Shared 11 May, 2023
Michael Gips, CPP, CSyP digs into the definition and perceived benefits and challenges of Access Control as a Service (ACaaS) adoption in the security industry.
While the term has been used for several years, Gips speaks to experts to understand key considerations for organisations and end-users when investing in software that marks, according to one contributor, “a foundational shift” in the operations of the security and wider business unit.
Access control as a service (ACaaS) isn’t new, but the term causes confusion. It is used loosely and often synonymously with “cloud-based access control” or “managed access control.”
The term is so hot that security companies and software firms alike are leaping into the market with either adapted solutions or new products and branding them ACaaS. Dozens of different companies claim to offer these services.
When putting together this article, I asked several experts for their opinions on popular misconceptions about ACaaS, as well as for significant issues and nuances involving cloud-based access control and ACaaS that are flying under the radar. Seven major themes emerged.
Definitions of ACaaS, cloud-based access and cloud architecture
Before getting into the expert commentary, definitions are in order.
ACaaS marries access control with Software as a Service. Access control hardware is located at the end user site, but the data is stored on servers that are managed offsite by the service provider. End users can access the system and its data from anywhere over the internet. Fees are by subscription.
Managed access control is an older term that has essentially morphed into ACaaS.
Cloud-based access control is a more generic term. It does not necessarily mean that a third-party is managing the data and servers. The organisation may either have cloud-based servers on site or servers at another location that it manages (the latter is often called a private cloud). The end user may either pay a subscription or own the servers outright.
The distinction between single-tenant and multi-tenant architecture is particularly significant.
Single-tenant cloud architecture, according to cloud-cost-intel company Cloudzero, is “one in where a single software instance and its supporting infrastructure/database serve only one customer…all customer interactions are separate and …
Customer data is not housed in the same database and there’s no sharing of data in any way.” So if a hosting company has 100 customers in its cloud, it has to treat each independently, meaning running system upgrades 100 times, and so on.
Multi-tenant architecture, per Cloudzero, is “one where a single software incidence and database serves multiple customers (i.e. tenants).” This architecture leverages scale. A single system upgrade covers all 100 clients in the case above.
As physical and cyber security consultant Michael Glasser, sees it, ACaaS truly means multi-tenant architecture. “Taking a physical server, virtualizing it, and housing it somewhere that happens to be in the cloud” – tantamount to single-tenant architecture – is not a true ACaaS solution.”
Multi-tenant also comes with the negative consequences of scale. If a bug gets into the system, all 100 customers get it.
ACaaS vs. On-premise
Many articles and whitepapers document the pros and cons of ACaaS versus on-premises systems. To summarise:
Dedicated, expert IT support
Regular updates and patching
Cheaper up-front costs
Access the system from anywhere
Easier to scale system if business grows
Control over your data
Access to data without internet
Direct control over security tools and protocols
Customisable to business needs
On-Premise access control: Here to stay?
Despite tremendous hype, much of it justifiable, ACaaS will not monopolise the market. In fact, the market may be growing for both on-prem and ACaaS. The former is driven by the growth of IoT such as the use of increasing use of sensors in factories and commercial buildings.
On-prem also suits defense contractors, government agencies, and other organisations that need to meet stiff security requirements for data control.
“Depending on who I am, the degree of regulation, geography, industry, infosec policies, and so on, I might be more or less inclined to do things as a service,” says Chris Fine, CEO of Integrative Technologies.
In addition, all ACaaS providers aren’t the same. “You have to judge the quality of any vendor’s solution,” he adds.
On-premise also has a place in industries that capitally fund their projects. Operational funding is a different line item that some organisations prefer to keep low, says Matthew Dimmick, Senior Security Development Manager at STV Inc.
“I believe manufacturers are providing cloud-based services to get recurring revenue,” he says. “In that model, they are leaving behind organisations that don’t want to go to subscription models or the cloud” because the recurring payments would go into the operational budget.
Transit companies, for example, typically do capital projects and want to capture most of the project’s value in that initial spend. “From a funding and procurement standpoint, it’s often easier to not use a SaaS model,” Dimmick says.
Another issue is integration. “How do we integrate systems if video and access control are in separate clouds, perhaps managed by separated vendors”? asks Dimmick. “What do I use for a single pane of glass? It might be easier in some cases to use on-prem.”
The wider ACaaS market – not just for SMEs?
The common wisdom is that ACaaS suits small and medium size companies (SMEs) best. The reasons regularly cited are several:
SMEs lack the resources to manage systems themselves
SMEs can focus on business rather than security
Cheaper startup costs and the monthly subscription make ACaaS more affordable
SMEs need not worry about updates, upgrades, and maintenance.
Steve Van Till, CEO of cloud-based access control firm Brivo, acknowledges those benefits, but points out that enterprise-level customers have been driving growth at his firm.
“The misconception is that cloud-based anything is fine for small and medium companies, but that enterprise needs on-premise. That’s been the prevailing attitude for many years. But our data shows that it’s no longer true,” Van Till says.
He adds Brivo grew by 38% overall last year, but grew 64% in enterprise customers. And it’s not just Brivo. He explains that discussions and findings from the December 2022 Imperial Capital Security Investor Conference bear out his experience – large companies are discovering the features that have long attracted SMEs.
A new business model
As vendors and customers alike race to the cloud, they are overlooking an important thing, contends Lee Odess, publisher of the Access Control Executive Brief. They treat cloud-based access control as a mere technical change, when it requires a change to the collective mindset.
“It’s a business change that has a technical component in it,” he argues. “It’s a foundational shift.”
In his view, the industry is simply creating solutions based on yesterday’s approaches – attaching a feature (the cloud) to an existing on-prem architecture. That’s like providing a horse with a better saddle and calling it a car, he says.
“That’s because as an industry we feel threatened,” he continues. Existing access control companies want to retain their customers, so they slap a cloud component onto their existing solution. “Our industry is doing a disservice by making this an integration rather than approaching it from a new lens.”
Some app and software companies are doing it right, in his view. Firms like Genea, Hakimo, Eptura, and PassiveBolt focus on user experience and make access control a feature of the proptech software suite.
