Commercial access control systems: a complete guide for Colorado facility managers

Types of access control systems

There are three broad categories. Which one fits depends on the size of the facility, the number of doors, and whether the system needs to integrate with other building systems.

Standalone systems

These operate door by door, with no central management. Each reader/lock combo stores its own credentials and operates independently. Standalone systems work for small facilities with a few doors and no need for centralized reporting. The limitation is that adding or revoking a credential means physically visiting each door.

Networked systems

Networked systems connect all doors to a central server or controller panel. Administrators manage the entire system from a single software interface. Add a user once, and their credential works on every door they’re authorized for. This is the standard for any commercial facility with more than a handful of controlled doors. Genetec Security Center, Gallagher Command Centre, and AMAG Symmetry are examples of enterprise-grade networked platforms ESI installs in Colorado.

Wireless lock systems

Wireless locks use wireless communication between the lock and a hub or gateway, eliminating the need to run access control wiring to every door. Salto is the most common platform ESI deploys in this category. Wireless locks are well suited for interior doors in existing buildings where running wire to every frame would be disruptive or cost-prohibitive. They have a narrower feature set than hardwired networked systems, but for the right application they solve a real problem at a fraction of the installation cost.

Most mid-size and large facilities in Colorado end up with a combination: hardwired networked systems on perimeter doors and high-security areas, with wireless locks on interior offices and conference rooms.

On-premise vs. cloud-based access control

This is the question that comes up in almost every access control conversation right now. The answer depends on what matters most to the facility.

On-premise systems

These run on a server located at the facility. The facility owns the hardware, the software license, and the data. Genetec Security Center, Gallagher Command Centre, and AMAG Symmetry are on-premise platforms. The advantages: full control over the data, no recurring subscription for the software itself, and the system operates even if internet connectivity drops. The trade-off is that the facility is responsible for server maintenance, software updates, and cybersecurity patching.

Cloud-based systems

Cloud systems run on the manufacturer’s servers. The facility accesses the system through a web browser or mobile app, and the manufacturer handles software updates, backups, and hosting. The advantages: lower upfront cost (no server to buy), automatic updates, and remote access without VPN configuration. The trade-offs: ongoing subscription fees, dependence on the manufacturer’s infrastructure, and data stored offsite.

Hybrid deployments

Hybrid combines both. The controller hardware operates on-premise (so doors still function during an internet outage), but the management software is hosted in the cloud. Several manufacturers now offer this model.

For Colorado facilities, two factors often drive the decision. First, facilities subject to CJIS compliance (law enforcement, courts, some government buildings) may have data residency and security requirements that restrict cloud options. Second, multi-building campuses with unreliable connectivity between sites often prefer on-premise controllers with cloud-based management, so each building operates independently but administration is centralized.

What to look for when choosing a system

Buying criteria differ by facility type and size, but five factors apply to nearly every commercial access control decision in Colorado.

Integration capability

Access control rarely operates alone. It typically integrates with video surveillance (so a door event triggers a camera to record), intrusion detection (so arming and disarming the alarm is linked to the first card-in and last card-out), and visitor management systems. The platform you choose determines which other systems it can talk to. Genetec Security Center, for example, unifies access control and video surveillance on a single platform. If integration matters, the software platform decision comes before the hardware decision.

Scalability

A system that works for 20 doors today may not support 200 doors across three buildings in five years. Ask whether the platform charges per door, per user, or per server, and whether adding capacity requires new hardware or just a license upgrade. Facilities that anticipate growth should select a platform that scales without a forklift replacement.

Credential technology

The shift from proximity cards (125 kHz) to smart cards (13.56 MHz) and mobile credentials is well underway. Proximity cards are inexpensive but easily cloned. Smart cards and mobile credentials use encryption and are significantly more secure. If you’re installing a new system today, there’s little reason to start with proximity-only readers unless budget is the only factor.

Manufacturer support model

Access control platforms require software updates, firmware patches, and occasional troubleshooting with the manufacturer’s engineering team. That support runs through the integrator, and it only works if the integrator is authorized by the manufacturer. Unauthorized installers can get a system running, but when something breaks at the software level, they’re calling the same support line you could call yourself.

Total cost of ownership

The purchase price is the smallest part of the cost. Installation labor, structured cabling to each door, programming and commissioning, credential provisioning, and ongoing maintenance all add to the total. Cloud systems add recurring subscription fees. On-premise systems add server maintenance costs. A realistic budget accounts for all of these, not just the hardware. For a deeper breakdown, see our post on what drives commercial access control pricing in Colorado.

How to evaluate an access control integrator

The integrator matters as much as the platform. A good system poorly installed, programmed, or maintained will underperform from day one. For a longer treatment of integrator selection, our guides on choosing an integrator in Fort Collins and choosing an integrator in Colorado Springs cover the verification process in detail.

Manufacturer authorization

This is the first filter. Authorized integrators have completed manufacturer training, passed certification exams, and have direct access to the manufacturer’s technical support and software licensing. Not every integrator bidding your job holds these authorizations. Ask specifically: are you authorized by this manufacturer to install and support this platform?

