ACaaS: The services model

Access & Identity Management Handbook 2021 Editor's Choice

The concept of Access Control-as-a-Service (ACaaS) is not new, but there are still many who don’t really understand what ‘service’ means. Of course, different companies offer different services too, which can confuse the matter.

In South Africa, the concept of a service can mean many things related to online access to services and data held on a remote server, with one of the regular questions being that of Internet connectivity and ensuring that your access systems are functional even if the Internet disappears for a while. The question of bandwidth and how much is needed for a full cloud service is also always top of mind.

Of course, let’s not forget Eskom and what could happen to your access control system when Eskom takes the day off.

To find out more about what a service, and specifically ACaaS is, Hi-Tech Security Solutions spoke to Gary Chalmers, CEO of iPulse Systems. iPulse has converted its business to providing access as a service, from its traditional role of manufacturing biometric readers – although the manufacturing part of the business is still in operation. (See for more about Chalmers and iPulse’s move to services, as well as additional business benefits the service model enables.)

Chalmers says that the as-a-service concept, despite concerns in South Africa, is definitely a reality. “With the massive explosion of fibre availability in South Africa (and in fact throughout Africa thanks to companies like SEACOM), almost every company now has more than sufficient bandwidth for ACaaS. It is important to note that unlike CCTV, ACaaS requires a tiny fraction of bandwidth to function effectively, making it far more of a reality than its bandwidth hungry brother.”

Does size matter?

Many commentators say that ACaaS is primarily suited to small or mid-sized companies due to its reliance on Internet connectivity, or perhaps for a company with multiple smaller branches all over the country.

Chalmers disagrees, noting that ACaaS is beneficial for every company, and in fact, the simple ease of scalability makes it far more suited to any size business than locally hosted solutions. “Typically, traditional access control is either small and simple, or large and complex, and there are solutions that target each of these areas exclusively, perhaps trying to provide a ‘lite’ version for smaller businesses. However, only ACaaS is truly able to scale from a single door to a multi-continent, multi-site, massive user-base organisation simply by increasing the resources available.”

Far from the idea of having to compromise on your access control installation to ‘what the cloud can provide’, Chalmers states that ACaaS provides far better service and support than locally installed solutions.

“Without anything on site to ‘break’, other than the biometric devices themselves, callouts are reduced to a fraction of what they are for traditional access, as almost every problem is solved remotely,” he says. “More importantly, with online solutions, providers are able to monitor customer sites proactively, and more often than not tell customers they have a problem, or better yet – fix it – before clients are even aware of it.”

Downtime performance

As mentioned above, many organisations are nervous of the cloud model for a function that needs to be operational all the time – such as access control. We asked Chalmers how these businesses can be assured that operations continue when the Internet goes down or when Eskom strikes again.

“All ACaaS systems that are intelligently designed cater perfectly for ‘offline’ modes, allowing devices to continue to function perfectly when not connected to the Internet,” he explains. “Of course, adding/removing people or retrieving clocks are not possible during these times, but all transactions are queued – both on the devices and in the cloud – and as soon as connectivity is restored, these are processed.

“Online solutions are also far better at handling power outages than locally installed solutions. All data centres, and the Internet, are typically designed to be ‘always up’, and since most access control devices are installed with a battery backup (in iPulse’s case), and access to the Internet is typically on battery as well, there is far less chance of the system going down than a fully locally implemented architecture, which must now provide backup power not only for the door controllers, but also for the intermediate controllers and servers that hold the system together.”

Hybrid solutions

Those readers following IT publications that talk about cloud services (which are all of them) will have noticed that many service providers are talking about ‘hybrid’ cloud solutions. These solutions see some processing and storage based off site in the cloud, but sensitive or critical data and services are retained on site. Amazon Outposts is an example of this (

In the South African context, a hybrid solution may provide better peace of mind when it comes to protecting personal information in light of the Protection of Personal Information Act (PoPIA). Keeping sensitive data on site reduces the number of potential risks, although recent events in the country show that data breaches are more a result of insiders providing information (accidentally or maliciously) to the unscrupulous rather than major hacking exercises. Chalmers notes that iPulse offers a locally installed version of its solution, which can be integrated with the web for authentication, or installed as a completely closed loop if required.

“High-profile clients require this when the security of data is an absolute priority. However, almost all of these solutions end up costing significantly more to service and maintain, and it is arguable whether they are more or less secure than the cloud-based offering. They are significantly more susceptible to power and Internet outages, as explained above, and overall, have more than triple the downtime of cloud-based solutions in our experience.”

