Physical Access Control VS Logical Access Control

November 17, 2022

Access control is one of the first lines of defence against criminal activity for any organization. After all, it’s difficult for someone to carry out a crime on your property if they can’t get onto it in the first place.

That said, businesses don’t just have to be concerned with protecting their physical assets but their digital assets too. Consequently, they need to think about logical access control as well as physical access control.

In this post, we’ll look at physical and logical access control – exploring what each type of access control covers, their various components, and the differences between the two.

Defining Physical Access Control

Let’s begin by looking at physical access control systems and how they function.

 What is Physical Access Control?

Physical access control is a security measure designed to restrict access to a physical space such as a building or a floor or room within it. Physical access control systems are put in place to protect a business or residential building from criminal activity like theft, vandalism, trespassing, and assault on the people within the property. As well as controlling who can enter an area, physical access control systems can also determine when they’re allowed entry, i.e., only permitting entry between certain hours.

 What Are The Components Of Physical Access Control?

Depending on the way it’s set up and the level of security required by the property, a physical access control system can include:

  •  Access Points

This is an entrance to the property, or an area within it, where an individual is granted or refused access. Examples of access points include doors fitted with electronic locks or readers, boom gates, password-protected doors, and turnstiles. Additionally, it’s common for a property to place a security guard at the main access point to observe who enters and leaves the building and to deal with visitors.

 As well as its main entrance, a property manager, or head of security, can set up access points to restrict entry to specific areas such as floors of a building (typically via elevator access), and individual rooms (via keycard, key fob, or keypad access).

  •  Readers, Keypads, or Scanners

Each access point needs to be equipped with a device to which an individual can present their credentials and attempt to gain access. This could be in the form of a card or fob reader, a keypad for PIN codes, or a biometric scanner for identifying fingerprint, facial, or retinal (eyeball) scans.

  •  Personal Access Credentials

These are used by individuals to gain access to a building or an area within it. Personal access credentials include key cards, key fobs, or PIN codes, as well as the individual’s physical features for biometric scans. These credentials inform the access control system of who is attempting to gain entry. The system’s control server will then grant the appropriate access if they match those that it has stored.

  • Control Panel

The central control panel and server receive the data from an individual’s access credentials and verify its validity by communicating with the readers, locks, PIN keypads, etc. If the credential data proves valid, the control panel grants the individual access. Conversely, if the credential data isn’t approved by the panel and server, the individual will be denied entry.

  •  Access Control Server

The access control server stores user data, their associated access privileges, and a log of who attempted to gain access to points around the property and whether that access was granted. If an individual is to be granted access to a property, or if their access privileges are to be changed, it’s done through the system’s control server.
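The decision the control panel and access control server make together can be sketched as follows. This is an added example, not code from any particular product; the credential IDs, access point names, and the `request_entry` function are constructed for illustration. It shows the default-deny check, the time-of-day restriction, and the log entry written for every attempt whether or not it is granted.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Privilege:
    access_point: str
    start: time  # earliest permitted entry
    end: time    # latest permitted entry

# Constructed sample data: credential ID -> (holder, privileges).
CREDENTIALS = {
    "FOB-1001": ("A. Employee", [Privilege("main-door", time(7, 0), time(19, 0)),
                                 Privilege("server-room", time(9, 0), time(17, 0))]),
    "FOB-2002": ("B. Cleaner", [Privilege("main-door", time(18, 0), time(22, 0))]),
}

AUDIT_LOG = []  # every attempt is recorded, granted or denied

def request_entry(credential_id, access_point, when):
    """Return True if the lock should open; always append an audit record."""
    holder, privileges = CREDENTIALS.get(credential_id, (None, []))
    if holder is None:
        reason = "unknown credential"
    else:
        # Default deny: access needs an explicit privilege for this access point.
        reason = "no privilege for this access point"
        for p in privileges:
            if p.access_point == access_point:
                in_hours = p.start <= when.time() <= p.end
                reason = "ok" if in_hours else "outside permitted hours"
                break
    granted = reason == "ok"
    AUDIT_LOG.append({"time": when.isoformat(), "credential": credential_id,
                      "holder": holder, "access_point": access_point,
                      "granted": granted, "reason": reason})
    return granted

if __name__ == "__main__":
    request_entry("FOB-1001", "server-room", datetime(2022, 11, 17, 10, 0))
    request_entry("FOB-1001", "server-room", datetime(2022, 11, 17, 20, 0))
    request_entry("FOB-9999", "main-door", datetime(2022, 11, 17, 10, 0))
    for record in AUDIT_LOG:
        print(record)
```

Denied attempts in the log, especially repeated ones for the same access point or credential, are what a property manager or head of security would review.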

Defining Logical Access Control

Now that we’ve covered the concept of physical access control, let’s turn our attention to logical access control.

What is Logical Access Control?

Logical access control is a security measure designed to restrict access to the data stored on an organization’s IT network. While physical access control is concerned with preventing access to physical spaces, such as buildings and rooms, logical access control is about preventing access to computer hardware and network resources. Logical access control consists of identification, authentication, and authorisation protocols that ensure data with certain access privileges can only be accessed by users with the correct privileges.

What Are The Components Of Logical Access Control?

  • Strong Password Hygiene

The first, and most fundamental, component of a logical access control system is the enforcement of proper password hygiene. This means making sure that users maintain strong, and varied, passwords for accessing organisational systems and resources. You could enforce proper password hygiene through your company’s governance policies, i.e., making sure a password is of a certain length and contains certain characters. However, this doesn’t address the problem of password fatigue, where users reuse the same password for multiple apps and services.

Instead, you can opt to use a password management application, which suggests strong passwords for each application, etc., and stores them all for the user. Password management solutions also protect your organisation from phishing scams: in the event an employee clicks on a malicious link, the password manager will recognise the fraudulent domain and prevent the login screen from being auto-filled with the user’s details.

  • Two-factor Authentication (2FA)

2FA is a security measure that requires a user to prove their identity in two ways before they’re granted access to a system resource or digital asset. Typically, 2FA relies on what a user knows, i.e., their username and password, and what a user has, e.g., a phone or an access credential. For instance, a system with 2FA might require a user to enter their login details before typing in a PIN code sent to their phone number.

  • Readers or Scanners

A particular method of 2FA involves the use of readers or scanners to identify an individual by a personal identification credential, as well as their username and password. A logical access control system could require an employee to use a smart card, key fob, or fingerprint scan to log onto workstations, access the company’s network, encrypt and decrypt data, open and send emails, etc.

  • Security Tokens

Security tokens are another popular form of 2FA used for logical access control. The first way in which they function is by displaying a random number that changes every 30 – 60 seconds. The user simply has to enter this number to prove they have the token and gain access to a machine or network resource. Alternatively, there are USB security tokens that the user is required to plug into a reader so the logical access control system can confirm their identity and grant them authorisation.

  • Access Control Server

Much like for physical access control, the access control server stores user data, access privilege levels and audit logs – only in this case, it pertains to data and digital assets as opposed to areas around the premises. When it comes to logical access control, there’s a greater emphasis on the access control list (ACL).

The ACL contains an entry for every user who can access the system, as well as rules that specify their level of access. ACLs are also installed in an organisation’s routers or switches, filtering traffic based on its source and destination.

Physical Vs Logical Access Control

Now that we’ve explored the concepts and components involved in both physical and logical access control, let’s look at how they compare.

What Are The Key Features Of Each Type of Access Control?

Because physical access control is about restricting access to physical spaces, whether they’re buildings, rooms, or even particular sections of rooms, its main features are a variation of a lock and key. However, instead of a conventional lock, physical access control systems use electronic locks, which, in turn, are opened with key cards, key fobs, or bio-metric markers like fingerprint or facial scans.

Logical access control, in contrast, is about restricting access to digital spaces, i.e., to an organization’s hardware, networks, and other virtual assets. Consequently, the key features of a logical access control system are a user’s login credentials, for accessing an organization’s network, and the access control list (ACL), that determines the user’s level of access.
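For the ACLs installed on routers and switches, which filter traffic by source and destination, rules are typically evaluated top to bottom with the first match deciding and anything unmatched denied. The sketch below is an added example, not a vendor’s syntax or code from this article; the subnets, ports, and function names are constructed. It evaluates a packet against the list and also reports rules that can never fire because an earlier rule already covers them, a common finding in ACL reviews.

```python
import ipaddress

# Constructed sample ACL: (action, source network, destination network, port).
# A port of None means any port. Order matters: the first match wins.
ACL = [
    ("permit", "10.0.10.0/24", "10.0.50.10/32", 443),   # staff -> HR app, HTTPS
    ("deny",   "10.0.20.0/24", "10.0.50.0/24",  None),  # guest Wi-Fi -> servers
    ("permit", "10.0.0.0/16",  "10.0.50.20/32", 53),    # internal -> DNS server
    ("permit", "10.0.20.0/24", "10.0.50.20/32", 53),    # guest -> DNS (too late)
]

def evaluate(acl, src, dst, port):
    """Return (action, index of the deciding rule); index is None on implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for index, (action, src_net, dst_net, rule_port) in enumerate(acl):
        if (src_ip in ipaddress.ip_network(src_net)
                and dst_ip in ipaddress.ip_network(dst_net)
                and rule_port in (None, port)):
            return action, index
    return "deny", None  # nothing matched: implicit deny

def shadowed_rules(acl):
    """Return (rule, earlier rule) pairs where the earlier rule fully covers the later."""
    found = []
    for j, (_, src_j, dst_j, port_j) in enumerate(acl):
        for i, (_, src_i, dst_i, port_i) in enumerate(acl[:j]):
            if (ipaddress.ip_network(src_j).subnet_of(ipaddress.ip_network(src_i))
                    and ipaddress.ip_network(dst_j).subnet_of(ipaddress.ip_network(dst_i))
                    and port_i in (None, port_j)):
                found.append((j, i))
                break
    return found

if __name__ == "__main__":
    print(evaluate(ACL, "10.0.10.7", "10.0.50.10", 443))
    print(evaluate(ACL, "10.0.20.5", "10.0.50.20", 53))
    print(shadowed_rules(ACL))
```

Here the guest DNS exception never takes effect because the broader guest deny sits above it, so the rule has to move up the list to do what its author intended.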

What Are The Key Differences Between Physical and Logical Access Control?

The main difference between physical access control and logical access control is that the former is concerned with protecting an organization’s physical assets while the latter is intended to protect its data and digital assets.

Physical access control is about preventing unauthorized individuals from entering a property or sections of that property. If a criminal can’t access a property, they can’t commit crimes within it, including theft or vandalism. Consequently, physical access control is also about ensuring the safety of the people in and around the property, whether employees, customers, or residents.

Logical access control is about preventing unauthorized individuals from accessing both IT networks and specific resources on those networks. Logical access control systems, in other words, are concerned with information security and preventing cyber-crime. However, an additional challenge faced by logical access control systems is that, unlike physical assets, digital assets can potentially be accessed from outside the property – via the internet. Consequently, the person in charge of securing an organization’s data and IT infrastructure, e.g., the chief information security officer (CISO) or IT manager, must make sure all internet-facing assets are secure.

What Is The Role of a Security Guard In Line With Physical And Logical Access Control?

Security guards are more instrumental in physical access control than logical access control. This is because physical access control systems are about restricting people from entering real-world spaces and, in turn, potentially committing crimes within them. A security guard can supplement, and even enhance, a physical access control system by observing people use their credentials to enter buildings, floors, and rooms. Better yet, the mere presence of a security guard may be enough to deter some criminals from even attempting to enter a property – which, in itself, is a form of physical access control.

When it comes to logical access control, in contrast, a security guard’s role is limited. In fact, their role in an organisation’s information security is restricted to where physical and logical access control overlap. By enforcing physical access control policies, like ensuring only personnel with access credentials enter the building, signing visitors in and out, etc., a security guard enforces some aspects of logical access control in the process. After all, a criminal can’t access a workstation or other hardware if they can’t first get in the building.

However, as mentioned earlier, in many cases, it’s possible to access an organisation’s data and digital assets remotely – and do far more damage in the process. Unfortunately, security guards have no influence in such scenarios, and this is the domain of an organisation’s IT department – namely their cybersecurity team.


Physical access control is a security measure designed to restrict access to a physical space such as a building or a floor or room within it.

 Components of a physical access control system include:

  •  Access Points
  • Readers, Keypads, or Scanners
  • Personal access credentials
  • Control panel
  • Access control server

Logical access control is a security measure designed to restrict access to the data stored on an organization’s IT network.

Components of a logical access control system include:

  • Strong Password Hygiene
  • Two-factor Authentication (2FA)
  • Readers or Scanners
  • Security Tokens
  • Access Control List (ACL)

If you’d like more advice on implementing access control systems, or to discuss any other aspect of your property’s security, give us a call or drop us a line, for a free onsite security assessment.


Kylie Butchard of Pacific Security Group.

Kylie Butchard is a highly respected and experienced leader in Australia’s electronic security industry, having successfully steered Pacific Security Group for over 17 years. With a career embedded in customer service, she has consistently focused on putting people first – clients and staff. Known for her strong, resilient, positive, values-driven, consistent, and compassionate approach, Kylie ensures that her team delivers top-notch security solutions tailored to clients’ unique needs.
