The Future of Access Control: Building Resilient Systems for the Hybrid Threat Era

Effective access control is more than unlocking doors. It is where security, user experience, and identity management converge.

For people moving through the building, access should feel effortless: badges and phones that simply work, entrances that flow naturally, visitors onboarded without friction. For the organization, the same system must withstand increasingly sophisticated attackers and meet stricter regulatory demands.

Two developments have fundamentally changed this landscape. First, hybrid attacks—where physical intrusion enables cyberattacks from the inside. When remote systems are well-protected, attackers target the weakest physical point: an outdated reader, a cloned credential, a forgotten server room door. Second, regulations such as NIS 2 and CER now explicitly position physical access control as part of cyber resilience. Access systems must support traceability, incident reporting, and rapid response—not merely open doors.

Access control now sits at the intersection of physical and digital security. Getting it right means leaving legacy thinking behind.

When Security Becomes Invisible—But Never Compromised

Four Principles for Resilient Access Control

How secure is your oldest access reader?

Many buildings still operate with technologies designed decades before modern threat awareness. A typical legacy system uses low-frequency 125 kHz cards, simple readers without tamper protection, and Wiegand protocol between reader and controller. The card broadcasts a fixed identifier in clear text. The reader cannot detect physical tampering. The controller accepts whatever signal arrives on two wires—no questions asked.

This architecture is precisely what hybrid attackers target. A cloned badge captured in the car park. A quiet entry after hours. A technical room secured with the same vulnerable reader. A small device plugged into the network backbone. That sequence often suffices to bypass strong perimeter firewalls and endpoint security.

Organizations operating access systems installed a decade or more ago face particular risk. These systems predate modern threat awareness and lack fundamental security capabilities that are now considered baseline.

Modern access control breaks this attack chain at multiple points: credentials that resist simple cloning, encrypted communication on every wire, readers that react to tampering, and policies that flag unusual access patterns in sensitive zones.

For security leaders, the first step is straightforward: Map where legacy credentials and pure Wiegand remain in use. Plan gradual migration, prioritizing high-value zones such as data centers and infrastructure spaces.

    • The solution had to respect the architectural profile

    • Security components must be discreetly integrated

    • Long-term value without continuous maintenance

    • Independence: order and manage credentials without involving building operations

    • Speed: new hires must get access quickly

    • Simplicity: manage identities without technical skills

    • Full overview of all identities and access credentials

    • Minimal administration – no email chains

    • Reliable activation and removal of access rights

STid Architect

For the access hardware, Caverion selected the STid Architect series, supplied by Sotera. These readers are produced in Europe and combine high security with minimalist design – recognized with 11 international design awards. They support modern encryption and secure communication in line with NIS2 and GDPR, while blending naturally into the building’s architecture.

For Base, this was essential: security needed to function flawlessly, but remain invisible.

The road ahead

Behind all acronyms and product names, future-proof access control rests on four interconnected principles.

The solution – where physical access meets digital identity

Caverion faced a clear choice: build around traditional access solutions with known limitations, or find partners capable of meeting all requirements simultaneously.

The answer became a two-part strategy: robust physical access control combined with cloud-based identity management — all provided by Sotera.

Breeze

But access control is more than readers and cards. The real question was how to manage the identities of hundreds of users – with flexibility, control, and traceability.

This is where Breeze became central. Breeze provides every tenant with a dedicated portal and predefined card templates. Ordering a new credential takes only a few clicks. Sotera receives the order automatically, and the card arrives at K8 within two to three days.

  • For tenants, this means independence.

  • For facility managers, it means oversight without administration.

  • For Base, it provides a scalable system with no additional operational burden

The Gap Attackers Exploit

How it works in practice

For tenants, the process has become remarkably simple. Siri from DNB explains:

I log in, add the name, press send – and the card arrives witthin days. I can do it whenever it suits me; full freedom and control.

She contrasts this with previous routines:

“Before, everything had to go through several people. You had no control. Now I can see everything and do it myself.”

Organizations with high security requirements often prefer local card printing. Others – especially those with high turnover or many sites – rely on Duo ID, Breeze’s self-service feature that allows users to manage their own credentials.

For K8, with stable tenants and moderate volume, central card production offered the ideal balance: professional quality, full auditability, and two–three day delivery – without local equipment or training. Breeze handles ordering, Sotera produces, and Newsec activates. Simple, reliable, scalable.

The next evolution is Breeze Access – an expansion that unifies the entire identity lifecycle in a single platform. Connected directly to HR systems and access control software, Breeze Access transforms Breeze into a complete IAM solution for properties and organizations.

Why central card production – and what’s coming next

When hundreds of people move through a building every day, email chains and manual routines simply aren’t enough. Security must be digital, auditable, and intuitive for everyone involved.

With Breeze, STid, and Caverion, Base Group has shown how this can be achieved: a solution that gives freedom to users, control to operations, and confidence to owners.

And with Breeze Access on the way, the next step is full lifecycle identity management – connected directly to the systems that run the organization.

At K8, Breeze is more than a tool – it’s a new approach to identity managment.

For Newsec, the workflow is equally streamlined. Sverre explains:

“The tenant orders, the card arrives at our office, and we enroll it into the access system. The biggest advantage is that tenants have their own portal. Instead of everything going through us, they manage it themselves. We have less administration and fewer mistakes.”

The entire process is digital, traceable, and secure. When employees leave, their access rights are removed just as easily as they were created. No emails, no spreadsheets, no leftover permissions.

The result

Base achieved a building where security is fully integrated, discreet, and dependable.

“It flows naturally and has become part of everyday life,” - Siri Omendal.

Tenants gained control over their own identity management.

“With five or six clicks I order a new card, and two to three days later it arrives at reception,” - Siri Dahl.

Newsec benefits from more efficient operations and fewer errors.

“Instead of everything going through us, tenants manage it themselves. We have less administration and better oversight,” Sverre Dydland.

K8 demonstrates how digital identity and physical access can work together in practice. With the right technology and a smart division of responsibilities, security becomes part of the experience – not an obstacle to it.