Applying the SaaS model to access control
November 2018, Access Control & Identity Management, Integrated Solutions
The software-as-a-service model has proven transformative to many organisations, and even entire industries. The benefits it can offer are undeniable, but the security sector is risk-averse by necessity, so we asked some local experts in access control as a service (ACaaS) what the pros and cons are. Our interviewees are:
• Mike Shipton, managing director, Impro Technologies
• Gary Chalmers, CEO, iPulse Systems
• Mike Smiles, managing director, Masc Solutions
• Mayleen Bywater and Rudi Potgieter, senior product managers, Vox
Hi-Tech Security Solutions: What are the pros and cons of ACaaS versus using a combination of onsite access control and cloud services for some offsite benefits?
Mike Shipton: Globally, ACaaS is expected to grow at nearly triple the rate of traditional access control equipment over the next five years, according to research company IHS Markit. Naturally, a large amount of this will be focused on the European and American markets, simply because of their strong adoption of ‘as a service’ business models – most business software is now operated ‘as a service’ in these markets. Think of your Microsoft Office 365, CRM packages and project management tools – all in the cloud.
Whilst these models are growing in South Africa it’s still at the early adoption stage, but we expect this to ramp up significantly in the next few years. One of the most significant benefits that will drive the growth is the reduction of upfront costs. As an example, many businesses will invest in the hardware and IT infrastructure to enable future growth – in essence, they are purchasing their future growth, up front, at great cost, and many of those resources may be sitting idle as the capacity is not initially being used. With ACaaS you only pay for what you need and you’re able to scale up on-demand, without a capital investment.
Another benefit for businesses is the guaranteed uptimes, built-in redundancy and disaster recovery, qualified personnel managing the systems, as well as 24/7 support. As ACaaS is an operational cost, much needed capex can also be focused on the end users’ revenue generating areas i.e. focus on their core business, while the access control is managed by specialists in this field.
Having specialists managing your system also ensures global best practices are adopted and adhered to – firewalls, virus protection, DRP, associated data encryption and legal considerations such as GDPR, as well as all the associated IT skills. These are expensive skills which many businesses can’t afford, however with ACaaS the skill set is standard.
Lastly, the simplicity of accessing the system is revolutionised, with only an Internet connection and Web browser needed to access your site – and this could be done with a mobile phone, tablet or PC. Both a time and money saving.
Gary Chalmers: Pure ACaaS allows for centralised management and support, making the TCO significantly lower. It also appeals heavily to distributed organisations who only require a small number of devices per branch, which they want to manage and control from a central point, without needing to have a PC in every location. ACaaS allows this to be conveniently controlled and managed from a single source, which hybrid systems typically do not.
Mike Smiles: ACaaS is no different to using cloud services – all the access control hardware remains onsite, software and servers are removed from a company’s premises and are housed in data centres designed to meet the exacting standards necessary for the storage and management of any business-critical information.
Compared to traditional access control, ACaaS offers several advantages, for example:
• The information is stored at remote servers, which eliminates the need for expensive hardware at the controlled premises. In principle this means that ACaaS should be less expensive than traditional (legacy type) access control.
• Using ACaaS enables the management of your access control from anywhere in the world as long as Internet access is available.
• ACaaS is ideally suited to the monitoring and control of multiple locations. Information generated at these facilities is stored at a single location and is available to authorised users, 24/7.
This type of service is ideal for all sizes of system; however, most small businesses do not have the manpower resources to manage the system on a daily basis, or don’t have access to technical support/engineering personnel, 24/7. ACaaS removes these obstacles.
Implementing cloud-based security and/or ACaaS provides a flexible solution which is infinitely scalable, by simply adding more doors, assigning cardholders access authorisation without the need of changing hardware or obtaining extra software. Although there’s concern over possible hacker attacks, most ACaaS uses encrypted communications and data storage solutions that are superior to many server-based systems.
Whilst the majority of the current ACaaS offerings utilise ‘panels’ to manage card/biometric readers and control/monitoring hardware for the secured door, the more radical options eliminate a large portion of this hardware by utilising mobile applications that enable a credential stored on a smartphone to identify the phone’s owner and issue a signal to a basic door controller that permits the staff member to enter the portals/doors they are permitted to access.
Mayleen Bywater: This is a multifaceted issue, which is precisely why I am providing my insights on the network and security systems that complement the personal identity management side of things, whereas my colleague Rudi Potgieter’s expertise is closer to the area of physical access control.
The question of using a cloud-service versus offsite access control really revolves around capturing the viewer images, storing the data, and specific requirements from a client’s perspective so they can then traverse the network for data and info. For example, if they have huge video surveillance for access where they’re going to use visual images they would need to have something onsite because of the bandwidth and volume of data. Whereas if they’re just using IT-based and specific control measures that are in place, with just access control based on policy, then cloud is obviously the way to go, as opex models assist with cost saving and a managed service can assist with IT and security confidence.
