Access control in the cloud

YARMOUTH, Maine—On the residential side of security, the idea of using your phone to disarm your alarm, open your door or just check on things remotely has not only become expected today but demanded, as both manufacturers and dealers have embraced this new wireless world we are all living in. But on the commercial side of the business, especially within access control, that same kind of convenience, ease of use and access to resources and data at your fingertips is not quite there yet, although conversations with some leading cloud providers in this area provide both hope and tempered excitement for the future of access control in the cloud.

“Everything is going to mobile, which is influencing the security industry greatly, and the residential applications are ahead of the commercial applications right now,” said Steve Van Till, CEO for Brivo, a worldwide provider of cloud-based access control and Software-as-a-Service solutions for physical security. “But that is where commercial security needs to get to, whether you are talking about mobile credentials or installation or anything else.”

“As cloud proliferates in the residential markets, it will really start to push things in the commercial piece,” added Melissa Stenger, VP of product management and marketing, ISONAS Inc., an access control company that designs and manufactures an IP-to-the-door cloud-based solution. “We are really taking the end user's perspective around how we develop product so that they have the same experience from their personal lives all the way into their professional.”

In terms of access control in the cloud, the industry is beginning to make the leap in regard to increased adoption.

“Technology advancements and changes in end customer demand and consumption models are reshaping the physical access control market,” noted Hilding Arrehed, VP Cloud Services for identity solution provider HID Global. “As indicated by current market research and surveys, by 2020, 20 percent of physical access solutions will be shaped by mobile and cloud architectures. Today's technologies allow physical access control providers to move from on-premise to cloud-based access control and an increasing number of traditional PACS head-end system providers have started moving their solutions into the cloud.”

Ralph Shillington, chief architect with Feenics, a company that provides on-premise and cloud-hosted integrated access control and security management solutions, said he is seeing a “rapid shift” among the end users toward cloud-based solutions.

“But what is happening is their own IT departments in other areas are scaling back their own data centers and moving to the cloud and are turning to their security folks and saying, 'How are we going to get you in the cloud?'” Shillington pointed out. “The push is coming from the end users and is coming in a really surprising number of verticals, from transportation to property management to financial services.”

Van Till pointed out that security has seen many new entrants from outside the industry.

“So those companies, especially with the pedigree of Latch, which is a former VP of design for Apple, and then Jim Clark who recently launched a new company, you've really got a Silicon Valley DNA strand that is becoming more prominent in the security industry, and that is where we are right now,” Van Till said. “You are starting to see newcomers from outside the industry becoming very interested in security, and very interested in the physical world by way of IoT.”

Van Till noted that the minute you mention IoT, you are also saying cloud “because every single IoT company out there is built on the cloud,” he explained. “So between the natural momentum of the cloud and then the hit from the other direction of IoT pervading and making all of hardware devices much cheaper, it is kind of a squeeze play on traditional architectures in security and what you are going to end up with is 100 percent cloud within a few years.”

Stenger agrees that more and more people are getting into the cloud business. “All of this increased interest and new entrants in the cloud speaks to what end users want—a platform that is easy to use, has low cost of entry—while integrators want a platform that gets them into a recurring revenue model,” she said. “What is driving a lot of that is you are seeing the price of hardware, specifically cameras, go to a commodity, so integrators are starting to differentiate themselves with the services they provide, and the cloud allows them to do that in a much more maintainable and manageable way; they can manage everything centrally for all of their customers and provide a lot of different services that they couldn't by just competing on a hardware price or an install price.”

As the cloud becomes more widely adopted within security, she said, integrators are going to have to shift their traditional sales approach to more of a managed services model.

“You certainly see that [as] the emphasis of many providers, and not just access control but almost anything else in security and other industrial contexts,” noted Van Till. “IoT is a very managed service in the industrial setting, and the channel wants it because it is their way of creating value.”

Denis Hébert, president, Feenics, pointed out that although there are many arguments that can be made in favor of the cloud, convincing integrators on the merits of selling cloud as a service is at times like “pushing a rope,” he said. “They get intellectually what it means but they don't have sales commission models that are attributable to a recurring kind of service. For the typical integrator today, it is all about the big kahuna—the big sale and big commission check, etc.”

Hébert said that it takes a different sales approach to sell cloud-based services. “Our challenge today is that they [systems integrators] haven't incorporated a business model to be able to sell this kind of service, rather than just selling equipment, which is what they are used to doing. Cameras, readers and servers—their whole business model from a commission standpoint is built around that. So that is the 'pushing the rope' concept. Intellectually, and from a business perspective, an integrator is going to say, 'It would be great if I had more recurring revenue,' but they've got to get over that hump and figure out how they are going to compensate their sales people within this new managed services model.”

All agreed that they are working hard to educate integrators on cloud's potential and provide them with the resources and support to sell cloud-based managed services.

“We will continue to develop features in the cloud that make it easier from an end user perspective, but also empower our integrators to have the tools they need from a central management perspective, from firmware updates to general ability to managing things without having to roll a truck to a site—really allow them to take advantage of that managed services model,” said Stenger. “ISONAS offers an off-the-shelf managed access control platform that our customers have really latched on to and have had really great success with, so they really have been able to expand what they do outside of installs to more managed services.”

The cloud is also changing the way end users look at access control, with many embracing mobile access and credentialing.

“Cloud-based mobile access is a growing industry and we see more and more companies sell mobile access as a complimentary solution to their traditional access control offerings, in addition to card credentials,” said Arrehed. “In certain verticals, such as education, we see universities moving to 'mobile-only' models as their only access control system. While cards will continue to exist for the foreseeable future, there are trends that point toward the market transitioning to mobile, over time.”

“The level of customer excitement among end users is tremendous,” added Van Till. “They see the credential on the phone and it closes deals.”

Stenger agrees, noting that from a mobile credentialing perspective, “we have seen a big jump since we launched that in March,” she said. “And the adoption of that is probably one of the key drivers to why people go with our hardware solution, because they want to get rid of the physical card and have everything at their fingertips.”

While mobile credentialing is becoming more widely accepted, Arrehed noted, “Organizations are still grappling with the issue of visible identification, which is a valuable tool as a secondary method to identify a person. Visual IDs are easily implemented on a physical credential, but not having this visible identification on a mobile device is something organizations highlight as a key reason for maintaining some form of physical ID cards.”

Another selling point for the cloud is its inherent cybersecurity advantages over on-premise systems.

“When you are dealing with a cloud-based product, the physical network that the cloud-based computers are running on are physically secured inside buildings built for that purpose alone, so that the attack vector on your database is reduced to near zero,” noted Shillington. “In the traditional on-premises environment, all the data is in the building, where it doesn't belong. Because everyone has their own phone and laptop, those are all connected onto the same database, for example, so it becomes very easy to get malicious code collocated with your database, and now you are nine-tenths of the way there to having data walk out the front door either physically or electronically.”

That kind of scenario “just doesn't happen in a well-secured cloud-based environment because there is no physical connectivity,” Shillington continued. “The database and where all the data resides, is locked up tighter than a drum.”

Hébert noted that if you look at a good number of on-premises systems today—though it may be surprising—security patches and software versions are not up to date. “When you are in a cloud environment you don't worry about that because that becomes our problem, so these patches and updates are happening automatically. I can't tell you how many customers I have seen in the access control world who are three versions behind on their software and they haven't put a patch in three or four years.”

Stenger said that having Amazon Web Services run the cloud provides a certain level of trust and comfort for customers. “[AWS] basically built their business out of hosting and they are really great at it and people feel really comfortable with it, which shows in that 90-10 split of cloud to on-premises ratio we see with our customers.”

In terms of the security within the cloud, Van Till pointed out that it really is contingent upon whose cloud we are referring to.

“People who are sophisticated with this don't form a general opinion on, 'Is the cloud safe?' or 'Is the cloud not safe?'” Van Till explained. “It is more about, 'Is Steve's cloud safe, and does he run it properly' because it is all about how you take care of it. So to say the cloud is safe or not safe is kind of meaningless because you can run a really crappy website and web application that is as insecure as the day is long or you can run something that is really buttoned down tight.”

Arrehed agrees, noting that moving to the cloud “requires both significant investment and thorough knowledge of what it takes to build and offer a truly secure cloud-based solution for physical access,” he said. “Given our large and global base of enterprise customers, HID has risen to the challenge of meeting various demands and regional requirements, which has in return helped us to gain a broad and solid understanding of our customers' needs when moving to the cloud. This has enabled us to evolve to where we are today. Not every player in the physical access space is yet equipped to take this step or is able to offer cloud solutions that can meet the stringent security and privacy regulations that we are able to deliver.”

Arrehed continued: “Cloud hosting allows continuous threat monitoring, vulnerability scanning, advanced encryption and provides various other privacy-preserving features.”

In addition to providing cybersecurity advantages, the cloud also provides great potential for leveraging emerging technologies.

“The cloud is implicated in easier installation, greater ease of use for the users, but the other thing with the cloud is it really is the platform for everything,” said Van Till. “All of the interesting things that are happening with mobile are connected to the cloud. All of the interesting things happening with AI are happening in the cloud, so if you go through any of the advancing technology sectors, cloud is foundational to all of them. If you want to be part of AI, big data and IoT, you are going to be on a cloud platform. So saying you are not going to believe in the cloud or the cloud is not secure, you are really cutting yourself off from most of the new advances in technology generally.”

Arrehed believes “there is huge promise in data analytics in the context of physical access control,” he said. “We believe that devices related to physical access control will be increasingly connected to the cloud and the data ranging from virtual/digital identities, mobile access, video streaming and biometrics, to IoT applications, BLE sensors and location services can be consolidated to and used for machine learning analytics. Combined, we believe that the data from these technologies, coupled with advanced data analytics, can provide services such as 'intention detection' for a more seamless, secure and connected user experience.”

Data analytics “is key to our business,” noted Shillington. “I heard a quote that data is the new oil, and I firmly believe that. Now for that to be true, though, the data has to be meaningful and it has to be aggregated across a number of different vectors. Once you start to have all of that information coming into a single repository and being handled by a single management pipeline, then you can start to do some very interesting predictive analysis. Over the course of the next of year, you will see a lot more from us in that area.”

Hébert added that the proper aggregation of data also provides “greater operational efficiencies, business intelligence and business continuity” that can benefit the integrator from a selling standpoint and the end user from an ROI perspective.