printer friendly version

Is everything-as-a-service worth it?

Cloud computing has changed many of the ways in which we work. Initially the cloud was a good option for storing files at a reasonable cost, and it still is if you aren’t too concerned about security. But hosting your data in the cloud was only one change the cloud brought us, and if you look at what is available today, that was or is possibly the simplest service possible.

The capabilities of the cloud expanded over time to include a number of other products, or to be more accurate, services. Hosting capabilities today can put almost any application in the cloud, allowing users to do whatever their business is with little more than an Internet connection; we can now find applications, platforms, infrastructure, security, access control, video surveillance and many other functions available at the click of a mouse (almost) or available ‘as-a-service’.

The idea is that instead of buying or renting all the kit you need to run whatever the service is, you simply pay a monthly fee and your service provider does all the technical work and you benefit from the results of the service. For example, if you opt for a video surveillance service, you would pay a fee to have a certain number of cameras installed and maintained, with the video being streamed to an offsite (cloud) storage location – of course, integrated on- and off-site solutions are also common. You would access the video from an application or browser via the Internet or your mobile device. It’s a good idea if your bandwidth can handle it, or if you can handle the costs of bandwidth.

When it comes to the benefits of services like this, we’re told that cost is one of the primary advantages. You pay for a service, not the hardware and software and installation and maintenance. You also don’t worry about hardware as the service provider has deliverables they are responsible for and have to ensure you get what was contracted for. Another is that you always have access to the latest software being used as you load it from the provider’s server and the latest version is always there.

Of course, not everyone is happy simply moving everything to a third party and hybrid installations have become more of the norm – some things are remote and used as a service, others are still onsite, although seamlessly integrated into the service offering.

On a side note, moving away from the cost question, it’s also worth noting that Tim Palmquist, VP for Milestone Americas, noted at the MIPS 2019 conference in the US that while Milestone still sells licences in the traditional client-server model, it is looking at ‘taking the journey of hybrid to the cloud’, looking at ways to make best use of cloud technologies and traditional on-site client-server products. (His presentation can be found at www.milestonesys.com/live/tim-palmquist/). The impact of cloud and remote services is therefore something everyone is paying attention to for the future.

The security market is no stranger to the as-a-service model. Your armed response fee pays for a service, for example, and we are seeing more security functions, both physical and cybersecurity, being offered as a service. To get an idea of how the service model is growing in the industry and if it’s worth considering making the move, Hi-Tech Security Solutions asked iPulse Systems and Verifier for some insights into their offerings and how the as-a-service model has and is impacting their businesses.

iPulse is a South African company that builds biometric readers and has been in the business for years. It sells to small and large companies, with hardware and software that covers single or multi-site installations. While it started out in the traditional access control business, the company’s software has changed the way it works and it recently launched an Access-Control-as-a-Service (ACaaS) solution, which includes workforce management.

Verifier was founded in 2009 and is a multi-platform, remote off-site CCTV monitoring service primarily focusing on monitoring triggered events, such as video analytics rule breaches, licence plate recognition alerts, alarm activations and so on.

As-a-service, or not?

While it seems as if everything we do is angling to adopt the as-a-service model in the chase for recurring revenue, is it realistic to move to everything-as-a-service, especially in the security market?

Gary Chalmers.

For iPulse, the answer is yes. “All of our services are now offered as-a-service,” says Gary Chalmers, CEO of iPulse. “We offer access control, time and attendance, workforce management, visitor and vehicle management and identity management as-a-service. For us, this includes all the hardware, labour and support, as well as an extended swap out hardware warranty for the full duration of the contract. This is a huge benefit for clients who do not want to put any cash up front.”

Chalmers adds, “Traditional solutions are no longer offered, although we do have a locally hosted mode whereby we supply a server, or in most cases, a virtual machine on an existing server, that pretends to be the Internet platform and gives clients an on-site, or rather VPN-based solution. However, this is only popular with extremely large, highly security-conscious clients, such as the United Nations, where security is paramount. Most other clients have migrated to the cloud.”

The benefits for the users, he notes, “are hugely increased up time, lower cost of support and maintenance, and the ability to remotely manage and maintain their infrastructure from anywhere. Cloud platforms deliver true multi-venue solutions, not caring where biometric devices, kiosks or other hardware resides, and are able to allow significantly more control than traditional systems that require a server on each site.”

Chalmers uses Seacom as an example; the company has biometric devices in multiple offices and locations throughout Africa, all neatly managed from its head office in South Africa.

“For the integrator, this means huge benefits, as most of the as-a-service systems are API-based, allowing quick, powerful and easy integration between products at a level never before possible. Communications between, for example, access control and fire systems that are similarly offered as-a-service, is normally a matter of hours rather than months to produce.”

Mike Voortman.

Mike Voortman, MD of Verifier adds that while Verifier is not specifically geared to providing services on-premises, “we see that clients are moving towards a hybrid of off- and on-site services. Verifier has always chosen the off-site offering.”

He adds that the primary benefit to the user is the single point of responsibility in terms of the SLA (service-level agreement). In this model, the integrator is able to apply more resources to the site, as the gross margin is higher in relation to the overall basket of services being contracted for.

