I had the opportunity recently to travel to Washington D.C.  When we’re looking for examples of almost any kind or type of security system, that’s the place to see them all.  I had business at several federal agencies; and, while in town, I took the opportunity to visit several museums, both public and private.

The first idea that struck me concerning the diversity of access control methods was: What are we trying to accomplish?

When it comes to access control, there were many different approaches to what constitutes “access control.”  Access control varies from specifically controlling WHO has access to simply trying to assure that anyone (or everyone) who enters a facility does not have anything that can cause harm -- generally weapons or explosives -- even if we don’t know who they are.

The Who and What of Access

One method assumes safety because we know (and we assume trust) those of whom we allow access.  The other method suggests that if we’re careful about WHAT we let into our facility, then we’re less likely to have an incident.

Identifying WHO the person is before allowing access requires that we have the ability to positively identify a person, and that we have previously decided who we want to have access.  The U.S. Government is beginning to require positive identification with requirements such as HSPD-12. 

TWIC, the Transportation Worker Identification Credential, is a good example.  TWIC was established by Congress through the Maritime Transportation Security Act (MTSA) and is administered by the Transportation Security Administration (TSA) and U.S. Coast Guard. TWICs are tamper-resistant biometric credentials that will be issued to workers who require unescorted access to secure areas of ports, vessels, outer continental shelf facilities and all credentialed merchant mariners.

Control Vs. Authorizing

Determining whether the person is expected or allowed access is an issue within an overall access control design.  In most applications, the person controlling access is not a person that can determine whether or not access is allowed.  In other words, the person at the gate (generally a security officer) only ENFORCES an access list. He or she does not determine it.

On my trip, I ventured to the National Cryptologic Museum. The museum is the National Security Agency’s principal gateway to the public. It shares the nation’s as well as NSA’s cryptologic legacy and place in world history.

It is not possible to get onto the grounds of the NSA unless you are an employee, or you had specific business and you were expected (No “cold calls” there.).  The NSA stops all vehicles on the perimeter of the facility, and positively checks “government issued” identification, and determines whether or not you get access.  EVERY vehicle is checked, and it is time consuming.  Oddly, there is no access requirement to enter the National Cryptologic Museum.  There is no entrance fee, and there is no searching of bags or possessions.

In Your Possession

Open access facilities often determine what a person HAS in their possession before allowing access.  Often, the goal is to determine that a person desiring access has no METAL in their possession, but there are many non-metal materials that are dangerous.

Many museums in the D.C. area post “bag check in progress” signs at all entrances.  At one public access museum, a uniformed security officer was standing at the door and looking into purses and bags, while everyone went through a metal detector.  The bag check was cursory, and I walked through the metal detector with a camera, money clip, watch and a pocket full of change without setting off an alarm.

It was clear to me that the security was superficial, and mostly being done for appearances, not actually for effect.

High Risks, Better Access Control

Higher risk brings more extensive access requirements.  The FBI Building was surrounded by marked “FBI Police” vehicles, and every entrance was manned by uniformed police officers – a very physical presence. Other buildings in the area used dogs.

One federal office I visited had an extensive access control system in place.  There was a single access point into the building and the entrance was supported by several armed security officers.  Employees were required to wear identification badges.  A visual inspection of the badge was conducted by a security officer, and that allowed access into the building.  Card readers throughout the building restricted access to specific areas within.  A visitor management system scanned a visitor’s “government issued” identification to quickly capture identification info straight from the user’s card. The collection of this information was followed by a real-time capture of an image of the visitor.  Visitors are required to pass through a metal detector, and any alarm resulted in the hand “wanding.”

There is a lack of consistency as to what exactly constitutes access control.  In creating, designing or managing an access control system, the important question remains. What are you trying to accomplish? Pretending to create a secure environment doesn’t make it real.