every door in the building. The inverse, deactivating the badge but not the account, is less likely but also problematic. Integrated workflows connect the HR system (Workday, ADP, or similar) to both the PACS platform and the identity provider, so a single termination event in HR propagates deactivation to both systems automatically. Without this integration, deactivation is a manual process that relies on someone remembering to execute each step, and gaps occur.
Access review synchronization ensures that when an employee changes roles, their physical access changes accordingly. An employee who moves from the finance team to the engineering team should have their physical access to secure document storage reviewed at the same time their logical access permissions are reviewed. Most access recertification programs cover logical access (application permissions, group memberships) but omit physical access from the same review cycle, creating a category of stale access that persists without oversight.
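Where the HR-to-PACS integration is missing or unproven, the termination and role-change gaps in the two scenarios above can be found by reconciling exports from the three systems. This is an added example, not code from any HR, identity or PACS product; the record layouts, finding names and sample data are constructed assumptions.

```python
from datetime import date

# Constructed sample exports. Field names are assumptions, not a vendor schema.
HR = [
    {"emp_id": "E100", "status": "active", "role_changed": None},
    {"emp_id": "E101", "status": "terminated", "role_changed": None},
    {"emp_id": "E102", "status": "terminated", "role_changed": None},
    {"emp_id": "E103", "status": "active", "role_changed": date(2024, 3, 1)},
    {"emp_id": "E104", "status": "active", "role_changed": date(2024, 3, 1)},
]
IDP = {"E100": True, "E101": False, "E102": True, "E103": True, "E104": True}
PACS = {
    "E100": {"badge_active": True, "last_review": date(2024, 1, 15)},
    "E101": {"badge_active": True, "last_review": date(2024, 1, 15)},
    "E102": {"badge_active": False, "last_review": date(2024, 1, 15)},
    "E103": {"badge_active": True, "last_review": date(2024, 1, 15)},
    "E104": {"badge_active": True, "last_review": date(2024, 3, 4)},
    "E999": {"badge_active": True, "last_review": date(2023, 6, 1)},
}


def reconcile(hr, idp, pacs):
    """Return sorted (emp_id, finding) pairs where HR, the IdP and PACS disagree."""
    findings = []
    known = set()
    for rec in hr:
        emp = rec["emp_id"]
        known.add(emp)
        badge = pacs.get(emp, {})
        badge_active = badge.get("badge_active", False)
        if rec["status"] == "terminated":
            # Either system left enabled after termination is a gap.
            if badge_active:
                findings.append((emp, "badge_active_after_termination"))
            if idp.get(emp, False):
                findings.append((emp, "account_active_after_termination"))
        elif rec["role_changed"] and badge_active:
            # Physical access must be reviewed on or after the role change.
            reviewed = badge.get("last_review")
            if reviewed is None or reviewed < rec["role_changed"]:
                findings.append((emp, "physical_access_not_reviewed_since_role_change"))
    # Active badges that HR has never heard of have no owner to terminate.
    for emp, badge in pacs.items():
        if emp not in known and badge.get("badge_active"):
            findings.append((emp, "active_badge_without_hr_record"))
    return sorted(findings)
```

Run on a schedule, a check like this also verifies that an automated workflow is actually propagating deactivations, since any finding means an event did not reach one of the systems.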
### Audit Trails and Forensic Value
Every access event in a PACS generates a log record: which credential, which reader, which door, at what time, and whether access was granted or denied. This audit trail has both operational and forensic value.
Operationally, access logs enable anomaly detection: a user badging into multiple restricted areas in a short window, access attempts at unusual hours, or repeated access denials (suggesting a credential that was not properly updated after a role change) are all detectable patterns.
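The three patterns named above can be expressed as simple rules over an exported event log. This is an added example, not a PACS vendor's detection logic; the CSV layout, door names, badge numbers, thresholds and sample events are constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, badge, door, restricted area (yes/no), result
SAMPLE_LOG = """\
2024-05-06T09:02:11,B-1001,LOBBY-1,no,GRANTED
2024-05-06T09:15:40,B-1001,DC-1,yes,GRANTED
2024-05-06T10:01:05,B-2002,DC-1,yes,GRANTED
2024-05-06T10:03:30,B-2002,IDF-2,yes,GRANTED
2024-05-06T10:07:12,B-2002,SOC-1,yes,GRANTED
2024-05-06T11:20:00,B-3003,DC-1,yes,DENIED
2024-05-06T11:20:20,B-3003,DC-1,yes,DENIED
2024-05-06T11:21:02,B-3003,DC-1,yes,DENIED
2024-05-07T02:44:51,B-4004,IDF-2,yes,GRANTED
"""


def parse(text):
    """Parse CSV events into time-ordered tuples, skipping malformed rows."""
    rows = []
    for row in csv.reader(io.StringIO(text.strip())):
        if len(row) != 5:
            continue
        ts, badge, door, restricted, result = row
        rows.append((datetime.fromisoformat(ts), badge, door, restricted == "yes", result))
    return sorted(rows)


def detect(rows, window=timedelta(minutes=10), min_doors=3, min_denials=3, day=(6, 20)):
    """Return sorted (badge, alert) pairs. All thresholds are assumptions to tune."""
    alerts = set()
    grants, denials = defaultdict(list), defaultdict(list)
    for ts, badge, door, restricted, result in rows:
        if result == "DENIED":
            # Repeated denials inside the window, e.g. stale access after a role change.
            hist = denials[badge]
            hist.append(ts)
            hist[:] = [t for t in hist if ts - t <= window]
            if len(hist) >= min_denials:
                alerts.add((badge, "repeated_denials"))
            continue
        if not restricted:
            continue
        # Granted entry to a restricted area outside working hours.
        if not day[0] <= ts.hour < day[1]:
            alerts.add((badge, "off_hours_restricted_access"))
        # Several distinct restricted doors opened inside one short window.
        hist = grants[badge]
        hist.append((ts, door))
        hist[:] = [(t, d) for t, d in hist if ts - t <= window]
        if len({d for _, d in hist}) >= min_doors:
            alerts.add((badge, "multiple_restricted_areas"))
    return sorted(alerts)
```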
Forensically, when a physical security incident occurs (an unauthorized entry, a theft, a data exfiltration event that was physically executed), PACS logs provide the timeline. Combined with video surveillance footage from camera systems that integrate with the PACS (correlated by badge event and timestamp), investigators can reconstruct who was where and when with precision that witness testimony alone cannot provide.
Retention of PACS audit logs should align with the organization's incident response and legal hold policies. Ninety days of hot retention with one-year archive is a reasonable baseline for most enterprise environments. Organizations in regulated industries (finance, defense) should confirm retention requirements with legal counsel.
---
## CDA Perspective
In the Planetary Defense Model, physical access control is terrain (SPH) protecting civilization (IAT). The SPH domain asks whether the physical environment is configured to enforce access policy. The IAT domain asks whether the identities accessing those physical spaces are properly authenticated and authorized. Physical access control is the point where these two domains must work together or fail together.
CDA's Autonomous Posture Command (APC) methodology applies to physical security with the same principles it applies to digital security: "Your posture adapts. Your hygiene never sleeps." Physical access posture includes the credential technology deployed (whether proximity cards have been upgraded to smart cards), the access review schedule (whether physical access entitlements are reviewed on the same cycle as logical access), the integration state of PACS and HR systems (whether terminations propagate automatically), and the physical condition of the controlled environment (whether doors are properly alarmed, whether mantrap equipment is functioning, whether camera coverage has gaps).
Mission SPH-B03 in CDA's Theater of Operations specifically addresses physical security posture assessment, including PACS configuration review, credential technology audit, visitor management evaluation, and physical-logical integration validation. The mission outputs are directly visible in the SPH ring of the CDA Shield diagnostic: an organization with 125 kHz proximity credentials and no physical-logical integration shows as a materially weaker SPH posture than one with cryptographic credentials, integrated deactivation workflows, and mantrap-controlled access to sensitive areas.
The IAT connection is particularly important. Zero Possession Architecture (ZPA), CDA's IAT methodology, asserts "Trust nothing. Possess nothing. Verify everything." In the physical domain, this means that possession of a badge is not sufficient evidence of authorization. It means continuous verification: is this the right person, accessing the right space, at the right time, for a documented legitimate purpose? Biometric multi-factor, visitor escort requirements, and access review processes are all expressions of ZPA principles applied to physical space.
---
## Key Takeaways
- Physical access control is a cybersecurity control, not just a facilities function. Unauthorized physical access bypasses all network and application security investments by giving an adversary direct access to hardware, network ports, and unattended workstations.
- Proximity card technology at 125 kHz is trivially cloneable with commodity hardware. Organizations still operating HID Prox or equivalent should treat this as an active vulnerability and prioritize migration to 13.56 MHz smart card credentials (MIFARE DESFire, iCLASS SE) or mobile credentials.
- Mantraps provide the only reliable technical control against tailgating at high-security entry points. Optical barriers detect tailgating. Mantraps prevent it. Data centers and secure computing environments should have mantraps, not just optical barriers.
- Physical-logical integration (connecting PACS to HR and identity systems) is essential for termination workflows. A terminated employee with an active badge can access the building even after their AD account is deactivated.
- PACS audit logs have significant forensic value. Every access event is timestamped and correlated with an identity, providing investigators with a physical movement timeline when incidents occur.
---
## Related Articles
- Identity and Access Management (IAM) [IAT101]
- Zero Trust Architecture [IAT110]
- Insider Threat [TID109]
- Video Surveillance Security [SPH-video]
- Autonomous Posture Command (APC) [CDP-APC]
---
## Sources
- NIST SP 800-116 Rev. 1. A Recommendation for the Use of PIV Credentials in Physical Access Control Systems. NIST, 2018. https://doi.org/10.6028/NIST.SP.800-116r1
- ASIS International. Physical Security Professional (PSP) Body of Knowledge. ASIS, 2023. https://www.asisonline.org/certification/physical-security-professional-psp/
- CISA. Physical Security Checklist and Overview. Cybersecurity and Infrastructure Security Agency, 2023. https://www.cisa.gov/physical-security
- ISO/IEC 27001:2022, Annex A, Control 7.2: Physical Entry. International Organization for Standardization, 2022.
- Schneier, Bruce. Secrets and Lies: Digital Security in a Networked World. Wiley, 2000.
- CDA, LLC. Autonomous Posture Command (APC) Methodology Reference. CDA Canon, 2026.
Written by Evan Morgan