As a note of caution, he also says service models place ‘all eggs in one basket’ and the transparency of service may be affected.

Potential problems

The key to as-a-service business models is, as noted, the cloud, or storing information on someone else’s server. This is always a sensitive issue with many people dismissing concerns because of the security involved in data transmission and storage, and others highlighting vulnerabilities they perceive. At the least, this is a question any users of services must ask as they will be liable for losing data if the worst happens.

It should be added that ‘the worst’ is often seen as a data breach when hackers use some type of tool to steal the data. In reality, it could also be system failure, human error or contractual discrepancies. One early adopter of cloud systems found out about carefully studying your contract when they wanted to move to a new, cheaper service provider but could not get their data from their initial provider.

While these issues should mostly be dealt with by the service provider – backups, system reliability and failover functionality, as well as security in the form of access control, encryption etc. – the catch is, you as the user can’t simply assume your service provider is doing it. You need to know that these things are being done – especially security.

“Security is, as we know, all about layers of the onion – the more layers, the more the inner core is protected,” says Voortman. “If all layers can be penetrated due to a single centralised failure, then the layers are a waste. Redundancies and failovers are thus more important these days, along with good old “Auditing 101” – separation of duties/functions so that related service providers can assist the client with keeping each other on their toes. It’s a bit more for the client to manage, but the benefits are huge.”

He continues that if separate service providers are used for different layers, the user only needs to replace an underperforming layer without having to change all layers at massive time and expense. Separation also requires constant evaluation, thus further keeping service providers true to their SLAs.

Chalmers takes a practical position regarding the services iPulse provides, saying that for many companies there is a knee-jerk reaction to storing employee information and data in the cloud. “I think that what many do not realise is that the amount of data actually stored by a security system is a fraction that of payroll systems, most of which have long since migrated to cloud.

“Our cloud security is high and the cost of cracking it is certainly not worth the limited data which could possibly be recovered. Fingerprints are not stored in the cloud, only the data extracted from your fingerprints – data which cannot be converted back into a print no matter what system you use.”

One of the biggest reactions in this area is to visitor management systems. Chalmers finds this amusing as he would far rather have his data captured in an electronic, controlled environment, which was designed to be PoPI compliant from the start, than writing down a phone number, ID number and registration number into a little dirty book on the reception counter or at the gate.

“There is absolutely no way to control who sees that information, or what happens to it when the book is used up. Personally, I believe it is one the greatest sources for criminals to get data. Compared to that, an electronic, secured VMS seems like Fort Knox.”

Service in the dark

Even for those users itching to save money and benefit from the improved service levels from the as-a-service model, South Africa has one major vulnerability that is basically a Grim Reaper to business and electronic communications – Eskom. As noted in the article in this issue on power management, the country will have another five years at the mercy of this electricity clown car (we hope it’s only five years) and service providers, intermediaries and users need to cater for regular bouts of no electricity.

This scenario may drive people to more of a hybrid approach with some or much of the solution still on-site under the customer’s control. Voortman says that Verifier advises the customer in accordance with the risk profile of the site. “Some will have basic redundancy built into their layers thus eliminating on-site staff entirely, with others maintaining an on-site presence as part of the site risk mitigation.”

From an iPulse point of view, Chalmers says all iPulse solutions are designed with these principles in mind. “Every device we add to our system is capable of functioning autonomously with no network, and most are configured with battery backup to last up to 24 hours in the event of an outage.

“This means that, for example, a biometric reader granting access or taking staff clocking for time and attendance can continue to operate when offline, following all the rules that are stored locally, and storing all information (up to 25 million records in our case) on its local memory. Once the network is restored, the devices sync up again, and operate as normal. Obviously, during this time, live reporting and the ability to add/remove people is no longer there for that period, however, these actions are carried out the moment connectivity is restored.”

The bottom line

It’s clear that the as-a-service model has value for users as well as the service providers, but does it really make that much difference to the amount you have to spend on a solution? After all, at the end of the day, someone has to pay for the technology, the technicians that will set it up and maintain it, and the day-to-day running costs. Does a service model reduce your spend over the term of the contract as opposed to what you would spend over the same period if you did it all yourself?

“This is an easy question to answer,” states Chalmers. “Typically, most clients do not consider what the cost of maintaining, repairing and servicing a solution is when they buy it. Statistically speaking, the upfront purchase price is usually less than one-third the total cost of system over its lifetime. Installation, maintenance, accessories, servicing, call-out fees, support fees and annual licence fees usually make up around two-thirds of the costs over a three to five year period.

“When compared to this realistic number, the cost of as-a-service normally comes in far less, costing on average about 1,5-times the initial cost, thus saving most clients as much as 50% over the lifetime of the product, without the upfront cash layout.”

With those types of figures, even if we add in a 20% error rate, the answer to the question raised in the heading to this article must be yes. At the same time, users must understand that as-a-service is not abdication of responsibilities and each client must ensure their service providers provide the security and reliability they require, and that the contract they sign doesn’t dump all the risk of exposure or other problems onto the client.

For more information contact:

iPulse, 0860 IPULSE, [email protected], www.ipulse.co.za

Verifier, 086 111 6023, [email protected], www.verifier.co.za

Share this article:

Further reading: