Appliance/Server-Based Access Control
In our previous posts, we discussed the concept that all IP access control systems on the market today can be broken down into three categories: Embedded, Network Appliance, and Web Hosted. In this week's entry, we proceed to examine the second of these—Appliance or Server-Based systems—in greater detail.
Recall that the Appliance architecture features a dedicated IT appliance managing one or more control panels (or edge devices) that use IP—most likely in conjunction with higher-layer Web protocols such as HTTPS. As was the case with the Embedded model, the Appliance communicates directly with the end user by way of a browser. As a networked product, its database and all application code reside within the appliance itself, and its services are available to both the devices it manages and, through APIs, other IT systems on an IP network. These key characteristics dictate both the advantages and limitations of this product architecture. Let's start with the advantages.
The first and most obvious advantage of Appliances over Embedded access control systems is the additional power and capability offered by a larger computing platform. This is the big "upgrade" in both cost and performance over the systems we discussed in our last post. All of its advantages over stand-alone systems flow from this one simple architectural enhancement.
Recall that the computing resources available to the Embedded system were limited to whatever CPU and memory could be fit into an access control panel—along with all the other interface modules and circuitry needed to support the processing of credentials, opening and closing of doors, supervision of inputs, and so forth.
By contrast, an appliance is basically a very powerful rack-mounted PC which is many times faster than an embedded product, with essentially as much RAM and disk storage as the manufacturer sees fit to put into it. This gives it the ability to support much more sophisticated software functions than its embedded cousin, including larger databases, more powerful graphics, and better reporting engines. It also typically has the I/O capabilities—such as USB or other high-speed data transfer interfaces—to support backup or other external storage.
So, why call it an appliance instead of a PC? The big difference between a PC and an appliance is not really to be found at the hardware level, but rather in how the software (or firmware) is installed and maintained.
Let's start with the operating system. In a typical PC environment—even those used for physical security applications—the operating system is a generic off-the-shelf configuration that could just as well play a video game as run an enterprise access control system. And that's its weakness—it's trying to do too much, and it brings with it all the bugs and security vulnerabilities of a full-blown operating system. An appliance, by contrast, uses an operating system that has been trimmed down to the bare minimum required to support the specific applications it needs to run. Besides reducing the amount of software that's running on the CPU, this also drastically reduces the maintenance and update burden, in many cases down to the point where the appliance can run for years with no updates at all. When was the last time you saw a PC do that?
This same emphasis on running only what's needed—and providing it as part of factory setup and configuration—also extends to the specific access control applications that are run from the appliance. This makes optional functional updates much more like installing a new version of firmware on your router than like the multi-step process familiar to PC owners. This is a big improvement in ease of installation and maintenance over the PC systems that dominated the security industry for many years.
What most Appliance or Server-Based systems do with all of the extra power is deliver a much more complete user experience to the security manager, and provide a variety of "enterprise" features that many would deem necessary, including higher system capacity, graphical maps, multi-zone or multi-site anti-passback, redundancy and hot standby, and stronger integration with other systems such as video, identity management, and single-sign-on. And now for the disadvantages.
Compared to Embedded, there aren't many disadvantages of Appliance systems, other than a bit of extra cost, and some extra know-how on the part of the installer or integrator. However, for some jobs, those factors will matter, and that's why we've seen the emergence of Embedded systems to cover the low end of the market.
Summary. The biggest challenge that integrators will have with either the Embedded or Appliance types of system is how to make the data and application functionality available anywhere on the Internet, because that's what the world is demanding of any IT application these days.
The skills required to do so will rely heavily on being able to interact with the customer's IT department on matters of information security and wide-area-network access through firewalls and VPNs—more on this in the next installment, when we talk about hosted, or Software-as-a-Service, offerings.
Posted by Steve Van Till on Mar 05, 2009