Security up front

Access & Identity Management Handbook 2005 Access Control & Identity Management

First impressions count! Both the interview candidate and the salesperson dress smartly, shine their shoes and put on their most confident smiles. So too the architect who uses the front lobby of a building to create an upbeat image of grandeur, solidity, and welcome to those entering. Polished wood and stone, pools and fountains, flowers and trees, and vaulted ceilings all promote an ambiance of success, dignified calm and well-being.

To match this ambiance is an inviting receptionist protected by a desk, a telephone, and a visitors' sign-in book. Through the usually large reception area pass clients, salespersons, stockholders, consultants, VIPs, executives, and full- and part-time employees. Other people such as office equipment technicians, messengers, employees' spouses and children, ex-employees and interview candidates also pass through this space. If the reception area is the only entrance, add janitorial staff and construction workers to this mix.

Yet entrance areas also provide the initial impression of the level of security in an organisation. For small businesses whose employees, operations, information, and products are not at risk, identification and control of those who pass through the entry presents little problem. For larger businesses with valuable products, trade secrets, and confidential or sensitive company information, controlling access from the lobby to the rest of the facility is a real necessity. Methods and processes to accomplish effective security must be carefully planned if the architect's vision of how the lobby should look is to be maintained.

Unfortunately, the security professional is often presented with a fait accompli, a final design that is non-negotiable, or with an existing lobby that is too expensive to restructure. Early involvement of the security manager with the architect is the best cure for such headaches.

To create a secure working environment - secure for employees as well as for other corporate assets - the most fundamental precept of access control must be applied: everyone entering the facility must be identified and have a legitimate purpose for being there. People are processed most easily if employees with readily identifiable credentials can be physically separated from non-employees. A post with an automated credential-reading system or a separate employee entrance with a security officer who can recognise faces or check badges is the most effective solution.

Depending on the size and nature of the facility, a third processing point for service representatives, janitors, and other contract staff may be considered. Alternatively, such semi-permanent visitors could be issued badges to use at the employee entry point or points. Take special care to ensure such badges provide only limited access.

Address three major issues to ensure harmony among security, architecture, and actual use. These are architectural design criteria, systems considerations, and procedural elements.

Architectural design criteria

Ultimately, the entry area layout and design must rest with the architect. The following design criteria or constraints the architect should consider to maximise security are keyed to the accompanying exhibit.

1. Reception desk: Position the desk to provide the receptionist with the best view of doorways and persons who have not been processed. Include a flat surface at a suitable height for visitor sign in.

2. Employee entry: If controlled by an automated credential-reading system, position the entry as far away as possible from visitor traffic, preferably at a separate entrance. If no systems are used, a guard post may be needed for employee identification.

3. Visitor entry: Psychologically, a receptionist is more likely to challenge a visitor passing to the secure side of the premises who does not have prior authorisation if the receptionist does not have to raise his or her voice. Therefore, visitors should be tunnelled to the reception desk and should not be able to access the secure side without passing close to the desk. Ideally, the receptionist should be able to unlock a gate or door to control the passage of processed visitors.

4. Visitor amenities: Telephones, restrooms, and waiting areas should be kept on the unsecured side, especially if visitors must be escorted once they are on the secure side. Pay phones should be within the sight of the receptionist.

5. General traffic: Traffic unrelated to the reception function should be kept away from the entry processing area.

6. Barriers: These may be solid walls, planters or velvet ropes depending on the degree of security needed.

7. Conference room: For short meetings a small conference room in the visitor reception area negates the need to process visitors or to allow them into sensitive or secure departments.

8. Messenger centre: Arrange a separate drop-off counter for packages, lunches, and other small deliveries.

Procedural elements

The degree of visitor processing depends heavily on the level of security. At one extreme, anyone who is not carrying an axe in his or her hand or who does not look like a hobo can walk past the desk. At the other extreme, visitors must have made prior written request, must provide positive identification, and may have to leave a driver's licence or other valuable identification at the desk. These visitors may also be subject to personal and package searches and must be escorted at all times. The requirements of most facilities fall between these extremes.

The following are some suggestions to make visitor processing effective:

* Even if visitors are required to sign in a book, the information is worthless unless supported at least by a business card.

* Issue visitor badges that indicate the date, department or person being visited, and the visitor's name. Visitors should be required to return their badges to the reception point when they leave, preferably signed by the employee being visited.

* Call the person being visited to confirm the appointment, and if policy requires it, ask for someone to meet and escort the visitor. A signature by the escort when the visitor is collected will remind the employee of his or her security duties.

* Receptionists should be trained to observe signs of drug dependence - the visitor may deal in more than just the company's products.

* If badges are the selected means of employee identification by a security officer or by a badge reader, those who arrive without them should be directed to an alternate entrance.

Different business settings or building structures such as high-rise office buildings provide the biggest challenge to effective entry control. Since high-rises are located mostly in high-density, urban areas, these buildings are at higher than normal risk from crime.

