The Revolution’s Here

Aug. 30, 2013

The past couple of recessions have mandated organizations to be more effective with fewer resources. Such requirements have served as key ingredients to fuel a “perfect storm” — where corporate IT’s focus has gone away from just keeping the wheels turning to being more focused on enabling their business to thrive. In the process, owning and operating on-premise infrastructure has become less important than ensuring that the right sets of capabilities, competitive advantages and efficiencies are in place.

Cloud solutions are fine-tuned for this transformation, since they are designed to simplify the deployment, management and higher costs that traditional models incur. It makes sense that their adoption has seen a significant increase, but their rise in popularity was not one that was readily embraced or without conflict. While some IT pros may determine the cloud is not the right fit for them, it is at least fair to concede that it is now commonly accepted as a mainstream option — quite a progression from what once was a small and fiercely debated movement.

Conversely, physical security pros are taking a closer look at the cloud, but it hasn’t quite become a mainstream option. However, the progress in IT provides insight into what is coming. With the appreciation that the physical access community has its own set of unique challenges that must be addressed to make the same transition, the overall path is quite similar, and getting to the other side will offer desirable benefits that cannot be gained within the boundaries of traditional deployment models. Consider the similarities of physical and IT pros:
• Both were/are wary of the cloud concept.
• Both are facing increased budgetary constraints with the same demands on number of projects.
• Both see increased demand for integration (systems, monitoring, interoperability, acquisitions, etc.)
• Both are feeling the pressure to perform with fewer resources, and to consolidate skillsets.
• Systems are increasingly installed in an IT-like environment (servers, databases, and networks).

The differences are just as significant. For starters, physical access is made up of hardware-dependant infrastructures. We must be able to execute on our commitments to investigate, oversee, respond, and intervene, and it is nearly impossible to substitute all of these aspects into a virtual process that resides in code and is accessible only through a web browser.

Some of these issues are being solved through a combination of innovation and policy re-engineering. Perhaps the largest barrier has been the fundamental prerequisite that a cloud solution requires the internet to deliver its services, and physical access has generally been “offline.” This is the biggest difference from IT — where almost everything in their world is already connected. Conversely, it is pretty easy to see that there has been little motivation for vendors to develop cloud solutions if customers aren’t able to consume them, even if they wanted to.

IP Changes the Landscape
With IP-based systems proving to hold a prominent role in in the future of physical access, its paving the way for organizations to migrate from copper wire to a network-based infrastructures with the ability to be “online.” This would now provide a platform for vendors to deliver cloud services to end-users that prefer them, however the concept is a bit more complex.

Thus far, IP in physical access has mostly been limited to rolling out CAT5 to act as a pipe that transmits data from one endpoint to another; such as in the case of readers and cameras. A cloud service is neither needed to accomplish this nor does this alone make it one. Asking different people as to what they think the cloud is and you are likely to get as many different definitions. Unfortunately, the term is as nebulous as the namesake it references.

Defining the Cloud
While there are many definitions of the cloud, there is commonality between many of them. As a general guideline, the cloud involves offloading intensive computing processes, their related infrastructures, software and personnel resources to maintain them by an offsite third party. In turn, the customer will consume functionality remotely through a web browser, as they require, and pay accordingly.

The key to getting past the varying perspectives and sales pitches is to form your own meaningful definition that has both context and relevance to what you are looking to solve. For new solutions, you can categorize what would be hosted vs. in-house, who would manage various aspects of it, and perform a gap analysis between solutions to determine the differences.

Be aware that there are different types of clouds. As the space matures, both subtle and drastic differences between them continue to take shape in forms of SaaS, PaaS, IaaS, and others. Don’t be put off or confused by them. While it is great to learn about them all, stick to your core intent to apply it to your environment, effort and goals. It is much more important to understand what you are looking to achieve and conveying this in plain terms to potential solution providers and peers.

The Upside for Security
Implementing an access control system across multiple buildings is traditionally a large project that entails planning, resources, skills, time and funding. It does not happen overnight, and for the large enterprise, it can be quite painful. There is a growing realization that selectively opening up the network to a specific partner to deliver cloud services can reap large rewards.

For example, a cloud service would already be built on a remote server — features, capability, workflows, reporting, etc. — and ready for consumption when it is demanded. Then, connecting to the service for consumption would occur via compatible IT-based “web services” protocols. This would be very simple for those providers that subscribe to them. It may require some configuration via a web interface, but the low-level details, timelines, contractors, skills required and cost are drastically reduced.

