Deriving strategic value from access control

February 2011 Access Control & Identity Management

John Loftus discusses the value of access control.

Most South African businesses understand the face value of secure access control, however, what is often missed is the intrinsic value and strategic importance this vital security offering can bring to a business. In the South African climate, crime continues to plague South Africans both personally and in a business context, so securing your people and assets is critical to business survival as well as good corporate governance.

Tough economic conditions over the past couple of years have put business budgets under pressure. Few companies today will embark on company-wide technology upgrades unless deemed critical to the business’s survival. Access control should be considered of crucial strategic importance. Effective access control is the foundation upon which businesses can improve its control over finances, resources and the seemingly constant threat of crime, especially white-collar fraud.

Effective access control devices properly identify people and verify their identity through an authentication process. By definition, access control is the process by which users are identified and granted certain privileges. Good access control systems record and timestamp all communications and transactions so that access to systems and information can be audited at later dates.

Properly planned access control systems can provide information on hourly-paid or temporary workers directly to the payroll system to simplify the process of paying wages; and it can grant or deny access to areas depending on the identity of the individual requesting access. The problem with traditional access systems is that the identification component is inherently insecure.

Who are you paying for what?

Many companies are still using traditional punch card or card-based access control systems because they are cheap, convenient and easy to use. Far too many end up paying workers who often take unauthorised and undetected time off by having a colleague punch or swipe their card for them – a scam known as buddy clocking. At the end of the week or month, these workers receive their full pay as the system records them as being at work, perhaps even working overtime, but the business has not received the productivity it is paying for.

In companies and government departments without any means of access control, the problem of ghost workers is also a constant drain on finances. These workers appear on the payroll, but they do not exist and their wages are paid into someone else’s bank account.

Without the means to positively identify who is where, when, access control systems will cost businesses money. By identification, we mean being sure that the person requesting entrance to a building or clocking in is who they claim to be and not a friend doing them a favour.

Using access control systems that include an effective identity management component allows the company to know who was where and for how long. More importantly, this information can’t be easily tampered with and will therefore result in wages being paid to workers who actually fulfilled their part of the contract.

Health and safety

In South Africa, developments in legislation make it a necessity for all executives to know exactly how many people they have on their premises and exactly where they are. The legislation in the new Health and Safety Act puts the onus on the employer to implement whatever systems are necessary to ensure workers, visitors and passersby are not exposed to danger. This also applies to any contractors one has on site.

What this means that if someone wanders onto a shop floor and is injured by a machine or forklift, for example, even if the injury is due to their own carelessness, the company is responsible and can be taken to court. Every company therefore needs to ensure their access control processes are properly designed and implemented. The alternative is to have someone watching every person on site to ensure they do not damage themselves, which is unrealistic.

Modern access control technologies can take much of this responsibility away from companies, integrating where needed into the corporate network and relevant applications, such as payroll and HR. In high-accident areas, for example, employees can be denied access if they have not attended the latest safety training session or had a scheduled health check. HR simply needs to set the parameters and the systems will do the rest without requiring someone to act as a police officer.

Local access trends

Locally the main type of access control is a role-based access control that allows users to access systems and information based on their role within the business. Role-based access can be applied to groups of people or individuals. For example, you can allow everyone to enter the canteen, but only a limited number of people to gain access to the accounting department. This increases security and reduces the opportunity for crime by ensuring that only those people with a reason to be somewhere can be there.

Another system that is applied is a rule-based access control system that allows users access based on pre-configured rules. Rules can be established that allow access at predefined periods to specific people, again based on their identities and their roles within the organisation. A simple rule might, for example, allow access to a building for all employees during working hours, but only to senior management over weekends.

Using rules in conjunction with roles adds greater flexibility because rules can be applied to people, as well as devices.

Access control technologies

There are various types of access control technologies that can be used to solve enterprise access problems. Tokens, smartcards, biometrics and PIN/passwords are some of the more popular ones.

Biometric devices are growing in popularity. They authenticate users to through some sort of personal identifier such as a fingerprint, voiceprint, iris scan, retinal scan, facial scan or signature dynamics. The benefit of using biometrics is that end-users do not lose or misplace their personal identifier. It is hard to leave your fingers at home.

Initially, biometric applications did not catch on as fast as anticipated due to the number of false positives (incorrect readings). As technology advanced, however, this changed and biometrics is used with confidence in a number of industries today, from mining through to banking. Of course, as with any technology, opting for cheap no-name brand biometric systems is not advised, as the quality can be suspect.

Currently, card-based access solutions are most widely used, but cards can be lost or stolen. Fortunately, the technology embedded within smartcards allows for two-factor authentication. This is commonly described as gaining access due to something you have (the card) and something you know (a password or PIN).

Something you have is the card with your details on it; something you know is a PIN or password, or even a biometric token that ensures you are the person who is supposed to have the card. Two-factor authentication is not used for physical access as much as it is for logical access right now, but it is becoming a preferred integrated solution for allowing people to access buildings and computer systems. The potential for integrated physical and logical access control solutions is another area in which we expect to see tremendous growth in coming years.

As with any technology, it is important to remember that technology is only as good as its acceptance by users and the ease with which they can use it. To ensure you business has an effective access control system in place, you need to start by developing the appropriate access policies and procedures based on the requirements of the company and the capabilities of users. Once you know what you want and how it should perform, selecting the technology to meet your needs becomes easier. All you need then is to find the right partner who understands your business and has the knowledge, skills and experience to ensure your system delivers.

For more information contact Norbain SA, +27 (0)11 887 1546,,


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Understanding key control systems and best practices
July 2019 , Access Control & Identity Management
The effective implementation of a key control and asset management system can be achieved through best practices to realise decreased operational and financial risk and provide the best value from the application.

XS4 Mini DIN standard
July 2019, Salto Systems Africa , Access Control & Identity Management
The new XS4 Mini maintains the fire rating of the door as no additional drilling of the door is required. It is completely compatible with the DIN 18251 standard fixing instructions.

Child fingerprint identification solution
July 2019 , News, Access Control & Identity Management
Gavi, NEC, and Simprints to deploy world’s first scalable child fingerprint identification solution to boost immunisation in developing countries.

Versatile electronic lock cylinders
July 2019, Salto Systems Africa , Products, Access Control & Identity Management
Fully integrated with the SALTO System’s Space and SALTO KS platforms, the new Geo range of electronic cylinders are compact in size, making them a suitable solution for almost any type of door.

Unlocking the potential of smart locks
July 2019, Secutel Technologies , Access Control & Identity Management, Products
Matrix COSEC has an access solution that has been successfully rolled out with one of the major gyms in South Africa – granting access to both the gym and locker facilities to its members.

SIA talks open APIs at ID4Africa
July 2019 , Editor's Choice, Access Control & Identity Management, Integrated Solutions
Pioneering industry-first open standards initiative from the Secure Identity Alliance assures interoperability for sovereign ID programmes and promises to eliminate vendor lock-in.

A face on security
July 2019, ZKTeco , Access Control & Identity Management
Get a personal connection with thousands of your customers, clients and reward their patronage, and with facial recognition you can also increase add-on sales and profits.

Small business solutions with ­Access in a Box
July 2019, Impro Technologies , Editor's Choice, Access Control & Identity Management, Products, Commercial (Industry)
Access in a Box is specifically designed for small businesses, or businesses with only a few entry points such as gyms, medical practices or retail stores.

Credentials in the cloud
July 2019 , Access Control & Identity Management, Integrated Solutions
HID Global brings high-assurance authentication to broader markets with new cloud-based credential management solution.

Taking docking to the next level
July 2019 , Access Control & Identity Management, Industrial (Industry), Products
Maxiflex recently launched its locally designed, MaxiDock AP, an air powered dock leveller that connects the building with the vehicle and allows for quick and efficient loading and unloading.