The transition to cloud-based systems has been so pervasive that the question now might be, what doesn’t run on the cloud?
By Ellen Cools
The answer? Access control. Or at least, on-premise access control is still the norm.
But the growth of Access Control as a Service (ACaaS) is changing this.
According to Jim Dearing, lead analyst for electronic access control research at IHS Markit, “Access Control as a Service is a fast-moving market within the access control subspace.”
In 2013, the ACaaS market in the Americas was worth $150 million. Now, it’s worth $375 million, he says.
But what is driving this growth? And how can security professionals capitalize on this trend?
Another question must be answered first: how does ACaaS work?
“A cloud application like anything else”
There are three types of ACaaS, says Dearing: hosted, managed and hybrid.
“Hosted essentially means that the provider is providing the software platform and hosting the software for the person who’s buying the service,” he elaborates. “Whereas [with] managed … the end user is buying a fully-managed service from the provider.”
Typically, says Dearing, end users expect a managed service whereby the provider installs the equipment and monitors the service.
The third type of ACaaS, hybrid, involves a hosted solution and a managed aspect. For example, the end user may also subscribe to have their credentials managed.
Beyond the different ways ACaaS can be installed and operated, there are two sides to the technology, says Steve Van Till, president and CEO of Brivo.
“One side, of course, is user facing, and that includes the ability to administer either on a web browser, or now, on a mobile phone, and to get alerts, information, look at videos,” he explains.
“The other side of it is the device side, and on that side, you still have a control panel installed locally, inside the building, which people are now calling edge computing.”
The control panel functions as usual, Van Till says. “But the big difference is that it talks to the cloud.”
As with any cloud application, the data is remotely hosted. However, where the data is hosted varies.
“Typically, it can either be hosted on a public cloud space, like Amazon or Microsoft — large resources of cloud — or it can be a private cloud set up where only the end user has access,” Dearing explains.
Currently, he says, the market is split between private and public cloud, with public cloud becoming increasingly popular.
However, “there is also the issue of companies not really wanting the data to be stored on a server that may also be storing or hosting some other website.”
Additionally, “there are a number of limitations on storing identities,” such as privacy laws.
For example, with the recent adoption of the General Data Protection Regulation (GDPR) in Europe, providers “had to ensure that they were compliant with that new regulation by creating means to delete data within certain time frames and create new software features that allowed end users to comply,” he explains.
Bernhard Mehl, CEO and co-founder of ACaaS provider Kisi, a New York-based company established in 2012, says, “In the end, even cloud software is hosted on a local server — it’s just a server that is hosted by Amazon, for example.”
Remote hosting ACaaS enables companies to remotely manage systems, he elaborates, making access control “infinitely scalable.”
On the infrastructure side, he adds, ACaaS is easier to manage and creates a more “seamless deployment” for end users.
Integrating security standards
This “seamless deployment,” is partly thanks to ACaaS’ integration potential.
Kisi’s clients “want to embed access control into their on and off-boarding workflows that they have on the IT side and security side,” Mehl explains. “That means you embed provisioning and deep provisioning of access rights into the normal onboarding workflow.”
“Imagine you’re a new employee at the company: you’re automatically getting file access, email access…why not door access?” he elaborates.
Businesses “have security standards for all other security critical applications,” he adds. “So why isn’t that standard already at the doors, too?”
Mehl believes ACaaS solves that problem, especially with mobile apps that allow two-factor authentication on doors.
Van Till agrees that ACaaS has a lot of potential. In fact, Brivo already has “a couple hundred integrations with our product alone,” he says.
“The most interesting sector is integration with other business systems, which means that access control is becoming a part of how other things are functioning, and that’s driving a lot of adoption,” he adds.
Given this, one might wonder about the typical customer base for ACaaS solutions.
The market is currently more focused on commercial than residential. In fact, Kisi and Brivo work solely for the commercial market.
Kisi’s clients include biotech labs, educational institutions and financial institutions, Mehl says. Across Canada, they include Cowork Penticton, Launch Coworking Space, York Entrepreneurship Development Institute and Sequence Bioinformatics.
They are “mostly companies on a corporate side, and if it’s enterprise [companies], it’s typically a smaller office that starts this transition,” Mehl says.
Small and medium businesses (SMB) are the biggest adopters of ACaaS, adds Dearing.
“But you also have a few smaller education, health-care based [end users], smaller doctor’s offices, etc., and they’re also starting to opt for Access Control as a Service as a means to keep investments low,” he adds.
Additionally, property management firms are a big adopter of ACaaS, as they own large buildings and rent offices to smaller companies, and are often responsible for the entire building’s access control. ACaaS offers these companies a way to outsource management or that responsibility, Dearing says.
Barriers to adoption
However, there are still some constraints to widespread ACaaS adoption.