For many companies, when they need to do access control they need to trust that they’re bringing in strangers to do this. From a skills perspective we can alleviate their problem from an HR point of view, as well as help with best practices and try where we can to help manage their business. Effectively this gives the client more time to be effective in their business, so they can go and make money and let us worry about how to do the access control component.
Rudi Potgieter: At Vox we try to provide a solution that caters to clients’ needs, so it can be either private cloud, public cloud, or a hybrid of the two. We are either investigating or already have a product for almost every single one of our current traditional security solutions in the cloud.
ACaaS represents a predictable cost, essentially converting capex into opex and allowing you to budget for it better. It derisks that portion of your business by decentralising this data portion and taking it offsite if need be. It also assists your potential critical skills shortages, as an organisation doesn’t need to have advanced IT and other skills in-house.
Hi-Tech Security Solutions: How does one integrate new access solutions and existing legacy systems?
Mike Shipton: In most access control systems, the term ‘rip and replace’ is standard. Often, simply scaling up from one system to another requires this harsh and expensive route. However, given the large installed base of Impro legacy systems, we have developed the means to slowly migrate from old technologies to new. This means that many sites are able to operate with existing hardware, take on new software, and slowly replace the legacy items whilst enjoying new software features.
We generally recommend when customers are wanting to upgrade, or expand, this is the time to assess the next 10-year path. With ACaaS this becomes a much easier solution, as there is not the high capital investment of the past and, once you have the cloud platform, it opens a world of new technologies and services to the end-user which simply cannot be accessed with very old technology.
Gary Chalmers: iPulse Systems’ IQSuite.cloud is a true ACaaS platform, designed to work with both new and legacy equipment. Local memory resident services and SDKs allow legacy devices to communicate with the cloud through pre-defined interfaces, ensuring that any system can be integrated quickly and efficiently.
Whilst certain value propositions are lost (such as easy remote support and centralised management) in these scenarios, clients are able to leverage existing architecture for longer, and slowly replace ageing infrastructure rather than having to face a ‘rip and replace’ option so often advocated by security professionals.
Mike Smiles: This is solely dependent on the legacy hardware currently in use at the facility. Most ‘traditional’ access control systems use proprietary hardware that utilises serial communications such as RS-485 or RS-422. In instances where the door control hardware/panels support IP, these are often ‘closed’ systems that have been created to restrict the end user from using software other than that provided by the hardware manufacturer.
Rudi Potgieter: My understanding is that yes, this can be challenging, but there are some in-between applications and physical on-premise hardware that can be deployed to translate the environment. So in other words if you’ve got a brand new install you probably would push it out via Web services into the cloud, whereas in an older environment you might still sync to a local copy of an Impro or Paxton or whatever that service might be, and then locally translate it into the correct format so that you can access it and process it in your cloud housing, so to speak.
Hi-Tech Security Solutions: How does ACaaS integrate with other management systems, like security or building management?
Mike Shipton: The process of integration hasn’t principally changed. Whether the access control system is on-premise or operated as a service, the mechanics are pretty much the same. However, ACaaS obviously provides the latest technologies and systems to make that integration simpler, faster and better. By having a standard platform, it also ensures other systems can quickly integrate, rather than the traditional route of having to do multiple integrations for each and every system – integrate once on the platform, and it’s available for many.
Gary Chalmers: IQSuite.cloud as a platform has a fully secured API, accessed via an SDK that makes integration quick and simple. Using sample code and designed in such a way as to ensure minimal coding is needed, creating an integration with an existing system, whether local or cloud-based, is a matter of hours, rather than months.
Rudi Potgieter: Whenever technology moves to the cloud you don’t lose functionality, so if you have an app that’s already integrated into a building management system, payroll, or time and attendance, all of that just moves to the cloud. You’re essentially just taking responsibility for the physical infrastructure of the client’s network. So integration is still part and parcel of the overall solution – we’re not going to take functionality away, but actually add functionality.
Taking services like these to the cloud also allows for better management of a mobile workforce, such as field marketers or merchandisers in a retail environment, or even security companies that have staff temporarily deployed at a site. It is nowadays trivial to have a mobile finger reader whereby a mobile worker can login and they are then virtually clocked in at a specific site. So I think it actually takes the concept to the next level.
Mayleen Bywater: If you’ve got the policies and processes mapped out properly and you do the fingerprint or specific single sign-on or any kind of authentication to a specific person, if your ERP or other system is dated it does create a bit of a stumbling block because they would need to be upgraded or integrated. However this also presents an opportunity to make sure clients are running the correct patches, their version control is correct and that everything actually works together.
What people don’t always do is ensure that the testing of the network and the testing of the access control actually complement each other. In some cases the one will negate the other, and if you’re not managing it from a one-provider perspective you are creating a loophole in your client’s environment.
Hi-Tech Security Solutions: How does one deal with the risks of losing sensitive data, especially with respect to GDPR and PoPIA?
Mike Shipton: This is where international certification becomes crucial. The rigorous standards enforced internationally must be adopted to ensure complete compliance with all legislative requirements. For example, ISO 27001 for technical measures, ISO 27017 for cloud security, ISO 27018 for cloud privacy, as well as EU specific certifications such as BSI’s Common Cloud Computing Controls Catalogue and adherence to the CISPE (Cloud Infrastructure Services Providers in Europe) Code of Conduct.
In addition, strong encryption of all personal data is a must; as well as the regular testing, assessing and evaluating of the system to ensure that it is continually monitored and meets the changing demands of a globally connected system.
Gary Chalmers: Following international guidelines for storing and managing data, and leveraging the inherent underlying security principles of Microsoft Azure, allows IQSuite.cloud to maintain a rigorous and certified methodology for managing security. In addition to this, our team performs regular penetration testing around the API and its security, and constantly updates the underlying authentication and authorisation models to accommodate the ever-changing environment.
Mayleen Bywater: Let’s say for example you have an ERP system and you have access to your client’s info and/or their personal details from a payments perspective. If you know you’ve only given a person access to a specific environment and there’s a solid audit trail, when something does happen whereby information is leaked either maliciously or in error, an organisation’s security measures mean they can validate and prove what has occurred.
Hi-Tech Security Solutions: Where would ACaaS be advised and where not – for example, is it good for small companies but not reliable enough for the enterprise?
Mike Shipton: As mentioned previously, the easiest adoption is for small to medium businesses who haven’t considered access control previously due to the costs, or those same businesses that don’t have the IT and specialist resources to manage all the infrastructure. These are normally the earlier adopters of ACaaS as the benefit is significant and quickly achieved.
On the enterprise side, the adoption is slower simply because of their significant investment in the access control system which cannot be thrown out overnight. In this sector, we see a longer term for the migration as that equipment ages, becomes obsolete and upgrading becomes a business priority and reality. Then ACaaS makes very good sense, especially because of the ability to add additional services such as mobile or virtual credentials, alarm and event monitoring, credential management, SLAs with regulated services etc.
Gary Chalmers: ACaaS is the future. All other products are already dead, even if they don’t realise it. From small companies to large enterprises, ACaaS is the wave of the future. It simply carries too many benefits to ignore, and IT trends have shown that everything will ultimately migrate to the cloud in order to remain competitive in terms of TCO. Ultimately, onsite, closed systems are a thing of the past, and the dangers they bring are no less than anything offered by cloud architecture.
Mike Smiles: There is no question that the take-on rate for ACaaS is far higher in the small business space as opposed to enterprise wide solutions. Major organisations spend years and large sums of money selecting access control products that are suitable for their organisation and take many years to change this perspective because of the risks involved.
Small operations quickly identify the benefits of prescribing to a service which enables them to focus on their core business and eliminate the need to allocate a resource to the task of security system administrator.
The majority of control panels that support this technology are imported from the USA or Europe and are relatively expensive. The delayed implementation of benchmark cloud services such as those offered by Microsoft Azure or Amazon Web Services is a barrier to take-up here in South Africa. Furthermore, the monthly subscription costs charged by companies offering this technology are currently too expensive to support widespread adoption of the solution.
Rudi Potgieter: From the research I’ve done and presentations I’ve seen from our existing vendors, in the smaller environments cloud access control is the sweet spot. Businesses like that don’t necessarily have the skill set to run with it locally, nor do they have the IT, the knowledge etc. So there it works well for us to offer it as a complete service – not only access control in the cloud but access-control-as-a-service. With our 24/7 nerve centre we can field these support calls and assist with bringing on board and activating and deactivating access etc.
In your larger environments I think they’re going more for the cloud play because as-a-service play is not quite there yet and the guys are still quite stringent with their policies. Essentially we are looking at trying to mould some of our existing, traditional models into a cloud model whether the vendor is ready for that or not. I think we are quite innovative and we’ve got the right skills here to be able to take products like that and deploy them in a virtual cloud environment for our clients.
For more information contact:
Impro Technologies, +27 31 717 0700, www.impro.net
iPulse Systems, +27 86 0478 573, www.ipulsesystems.com
Masc Solutions, +27 11 100 0088, www.mascsolutions.com
Vox, +27 87 805 0000, www.vox.co.za