Access-control-as-a-service removes the on-premise management server from an Australian enterprise's security stack — but it doesn't remove the on-premise engineering. Door controllers, credential readers and network infrastructure still need designing properly, and the questions that matter most (offline behaviour, credential lifecycle, data residency) are different from a conventional panel-based deployment, not simply "the same thing in the cloud."
Controller-Offline Behaviour Is the First Design Question
A well-specified cloud access-control system caches the current authorised credential list locally at each door controller, so access decisions continue to be made at the door during an internet outage using the last-synced data. What's lost during an outage is real-time event logging and remote management capability, not the ability to grant or deny access — but this only holds true if the offline caching behaviour was actually specified and verified during design, rather than assumed. Some cheaper cloud access-control products cache less generously or sync less frequently than enterprise-grade deployments require, which is a detail worth confirming against the specific product before committing to it for an Australian enterprise deployment.
Mobile Credential Lifecycle: Convenience With New Dependencies
- Mobile credentials can be issued and revoked instantly over the air without physical card production, collection or return — a genuine operational win for high-turnover Australian workplaces.
- This convenience introduces dependency on the user's own device — battery state, app updates, and device loss all become access-control failure modes that a physical card never had.
- Specify a fallback physical credential for any role where guaranteed access regardless of phone state is genuinely necessary — emergency responders, facilities staff, security personnel — rather than mandating mobile-only credentials universally.
- Mobile credential provisioning typically integrates with the organisation's identity provider (Azure AD, Okta), which should be scoped and reviewed as part of the access-control design, not treated as a pure IT department decision made in isolation from physical security requirements.
Design takeaway: Verify controller-offline caching behaviour and mobile credential fallback provisions during design, before commissioning — these are the two areas where cloud access control most commonly under-delivers against what an Australian enterprise assumed it was buying.
Data Residency: A Contractual Question, Not Just a Technical One
Australian organisations should confirm where cardholder data, any biometric templates in use, and access event logs are actually hosted, whether the vendor can commit to Australian or otherwise compliant data residency, and — critically — what happens to that data if the vendor relationship ends. This last point is regularly overlooked: a cloud access-control vendor exit clause should specify data export format and timeline, not leave an organisation negotiating data recovery terms after a decision to switch providers has already been made.
Frequently Asked Questions
What happens to door access if a cloud access-control system loses internet connectivity?
A properly specified system caches the current access list locally at the door controller, so cardholder decisions continue offline using the last-synced credential list — what's lost during an outage is real-time event logging and remote management, not the ability to grant or deny access at the door itself, provided the controller-offline behaviour was specified correctly.
How does mobile credential lifecycle management differ from physical card management?
Mobile credentials can be issued and revoked instantly over the air without physical card production or collection, but they introduce dependency on the user's phone (battery, app updates, device loss) and typically need a fallback physical credential option for staff whose role requires guaranteed access regardless of device state.
What data residency questions should Australian organisations ask cloud access-control vendors?
Where cardholder data, biometric templates (if used) and access event logs are hosted, whether the vendor can commit to Australian or otherwise compliant data residency, and how data is handled if the vendor relationship ends — these should be resolved contractually before go-live, not discovered during an audit or a vendor transition.