“Traditionally, the Access Control as a Service business model was designed for smaller installations that perhaps either could not afford the initial capsule outlay of installing a fully-fledged traditional access control system, or did not want to spend money managing it themselves,” Dearing says.
Consequently, ACaaS is not typically used in larger enterprise security installations.
Dearing argues this is because “the leading providers of traditional access control have not really developed Access Control as a Service offerings.”
“Most of the Access Control as a Service companies are quite small … and they are mainly servicing smaller segments of the market because there’s a lack of demand from the enterprise segment,” he explains.
This is partly because ACaaS providers have traditionally charged clients per door.
“As you increase the number of doors over a thousand, it becomes very difficult to manage how you’re going to charge for that and how you’re going to create software that’s going to allow you to charge for that centrally,” he explains.
But while SMB makes up the majority of Brivo’s customers, the company also does a lot with enterprise systems, says Van Till.
However, Brivo is a unique case, he maintains. The company began offering ACaaS in 2001, about “10 years ahead of our time,” he argues.
This gave the company an early foothold with larger companies such as Tyco, ADT and Pro1, he says.
“So ironically, the biggest companies…were actually the earliest adopters of this technology,” he continues. “And they thought it was very useful for niche applications in particular, because the control panel that we developed had built-in cellular, which was very unusual for that day and commercial access control.
“It slowly grew and grew and grew and became a bigger part of their overall offering.”
The consumerization phenomenon
According to Dearing, the ACaaS market in the Americas is forecasted to reach $685 million in 2022.
Globally, IHS Markit estimates that revenues will increase to $950 million by 2022, according to the report, “ACaaS and mobile access propelling each other to mainstream adoption.”
Van Till agrees with this prediction.
“If you’re looking at new purchases of access control, it’s probably somewhere around 10-20 per cent right now,” he says.
“But that number, I believe, is swinging…to the 50-60 per cent level, and it’s going to ultimately catch up with the cloud adoption statistics for enterprise application software and the world in general, which is currently running at 80-90 per cent.”
So what is driving this growth?
One of the main influences is the flexibility ACaaS offers, since companies can outsource the responsibility of access control, Dearing says.
Van Till agrees, adding that cloud provides the convenience end users are demanding as they become more comfortable with cloud.
“The convenience of cloud versus the convenience of on-premise is unmatched because the anytime, anywhere, mobile access [possibilities], with notifications, integrations with other systems — you simply can’t match with the old-client server model,” he explains.
However, both Mehl and Van Till argue consumerization has been the biggest driver.
“There’s this phenomenon called consumerization, which was first discussed in the context of the consumerization of IT,” Van Till explains. “We’re seeing the same thing happening in security now … increasingly the on-premise piece like sensors and so forth are IoT [Internet of Things] devices that are equally at home in a residential context and a commercial context.”
IoT has put “huge downward price pressure” on sensors and connected devices, he adds, which is making demand for ACaaS grow.
Dearing does not believe the Bring your Own Device trend is influencing the adoption of ACaaS — at least with regards to mobile access control.
“The market adoption of mobile credentials so far has been a little bit limited because there are a few issues still,” he explains.
The problem is that access control card readers are still popular and work well, he says. In contrast, with a mobile solution, users have to open the application, authenticate themselves and then activate it, at which point they can use it to open a door.
“For that to continue to work, the application will need to be running in the background the whole time,” he says.
Consequently, if someone turns off their phone or their phone closes its background applications, then the process has to be repeated.
“A number of Access Control as a Service providers have not put the investment into developing a successful mobile application that allows their customers to deploy mobile access,” he argues. “But that is changing.”
“Once that happens, I feel like mobile access and Access Control as a Service will go hand in hand quite nicely.”
Given the potential ACaaS presents, how can industry players get ahead?
Dearing says offering flexible pricing options is key, as charging clients per door can become complicated.
But the most important thing is “to develop solutions catering to the larger enterprise end users,” he says.
“Because once larger enterprise end users start using this type of service, obviously the market size will increase massively. Once you’ve got large enterprises using this type of solution, you can also leverage all the data they are gathering and improve it.”
“Being more accepting and being able to market cloud-based solutions…better, is probably another thing they need to improve,” Dearing adds.
Van Till agrees, saying that first industry players must make the investment in the cloud, and then hire the best engineers possible.
Mehl argues security professionals should take their involvement with cloud even further before entering the ACaaS market.
“We’ve seen companies do everything from white-labelling a cloud-based connector, licensing some Bluetooth technology for their reader, licensing mobile credential technology, hiring an outside IT firm to build their new mobile app,” he explains. “But that will not solve the big problem of access control just not being in the cloud.”
“If I would have to give one [piece of] advice to other companies … it’s to become a cloud company first,” he continues. “Use cloud for your own business. Hire people that are familiar with the cloud, change your culture and organization to a cloud mindset, and then build products that follow this mindset.”