He continues that ACaaS is designed to massively reduce the total cost of ownership over time, while dramatically increasing the uptime and efficacy of the system. “Furthermore, ACaaS offers seamless multi-site integration in a way that no traditional access control system can, with a single-user record being required for every site being added to the system, making maintenance of users (a key issue with traditional access control systems) as easy as disabling a user, and within seconds, they are deactivated on every device in the world.”

Another implication for on-site installations that is often overlooked is the IT infrastructure. These are typically built and scaled for the installation at the time it is installed. The infrastructure is then generally ignored over the years as the system expands, which can result in under-powered computers driving your access control, which causes more failures and is highly likely to result in a catastrophic failure (such as complete database loss), over time.

“ACaaS systems simply scale their resources as the solution grows, and (if well designed) include automated backup of key data, allowing for instant reinstatement in the event of a catastrophic failure, such as database loss,” says Chalmers.

When referring to “scale their resources”, Chalmers is referring to the ability to add more processing power, memory and storage as required to the cloud setup in minutes rather than having to buy new hardware, bring the local systems down to install it and then starting up again. In a cloud service using (to use data centres from some of the big names as an example, Google, Amazon or Microsoft), scaling up is almost immediate (as is scaling down).

The question of costs

Customers like to know there is a maintenance and support service waiting to assist when required, but they generally don’t like to pay for it (especially in the first few years when they feel warranties should cover the whole system). How are maintenance and support services done in an ACaaS system – even if, as Chalmers notes above, most problems can be resolved remotely?

“iPulse has a single-price billing model that includes all support, maintenance, services and even a full swap-out of hardware devices in the event of any failure,” he explains. “There is therefore a clearly defined, single controllable cost without any nasty surprises.

“iPulse typically includes callouts as well, since our goal is to ensure that our product is remotely supported, and when it cannot be, this should not be the problem of the customer. This forces us to improve our uptime to avoid costly ‘truck rolls’, which in turn drives the uptime of the system – a win/win for everyone.”

iPulse Systems’ primary ACaaS solution is called the platform, which includes full access control, visitor management, health and safety, workforce management and time and attendance solutions. In addition, the company also offers an identity management platform that allows clients to manage identity (both on site and remotely), run loyalty programmes or create a full custom solution for their specific requirements.


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

FortiGuard labs reports disruptive shift of cyber threats
Issue 1 2021 , Editor's Choice
Threat intelligence from the second half of 2020 demonstrates an unprecedented cyber-threat landscape where cyber adversaries maximised the constantly expanding attack surface to scale threat efforts around the world. Adversaries proved to be highly adaptable, creating waves of disruptive and sophisticated attacks.

The year resilience paid off
Issue 8 2020 , Editor's Choice, Security Services & Risk Management
Hi-Tech Security Solutions spoke to Michael Davies about business continuity and resilience in a year when everything was put to the test.

Retail solutions beyond security
Issue 8 2020, Axis Communications SA, Technews Publishing, Hikvision South Africa , Editor's Choice, CCTV, Surveillance & Remote Monitoring
The need for security technology to deliver more than videos of people falling or stealing from retail stores is greater than ever.

Smart healthcare
Issue 2 2021 , Editor's Choice
In the past year, hospitals, elder care and other healthcare facilities have found themselves overwhelmed with new patients, COVID-19 regulations and other side effects of the pandemic. As efforts focused ...

Platform-based access management solution
Issue 2 2021, ASSA ABLOY South Africa , Editor's Choice
Available in South Africa and throughout sub-Saharan Africa, new Incedo Business connects all your security software and hardware within one platform. You can easily scale it up or down, based on your needs, to keep your people moving and your business growing.

FS Systems celebrates 50 years
Issue 2 2021 , Editor's Choice
This year, FS Systems celebrates 50 years in the fire detection and enterprise security market, successfully executing projects in over nine countries in Africa and LATAM.

Formative AI and distributed cloud among four megatrends revealed at MIPS 2021
Issue 2 2021, Milestone Systems , Editor's Choice
Almost 4000 participants representing end customers, technology partners and media from across the globe attended the first virtual MIPS conference, held over two days in March 2021.

Kiss passwords G00dby3
Issue 2 2021 , Editor's Choice
Cisco Secure has unveiled infrastructure agnostic, passwordless authentication by Duo which enables enterprise users to skip the password and securely log into cloud applications via security keys or biometrics built into modern laptops and smartphones.

200 000 daily access transactions
Issue 2 2021, Impro Technologies , Editor's Choice
The University of KwaZulu-Natal’s legacy access control system was suffering from increasingly limited support, both in terms of hardware and software, with maintenance becoming a pressing concern as it on-boards approximately 9000 new students each year across five campuses.

Do not take the bait
Issue 2 2021 , Editor's Choice
Banks are unable to fully protect consumers from falling prey to the tactics used by fraudsters to obtain confidential information such as banking details, card information and one-time-pins.