If the building is occupied by a single tenant, street-level, lobby-entry processing coupled with additional controls (either receptionist or automated systems) on sensitive floors is relatively easy to implement. A separate area for visitor processing is preferable as is a messenger centre for packages, lunches and unusual deliveries. Messengers should not be permitted to roam the building freely.

Multitenant buildings are more difficult to secure. Building management may provide security officers with sign in sheets for off-hours. The officers may challenge anyone carrying out a package without a property pass. However, these controls are usually worthless. Anyone, even a person who looks like a derelict, with an envelope or a box of sandwiches along with a company and employee name perhaps taken from the building directory has access to the elevator banks.

A tenant that occupies multiple floors and enjoys a dedicated elevator bank can provide effective security at the elevator bank lobby. Once again, if space is available, lobby-level visitor and messenger centres make entry processing more controllable.

For tenants who occupy a single floor, their own elevator lobby is an obvious control point. If two or three contiguous floors are leased to a single tenant, using internal stairs and programming the elevators to stop on only one floor especially during off-hours allows for economical single point control. Where there are multiple tenants on each floor, tenants must control access at their own company's front door.

Except where the building has a sole occupant, beware of fire stairs and back doors. In a multitenant environment, no occupant has control over who is using the stairways so someone may be allowing free access to that space. Stairwell doors should be secured against re-entry to the greatest extent possible within fire codes. The regular use of fire stairs by multifloor tenants should be carefully examined and appropriate controls implemented.

In a campus-style environment, the pastoral setting of multiple buildings spread across green and wooded acreage in a rural area appears to be a far cry from the urban high-rise. But from a security viewpoint, it may have as many holes as a sieve. The multiple entry points for each building compound the control problem.

Ideally, the campus should be secured at its perimeter. But zoning restrictions, aesthetics, ineffective barriers, and the costs of both implementation and operation often force the controls inward to the buildings themselves. If buildings are linked by pedestrian tunnels or enclosed walkways and are all within reasonable walking distance, one centralised, controlled entry lobby for visitors is most effective. Card readers can be installed on other building entrances for employee use.

If buildings are spread out and distances greater, multiple visitor reception points may be needed. A small lobby with a receptionist or security officer controlling access to the interior of the building is typical. If personnel economies are needed, a telephone in a secured lobby may be all that is required - the person being visited greets and escorts the visitor.

Security is a subjective discipline. The selection and application of protection solutions are often controlled by perception, corporate culture, public image, and the wishes of the company's top management. The guidelines discussed here cannot be implemented in a vacuum but must be customised to suit the security needs and operating style of each facility.

First impressions are important - the entry lobby not only sets the tone for a company's image but also provides the opportunity to project to both visitors and employees the organisation's security posture and expectations.

Access control need not hamper or menace daily operations. Through a close working relationship between the architect and the security consultant, the process should seem natural, businesslike and efficient.

Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Smart parking management platform
Access Control & Identity Management Asset Management, EAS, RFID
Parket builds a seamless bridge between supply and the ever-increasing, but fluid – and often temporary – demand for parking bays.

Visible-light facial recognition terminal
ZKTeco Access Control & Identity Management Products
The SpeedFace-V5L [P] is a visible-light facial recognition terminal using intelligently engineered facial recognition algorithms and the latest computer vision technology.

Facial and palm verification
ZKTeco Access Control & Identity Management Products
The ProFace X [P] supports both facial and palm verification, with a large capacity and rapid recognition.

Glide Master High Security 90° Sliding Gate
BoomGate Systems Access Control & Identity Management Products
Boomgate Systems was asked to make a sliding gate that can turn 90 degrees. The gate had to offer high security and be vandal-proof.

Informing, entertaining and communicating across your landscape
Evolving Management Solutions Access Control & Identity Management
For the first time, the attraction of large shopping malls with many stores, entertainment and food courts no longer offers enough appeal to attract customers.

Suprema’s new BioStation 3
Suprema Access Control & Identity Management Products
The brand new BioStation 3 is not only Suprema’s smallest face recognition device to date, but it also comes packed with the largest variety of features.

Suprema renews international privacy and security standard certifications
Suprema News Access Control & Identity Management
Suprema has simultaneously renewed two important international standard certifications regarding information security management (ISO/IEC 27001) and privacy information management (ISO/IEC 27701).

SuperVision biometric access control
Integrated Solutions Access Control & Identity Management Products
SuperVision is a time & attendance (T&A) biometric access control system Fourier IT has been developing and enhancing for 18 years.

Manage energy usage with Paxton access control
Paxton Access Control & Identity Management Products
Paxton provides access control systems that can integrate with existing infrastructure and manage a building’s energy-consuming activities to save energy and costs.

Why Multi-Factor Authentication, universal ZTNA and Zero Trust matter
Access Control & Identity Management Cyber Security
Malicious cyber actors are experimenting with new attack vectors and increasing the frequency of zero-day and other attacks, according to Fortinet’s 1H 2022 FortiGuard Labs Threat Landscape report.