SaaS... Access Control?

There's an increasing trend towards SaaS, and indeed at work we use it extensively with services like Zendesk, Xero, Statuspage.io etc.

I've done a lot (including custom development, and quick hacks like access control notifications in slack) with Paxton's Net2 access control and was recently looking at other options for a new application.

What I basically want is Paxton Net2, but with an API (ideally HTTP/JSON) to receive notifications of events and to be able to perform basic control operations.

This doesn't exist.

Doorkeys in the Cloud

More frustratingly several companies pushed me towards their "cloud solution" because some of them do offer APIs.

Access control is something I firmly believe should be on-site. The suppliers of these solutions wax lyrical about how secure their platform is but, basically, nothing is secure as we've seen with connected cars.

SaaS type services have their place for other things, but physical door security isn’t one of them IMHO:

  • It requires a subscription, and you’re at the whim of the supplier if they change the pricing structure in the future. That’s fine for software alone, but when it’s tied to hardware I object to the risk of being held to ransom over its future use.

  • If the supplier goes out of business, or simply decides to stop supporting it and remotely turn customer devices into bricks, as Nest did with the $300 Revolv device (https://www.wired.com/2016/04/nests-hub-shutdown-proves-youre-crazy-buy-internet-things/), your doors stop working.

  • It feels like an incident waiting to happen – no matter how many security measures are employed it will quickly become a target and, if compromised, all premises secured by it will become vulnerable.

  • Personally I’d rather our access control system stayed as far away from the public internet as is possible!

Danger in Numbers?

Platforms like Clay seem really well designed, but if they take off and there's 10,000s of properties controlled by them then they will become attractive targets for hackers, who'll then have an easy way to bypass the physical security of many buildings.

Indeed, at the time of writing, they claim 7,001 active systems. That's 7,001 premises that can all be remotely opened (and in some cases alarms disarmed etc) over the internet from a web page or simple API call.

Now, the Clay API (and presumably the web interface) uses an OTP from a device, which is a nice touch, and means that if someone gets your credentials they can't hack your doors.

However, is that OTP verified by the door controller or the Clay cloud platform? If the latter, then it doesn't change that there's a cloud service out there capable of unlocking 10,000s of doors.
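To make that question concrete, here is an added example (not code from this post, and not Clay's implementation, whose internals I don't know) that models both placements of the OTP check. It uses a standard-library TOTP (RFC 6238 over RFC 4226 HOTP) and a toy door controller; the names DoorController, CLOUD_API_KEY, the "unlock:door:user:otp" message format and the sample secrets are all assumptions made for the illustration. In "cloud_verifies" mode the controller accepts any command that carries a valid cloud signature, so whoever holds the cloud's key can open the door without the user's token; in "controller_verifies" mode the user's TOTP secret lives on the controller, the cloud only relays, and a command without a fresh, unused OTP is refused. The replay guard is there because without it an OTP captured in transit could be reused inside its validity window.

```python
import hashlib
import hmac
import struct

# Constructed secrets for the example. A real deployment provisions a
# per-controller cloud key and a per-user token secret out of band.
CLOUD_API_KEY = b"constructed-cloud-to-controller-key"
ALICE_TOTP_SECRET = b"12345678901234567890"  # the RFC 4226 test secret, so vectors are checkable


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = ((digest[offset] & 0x7F) << 24
            | digest[offset + 1] << 16
            | digest[offset + 2] << 8
            | digest[offset + 3]) % (10 ** digits)
    return f"{code:0{digits}d}"


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the time step."""
    return hotp(secret, int(at_time // step), digits)


def sign_as_cloud(message: bytes, key: bytes = CLOUD_API_KEY) -> str:
    """Tag a relayed command the way the cloud service would (HMAC-SHA256, assumed)."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


class DoorController:
    """Hypothetical on-prem controller; `mode` decides where the OTP is checked."""

    def __init__(self, mode: str, cloud_key: bytes, user_secrets: dict):
        assert mode in ("cloud_verifies", "controller_verifies")
        self.mode = mode
        self.cloud_key = cloud_key
        self.user_secrets = dict(user_secrets)
        self.last_counter = {}  # user -> last accepted time-step counter (replay guard)
        self.log = []

    def _cloud_signature_ok(self, message: bytes, tag: str) -> bool:
        expected = hmac.new(self.cloud_key, message, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag)

    def _user_otp_ok(self, user: str, otp: str, now: int, step: int = 30) -> bool:
        secret = self.user_secrets.get(user)
        if secret is None:
            return False
        counter = int(now // step)
        for c in (counter - 1, counter, counter + 1):  # tolerate one step of clock drift
            if c <= self.last_counter.get(user, -1):
                continue  # this step was already consumed: refuse the replay
            if hmac.compare_digest(hotp(secret, c), otp):
                self.last_counter[user] = c
                return True
        return False

    def unlock_request(self, message: bytes, cloud_tag: str, now: int) -> bool:
        """Handle a relayed command of the form b'unlock:<door>:<user>:<otp>'."""
        if not self._cloud_signature_ok(message, cloud_tag):
            self.log.append(("deny", "bad cloud signature"))
            return False
        action, door, user, otp = message.decode().split(":")
        if action != "unlock":
            self.log.append(("deny", "unknown action", action))
            return False
        if self.mode == "cloud_verifies":
            # The controller trusts that the cloud already checked the OTP,
            # so a valid cloud signature alone is enough to open the door.
            self.log.append(("open", door, user))
            return True
        if self._user_otp_ok(user, otp, now):
            self.log.append(("open", door, user))
            return True
        self.log.append(("deny", "otp rejected", user))
        return False


def scenario(mode: str, compromised_cloud: bool) -> bool:
    """Return True if the door opens. With `compromised_cloud` the sender holds the
    cloud key but not Alice's token, so it submits no OTP."""
    now = 1_700_000_000  # fixed constructed timestamp so the run is deterministic
    ctrl = DoorController(mode, CLOUD_API_KEY, {"alice": ALICE_TOTP_SECRET})
    otp = "" if compromised_cloud else totp(ALICE_TOTP_SECRET, now)
    msg = f"unlock:front:alice:{otp}".encode()
    return ctrl.unlock_request(msg, sign_as_cloud(msg), now)


def replay_check() -> tuple:
    """Legitimate unlock, then the identical message again in controller_verifies mode."""
    now = 1_700_000_000
    ctrl = DoorController("controller_verifies", CLOUD_API_KEY, {"alice": ALICE_TOTP_SECRET})
    msg = f"unlock:front:alice:{totp(ALICE_TOTP_SECRET, now)}".encode()
    tag = sign_as_cloud(msg)
    return ctrl.unlock_request(msg, tag, now), ctrl.unlock_request(msg, tag, now)


if __name__ == "__main__":
    for mode in ("cloud_verifies", "controller_verifies"):
        print(mode, "compromised cloud opens door:", scenario(mode, True))
    print("replay (first, second):", replay_check())
```

The point the model makes is the one the question asks: if the OTP is verified in the cloud, the cloud service is an unlock oracle for every controller that trusts it, and the OTP only protects the user's account, not the door; if the controller verifies it against a secret that never leaves the premises, a cloud compromise can relay or drop requests but cannot originate a successful one.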

Local Solutions (or "on-prem")

The ideal solution for me is something that exposes an API like Clay's on the local LAN on our own premises, or "on-prem" as seems to be the latest buzz-word for it. This means we can interface with the system but still have the usual protection of having it behind the firewall, accessible only over a VPN.

Also, it means no dependency (or vulnerability) created by an external cloud service and if the company decides they don't want to offer the service any more, or goes out of business, your system still works exactly as it did before!

I know at least one person who went a different approach and wrote his own panel code for the Galaxy Alarm/Access control system.

Ultimately, I want a simple option that I can host on-site that's supported and recognised à la Paxton, SALTO, HID etc. but has a modern HTTP(S)-based API. Is that too much to ask?

Or, alternatively, does anyone know of anything that does this? (HID OPIN comes close but is a nightmare to work with; SALTO SHIP also looks promising, but I'm yet to explore it in great detail and it is still a custom protocol rather than a simple API.)

Until then I have to stick with my Paxton event hacks I guess.