Certification and compliance credentials

If your facility is subject to CJIS requirements (law enforcement, courts, some government agencies), the technicians working on site need to pass CJIS background checks. If fire alarm integration is involved, NICET certification matters. Ask for specifics, not generalities.

Local presence and response time

Access control issues are time-sensitive. A locked-out building or a door that won’t secure can’t wait for a technician to drive from Denver. Integrators with offices in your region can respond faster and maintain the system more consistently. ESI operates offices in Fort Collins and Colorado Springs, covering Northern and Southern Colorado directly.

Service and maintenance capability

Installation is the beginning of the relationship, not the end. Ask how the integrator handles firmware updates, software patches, credential management, and hardware failures after the warranty period. An integrator who installs the system and then responds only to break-fix calls is not maintaining the system. Proactive maintenance, including regular firmware updates, door hardware inspections, and controller health checks, is what keeps access control systems reliable over their 7-to-15-year lifecycle.

Access control in Northern and Southern Colorado

Colorado’s facility mix shapes access control decisions in ways that a generic buyer’s guide won’t cover.

Northern Colorado

Fort Collins, Loveland, Greeley, Windsor, Longmont, Berthoud, and Estes Park: the region’s growth has created a mix of new construction and aging commercial buildings. New construction along the I-25 corridor between Fort Collins and Longmont typically specs access control in the design phase. Retrofit projects in older Fort Collins and Loveland commercial buildings frequently deal with non-standard door frames, limited conduit pathways, and existing analog systems that need to be replaced without disrupting operations. The healthcare corridor between Fort Collins and Greeley, anchored by UCHealth and Banner Health facilities, drives a steady volume of healthcare-specific access control work. Municipal facilities in Larimer County and the cities of Fort Collins, Loveland, and Greeley require CJIS-compliant access control installations.

Southern Colorado

Colorado Springs, Pueblo, Monument, Briargate, Fountain, Canon City: Colorado Springs has a different facility profile. The concentration of military installations and defense contractors creates demand for higher-security access control with two-factor authentication, anti-tailgating measures, and integration with intrusion detection. Government and municipal facilities across El Paso County share the CJIS compliance requirements of their Northern Colorado counterparts. The Briargate and Northgate corridors in Colorado Springs have seen significant commercial construction, and many of those buildings are now reaching the 8-to-12-year mark where original access control systems need evaluation or replacement.

Common access control mistakes

Most access control problems ESI sees in Colorado facilities trace back to decisions made during initial installation or system selection.

Choosing the platform based on hardware price alone

The cheapest system per door is almost never the cheapest system over ten years. Low-cost platforms that lack integration capability, scalability, or strong manufacturer support become expensive when the facility outgrows them or the manufacturer discontinues the product line.

Skipping the network infrastructure

Access control systems run on the building’s data network. If the network infrastructure (switches, cable runs, power-over-ethernet capacity) isn’t designed to support access control traffic, the system will have reliability problems that no amount of troubleshooting at the access control layer will fix. This is especially common in retrofit projects where the existing structured cabling wasn’t designed for IP-based systems.

Not planning for credential lifecycle

Every employee, contractor, and visitor who receives a credential creates an ongoing management obligation. Credentials need to be provisioned, updated, suspended, and revoked as people join, move between departments, or leave. Facilities that don’t plan for this end up with hundreds of active credentials assigned to people who no longer work there, which is a security gap and a compliance risk.

Installing without a maintenance plan

Access control hardware has a functional lifecycle of 7 to 15 years, but only with regular maintenance. Door hardware wears out from daily use. Firmware updates patch security vulnerabilities. Software updates add features and fix bugs. Controllers need periodic health checks. Without a maintenance plan, small issues accumulate until a system-wide failure forces an emergency response.

Treating access control as a standalone system

In most commercial facilities, access control is more useful when it’s connected to other systems: video surveillance, intrusion detection, visitor management, and building automation. Planning for integration during system selection avoids costly workarounds later.

How ESI approaches access control projects

ESI Technologies installs access control systems across Northern and Southern Colorado, with offices in Fort Collins and Colorado Springs. We hold manufacturer authorizations from Genetec, Gallagher, AMAG, and Salto, which means our technicians are factory-trained on these platforms and have direct access to manufacturer engineering support.

Every access control project starts with a site assessment. We walk the facility, identify the doors and entry points that need to be controlled, evaluate the existing network and cabling infrastructure, and discuss the facility’s operational requirements, including integration with surveillance, intrusion, or visitor management systems.

We spec and install the system, including structured cabling, controllers, readers, locks, and software configuration. After commissioning, we program the access rules, provision initial credentials, and train the facility’s administrators on the software platform.

For ongoing support, ESI offers service agreements that cover firmware updates, controller health checks, door hardware inspections, and priority response for service calls. Proactive maintenance is what separates a system that runs reliably for a decade from one that degrades into a source of daily frustration. Our technicians hold CJIS certifications for government and law enforcement facility work, and NICET certifications for projects involving fire alarm integration.

Frequently asked questions about commercial access control