ACaaS: The services model

Access & Identity Management Handbook 2021 Editor's Choice

The concept of Access Control-as-a-Service (ACaaS) is not new, but there are still many who don’t really understand what ‘service’ means. Of course, different companies offer different services too, which can confuse the matter.

In South Africa, the concept of a service can mean many things related to online access to services and data held on a remote server, with one of the regular questions being that of Internet connectivity and ensuring that your access systems are functional even if the Internet disappears for a while. The question of bandwidth and how much is needed for a full cloud service is also always top of mind.

Of course, let’s not forget Eskom and what could happen to your access control system when Eskom takes the day off.

To find out more about what a service, and specifically ACaaS is, Hi-Tech Security Solutions spoke to Gary Chalmers, CEO of iPulse Systems. iPulse has converted its business to providing access as a service, from its traditional role of manufacturing biometric readers – although the manufacturing part of the business is still in operation. (See for more about Chalmers and iPulse’s move to services, as well as additional business benefits the service model enables.)

Chalmers says that the as-a-service concept, despite concerns in South Africa, is definitely a reality. “With the massive explosion of fibre availability in South Africa (and in fact throughout Africa thanks to companies like SEACOM), almost every company now has more than sufficient bandwidth for ACaaS. It is important to note that unlike CCTV, ACaaS requires a tiny fraction of bandwidth to function effectively, making it far more of a reality than its bandwidth hungry brother.”

Does size matter?

Many commentators say that ACaaS is primarily suited to small or mid-sized companies due to its reliance on Internet connectivity, or perhaps for a company with multiple smaller branches all over the country.

Chalmers disagrees, noting that ACaaS is beneficial for every company, and in fact, the simple ease of scalability makes it far more suited to any size business than locally hosted solutions. “Typically, traditional access control is either small and simple, or large and complex, and there are solutions that target each of these areas exclusively, perhaps trying to provide a ‘lite’ version for smaller businesses. However, only ACaaS is truly able to scale from a single door to a multi-continent, multi-site, massive user-base organisation simply by increasing the resources available.”

Far from the idea of having to compromise on your access control installation to ‘what the cloud can provide’, Chalmers states that ACaaS provides far better service and support than locally installed solutions.

“Without anything on site to ‘break’, other than the biometric devices themselves, callouts are reduced to a fraction of what they are for traditional access, as almost every problem is solved remotely,” he says. “More importantly, with online solutions, providers are able to monitor customer sites proactively, and more often than not tell customers they have a problem, or better yet – fix it – before clients are even aware of it.”

Downtime performance

As mentioned above, many organisations are nervous of the cloud model for a function that needs to be operational all the time – such as access control. We asked Chalmers how these businesses can be assured that operations continue when the Internet goes down or when Eskom strikes again.

“All ACaaS systems that are intelligently designed cater perfectly for ‘offline’ modes, allowing devices to continue to function perfectly when not connected to the Internet,” he explains. “Of course, adding/removing people or retrieving clocks are not possible during these times, but all transactions are queued – both on the devices and in the cloud – and as soon as connectivity is restored, these are processed.

“Online solutions are also far better at handling power outages than locally installed solutions. All data centres, and the Internet, are typically designed to be ‘always up’, and since most access control devices are installed with a battery backup (in iPulse’s case), and access to the Internet is typically on battery as well, there is far less chance of the system going down than a fully locally implemented architecture, which must now provide backup power not only for the door controllers, but also for the intermediate controllers and servers that hold the system together.”

Hybrid solutions

Those readers following IT publications that talk about cloud services (which are all of them) will have noticed that many service providers are talking about ‘hybrid’ cloud solutions. These solutions see some processing and storage based off site in the cloud, but sensitive or critical data and services are retained on site. Amazon Outposts is an example of this (

In the South African context, a hybrid solution may provide better peace of mind when it comes to protecting personal information in light of the Protection of Personal Information Act (PoPIA). Keeping sensitive data on site reduces the number of potential risks, although recent events in the country show that data breaches are more a result of insiders providing information (accidentally or maliciously) to the unscrupulous rather than major hacking exercises. Chalmers notes that iPulse offers a locally installed version of its solution, which can be integrated with the web for authentication, or installed as a completely closed loop if required.

“High-profile clients require this when the security of data is an absolute priority. However, almost all of these solutions end up costing significantly more to service and maintain, and it is arguable whether they are more or less secure than the cloud-based offering. They are significantly more susceptible to power and Internet outages, as explained above, and overall, have more than triple the downtime of cloud-based solutions in our experience.”

