ITS 4210 - Access Control, Authentication, and PKI
Chapter 9, Physical Security and Access Control
This lesson discusses physical security issues. Objectives important
to this lesson:
What is physical security
Designing a physical security plan
Physiological and biometric controls
Outsourcing physical security
Designing a Plan
Perimeter security is concerned
with placing a boundary around some
area, whether it is a room, a building, a complex, or a larger site. A basic
concern for any room is a door with
a lock, assuming that there are
walls that prevent access other
than by the door. For a larger area, we might start with a fence
and locked or guarded
text mentions landscaping, which many of us would ignore. It is better
not to ignore it. Lovely trees that someone decides to plant around our
fence may provide a route over
that fence. The text suggests that plants with strong thorns
would be a better deterrent.
I had the pleasure once of visiting a facility that took a different
approach. There was no sign outside
the building, no number on it,
and no indication that it was a secure facility. The perimeter
was fenced, and gated,
and the gate was operated remotely by a guard who you called on an intercom.
The fence was surrounded by tall slender yews,
which blocked the view of the perimeter from the street. The trees were
frail enough that no one could climb them. Yes, they made it difficult
for people inside to watch what was happening outside the building. However,
the intention was to block the view of the building from outsiders, and
to draw no attention. Huge trees with nasty thorns are unusual and they
might draw the attention of someone with an eye for what looks odd. Yews
are just nice landscaping. A good way to keep a secret is to never hint
that the secret even exists. That building's perimeter followed that logic.
Visibility is what you think about when you plan lighting
and surveillance cameras. Sometimes
you need more lights because something you can't remove casts a shadow.
Sometimes you need another camera, because you can't see through or around
that thing the way it is. Your surveillance system needs to cover what
your guards need to see even if they do walk around the interior or the
grounds. They cannot be everywhere at once, unless you have lots of guards.
The text mentions that tracking who enters and who leaves
a location are equally important. This is easier in a well run installation,
where you use the same protocols to enter and to leave. In most locations,
people are in more of a hurry to leave. The text suggests that keeping
video records of people entering and exiting can provide a post-event
record if you can live without a live stream of information. Sometimes,
the exit of a person is the more important event, such as
the provided example of a day care center, as well as in some hospitals
and most prisons. The text warns us that exit points must be watched
carefully in such cases. It should observe that we should watch known
exit points, and be watchful for exits that those seeking them may discover.
If you want to allow foot traffic, but restrict the approach of vehicles,
you should consider the text's recommendation to use bollards.
You may not know the word, but you have probably seen these posts in parking
lots or outside buildings. Follow this
link to a web page that defines them as being available in several
types: visual guides, physical barriers, flexible, and decorative. The
text is most concerned with the physical barrier type, which may simply
be a painted concrete and steel post, or it may have a decorative cover
to make it look less like a barrier. Locations that need frequent vehicle
traffic, but must be able to restrict it in emergencies, may lead us to install
bollards that are retractable.
The text continues with a discussion of physical access controls inside
buildings. The text recommends that guards and cameras should
be made visible in general work areas, to act as deterrents to unwanted
behavior. Barriers between general work areas and sensitive areas
should be clearly defined. The text mentions banks as a commonly
available example of businesses with areas for the general public, and
areas that are for staff only. Banks often have high counters, gates,
security barriers, guards, and bullet resistant glass or plastic barriers
between staff and customers. Data centers do not generally provide service
to the public, but it is not uncommon to have a data center share a building
with another service from your company that does invite customer traffic.
When this is the case, there must be controls to prevent access by people
who should not have access.
On page 182, you will see a list of five classifications for government
buildings, based on floor space, number of employees,
amount of contact with the public, and shared space with
other agencies. Note that the list is flawed. As we go from level
I to level V, every one of the parameters increases, which will not always
be accurate. We may need to increase one or two parameters, but not the
others, which causes the list to fail to apply to all situations. Let's
recognize this concept, but move on to the next one.
The text discusses data centers in a few paragraphs that give "dark"
data centers more words than they need. You will not work in a dark center,
because such locations are run remotely or by automated devices. You should
be more concerned with data centers that employ staff if you are planning
to work in one.
On page 183, the topic changes to authentication, specifically biometric
authentication. We are reminded that biometrics include something
you are and something you can do. The discussion starts with
physical characteristics. In a way, this method works like a password,
in that a user provides information for authentication, which is compared
to data previously saved on the system.
The text refers to the process of sampling and saving
the reference data as enrollment. A user must be enrolled in
the system before that user can be authenticated by it.
Once a user has been enrolled, that user can authenticate with biometric
data. The process of providing this data to a scanner to gain access
is called identification.
Physiological and Biometric Controls
The text discusses several physical characteristics that are used
for enrollment and identification. It reminds us that some of these characteristics
change a lot between childhood and adulthood.
Fingerprints are characteristics that do not change with age.
Two aspects of fingerprints are scanned for identification:
Ridges - the raised parts of a fingerprint that
form its pattern of lines, called loops, whorls, and arches
Valleys - the lower areas between the ridges
These characteristics may be compared to a reference photo
of your fingerprint, or they may be compared to a capacitance
pattern. Ridges contact a capacitance scanning device,
valleys do not, which makes it possible to scan the fingerprint
in this way on a sufficiently dense scanner. Capacitance scanning
on some smart phones is a possibility.
Matching with the reference data may be done on the pattern
of the fingerprint, or the pattern of the minutiae.
Minutiae are locations in a fingerprint where a ridge changes,
such as branching into two ridges, stopping at a dead end, or joining
Retina scans examine the inside, rear surface of your eye.
This is the surface that receives and interprets light. The idea is
to shine a light into your eye, and take a picture of the pattern of
blood vessels in that area which is believed to be a unique pattern
for each person. Eye surgery can affect this area, so it is not foolproof.
Iris scans examine the part of the eye that is usually blue,
brown, green, or other such colors. The pattern of the muscle in this
area can be scanned and matched. The text tells us this is less likely
to be affected by eye surgery, glasses, or contact lenses than a retinal
Hand geometry does what it sounds like: it measures the shape
of a person's hand, and may measure the ridges on that hand as well.
It occurs to me that changes in a hand are more likely with age, injury,
and arthritis than changes in fingerprints or eyes would be.
Facial recognition scans the shape and location
of a person's facial features. The location of a feature is measured
in relation to other features, such as the distance of the eyes from
each other. As usual, these measurements are compared to saved reference
The text moves on to behavioral recognition, the other type of
biometric measurement. Several variations are discussed on pages 185 and
Typing is something people tend to do the same way each time,
given a similar console. Measurement is usually done on typing a known
phrase or typing your password. Your typing rhythm is different when
you are on a real keyboard from when you are trying to type on a smart
phone, but if measurements are taken on the same kind of equipment each
time, there can be a reliable consistency. Note that the text addresses
the length of time keys are depressed and the time between keystrokes.
This assumes a standard keyboard, either rigged for measurement or connected
to software that is taking measurements. The text warns us that this
measurement has a high rate of false negatives, deciding that the typist
is not really the user in question. As you might imagine, there are
many problems that could change the way a person types.
Signature analysis does not measure the shape of a signature.
It measures the speed and pressure a person uses to write each letter,
which means it must be done on a pad that can measure that, like most
art pads. Like the typing measurement, it relies on the user being able
to enter the data in the same way each time.
Voice recognition involves having the user speak a set phrase
into a microphone, and relies on the physical shape of the user's mouth
and larynx to produce sounds that have unique wave properties.
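The key-hold and between-keystroke timings from the typing item above, as an added example that is not from the textbook or these notes: a reference template is enrolled from several samples of a known phrase, and a later attempt by the same user at a slower rhythm is rejected, which is the false negative the text warns about. The function names, the timings and the 25 ms tolerance are assumptions made for illustration.

```python
# Added example: keystroke-dynamics check on a known phrase.
# All timings (milliseconds) are constructed; the tolerance is an assumption.

def features(events):
    """events: (key, press_ms, release_ms) tuples in typing order.

    Returns dwell times (how long each key is held down) followed by
    flight times (gap between releasing one key and pressing the next).
    """
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return dwell + flight


def enroll(samples):
    """Average several samples of the same phrase into a reference template."""
    vectors = [features(s) for s in samples]
    return [sum(column) / len(column) for column in zip(*vectors)]


def distance(template, events):
    """Mean absolute difference in ms between an attempt and the template."""
    attempt = features(events)
    return sum(abs(a - t) for a, t in zip(attempt, template)) / len(template)


def accept(template, events, tolerance_ms=25):
    """Identification decision: close enough to the enrolled rhythm?"""
    return distance(template, events) <= tolerance_ms


def typed(phrase, dwell, gap):
    """Build constructed events: each key held `dwell` ms, `gap` ms apart."""
    clock, events = 0, []
    for key in phrase:
        events.append((key, clock, clock + dwell))
        clock += dwell + gap
    return events


# Enrollment: the user types the phrase three times at slightly different speeds.
TEMPLATE = enroll([typed("pass", 90, 60), typed("pass", 100, 70),
                   typed("pass", 110, 80)])

if __name__ == "__main__":
    usual = typed("pass", 95, 75)      # same user, normal day
    slowed = typed("pass", 140, 130)   # same user, e.g. with an injured hand
    print("usual :", distance(TEMPLATE, usual), accept(TEMPLATE, usual))
    print("slowed:", round(distance(TEMPLATE, slowed), 1), accept(TEMPLATE, slowed))
```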
The text changes topics to discuss problems with all of these
techniques. One is lack of user acceptance, which may be from lack
of familiarity, or from fear of the technology being used, such as the
one that scans a retina. Others have to do with the techniques
False acceptance - This can also be called a false positive
or a Type II error. It means that the system accepts someone
as a known user who is not a known user. The text explains that
this can be caused by too little sensitivity in the scanner, which could
cause an iris scanner to see all blue-eyed users' scans as belonging
to a known user with blue eyes.
False rejection - This can also be called a false negative
or a Type I error. It means that an enrolled user is not
recognized. The text offers an example of a fingerprint scanner
rejecting a user because there is something on the user's finger obscuring
it. This could happen on a capacitance scanner if something on the finger
changed its electrical properties, like a conductive fluid.
Crossover Error Rate (CER) - Now for the really good
news: all of these systems produce Type I and Type II
errors. We can reduce the rate of either type, but that
will increase the rate of the other type. The image on
page 187 shows both error rates plotted on a graph's vertical axis,
and the sensitivity of the system plotted on the graph's horizontal
axis. More sensitivity gives us more Type I errors. Less sensitivity
gives us more Type II errors. Users don't like Type I errors, and security
staff don't like Type II errors. The Crossover Error Rate is the point
on that graph where the rates of the two kinds of errors are equal.
Note that the graph in the text is pretty symmetrical. This is not always
the case: actual system performance may be skewed toward one side or
the other for the CER. In any case, the CER gives us a way to measure
a system on two scales at once.
Failure to enroll rate - This sounds like a fault of the user,
but it is not. The failure in this case is the failure
of the system to save a sample data set for a user. The total number
of such failures divided by the total number of attempts to save enrollment
information is the Failure to Enroll Rate.
Failure to capture rate -
This refers to a failure of the system to create a useful data set for
a user, such as not being able to scan the user's face due to a lens
problem. The number of such failures
divided by the total number of attempts
to create enrollment information is the Failure to Capture Rate.
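The trade-off between Type I and Type II errors, worked through as an added example that is not from the textbook or these notes: constructed match scores for enrolled users and impostors are swept across decision thresholds, where a higher threshold stands for a more sensitive (stricter) system, and the crossover point is located. The function names and all score values are assumptions made for illustration.

```python
# Added example: sweep a matcher's decision threshold and locate the
# Crossover Error Rate (CER). All scores below are constructed sample data.

# Similarity scores (0-100) from attempts by enrolled users (should be accepted).
GENUINE = [91, 88, 84, 79, 76, 73, 70, 66, 61, 55]
# Similarity scores from attempts by impostors (should be rejected).
IMPOSTOR = [72, 64, 58, 52, 47, 41, 36, 30, 24, 18]


def error_rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (false_rejection_rate, false_acceptance_rate) at one threshold.

    An attempt is accepted when its score is >= threshold, so a higher
    threshold is a stricter, more sensitive system.
    """
    frr = sum(s < threshold for s in genuine) / len(genuine)     # Type I
    far = sum(s >= threshold for s in impostor) / len(impostor)  # Type II
    return frr, far


def crossover(thresholds=range(0, 101)):
    """Return (threshold, frr, far) at the first point where the rates are closest."""
    best = None
    for t in thresholds:
        frr, far = error_rates(t)
        gap = abs(frr - far)
        if best is None or gap < best[0]:
            best = (gap, t, frr, far)
    return best[1:]


if __name__ == "__main__":
    for t in (40, 55, 65, 75, 90):
        frr, far = error_rates(t)
        print(f"threshold {t:3d}: FRR {frr:.0%}  FAR {far:.0%}")
    t, frr, far = crossover()
    print(f"CER near threshold {t}: FRR {frr:.0%}, FAR {far:.0%}")
```

With real score distributions the two curves are rarely symmetrical, so the threshold actually deployed is often moved away from the crossover toward whichever error the site can better tolerate.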
The text continues with some material that discusses what characteristics
make good choices for biometrics. As it has already discussed, the characteristic
being measured must be something that all users have, that is unique to
each user, that will not change over time, and that can be scanned quickly
enough to operate an automated entry system. The section is repetitive,
so we will move on.
On pages 192 and 193, the text changes topics to discuss technological
access control systems. It is a short list, so let's consider the items
on it. This
article on Wikipedia discusses some of the same physical
locks use wards which,
we are told, are permanent projections
inside a key operated lock that prevent a key from turning unless it
is cut so that it avoids the wards. This sort of lock is the simplest
one in the list and it can be picked easily, even with a thin key cut
to miss most wards.
Tumbler locks are more common,
and harder to pick because they require the key to push several pins,
that are attached to springs, up to different correct heights. When
the two-part pins are in the right position, each will allow the cylinder
of the lock to turn. The picture on the right shows this kind of lock.
Combination locks - The combination
locks most of us have used operate on a different system that makes
them much harder to pick. Wheels
inside the lock must align to
make it possible to open the lock. The text warns us that electronic
versions of these locks do not work the same way. They are really just
password systems that use a number as the password.
Cipher locks - You can run a
search on this kind of lock to see that there are many styles. They
typically have several buttons that can stand for numbers or letters,
and they can be set to open to most any combination of key presses that
the user wants. The text explains that they can also work with swipe
cards and with biometric sensors.
A more interesting concept is in the middle of page 183, about fobs
and tokens. Typically a fob may also be called a hard token, and
I showed you a photo of one back in the notes for the first chapter. The
text refers to the physical device
as the fob and to the number
it generates and displays as the token.
This is also correct. This system can also be implemented in software
on a computer, but the same concept is used: a one time only password
is generated for an account, usually once a minute, on a device the user
has and on a device on the periphery of a network that authenticates users.
Different users have different passwords, so having one person's fob will
not let you in as someone else.
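The fob and token idea as an added example, not from the textbook or these notes: the fob and the authenticating device each derive the same short-lived number from a shared per-user secret and the current time. It uses the public TOTP scheme (RFC 6238) with a 60-second window as a stand-in, since commercial fobs may use other algorithms; the secrets, user names and function names are assumptions.

```python
# Added example: a time-based one-time password shared by a "fob" and an
# authentication server. Uses the public TOTP scheme (RFC 6238) as a stand-in;
# commercial fobs may use other algorithms. Secrets below are constructed.
import hashlib
import hmac
import struct
import time


def token(secret: bytes, now: float, step: int = 60, digits: int = 6) -> str:
    """Return the code displayed for the time window that contains `now`."""
    counter = max(int(now), 0) // step              # changes once per `step` seconds
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                         # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secrets: dict, user: str, submitted: str, now: float,
           step: int = 60, drift: int = 1) -> bool:
    """Server side: recompute the user's token, tolerating small clock drift."""
    secret = secrets.get(user)
    if secret is None:
        return False
    for window in range(-drift, drift + 1):
        expected = token(secret, now + window * step, step)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return True
    return False


# Constructed per-user secrets, provisioned on both the fob and the server.
SECRETS = {"alice": b"12345678901234567890", "bob": b"a-different-secret-0"}

if __name__ == "__main__":
    now = time.time()
    alice_code = token(SECRETS["alice"], now)        # what Alice's fob displays
    print("alice fob shows:", alice_code)
    print("alice accepted:", verify(SECRETS, "alice", alice_code, now))
    print("same code as bob:", verify(SECRETS, "bob", alice_code, now))
    print("code 5 minutes later:", verify(SECRETS, "alice", alice_code, now + 300))
```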
The chapter ends its new material with some thoughts about outsourcing
physical security. Like other security issues, it may be best to outsource
when your company is not big enough or
experienced enough to do it right. It is also possible that the
text is correct when it says that a guard from an outside company may
have an easier time being strict
about rules than one who works directly for your company. This may not
be the case, but it is possible. The text offers a list of criteria
that should be part of your evaluation process for an external security
vendor on pages 194 and 195. You should review this list, and think about
what else belongs on it.
Continue the reading assignments for the course.
Complete the assignments and class discussion made in this module