While simplicity and cost by themselves alone are great benefits, there are a few other side-effects inherently tied to this model that make it unique. For one, because it is pre-built, potential customers can quickly and easily try a production version of the product with little or no investment; then, if it is decided to move forward as a paying customer, just continue.

For vendors to be successful with cloud offerings they must be able to effectively manage their environment, feature sets, quality of service and profitability. In order to achieve this, they need scale, which means acquiring multiple customers using the same infrastructure. Thus, the cloud is essentially cost sharing across customers that have similar requirements.

This model creates some very welcomed benefits. Since customers share the same service, and vendors must run them in a similar way to achieve efficiency, if you are having a problem, your fellow customers probably are as well. A cloud provider cannot afford to have many of its customers pick up and leave to another provider, so your problem is certainly their problem too. Most likely, the provider is monitoring this all the time and fixing things while you are unaware there are even issues — another benefit.

End-users do not need to make large capital investments to get off the ground and add license as their business demands. This comes in handy during those times where user populations are uncertain or heading into major mergers and acquisitions. If the contract is written effectively, you can scale down as easily as you scaled up.

Many organizations also find that the tax implications from a “service” (like a cloud service) are amortized and depreciated more favorably than capital investments. These aspects can cascade substantial savings when comparing the life of traditional verses cloud service solutions.

The Hybrid Approach
While the transformation from copper to Ethernet mitigates a key obstacle, the fundamental challenge that physical access is heavily hardware-based — particularly at the end-point — remains. This can inhibit delivering everything through a web browser from a remote server.

Software for head-end systems, visitor management, credential management, device management, intelligence aggregation such as PSIM that can talk to the mandatory hardware and they are great candidates since they are complex and expensive to deploy and manage in-house. And while it may not be convenient to access the system from a web browser all the time, the incorporation of mobile devices via purpose-built apps make this more convenient than ever, if not liberating. We already see some examples of these coming to market.

The picture is not all rosy, however, as there are plenty of gaps that remain. Many cloud solutions in the physical access space are quite underwhelming compared to current offerings in IT because:
• Fundamentally, cloud environments are IT infrastructures, and physical access, in general, lacks the expertise and insight in this area;
• Vendors are resistant to using recognized, neutral, standard protocols that benefit the community rather than the current closed ecosystem;
• New licensing and contract structures; and
• Lack of mass demand to steer vendors to produce better offerings.

It will be essential to incorporate recognized standards -based interfaces from hosted cloud applications that can communicate with onsite endpoint hardware devices, and, in turn, hardware manufacturers must open up their interfaces to connect to them. The reciprocation of both approaches will require the adoption of standards that already exist in IT rather than creating new ones just for physical access — which will also move the industry forward as a whole, not just within the context of cloud applications.

Security Concerns
Even with all its advantages, the concern for security in the cloud is well justified. There is a common assumption that everything in the cloud is less secure and could be more effectively safeguarded in-house. As a general statement, this can be true, but it varies greatly across providers. One of the factors that have enabled adoption in IT is that they have become more skilled in evaluating cloud providers, auditing methodology, and incorporate sound principles into the service agreements that are potentially executed.

In summary, inspect what you expect, and have a sound methodology when doing so. The cloud is a very specialized area, but sources such as the Cloud Security Alliance (CSA) can be informative in this area. Another resource could be your colleagues in IT and information security.

The NET Effect
While the cloud’s proven benefit of paying “as-you-go” is good, even better is that it in turn enables end customers to stop paying and “go-somewhere- else” if their provider is not performing to expectations. In this paradigm, suppliers are now judged based on performance and quality of service they deliver rather than how tightly they lock customers in. This is quite possibly the most significant aspect contribution from the cloud model, because it is changing the way business gets done.

As radical as this may sound for physical access, it is quite the norm on the IT side. It may even serve as a mandate to not invest in offerings that “lock in” end-users. While many vendors may resist giving up this level of control, it will only likely make them less competitive in the market against others completely willing to do so.

As a result, some of the more conservative companies in the industry are now coming to market with cloud offerings. If the evolution of the cloud has taught us anything, it is that the genie is out of the bottle and it cannot be put back in.

Terry Gold is the founder of IDanalyst, a vendor-neutral research and advisory firm focused on security, identity and privacy. He is an expert in advanced authentication, digital identity and services over connected devices and has developed core methodologies that assist corporate clients and investors simplify complex technology initiatives and investments.