PACS 2.0 is cloud-based, IT-centric, token-agnostic … but will it be cheaper?
02 May, 2016
category: Biometrics, Contactless, Corporate, Digital ID, NFC, Smart Cards
Cloud vs. legacy PACS
With both legacy and cloud-based systems, the infrastructure at the door is essentially the same. The primary difference is where the access database is maintained, explains Rajeev Kak, chief marketing officer for Cloudastructure, a company offering cloud-based access control.
- Legacy PACS: The database resides on the premises within a controller connected to a computer or local network. When a company needs to add or modify an employee or contractor, an administrator with sufficient privileges logs in at an on-premises station at the facility.
- Cloud-based PACS: The database resides in the cloud, with a local cache copy in the controller that is refreshed frequently – in time frames of seconds or minutes. An advantage is that the administrator can manage the system and change access levels from anywhere and from any device without having to be physically near the door or building.
The similarity between the two architectures is that the infrastructure at the door is typically the same. To operate either system, a user presents a credential, such as an access card or badge, to a door reader, which captures a digital ID number from the credential. This number is transmitted to a controller, which checks a database to verify access and then responds with either an “unlock” or “no access” signal to the door controller.
The location of the database – on premises or in the cloud – is the primary difference between legacy and cloud-based PACS.
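The request path described above (credential presented, ID captured, controller consults a database, "unlock" or "no access" returned) is easy to model, and doing so makes the cloud variant's one real difference visible: the controller decides from a cached copy that is refreshed every few seconds or minutes, so a change made in the cloud takes effect only after the next refresh. The following is an added example, not code from the article or from any vendor named in it; the cloud database contents, credential IDs, door IDs and the 120-second refresh window are all constructed for illustration. The design choice worth noting is that a cache that has not been refreshed inside its allowed window causes the controller to deny rather than keep serving possibly revoked grants.

```python
"""Door controller deciding from a locally cached copy of a cloud-held
credential database (constructed example; not vendor code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed stand-in for the cloud database: credential ID -> doors it opens.
CLOUD_DB: Dict[str, Set[str]] = {
    "0x1A2B3C": {"sf-front", "la-front", "lon-front"},
    "0x4D5E6F": {"sf-front"},
}


@dataclass
class DoorController:
    door_id: str
    max_cache_age_s: int = 120            # assumed refresh window, in seconds
    cache: Dict[str, Set[str]] = field(default_factory=dict)
    last_refresh: Optional[float] = None  # time of the last successful pull
    log: List[tuple] = field(default_factory=list)

    def refresh(self, cloud_db: Dict[str, Set[str]], now: float) -> None:
        """Pull a fresh copy; only grants that name this door are kept locally."""
        self.cache = {cred: doors for cred, doors in cloud_db.items()
                      if self.door_id in doors}
        self.last_refresh = now

    def decide(self, credential_id: str, now: float) -> str:
        """Return 'unlock' or 'no access' for a credential read at the door."""
        if self.last_refresh is None or now - self.last_refresh > self.max_cache_age_s:
            decision, reason = "no access", "cache stale: fail closed"
        elif credential_id in self.cache:
            decision, reason = "unlock", "credential authorized for this door"
        else:
            decision, reason = "no access", "credential not authorized"
        # Every decision is recorded so the cloud can collect an audit trail.
        self.log.append((now, self.door_id, credential_id, decision, reason))
        return decision


def simulate() -> List[str]:
    """Walk one refresh cycle through; returns the decisions in order."""
    cloud = {k: set(v) for k, v in CLOUD_DB.items()}
    sf = DoorController("sf-front", max_cache_age_s=120)
    out: List[str] = []
    sf.refresh(cloud, now=0)
    out.append(sf.decide("0x1A2B3C", now=10))   # unlock: in cache
    out.append(sf.decide("0x4D5E6F", now=11))   # unlock: also permitted here
    out.append(sf.decide("0x999999", now=12))   # no access: unknown credential
    cloud["0x4D5E6F"].clear()                   # administrator revokes it in the cloud
    out.append(sf.decide("0x4D5E6F", now=40))   # unlock: revocation not pulled yet
    sf.refresh(cloud, now=60)
    out.append(sf.decide("0x4D5E6F", now=70))   # no access: revocation now cached
    out.append(sf.decide("0x1A2B3C", now=300))  # no access: cache older than 120 s
    return out


if __name__ == "__main__":
    for decision in simulate():
        print(decision)
```

The fourth decision is the one to watch when evaluating a cloud PACS: a revoked credential keeps working until the controller's next refresh, so the refresh interval is effectively the revocation latency, and the last decision shows the controller refusing to act on a cache it can no longer trust.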
Because a traditional system needs to be connected to a computer or local network within the building, geography and the number of doors it can control are limiting factors. “The beauty of a cloud-based database is you’re not limited by a single building or location,” Kak says.
A cloud-based system enables management of doors in multiple buildings in different cities, all from a single database. From this one system, Kak explains that a group of employees could have access to the front doors of their offices in San Francisco, London and Los Angeles. While this functionality could be achieved in traditional systems, it is far more efficient in cloud-based offerings.
But the location of the database is not the only defining factor for cloud-based PACS.
It is a combination of hardware, infrastructure-as-a-service and platform-as-a-service that allows redundancy, storage and databases to be scaled up without adding extra hardware, explains Patrick Barry, CEO at BluBOX, a provider of cloud-based physical access. “With client-server, you have to invest in a lot of infrastructure. With cloud, you don’t,” he says.
Barry believes it’s time for the industry to abandon legacy architecture, in which all of the servers and hardware are located on the premises of the facility being secured.
“It is technology that’s 35 years old, and the rest of the world has moved on,” he says. “We live our lives every day in the cloud – we do all of our purchasing, buy theater tickets, do banking – and it’s been that way for quite some time. The security industry needs to move on from the old architecture and embrace what everyone else has already embraced.”
Evolving architecture, attitudes
With on-premises systems, internal IT departments build and maintain the servers and infrastructure for their organizations on site. It is the way things have always been, but it can be an expensive way of doing things.
Because cloud-based PACS eliminate the need for on-site servers and appliances as well as the man-hours required to support them, the cost of ownership can be lower.
Brivo has been providing cloud-based physical access control since 2001 and is often credited with championing the security industry’s move to the cloud.
Cybersecurity at the ‘edge’ of cloud-based access control
Some believe that more attention must be paid to the “edge” – in the PACS world, the door – before the cloud is fully embraced for physical access control.
Sal D’Agostino, CEO at consulting firm IDmachines, questions whether physical access control systems are ready for a complete migration to the cloud because fundamental levels of cybersecurity need to be raised first.
“What’s going on at the edge is dynamic and hardly settled at this point,” he says.
Next-gen physical access control architecture should require a distributed approach, pushing more of the access control decisions to the edge, he explains.
The way that physical access control works today is monolithic: A credential is presented to a central authority for authentication, and that authority then determines whether or not the user has a right to a pre-defined set of resources established in the database.
How the architecture might evolve is toward distributed, autonomous, context-based access control decisions. For example, a door would know what kinds of people are allowed to enter, as opposed to holding a specific list of individuals. Another example might leverage an individual’s GPS device, so the system would need to know that the person is physically in front of the door before granting access.
“In order to leverage the IT resources, you’re going to need to make sure you’ve got best practices around security,” D’Agostino says. “And you’re probably going to have to look at something other than simply an access control list as the way that you determine whether or not an access grant is going to take place.”
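To make the contrast concrete, the following added example (not code from the article or from IDmachines) puts the two models side by side: a monolithic check against a per-door list of individuals, and a decision made at the door from what kind of person is presenting plus whether their device reports being physically at the door. The door coordinates, group names, subject records and the 25-metre presence radius are constructed assumptions; the location signal is treated as one input the policy requires, not as the only thing being checked.

```python
"""ACL-style versus attribute- and context-based door decisions
(constructed example, not from the article)."""
import math
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Monolithic style: the door (or its central controller) holds a list of people.
DOOR_ACL = {"sf-front": {"alice", "bob"}}


def acl_decide(door_id: str, subject_id: str) -> bool:
    """Grant only if this individual is on this door's list."""
    return subject_id in DOOR_ACL.get(door_id, set())


# Distributed style: the door knows which kinds of people may enter.
@dataclass(frozen=True)
class DoorPolicy:
    lat: float
    lon: float
    allowed_groups: FrozenSet[str]
    require_presence: bool = True
    presence_radius_m: float = 25.0   # assumed tolerance for GPS error


@dataclass(frozen=True)
class Subject:
    subject_id: str
    groups: FrozenSet[str]
    active: bool = True


def distance_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres (haversine)."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def policy_decide(policy: DoorPolicy, subject: Subject,
                  location: Optional[Tuple[float, float]] = None) -> Tuple[bool, str]:
    """Decide at the door from subject attributes and reported presence.

    Every denial carries a reason so the decision can be logged and reviewed."""
    if not subject.active:
        return False, "subject inactive"
    if not (subject.groups & policy.allowed_groups):
        return False, "no permitted group"
    if policy.require_presence:
        if location is None:
            return False, "presence required but no location reported"
        d = distance_m(policy.lat, policy.lon, location[0], location[1])
        if d > policy.presence_radius_m:
            return False, f"device {d:.0f} m from door"
    return True, "granted"


# Constructed sample data: a San Francisco front door and two subjects.
SF_FRONT = DoorPolicy(lat=37.7749, lon=-122.4194,
                      allowed_groups=frozenset({"engineering"}))
CAROL = Subject("carol", frozenset({"engineering"}))
DAVE = Subject("dave", frozenset({"visitors"}))

AT_DOOR = (37.7750, -122.4194)    # roughly 11 m away
ACROSS_TOWN = (37.7849, -122.4194)  # roughly 1.1 km away

if __name__ == "__main__":
    print("ACL, carol:", acl_decide("sf-front", "carol"))
    print("policy, carol at door:", policy_decide(SF_FRONT, CAROL, AT_DOOR))
    print("policy, carol across town:", policy_decide(SF_FRONT, CAROL, ACROSS_TOWN))
    print("policy, dave at door:", policy_decide(SF_FRONT, DAVE, AT_DOOR))
```

Carol is not on the door's ACL and would be refused under the monolithic model, yet the policy admits her because she belongs to a permitted group and her device is at the door; the same policy refuses her from across town and refuses Dave regardless of where he stands, which is the "something other than simply an access control list" the passage refers to.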
Brivo learned early on that the security industry is not set up to allow providers to sell direct to end users. Van Till realized Brivo would have to follow the channel model and go through integrators and dealers to sell product. But that long-established model put the industry behind a massive wall of entrenched beliefs as to what is secure and should be trusted.
“We spent a good five or six years evangelizing cloud and simply getting people to understand that this is actually safer than many of the on-premises installations that people were using,” Van Till explains.
For Brivo, this added safety includes high-level cloud security and a very limited on-premises footprint. There is still a microcomputer-embedded device and a controller present at a Brivo customer’s location. A little black box, about as big as two iPhones stacked on top of one another, connects the doors to the Internet.
In September, the company launched Brivo Mobile Pass, which further reduces the need for on-premises equipment. The ID credential is transmitted from the phone directly to the cloud, the access decision is made, and then the cloud tells the doors to unlock or deny access. No card reader is required at the door in this new architecture.
The technology has been well received by dealers who are realizing that they can now control doors without readers. This means they don’t have to run wires and can save money on the installation. “They’re seeing an economic advantage in systems that don’t force them to have a reader right there at the door,” Van Till says.
Cloudastructure is also leveraging cloud-based infrastructure to deliver physical access control as a service, often abbreviated as ACaaS. Kak says the business has seen a lot of traction from colleges and universities and from utilities and telecommunications providers that have substations in remote locations.
Kak says multi-location scenarios with multiple people monitoring illustrate a perfect example of how cloud differentiates itself from traditional systems. In the past, each substation would require DVRs for video and PACS controllers at each facility. Providing remote access required opening holes in each location’s firewall, he explains.
“When you do it on the cloud, the footprint becomes much lighter. You can do cross-substation, cross-location management much more intuitively,” he says.
Cloud-based systems are also much easier to scale and can handle more buildings and more entry points. “The physical entity of the building – that has always been the constraint in the traditional system – goes away when you do it on the cloud,” Kak says.
Instead of driving 20 minutes to the office, a system administrator can securely grant a contractor access from the couch, he says.