He continues that ACaaS is designed to massively reduce the total cost of ownership over time, while dramatically increasing the uptime and efficacy of the system. “Furthermore, ACaaS offers seamless multi-site integration in a way that no traditional access control system can, with a single-user record being required for every site being added to the system, making maintenance of users (a key issue with traditional access control systems) as easy as disabling a user, and within seconds, they are deactivated on every device in the world.”

Another implication for on-site installations that is often overlooked is the IT infrastructure. These are typically built and scaled for the installation at the time it is installed. The infrastructure is then generally ignored over the years as the system expands, which can result in under-powered computers driving your access control, which causes more failures and is highly likely to result in a catastrophic failure (such as complete database loss), over time.

“ACaaS systems simply scale their resources as the solution grows, and (if well designed) include automated backup of key data, allowing for instant reinstatement in the event of a catastrophic failure, such as database loss,” says Chalmers.

When referring to “scale their resources”, Chalmers is referring to the ability to add more processing power, memory and storage as required to the cloud setup in minutes rather than having to buy new hardware, bring the local systems down to install it and then starting up again. In a cloud service using (to use data centres from some of the big names as an example, Google, Amazon or Microsoft), scaling up is almost immediate (as is scaling down).

The question of costs

Customers like to know there is a maintenance and support service waiting to assist when required, but they generally don’t like to pay for it (especially in the first few years when they feel warranties should cover the whole system). How are maintenance and support services done in an ACaaS system – even if, as Chalmers notes above, most problems can be resolved remotely?

“iPulse has a single-price billing model that includes all support, maintenance, services and even a full swap-out of hardware devices in the event of any failure,” he explains. “There is therefore a clearly defined, single controllable cost without any nasty surprises.

“iPulse typically includes callouts as well, since our goal is to ensure that our product is remotely supported, and when it cannot be, this should not be the problem of the customer. This forces us to improve our uptime to avoid costly ‘truck rolls’, which in turn drives the uptime of the system – a win/win for everyone.”

iPulse Systems’ primary ACaaS solution is called the platform, which includes full access control, visitor management, health and safety, workforce management and time and attendance solutions. In addition, the company also offers an identity management platform that allows clients to manage identity (both on site and remotely), run loyalty programmes or create a full custom solution for their specific requirements.


Share this article:
Share via emailShare via LinkedInPrint this page

Further reading:

Sasol ensures Zero Trust for SAP financials with bioLock
Technews Publishing Editor's Choice Cyber Security Security Services & Risk Management
Multi-factor authentication, including biometrics, for SAP Financials from realtime North America prevents financial compliance avoidance for Sasol.

KPMG 2022 CEO Outlook, South African edition
Editor's Choice News
Mid-November saw the release of the latest KPMG 2022 CEO Outlook, South African edition, aptly sub-titled ‘Potential Growth in Uncertain Times’.

Do you know where your data is?
Technews Publishing Editor's Choice
Flow Security focuses on making sure companies manage their data security in real time through automated Data Security Posture Management (DSPM).

Two cases of cyber resilience
Technews Publishing Editor's Choice
Infinidat consolidates backups and cyber resilience for a cloud service provider in the healthcare environment, as well as an energy utility based in EMEA.

Are you below the security poverty line?
Technews Publishing Editor's Choice
While management may think their company is pulling its weight in terms of cybersecurity, the security team knows if it is operating below the security poverty line.

Cyber resilience is more than cybersecurity
Technews Publishing Editor's Choice Cyber Security Integrated Solutions IT infrastructure
Hi-Tech Security Solutions held a round-table discussion focusing on cyber resilience and found that while the resilience discipline includes cybersecurity, it also goes much further.

The biggest cybersecurity threats for 2023
Technews Publishing Editor's Choice
Hi-Tech Security Solutions asked a few industry experts what the biggest or most critical cybersecurity threat is that we are facing going into 2023.

Crossing the chasm
Editor's Choice News Security Services & Risk Management Training & Education
Industry reports suggest that in the next ten years, millions of jobs could go unfilled because there simply are not enough people to fill them.

Records in place now, not later
Editor's Choice Security Services & Risk Management
It is important, after an incident, to have records in place as soon as possible. Too often the matter is left for the day when the company is going to court, or a disciplinary hearing is scheduled.

Free of hardware constraints
IoT Revolution Technologies Editor's Choice
Using processing power based in the cloud empowers retailers to expand the scope of operations of surveillance cameras without needing to spend on specific cameras and back-end hardware and analytics.