Access control as a service
Access control and identitiy management, IT infrastructure
In an economic environment where cutting costs is king, there is still an acknowledgement that access control is a necessary function in every business. In smaller firms, access control may simply be a security door that the receptionist opens when someone arrives, while in larger enterprises it could consist of significant investments in technology and human resources.
While you can’t beat the price of a security door, larger installations are more dynamic, complex and expensive. This is why access control doesn’t receive the publicity that ‘cooler’ technology solutions do; it is installed to be forgotten for a long time (with the exception of maintenance and expansion, of course).
When a company decides it’s time to revamp its access control, it will again be faced with a large expense for hardware, software and manpower. Today, however, there is an alternative to spending the big bucks and having everything installed and managed on site – Access Control as a Service (ACaaS), which promises to make the access control spending more manageable.
There are a few ways to implement an ACaaS solution depending on the requirements of the user. The common scenario is to have the access control software and data stored on a cloud-based server (potentially with a backup on site), where the integrator or service provider manages everything for the user. The management can simply be making sure the system is running and accessible (and secure), or the service provider can take over managing everything related to access control, including enrolment. In some cases, the integrator will also assist in financing or arranging financing for the hardware and rent or lease it to the customer on a monthly or annual basis.
Whatever the final agreement looks like, ACaaS is becoming more popular with end-user companies and with integrators as they have closer control over multiple clients’ solutions without having to be on site. IHS Markit expects cloud-based access control to grow at over 9% through to 2021, which is more than double the rate of growth expected from traditional on-site solutions.
Can we expect the same growth locally? Are local end-users looking from the same services and solutions from ACaaS? Hi-Tech Security Solutions asked two local ACaaS operators for their insights on cloud-based access. Our experts are:
• Johan Van Heerde from Skycom, and
• Vikki Vink from Impro Technologies.
It’s not uncommon to hear that cloud services in various local industries aren’t taking off as they are in First World countries because of the poor local infrastructure and because large companies have a burning desire to control as much as they can.
However, things are looking up in some areas according to Van Heerde. “There is definitely growth in the demand for ACaaS services, but in our experience, it’s been more in the SME markets rather than the enterprise level companies. The larger corporates still prefer managing the IT environment within their network environments and thus prefer locally hosted systems which reside within the controlled realms of their respective IT and network policies.
“The SME market, on the other hand, does not want to maintain access control systems and prefers to outsource the solution as a whole and only use the functionality and output of the fully hosted and maintained system.”
Vink says ACaaS has yet to become a popular option in South Africa. “Part of this can be attributed to concerns around security and the traditional preference for on-site solutions. However, internationally there is growing interest in this solution as organisations become more accustomed to cloud solutions, such as with software services like SalesForce, Cisco WebEx, Google Apps, Office 365 and so forth.”
She adds that while the demand remains low, Impro expects this to change over the next two to three years because the benefits of ACaaS, when correctly managed, result in cost reductions, improved efficiency and rapid deployment.
“For example, there would be no requirement for onsite servers and the associated management of these. All access control software would be based in the cloud, with authorised users accessing the system through something as simple as an Internet browser. This means that deployment can be achieved within a few days. The only hardware would be a physical reader on the door.
Even credentials or tags can be virtual today. For example, at Impro Technologies we are able to offer customers the ability to have their access card securely embedded on their mobile device. This provides greater convenience for the user and ensures reduced loss of cards or duplicated cards (we always know where our cellphone, is but not necessarily our access card).
Where does it fit?
In an industry where one size does not always fit all, are there certain markets where ACaaS would make a better fit. Van Heerde has noted that the SME environment is one area where it is finding acceptance, and international research indicates industrial and manufacturing concerns are more inclined to adopt this approach, as are companies that want to centrally control access for multiple locations.
“It is already evident that the distributed model has been adopted by many industries where you have a small system presence in a remote or temporary work area,” says Van Heerde. “A good example of this would be the building and construction industry where you would ideally put down a temporary structure to manage and control your time worked, access to site and health and safety aspects like breathalyser and licence control.
“In these cases you would not want to deploy a fully fledged system to the temporary site only to remove it after work is concluded. It is here where the worth of ACaaS and distributed systems-as-services come into play. These can be broken down further where these construction companies can have a local, centrally-hosted system with distributed functionality within their network realm or the whole solution can be provided to the company as an ACaaS by a company that specialises in this field.”
Vink agrees that ACaaS is better positioned for multi-sites, simply because it reduces the cost of having multiple servers on each site and the potential complexities of installation and management. However, for large installations such as manufacturing or industrial sites, the main barrier to entry in the short term will be their significant investment in servers (and the associated infrastructure) as well as personnel.
“This will change, and enterprises will start assessing ACaaS when it’s time to upgrade and the technology is proven,” adds Vink. “ACaaS is ideal for medium-sized businesses, specifically because of the reduced investment. For these businesses, the expense of servers and the associated management of firewalls, virus protection, disaster recovery programmes, along with qualified personnel to manage this makes ACaaS a natural alternative.”
She adds that in addition to the cost savings, the biggest factor that will drive this is convenience. “Businesses will be able to focus on their day to day operations, without concern, knowing all the other considerations have been taken care of. They simply log into a secure portal that is already preconfigured and secured for them, and are able to quickly pull reports, enable or deny access, thus reducing a significant infrastructure headache.”
Cloud versus cloud
Some people have dismissed the idea of ACaaS as they believe they can host their own access control function in the cloud without having another service provider or vendor involved. While this is true, it is the ‘as-a-service’ part of ACaaS that makes it valuable to companies.
Simply hosting in the cloud can be done, but the company would still have to take responsibility for installing and running its hardware and software. Vink explains that current hosted solutions are generally more of an IaaS (Infrastructure as a Service) model where users are still responsible for managing the applications and updates etc.
“With ACaaS the application can be run directly from a web browser and, more importantly, the vendor manages everything – the applications, runtime, backups, networking, data, servers, storage etc.”
However, she warns that offline functionality is still non-negotiable in any installation. “This is crucial whether you have on-premise, hosted or ACaaS. In any of these instances, if a server goes down, the access control system must still be able to operate normally. This is one of the key differentiators that Impro provides – if your link back to the server (or associated infrastructure) is lost, people are still able to gain access. This is achieved by not being solely reliant on the server to provide the decision-making.”
Van Heerde notes that three-layer redundancy is a decisive factor when it comes to selecting your system in the long run. “Layer one core system benefits, as in the case with the XTime suite, lies in its capability to do full offline validation, meaning all validations takes place on the controller/access control unit even if it cannot connect to the main server at that time. At the same time all transactions are buffered and recorded and will be downloaded to the database once the connection has been re-established.
“For Layer 2, redundancy tools can be deployed onsite from a general laptop are of utmost importance to accommodate and mitigate worst-case scenarios. In Layer 3, controller backed-up data is directly accessible with software utilities.”
As with most technology solutions, the benefits and ultimate functionality of an ACaaS solution depends on the options one chooses, and this will naturally influence the price. And while the capex/opex argument makes a significant difference to many bean counters, one must ask whether the ACaaS route is actually going to save money in the long run.
The money question
“In my opinion,’”says Van Heerde, “the cost saving would not lie so much within the physical infrastructure and server costs, as server space is pretty much accessible and obtainable in various offerings from renting, to owning and hosting ,and infrastructure is a given whether hosted or local.
“I think the saving will be through the actual manpower required to maintain and manage these systems. With a locally hosted system you would require skilled resources to maintain and support the system and everything pertaining to it. A typical integrated system would require an administrator, IT support, database administrator, infrastructure support and management of all these aspects dependent on the size and geography of the system.
“At the other end, a fully hosted system would still require the above structure to support the system, but the structure and the cost would now be distributed among various clients, thus alleviating costs and in-house responsibility for the system.”
Vink echoes this thinking, noting that ACaaS also moves the problems from the user to the vendor, who is now responsible for guaranteed uptimes, server failovers and data protection. “As we all know, data protection and privacy laws are becoming more stringent, therefore to have a service that manages this for a business also reduces its legal liabilities.”
For more information, contact: