Thursday, February 14, 2008

Physical Security: Tailgating

A few years back, when smart access cards were introduced as a solution to unauthorized physical access, Information Security Managers (ISMs) felt very relieved. Even in IT organizations, physical security breaches were more prevalent and more damaging than network-based attacks, so their relief was justified. However, they soon realized that card-based access control was being defeated by tailgating: a social-engineering attacker simply follows an authenticated user through the door. Most ISMs came to see this as a technical limitation, so that they would either have to live with tailgating or post a full-time security guard at every entrance (defeating the purpose of, and wasting the money invested in, the access cards and readers). I have seen organizations (some of them among the top 20 IT organizations in the world) where security professionals had deployed a full-time guard at every entrance to combat tailgating.

Solution:
The good news for security professionals is that there is an effective control for tailgating. You may call it an enhancement of the current smart-card-based access control system. Of course the cost of the control is going to increase, so be ready to convince the finance team with an ROI calculation. The solution is as follows:

Install a one-way turnstile at each entrance; the existing access cards then grant entry to the premises through the turnstile. When a user presents her access card to the card reader, the turnstile releases for exactly one person, so only one person can enter per valid card presentation.

Additionally, a buzzer can be installed to sound an alarm whenever a deactivated or fraudulent card is presented, so that nearby guards or staff are alerted at the moment it happens.

Note that the turnstile described above is one-way, so for exit you will need a separate door with conventional access control. You would agree that tailgating is a problem when entering the premises rather than when leaving.

Limitations:
1) This solution will not work if a user (intentionally) presents her access card three times in a row to let two other people pass through with her. However, this abnormal activity is easy for fellow employees or nearby guards to notice, and the access-control log will show the same card accepted at the same entry reader several times within a few seconds.

2) Because of the additional cost, it may not be practical to install turnstiles at every door, so the risk managers' help may be required to identify suitable areas. In my opinion, this solution must be implemented at
a) the building perimeter and
b) highly restricted areas such as server rooms, data centers and highly restricted project areas.
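As an added example (not code from the original post), here is how a turnstile controller or a log-review script could make both the buzzer case above and limitation 1 visible automatically rather than relying on someone happening to notice. It assumes a hypothetical log line format of timestamp, reader ID, direction and card ID, a known set of active cards, and that every entry read is matched against the card's last exit read (anti-passback). That last assumption generalizes the "three reads in a row" case: any entry read for a card that has not been seen leaving since its last accepted entry is flagged, whether the reads are seconds or hours apart. The card IDs, reader IDs and timestamps in the sample log are constructed.

```python
"""Detection logic for a one-way entry turnstile (added example, not the
original post's code).

Assumed log format: one read per line, "ISO-timestamp reader direction card",
where direction is "entry" (turnstile reader) or "exit" (separate exit door).
The controller is assumed to know the set of active cards.

Two checks:
  1. A read of a card that is not active trips the buzzer (INVALID_CARD).
  2. A card presented at an entry reader while it is already inside, i.e.
     with no exit read since its last accepted entry, is flagged
     (REPEAT_ENTRY). Several such reads within seconds is the "badge three
     times to let two friends through" pattern from limitation 1.
"""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Read:
    ts: datetime
    reader: str
    direction: str  # "entry" or "exit"
    card: str


@dataclass(frozen=True)
class Alert:
    ts: datetime
    kind: str
    card: str
    reader: str
    detail: str


# Hypothetical set of active card IDs (constructed for the example).
ACTIVE_CARDS = {"C1001", "C1002", "C1003"}


def parse_log(lines):
    """Parse 'ISO-timestamp reader direction card' lines into Read objects."""
    reads = []
    for line in lines:
        ts, reader, direction, card = line.split()
        reads.append(Read(datetime.fromisoformat(ts), reader, direction, card))
    return reads


def check_reads(reads, active_cards=ACTIVE_CARDS):
    """Replay reads in time order; return the alerts the controller should raise."""
    alerts = []
    last_entry = {}  # card -> timestamp of its last accepted entry, while inside
    for r in sorted(reads, key=lambda x: x.ts):
        if r.card not in active_cards:
            # Deactivated or unknown card: sound the buzzer, do not release.
            alerts.append(Alert(r.ts, "INVALID_CARD", r.card, r.reader,
                                "card not active"))
            continue
        if r.direction == "exit":
            # Leaving through the conventional exit door clears the state.
            last_entry.pop(r.card, None)
            continue
        if r.card in last_entry:
            # Anti-passback: the card is already inside, so a second entry
            # read means it was re-presented to let someone else through.
            gap = (r.ts - last_entry[r.card]).total_seconds()
            alerts.append(Alert(r.ts, "REPEAT_ENTRY", r.card, r.reader,
                                f"{gap:.0f}s after previous entry, no exit seen"))
        # Record the entry either way so a third read is flagged as well.
        last_entry[r.card] = r.ts
    return alerts


# Constructed sample log: IDs and times are hypothetical.
SAMPLE_LOG = [
    "2008-02-14T08:00:00 T1 entry C1001",  # normal entry
    "2008-02-14T08:00:04 T1 entry C1001",  # card re-presented for a friend
    "2008-02-14T08:00:08 T1 entry C1001",  # ... and again (limitation 1)
    "2008-02-14T08:05:00 T1 entry C1002",  # normal entry
    "2008-02-14T08:06:00 T1 entry C9999",  # deactivated card -> buzzer
    "2008-02-14T12:00:00 D1 exit  C1001",  # leaves via the exit door
    "2008-02-14T13:00:00 T1 entry C1001",  # legitimate re-entry, no alert
]


if __name__ == "__main__":
    for a in check_reads(parse_log(SAMPLE_LOG)):
        print(a.ts.time(), a.kind, a.card, a.reader, a.detail)
```

On the sample log this raises two REPEAT_ENTRY alerts for C1001 (4 seconds apart each) and one INVALID_CARD alert for C9999; the 13:00 entry is silent because an exit read was seen in between. Anti-passback is stricter than a simple time window: it also catches a card handed back to a colleague an hour later, but it requires that people actually badge out, so the exit door must log reads as reliably as the turnstile does.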