Access Control as a serviceHosted services are becoming more ubiquitous with every passing year and month. The cloud continues to touch and, in many ways, transform everyday life. From the use of social media to remotely managing home features such as cooling, lighting and even door locks. However, the security industry’s awareness and perception of access control as a service (ACaaS) is limited and there remains an element of confusion over what constitutes ACaaS and its typical features and functionalities. Currently there are many different types of ACaaS in terms of pricing, infrastructure and service offerings.

For ACaaS, all hardware will remain on site; however, the software and all servers will be removed from the customer’s premises. In some cases, hardware may need to be replaced in order to be connected to the cloud / remote server. Examples include updating the panels that are either outdated and do not support encryptions and digital certifications, or serial panels that do not support IP functionality. TCP/IP panels can use existing IT infrastructure and often do not require a port to be opened, which is frowned upon by the IT department. IHS has identified two types of cloud: true cloud and rack server.

True Cloud

To be defined as true cloud, the ACaaS model must contain the following functionality:

  • Multi-tenant: One application serves all clients and each client’s data sets are partitioned on a server and kept secure. The application itself serves the entire ecosystem. The distinct advantage is for security updates – e.g. protecting the operating system that manages the underlying system. Most operating systems are Linux or Windows, which require patches.
  • Scalable and on-demand: the server being used must be flexible with the customer’s demand. If a customer needs to add (or subtract) users or doors, then the system must be able to adapt quickly to those needs, i.e. rapid elasticity.
  • Redundancy: backup servers are in place in case any error occurs.

Rack Server

ACaaS offerings that are not considered true ‘cloud’, include rack-space servers (stack-a-box). Although, rack servers may have some characteristics of true cloud. If a different server exists for every application/customer, then the solution is neither multitenant or true ‘cloud’. In this case, every customer has a server and each server must be updated independently. The provider of a rack server may utilise IaaS (infrastructure as a service) or PaaS (platform as a service) to offer the solution to an end-user or channel partner; however, the economies of scale presented with a rack server are not the same as with true cloud (multitenant).
Furthermore, multitenant / true cloud applications can be segmented into to two types: private cloud and public cloud.

  • Private Cloud: The cloud infrastructure is provisioned for exclusive use by a single organisation comprising multiple consumers (e.g. business units). It may be owned, managed, and operated by the organisation, a third party, or some combination of them, and it may exist on or off premises.
  • Public Cloud: The cloud infrastructure is provisioned for open use by the general public. It may be owned, managed and operated by a business, academic, or government organisation, or some combination of them.

Finally, there are three types of service offerings that rack server and true cloud providers offer: Hosted, managed and hybrid.
Hosted access control is a service in which the servers that hold the access control data are located at a third party location. The end-user has full control of the adding and deleting access rights by using a thin client (web browser); however, the end-user is not required to maintain the server infrastructure. Third party locations can include a server architecture that is either colocation or multitenant.

  • Managed access control is a service where the end-user pays a third party to administer the access control platform. Services include tasks such as adding and deleting access rights, printing badges and credentials, door ajar / propped monitoring, changing/assigning schedules, etc. The servers are located at a third party location.
  • Hybrid access control is a combination of hosted and managed access control. Often an end-user may manage only portions of the access control system while outsourcing certain tasks to a third party.

To summarise, ACaaS is an alternative method of managing credentials, doors and users compared with the traditional method of onsite management and maintenance. The upfront capital cost is reduced by limiting the amount of hardware needed on site and, in some cases, the hardware can be rented as part of a monthly fee. ACaaS also offers redundancy and limits liability of the end-user since third party data centres offer back up servers with encryption and security in order to protect the data. As a result, the end-user does not have to worry about updating security software or the impact of updating an operating system.
When determining how an ACaaS solution will work and be deployed, there are a few things to consider. First, what type of billing will work best? Some providers offer managed services but charge on a per door basis, while other providers will charge for managed services based on the number of credentials/ users, sites or transactions. Many providers, when offering managed services, will opt for the latter since the cost is much higher for the provider when a large number of transactions occur or there are many sites involved, e.g. the provider must have more staff and trained personnel to manage the systems.

If there is a small site with a small number of users it may be better to bill on the number of doors. But if there is a large site it may be better to bill on the users because generally the more users, the more changes that will occur, weekly, monthly or quarterly. The current state of the ACaaS industry does not have a set standard for pricing. Some providers may charge their dealers monthly for the number of connections or doors, or the provider may charge the dealer quarterly or perpetual annual subscriptions. The dealers may charge a mark-up to the end-user and only charge by the number of doors, or the dealer may charge by users, transactions, sites or a combination of all three. The billing model for ACaaS remains custom and on a per project basis.
The market size and growth opportunities for ACaaS continue to rise as the market is educated. IHS estimated the North American and European market size for ACaaS in 2012 to be worth more than $150 million. North America contributed to an estimated 87 per cent in these two regions. The North American and European markets combined are forecast to grow to more than $290 million by 2016.
The European market for ACaaS is forecast to grow faster than the North American market from 2011 through 2016; however, IHS expects the European market to be substantially smaller compared with North America. Currently throughout Europe, hosted and managed access control is not common and there are fewer alarm companies to offer a solution to SME and residential users compared with North America. The North American market for ACaaS was estimated to be the largest market because of the number of vendors providing the services, as well as the penetration rate of alarm monitoring companies. The regulations and acceptance of ACaaS is also greater in the North American market compared with Europe.
Overall, ACaaS is experiencing strong growth year-on-year in North America and will continue to see strong growth as the end-users, suppliers and monitoring companies are educated on the solution. Although a high growth rate is expected in the short-term, continued long-term growth will be dependent on defining this market, as well as dealers offering a more unified pricing structure. Transparency of how the solution will be provided to the end-user and what the end-user can expect in terms of functionality and ease of use will also be important  in order to avoid overpromising and under delivering.