Audit Trail - don't believe the hype


Yesterday I was in the foyer of an Australian Government building in Sydney. I checked in at the security desk and waited for my escort to arrive.

Access beyond the foyer required going through turnstiles with a proximity RFID card. I noticed the prox cards were required for both entering and exiting... no doubt a serious access control system to monitor staff movements.

My escort arrived; after a quick hello we headed toward the turnstiles. He presented his card to the reader (badged) and went through, then passed his card back for me. This puzzled me and I asked him why the system allowed this (card passback). He told me the whole system was a failure and the supplier was coming back next month to remove it completely.

It turns out the tender documents stated the system must provide reports of staff movements, and "fire reports" of who is currently in the building when the fire alarm is activated. The supplier and the hardware were top notch, but even with 3.5 million dollars and 2 years of installation and troubleshooting, these seemingly basic features had proved impossible to implement in real life.

Initially card passbacks were not allowed; they had since been permitted because people were being trapped in areas of the building when the system thought they hadn't yet entered, or had already left, that area. Every door required badge-to-enter and badge-to-exit, so technically it was plausible. However, when a group of people arrived at a door the so-called "access-control" system became useless and reverted to a "follow-the-rules" system... rather lame for such an investment; a bundy clock would've been far cheaper. The same problem applied when someone arrived at a door just as someone else was exiting it... follow the rules: wait for the door to close, then present your card, one person at a time.

Compounding the problem, parts of the building were not just corridors with branching rooms; they were more rabbit-warren style (like the training rooms we were in), and the system couldn't differentiate the complex possibilities of entry/exit areas, so people became inadvertently trapped even if they followed all the rules.

Most doors had now been reverted to a "soft" anti-passback mode, which allowed passbacks but recorded each one as a "suspicious event" in the system. Security personnel were supposed to investigate these suspicious events, but there were hundreds every day. So, 2 years later, the supplier is removing all the hardware and bearing all the cost.
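To make the failure mode concrete, here is a small simulation (added here; it is not code from this post or from any vendor's controller) that replays a constructed badge log through a "hard" and a "soft" anti-passback controller and shows the fire report each would produce. The names, times and the ground-truth occupancy are all made up.

```python
from dataclasses import dataclass, field

# Constructed badge log: (time, card, door, direction). Two things the reader never
# sees: the visitor who enters at t=2 on alice's passed-back card, and carol, who
# tailgates in behind bob at t=3 without badging at all.
EVENTS = [
    (1, "alice", "lobby", "in"),
    (2, "alice", "lobby", "in"),   # passback: alice's card used a second time
    (3, "bob", "lobby", "in"),     # carol tailgates through behind bob (no event)
    (4, "carol", "lobby", "out"),  # carol tries to leave: system thinks she never entered
    (5, "bob", "lobby", "out"),
    (6, "alice", "lobby", "out"),
]
# Constructed ground truth of who is physically inside after t=3, for comparison.
ACTUALLY_INSIDE_AFTER_T3 = {"alice", "visitor", "bob", "carol"}


@dataclass
class AntiPassback:
    mode: str                                   # "hard" denies, "soft" only logs
    inside: set = field(default_factory=set)    # the system's belief of who is in
    denied: list = field(default_factory=list)
    suspicious: list = field(default_factory=list)

    def process(self, ts, card, door, direction):
        """Apply one badge event; returns True if the door was released."""
        should_be_inside = direction == "out"
        if (card in self.inside) != should_be_inside:
            if self.mode == "hard":
                self.denied.append((ts, card, door, direction))
                return False                    # door stays locked: the trapped-staff case
            self.suspicious.append((ts, card, door, direction))
        if direction == "in":
            self.inside.add(card)
        else:
            self.inside.discard(card)
        return True

    def fire_report(self):
        """Who the system would list as present if the alarm went off now."""
        return sorted(self.inside)


def replay(mode, until, events=EVENTS):
    """Replay events with timestamp <= until and return the controller state."""
    apb = AntiPassback(mode)
    for ev in events:
        if ev[0] <= until:
            apb.process(*ev)
    return apb
```

In both modes the fire report at t=4 lists only alice and bob, while four people are physically inside; hard mode additionally leaves carol locked in, and soft mode simply adds two more "suspicious events" to the pile nobody has time to investigate.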

Moral of the story: an "Audit Trail" is simply a list of which cards have been used at which doors... great in theory, but the real-world functionality is minimal at best. Even extracting basic information requires that everyone knows and follows the rules, which is essentially the same as asking everyone to sign a book. Audit Trail is a sales gimmick (and always at the top of the propaganda). Don't believe the salesman! If they mention features like knowing when staff arrive and leave, how long they had for lunch, who is in the building, etc., ask for it in writing!

Until they implant chips in our bodies at birth (the end of the world if you ask Nostradamus), recording staff movements is best achieved with imagery. It will tell you exactly who, what, when, where, how many people and what they were carrying, with evidence!

(edit - 19/12/14) Today I was contacted by a gentleman opening a 24-hour gym. He wanted card access on the front door to control and monitor member access. I mentioned all the above perils and his reply was "but it works for Anytime Fitness??" After some investigation into the system Anytime Fitness uses, it was clear their electronic tag access did NOT provide this; they rely on cameras to ensure only one person enters, nobody enters as someone leaves, and the member hasn't lent their electronic tag to a mate.

 

