IFSEC Insider, formerly IFSEC Global, is the leading online community and news platform for security and fire safety professionals.
May 5, 2023


Digging into Access Control as a Service – Misconceptions, nuances and challenges to wider adoption

Michael Gips, CPP, CSyP digs into the definition and perceived benefits and challenges of Access Control as a Service (ACaaS) adoption in the security industry.

While the term has been used for several years, Gips speaks to experts to understand key considerations for organisations and end-users when investing in software that marks, according to one contributor, “a foundational shift” in the operations of the security and wider business unit.


Michael Gips, CPP, CSyP, principal of Global Insights in Professional Security

Access control as a service (ACaaS) isn’t new, but the term causes confusion. It is used loosely and often synonymously with “cloud-based access control” or “managed access control.”

The term is so hot that security companies and software firms alike are leaping into the market with either adapted solutions or new products and branding them ACaaS. Dozens of different companies claim to offer these services.

When putting together this article, I asked several experts for their opinions on popular misconceptions about ACaaS, as well as for significant issues and nuances involving cloud-based access control and ACaaS that are flying under the radar. Seven major themes emerged.

  1. Despite the exodus to the cloud, on-premises systems are not at risk of going away
  2. ACaaS is not just for small and midsize companies
  3. Adopting ACaaS is as much a business model transition as it is a technical change
  4. Data sovereignty issues may be overlooked
  5. Supply chain issues lurk in the background
  6. Be careful whose solution you adopt
  7. ACaaS will suffer setbacks

Definitions of ACaaS, cloud-based access and cloud architecture

Before getting into the expert commentary, definitions are in order.

ACaaS marries access control with Software as a Service. Access control hardware is located at the end user site, but the data is stored on servers that are managed offsite by the service provider. End users can access the system and its data from anywhere over the internet. Fees are by subscription.

Managed access control is an older term that has essentially morphed into ACaaS.

Cloud-based access control is a more generic term. It does not necessarily mean that a third party is managing the data and servers. The organisation may either have cloud-based servers on site or servers at another location that it manages (the latter is often called a private cloud). The end user may either pay a subscription or own the servers outright.

The distinction between single-tenant and multi-tenant architecture is particularly significant.

Single-tenant cloud architecture, according to cloud-cost-intel company Cloudzero, is “one in where a single software instance and its supporting infrastructure/database serve only one customer…all customer interactions are separate and … customer data is not housed in the same database and there’s no sharing of data in any way.” So if a hosting company has 100 customers in its cloud, it has to treat each independently, meaning running system upgrades 100 times, and so on.

Multi-tenant architecture, per Cloudzero, is “one where a single software instance and database serves multiple customers (i.e. tenants).” This architecture leverages scale. A single system upgrade covers all 100 clients in the case above.

As physical and cyber security consultant Michael Glasser sees it, ACaaS truly means multi-tenant architecture. “Taking a physical server, virtualizing it, and housing it somewhere that happens to be in the cloud” – tantamount to single-tenant architecture – “is not a true ACaaS solution.”

Multi-tenant also comes with the negative consequences of scale. If a bug gets into the system, all 100 customers get it.


ACaaS vs. On-premise

Many articles and whitepapers document the pros and cons of ACaaS versus on-premises systems. To summarise:

Pro ACaaS

  • Dedicated, expert IT support
  • Regular updates and patching
  • Cheaper up-front costs
  • Access the system from anywhere
  • Easier to scale system if business grows

Pro Prem

  • Control over your data
  • Access to data without internet
  • Direct control over security tools and protocols
  • Customisable to business needs

On-Premise access control: Here to stay?

Despite tremendous hype, much of it justifiable, ACaaS will not monopolise the market. In fact, the market may be growing for both on-prem and ACaaS. The former is driven by the growth of IoT, such as the increasing use of sensors in factories and commercial buildings.

On-prem also suits defense contractors, government agencies, and other organisations that need to meet stiff security requirements for data control.

“Depending on who I am, the degree of regulation, geography, industry, infosec policies, and so on, I might be more or less inclined to do things as a service,” says Chris Fine, CEO of Integrative Technologies.

In addition, not all ACaaS providers are the same. “You have to judge the quality of any vendor’s solution,” he adds.

On-premise also has a place in industries that capitally fund their projects. Operational funding is a different line item that some organisations prefer to keep low, says Matthew Dimmick, Senior Security Development Manager at STV Inc.

“I believe manufacturers are providing cloud-based services to get recurring revenue,” he says. “In that model, they are leaving behind organisations that don’t want to go to subscription models or the cloud” because the recurring payments would go into the operational budget.


Transit companies, for example, typically do capital projects and want to capture most of the project’s value in that initial spend. “From a funding and procurement standpoint, it’s often easier to not use a SaaS model,” Dimmick says.

Another issue is integration. “How do we integrate systems if video and access control are in separate clouds, perhaps managed by separate vendors?” asks Dimmick. “What do I use for a single pane of glass? It might be easier in some cases to use on-prem.”

The wider ACaaS market – not just for SMEs?

The common wisdom is that ACaaS suits small and medium size companies (SMEs) best. The reasons regularly cited are several:

  • SMEs lack the resources to manage systems themselves
  • SMEs can focus on business rather than security
  • Cheaper startup costs and the monthly subscription make ACaaS more affordable
  • SMEs need not worry about updates, upgrades, and maintenance.

Steve Van Till, CEO of cloud-based access control firm Brivo, acknowledges those benefits, but points out that enterprise-level customers have been driving growth at his firm.

“The misconception is that cloud-based anything is fine for small and medium companies, but that enterprise needs on-premise. That’s been the prevailing attitude for many years. But our data shows that it’s no longer true,” Van Till says.

He adds Brivo grew by 38% overall last year, but grew 64% in enterprise customers. And it’s not just Brivo. He explains that discussions and findings from the December 2022 Imperial Capital Security Investor Conference bear out his experience – large companies are discovering the features that have long attracted SMEs.

A new business model

As vendors and customers alike race to the cloud, they are overlooking an important thing, contends Lee Odess, publisher of the Access Control Executive Brief. They treat cloud-based access control as a mere technical change, when it requires a change to the collective mindset.

“It’s a business change that has a technical component in it,” he argues. “It’s a foundational shift.”

In his view, the industry is simply creating solutions based on yesterday’s approaches – attaching a feature (the cloud) to an existing on-prem architecture. That’s like providing a horse with a better saddle and calling it a car, he says.

“That’s because as an industry we feel threatened,” he continues. Existing access control companies want to retain their customers, so they slap a cloud component onto their existing solution. “Our industry is doing a disservice by making this an integration rather than approaching it from a new lens.”

Some app and software companies are doing it right, in his view. Firms like Genea, Hakimo, Eptura, and PassiveBolt focus on user experience and make access control a feature of the proptech software suite.

Data sovereignty and residency

Customers shifting to the cloud might be overlooking the related issues of data sovereignty and data residency. Data sovereignty means that data is subject to the laws and governance of where it was collected. Data residency means the same for where data is stored. The terms are often used interchangeably.

Some experts believe that companies may overlook the privacy implications of cloud-based access control data.

“If I were an end user, I would ask how my data would be managed,” explains Dimmick. “If I had no operations in Europe, I wouldn’t want my data stored in Europe. If I had European employees, I’d be worried about their data being replicated for redundancy. If they request to be forgotten under GDPR, how does the ACaaS vendor or your organisation handle that?”

Possibilities for navigating the issue include working with cloud providers to store data only in data centres located in specific geographies.

The location of backups should be identified as well. If an enterprise has a cloud-based system at its facilities around the world, it might adopt the data sovereignty requirements of the jurisdiction with the strictest rules.

The organisation might use a hybrid approach as well; store some data in the cloud, while leaving data from certain geographies on premises.

Supply chain issues

At first glance, cloud-based access control has little to do with supply chain issues. After all, the customer doesn’t need to acquire servers, and access control hardware has a long shelf life.

Dimmick, though, says that the opacity of the supply chain poses a risk to customers.

“People don’t realize that it may take 34 weeks or more to obtain a Cisco switch,” he says, and to scale up and build a new data centre, a provider may need several dozen switches and new servers.

“They may squeeze more virtual machines onto existing infrastructure to provide elasticity to keep up with demand” in the meantime. “They may be building fewer data centres, taking longer to fix breakdowns, but we can’t see that. It is hard to know what’s going on behind the curtain, which itself is a risk to ACaaS providers.”

Demand for hardware by cloud-based providers also affects organisations with on-prem systems.

What to consider when choosing an ACaaS provider

Be careful who you sign up with, counsel multiple experts. The risk comes from both ends – large providers that have grafted cloud solutions onto on-prem systems on the one side, and smaller, nimbler software and app companies that may not last through their latest round of funding.

“Some companies took the approach of taking on-premises software, then setting it up in a virtual machine at Amazon or Azure,” says Brivo’s Van Till. “And we will call it a cloud because it’s not on your premises.” These companies created single-tenant architecture systems that were too costly and difficult to maintain. Some even had to drop the service.

Customers who switch from on-prem to ACaaS may not realise how it affects their budget. “Shifting your access control solution from a historically heavy capital-expense solution with minimal operational expenses to heavy OpEx may skew budgets in ways that security professionals are not accustomed to managing,” says Glasser.

If there’s insufficient operational budget for the monthly licensing fees, your solution “may become a brick.”

Investing in the sexy newcomer also carries risks. “Will they even still be there in five years?” asks Glasser. “Yesterday’s agile companies now aren’t innovative – many are acquired by big players” that stifle innovation or stall it until a planned new release down the road.

Regardless of the cloud vendor, Glasser urges end users to determine whether the provider’s tech is the best now and will continue to be in five years.

Bumps in the road to mass ACaaS adoption

Experts warn that the journey to mass adoption of ACaaS will suffer setbacks. Dimmick has seen many popular technologies hit bumps in the road.

“What happens when one of those technologies fails miserably and publicly, and what impact will it have on the industry as a whole?” he asks. “What happens if an ACaaS provider has a breach or a client’s credential list gets out? What impact does that have on everyone else?”

In fact, Dimmick says there is a lot of anecdotal evidence of a pull back from the cloud. He says they are reestablishing their on-prem data centres. Organisations are continually reassessing their technology spend and at the centre of the choice between cloud and on-prem is cost and convenience. Privacy regulations and security also weigh heavily on this decision and ACaaS providers must be able to address all of the above for their prospective customers.

All that being said, ACaaS is having its moment… and that moment may last a while. Consultants and end users considering this solution would be well-advised to take all the aforementioned factors into consideration before selecting an approach that best suits their needs.

About the author

Michael Gips, JD, CPP, CSyP, CAE, is a security professional, attorney, writer, researcher, executive, and principal of Global Insights in Professional Security. He is also a senior advisor for Cardinal Point Strategies and the Network Contagion Research Institute, a leadership columnist for Security Magazine, and an associate with the insider risk firm Signpost Six. The former Chief Global Knowledge and Learning Officer for ASIS International, Mike founded the CSO Roundtable (now CSO Center) and served as editor and publisher of Security Management. Mike was named 2022 Outstanding U.S. Security Consultant (OSPAs) and IFSEC’s most influential security thought leader in 2022.
