10 factors IT managers need to know before moving access control to the cloud￼
IT Managers across all organisations are seeing a huge drive to move everything to the cloud. Indeed, Deloitte Insights stated the cloud has become the primary location for businesses to store data.
Research by Markets and Markets found the global access control market is expected to grow from $8.6 billion in 2021 to $13.1 billion, at a compound annual growth rate (CAGR) of 8.7% from 2021–2026. The accelerated growth in the access control systems market is being driven by greater accuracy, time efficiency, and suitability over other security solutions (Source: Access Control Systems Market Size 2022 Growth Stats, Taiwan News)
A Swiss high-tech company Morphean surveyed over 1,000 IT decision-makers across Europe in 2020. They found that nearly 50% of IT managers were using cloud-based video surveillance or access control solutions and 20% stated that physical security was a priority improvement in 2020. In 2022, there is still a reluctance for the traditional “on-prem” security systems to make the complete cloud-based shift, in particular for card access and CCTV systems.
1. Landlord access control
If you have an office in a shared building that has its own card access system, find out if a single card or fobs will also work on your new cloud-based system. A single card has the advantage of being used on the landlord’s doors and your own and is one less thing to carry!
Some systems use proprietary card readers which may give you added functionality but may not be compatible with the system you’re currently using. This can be a challenge but can be overcome by choosing an alternative solution that allows you to use third party readers, such as HID Global, a world leader in access control. Their best-in-class access control solutions enables you to read a number of different credentials (including mobile), with the highest level of security, boosting efficiency.
2. Choose the right locations
Obvious access control locations are the main entrance doors and the server room. But there are other places to consider. To prepare for the unexpected, engage with colleagues who have a ‘security-first mindset’, capture their insights and ensure you identify the less obvious risk areas. When planning access control, scrutinise these areas:
Check if your insurer has areas that have special security requirements, these may dictate a certain type of lock requirement. Most electronic locks are not effective to secure a property when it’s unoccupied. Special locks can meet these requirements, but they’re a lot more expensive, so do some background research to find out what you actually need.
Find out if your company is regulated by an industry specific industry body (e.g. FCA, TISAX, PCI DSS) – it may have specific requirements to keep your premises/data secure. If you have an SOC 2 or ISO27001 Information Security Accreditation, be aware there’s a requirement to keep a record of access into certain areas.
Anticipate clients’ security expectations and your contractual obligations to them if they are not met, particularly if they operate in a highly regulated sector.
Supply chain issues continue to be a security concern. Ask if your clients need to prove that their supply-chain have similar levels of security infrastructure in place.
Take your clients’ security seriously – actively protecting your premises, staff and customers’ intellectual property can give you a competitive advantage in attracting and retaining more clients.
Involve HR, they’re an important influencer to on- and offboard employees. HR need specific information from a cloud-based access control system when managing disciplinaries. Ensure the system can generate that information when they most need it.
3. Safety and risk
When it comes to security, safety is paramount, here’s our advice on what to prioritise:
Laws and safety regulations
Regulations differ across the world. Ensure you work with a partner who understands these and can advise you appropriately (what is acceptable in one office location, may not be in another).
For CCTV, correct camera positioning and data retention periods may differ between countries, so it is best to understand the local laws
The type of premises and what the location is used for, e.g. an office in a law firm will be different to an office in an oil refinery.
Consider the number of users and escape routes, it will determine the type and dimension of doors that are installed, this will dictate the types of locks you can use and how they are installed.
Analyse your users – mostly staff who regularly use the office and have received a formal induction on evacuation procedures; those who use the facilities infrequently don’t receive a formal safety induction, e.g. in co-working spaces.
Access Controlled Doors
Each access-controlled door must have an emergency release button to enable people to exit in an emergency. (The only time where a button is not required is where a mechanical door handle or panic bar is in place)
The type of lock to use on a door will depend on the following:
> Door types: a really important consideration is for doors that have a designated fire rating – best to work with your architect/designer to confirm the most suitable type of lock to use with your access control system.
> Emergency/escape routes: all workplaces should have pre-planned routes for escape. This means that all doors along these routes must meet certain requirements and will affect the locks/buttons/settings on these doors.
> Dimensions: all doors should be a certain width and height and so any locks mounted must meet these requirements.
Having an idea of how people will enter and use the facilities is an important part of good security design. Consider these questions:
> Which doors will staff and visitors enter through?
> Once a visitor is in the building, how will you prevent them from entering staff only areas?
> Can visitors access toilets without entering into a secured area?
5. Door access infrastructure
Although most modern-day door access systems are IP-based, standard data (CAT-6) cabling may not be suitable to operate the locks, readers and buttons. Each of these devices requires a special type of cable that will depend on:
> Risk of interference
> Installation location, e.g. internal ceiling or external ducts
Most data-cabling contractors will not be familiar with the precise needs of door access systems, so it’s important to engage a professional installer who understands both the specific needs for door access security as well as the technology you plan to use. Different door access systems can have different cabling standards.
6. IT service maintenance
Like all mechanical items that receive daily physical use (and sometimes abuse), it’s important to schedule regular (either once or twice yearly) IT maintenance service visits. These should include a comprehensive check of all devices whereby the engineer checks and completes diagnostics on critical parts.
We recommend you choose an accredited company that is regulated by an appropriate security authority as this ensures that all companies follow an agreed standard when it comes to maintenance.
7. User Groups
Knowing who will be responsible for different parts of your system set up/administration and day to day operations is useful to review. The most common user groups include:
> Administrator: able to add/remove users
> HR: on/off-boarding and confidential reporting
> Facilities/Office Manager: add/edit/remove and reporting
> Receptionist: add/remove cards only
8. Access Groups
During the planning phase of implementing cloud-based access control it’s useful to consider how many different groups are within your organisation. Common groups include:
> General access: business hours only
> IT access: areas that only IT team can enter, e.g. server rooms
> Cleaners: these may only be restricted to access certain areas at certain times
IT managers will recognise that one of the hardest things in the realm of access control is to keep your database up to date. Fortunately, with many cloud-based systems, the popular use of open APIs means that you can integrate with other systems to ensure your door access system is always up to date.
Also consider card users who may not be hosted on these systems, a separate workflow may need to be considered.
The beauty of cloud-based systems is their ease/ability to integrate with other systems via APIs. The most common systems we see organisations integrating with include:
> Room/Desk Booking e.g. Envoy
> Active Directory / LDAP (Microsoft/Azure)
> Single Sign On Platforms e.g. Okta
> CRM e.g. Salesforce
> HR system e.g. Workday/ADP
> Co-working systems, e.g. Nexudus, Office RND, Essensys
The cloud is here to stay and we’re keen to share our knowledge to help you forge ahead toward cloud-based access control / CCTV and not get left behind. We believe our actionable advice will set you on your cloud migration journey, making your systems more flexible, scalable and secure.
If our guidance has prompted any queries or you need a helping hand to tackle a specific security challenge do get in touch with our physical security consultants and design engineers.