Battle-Tested: 7 Access Control Best Practices

It's not if, but when your organization will suffer a security breach. Whether they’re large or small, or protecting from internal or external attacks, every organization must remain vigilant. Even the NSA, arguably the most secure US federal intelligence agency, failed to stop Edward Snowden from releasing an estimated 1.7 million sensitive records.

Good physical security infrastructure is only part of the solution. Just as important is knowing and applying the best practices available for enterprise access control.

1. Use the Principle of Least Access

Applying a minimal access policy goes a long way to preventing unauthorized activity. When auditing access levels in any system—physical or digital—determine what that minimum necessary level is for each role in the company.

For example, does your CEO’s swipe card really need unrestricted access to the warehouse? Do they really need to be able to sign out forklifts? Genuine exceptions should only be considered on a case-by-case basis.

2. Apply Layered Defenses

When you build your defense in layers, each is able to mitigate the others’ vulnerabilities. This is sometimes called the ‘swiss cheese’ model of security. Any one layer or ‘slice’ will inevitably have holes you can’t plug. But when you layer two or more security slices on top of each other those holes are reduced, or can be eliminated entirely.

Ideally, you should layer different types of security, such as physical barriers paired with electronic key control and access control systems. Even create micro-layers within your security systems, such as requiring multiple forms of authentication. For example, a PIN code combined with a biometric control panel.

3. Integrate With Existing Systems

IT systems have increasingly shifted to what’s known as ‘open architecture’ design over the last decade. In this case, ‘open’ means the systems are designed from the ground up to be ready to integrate with other technologies.

Integrating security systems gives you data from throughout your organization that’s greater than the sum of its parts. This approach lets you conduct proactive real-time monitoring and threat detection. You also gain operational efficiencies coordinating and communicating between your security assets in a unified system.

Which brings us to...

4. Centralize Access Management

Some organizations for good reason will have a decentralized management structure. But when it comes to managing access controls electronically, a centralized model is ideal. This may seem counter-intuitive to security personnel without an IT background, but when access control is networked this becomes the best practice.

Centralizing controls eliminates redundancy and therefore the chance for error. It also reduces the chance of miscommunications between different control centers throughout the organization.

5. Defend Your Chokepoints

Creating chokepoints has long been an effective practice, especially in high-traffic enterprise environments. The problem is that chokepoints create a predictable flow of people or assets that attackers can exploit.

Modern IT systems also use chokepoints to secure network traffic, so they’re vulnerable in similar ways. In fact, many of the largest headline-grabbing cyber-attacks have targeted vulnerable IT chokepoints. 

That means to stay ahead of attackers, we need to implement new forms of chokepoint security that leverage both physical and electronic tools. For example, manage a physical asset with electronic tools that are hard for on-site attackers to disrupt, such as by securing critical keys with an electronic key management system. Or vice versa, deny remote attackers by keeping certain infrastructure un-networked.

6. Training, Training, Training

You can have all the security tech in the world and attackers will still walk right through your defenses if your personnel haven’t been properly trained. Your security training needs to cover both the threat scenarios that matter to your organization and how to use your security systems to respond to those threats.

7. Plan, Test, and Test Some More

When planning or reevaluating existing security measures, it is essential to begin by defining your goals. To accomplish this, make sure to get input from all levels of the organization, not just security personnel. Different concerns and threat scenarios can emerge from very different sectors of your business. 

Once security plans, policies, and systems are established, the best practice is to conduct regular reviews to update them against the latest threats. Include a thorough review of internal incidents log and assess the outcomes of each and actions taken. Then integrate those outcomes into your security protocols. 

The security sector is changing at an ever-increasing rate, but the principles that found our discipline remain the same. A reliable mix of tools and human expertise will always be the answer to the threats we face.

Editor's note: Originally published March 13, 2017, updated July 13, 2018 for accuracy and comprehensiveness.