Compare · Access control architecture

Cloud access control vs on-prem, from a 15-year integrator.

An honest, criterion-by-criterion read from an integrator that installs both architectures. The decision is about IT philosophy, door count, and compliance posture. Most multi-site enterprise customers land on hybrid.

  • NDAA-compliant
  • Platform-agnostic
  • 1,000+ deployments over 15 years

Go with cloud access control when you run multiple sites without dedicated on-site IT, want predictable per-door opex, and need fast deployment at new locations. Go with on-prem when you have strict data-sovereignty requirements, 500+ doors at a single campus, an existing enterprise IT operation, or compliance mandates (CMMC, ITAR) that preclude cloud-resident credential data. Most enterprise customers with mixed site sizes end up hybrid: cloud at branches, on-prem at headquarters.

§01  At a glance

The criteria that decide it.

Pick the criterion that matters most for your facilities and IT model, then read the row. This is an architecture-vs-architecture read, not a vendor pitch. Cloud examples: Brivo, Avigilon Alta, Verkada Access, Kisi. On-prem examples: Genetec Synergis, Lenel OnGuard, Software House C-CURE, AMAG Symmetry.

IT requirements
  • Cloud access control: Minimal on-site IT. Controller phones home outbound; no port forwarding, no on-prem server to patch. A single IT generalist can manage a 50-door cloud deployment.
  • On-prem access control: Dedicated server, OS patching, database maintenance, annual software upgrades. Assumes a working IT team or a managed-service agreement. Typical mid-market on-prem deployment expects 0.1 to 0.25 FTE of IT overhead.

Upfront vs recurring cost
  • Cloud access control: Lower Day 1 capex: door hardware (controller, reader, lock) plus first-year license. Recurring per-door annual fee thereafter. Budget sits in opex; finance teams that avoid capex spikes prefer this shape.
  • On-prem access control: Higher Day 1 capex: door hardware plus server, software perpetual license, and implementation. Lower ongoing cost after year one; annual maintenance is typically 15-20% of license. Budget is capex-heavy up front.

Scalability
  • Cloud access control: Add a door by provisioning it in the dashboard; no server resize, no database re-architecture. Multi-site rollout measures in days per location. Scales to hundreds of sites from one console.
  • On-prem access control: Server capacity and database sizing constrain growth. Adding a large door count mid-life means hardware upgrades or database migration. On-prem shines at large single-campus deployments; multi-site adds complexity fast.

Data sovereignty
  • Cloud access control: Credential data, access logs, and video clips (if integrated) live in the vendor cloud. US-based vendors (Brivo, Kisi, Avigilon Alta) operate domestic data centers. GDPR-touching deployments need a signed DPA.
  • On-prem access control: All data stays on your network. You control where it lives, who touches it, how long it persists, and when it is purged. The cleanest path for customers whose policy says credential data must not leave the building.

Failure modes
  • Cloud access control: Internet or cloud outage: most platforms cache the access rule set locally at the controller so doors continue to grant or deny based on the last-known policy. Dashboard goes dark. Credential changes made during the outage sync when connectivity returns.
  • On-prem access control: Server failure is the single point of failure unless you run a hot standby. Hardware fails, you replace it; in the interim, doors fall to their fail-secure or fail-safe default. Recovery speed depends on your spare-parts inventory and IT response time.

Integration breadth
  • Cloud access control: Strong native video integrations (Avigilon Alta with Avigilon cameras, Verkada Access with Verkada cameras, Brivo with 200+ camera partners). REST API access is standard. Deep ERP or PSIM integrations require custom work.
  • On-prem access control: Deep native integrations with enterprise identity (Active Directory, LDAP), HR systems, elevator dispatch, and PSIM layers. Genetec Synergis and Lenel OnGuard are the integration-depth benchmarks. On-prem wins for highly custom enterprise stacks.

Retrofit difficulty
  • Cloud access control: Cloud controllers install over IP; standard door hardware (PoE or powered reader, electric strike or mag-lock) is the same as on-prem. The retrofit cost is driven by door hardware and cabling, not server build-out. Kisi and Brivo controllers swap directly into many existing reader wiring schemes.
  • On-prem access control: Existing on-prem systems (Lenel, C-CURE, AMAG) retrofit onto Genetec Synergis or newer on-prem platforms by replacing the head end while reusing door hardware where wiring is compatible. Upgrade cost is dominated by server, software, and migration labor, not door hardware.

Upgrade cadence
  • Cloud access control: Vendor pushes firmware and feature updates automatically. New capabilities (mobile credential support, visitor management, occupancy analytics) arrive without IT effort. You also accept changes you did not request.
  • On-prem access control: IT controls the upgrade window. Major version upgrades run on your schedule. Enterprise customers running Lenel or C-CURE sometimes lag two major versions behind to avoid regression testing overhead. Trade is deliberate stability vs continuous improvement.
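
An added example, not part of the original page or any vendor's code: a small Python model of the cloud failure mode described under Failure modes, showing that a credential revoked in the dashboard during an outage is still honoured at any controller that has not synced since. The controller names, badge IDs, timestamps and class layout are constructed for illustration; the 72-hour window is the figure this page gives for typical edge caches.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Page figure: edge cache "typically 72 hours or longer"; confirm per platform.
CACHE_WINDOW = timedelta(hours=72)


@dataclass
class Controller:
    """Door controller holding the rule set from its last successful sync."""
    name: str
    last_sync: datetime
    cached_allow: set = field(default_factory=set)

    def decide(self, credential_id):
        # Online or offline, the door decision is made from the cached policy.
        return credential_id in self.cached_allow

    def sync(self, head_end_allow, now):
        # Connectivity restored: pull the current rule set from the head end.
        self.cached_allow = set(head_end_allow)
        self.last_sync = now


def stale_revocations(controllers, revocations, now):
    """List (controller, credential, hours_exposed) where a credential revoked
    at the head end is still honoured because the controller has not synced."""
    findings = []
    for c in controllers:
        for cred, revoked_at in revocations.items():
            if revoked_at > c.last_sync and c.decide(cred):
                hours = (now - revoked_at).total_seconds() / 3600
                findings.append((c.name, cred, round(hours, 1)))
    return sorted(findings)


def past_cache_window(controllers, now, window=CACHE_WINDOW):
    """Controllers offline longer than the stated cache window; what the door
    does after that point is platform-specific and needs checking on site."""
    return sorted(c.name for c in controllers if now - c.last_sync > window)


# --- Constructed sample data (not from any real deployment) ---
NOW = datetime(2026, 3, 10, 12, 0, tzinfo=timezone.utc)
ALL_BADGES = {"badge-1001", "badge-1002", "badge-1003"}
HEAD_END_ALLOW = ALL_BADGES - {"badge-1002"}  # badge-1002 revoked in dashboard
REVOCATIONS = {"badge-1002": NOW - timedelta(hours=2)}
CONTROLLERS = [
    Controller("hq-lobby", NOW - timedelta(minutes=5), set(HEAD_END_ALLOW)),
    Controller("branch-a-front", NOW - timedelta(hours=6), set(ALL_BADGES)),
    Controller("branch-b-dock", NOW - timedelta(hours=80), set(ALL_BADGES)),
]

if __name__ == "__main__":
    for name, cred, hours in stale_revocations(CONTROLLERS, REVOCATIONS, NOW):
        print(f"{name}: {cred} revoked {hours}h ago but still cached as allowed")
    print("past cache window:", past_cache_window(CONTROLLERS, NOW))
```

A finding means the revoked badge still opens that door until the controller reconnects, so an urgent termination at an offline site needs a compensating step rather than a dashboard change alone.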

§02  Where Cloud access control wins

Choose cloud access control when these matter most.

Multi-site without on-site IT

Retail chains, K-12 districts, multi-location healthcare, and franchise operators cannot staff an IT person at every location. Cloud collapses operations to a single web dashboard; one person can manage 50 sites from headquarters. Credential provisioning and access schedule changes propagate in real time across every door.

Fast deployment at new locations

A cloud controller goes from box to operational in a day once door hardware is wired. No server build, no database replication, no firewall ticket. New-site rollouts that took weeks with on-prem systems routinely run in one to two days with cloud platforms like Brivo and Kisi.

Mobile credential rollout

Brivo, Avigilon Alta, Kisi, and Verkada Access all ship native mobile credential support over Bluetooth and NFC. Eliminating card issuance and reader programming overhead is the biggest operational win at high-turnover facilities. Mobile credentials update instantly; lost cards become an app action, not a badge desk visit.

Predictable opex budgeting

Per-door annual subscription is a clean opex line. Finance teams running tight capex approval cycles prefer the flat recurring shape over a $200K server-and-software investment every seven years. The per-door number is also auditable: add a door, add a line item.

Vendor-managed security patches

Cloud platforms push firmware and security patches to controllers automatically. On-prem customers own their own patch cadence, and enterprise access control servers have historically lagged on updates. The vendor absorbing patching risk is a real operational advantage for IT-lean organizations.

Visitor + occupancy management

Modern cloud platforms bundle visitor management portals, occupancy dashboards, and time-based access scheduling into the base license. On-prem platforms add these as separate modules with separate licensing. For facility managers who want a single workflow covering employees, contractors, and visitors, cloud is the faster path.

§02  Where On-prem access control wins

Choose on-prem access control when these matter most.

Regulated data sovereignty

Defense contractors with CUI, government facilities, financial institutions whose policy mandates that credential data stays inside the network perimeter. Genetec Synergis and Lenel OnGuard run on a server you own; access logs never leave your building. On-prem is the only answer when the compliance requirement is explicit about data residency.

Large single-campus deployments

Hospitals, universities, large manufacturing campuses, and government complexes with 500+ doors at a single address. The per-door recurring cost of cloud compounds across a large door count; the on-prem server amortizes across those same doors. At scale, the on-prem economics frequently win on a 5-year total cost basis.

Deep enterprise identity integration

Active Directory and LDAP integration for automatic provisioning and deprovisioning, ERP-triggered access changes, PSIM integration, elevator dispatch, and building management system (BMS) tie-ins. Genetec Synergis and Lenel are the depth benchmarks here. Cloud platforms integrate via REST API but rarely match the native depth of an enterprise on-prem stack.

CMMC and ITAR environments

CMMC Level 2 and Level 3 physical access controls (NIST SP 800-171 PE-1 through PE-6) are cleanest on-prem. Cloud access for CUI-touching environments requires FedRAMP-Moderate authorization, which most commercial cloud access vendors have not achieved. On-prem is the default recommendation for defense contractors in scope.

Existing IDF closet infrastructure

Facilities that already run structured cabling and IDF closets with on-prem servers, switches, and UPS are set up to run on-prem access control without incremental IT infrastructure cost. The PoE reader wiring to each door is identical; the head end cost is the variable. Customers with that existing closet infrastructure often find on-prem is cheaper total.

Long audit retention requirements

Investigations, litigation holds, and regulated industries sometimes require 5-7 years of access log retention. On-prem storage is bounded by your disks; cloud platforms charge for extended retention tiers or cap retention at 12-24 months in standard licenses. Long retention at scale is a case for on-prem.

§03  How each architecture works

Cloud and on-prem access control, defined.

Cloud-managed access control means the head end lives in the vendor cloud. Controllers at each door communicate outbound over IP to the vendor platform; the admin dashboard is a web or mobile app. The vendor handles server infrastructure, database maintenance, software updates, and uptime SLAs. You handle door hardware: the controller, reader, lock hardware, power supply, and the IP network connection at each door. Platforms that work this way include Brivo, Avigilon Alta (the former Openpath), Verkada Access, Kisi, and Salto KS for wireless lock systems.

On-premises access control means the head end runs on a server you own and operate, typically in an IDF closet or server room. Doors connect to that server via field controllers over the internal network or RS-485 wiring. The software runs on Windows Server; you own patching, backups, and hardware refresh. Platforms that work this way include Genetec Synergis (the access module inside Genetec Security Center), Lenel OnGuard, Software House C-CURE 9000, AMAG Symmetry, and Genetec Mission Control for enterprise PSIM.

  • Door hardware is largely interchangeable. Wiegand readers, OSDP readers, electric strikes, mag-locks, and PoE-powered controllers work on both architectures. The architecture choice determines the head end, not the door hardware.
  • Hybrid deployments are common. Genetec Security Center can unify on-prem Synergis access with cloud cameras. Brivo has enterprise integrations with on-prem VMS systems. The architectures are not mutually exclusive at the door level.
  • OSDP (Open Supervised Device Protocol) is the modern reader-to-controller wiring standard for both architectures. It replaces Wiegand for encrypted, supervised communication and is the recommended spec on any new installation.

§04  The real cost picture

What cloud and on-prem access control actually cost over 5 years.

The door hardware cost is similar on both sides: controller, reader, lock, power supply, and cabling labor. That is the part of the quote that does not change based on which architecture you choose. What changes is the head end and the recurring cost. Cloud adds a per-door annual license fee from the first year forward. On-prem adds a server build, perpetual software license, implementation services, and annual maintenance (typically 15-20% of license), but no per-door recurring fee after that.

The 5-year math turns on door count and IT model. A 30-door single-site with no internal IT often finds cloud cheaper total because the avoided server, IT labor, and software maintenance offset the per-door annual fee. A 400-door single campus with a staffed IT department often finds on-prem cheaper total because the server amortizes across 400 doors and the recurring cloud fee compounds to a large number. Neither architecture is universally cheaper; the numbers depend on your specific shape.

  • Cloud cost drivers: door count times annual per-door license, contract length (3-year and 5-year terms typically carry 15-25% discounts), and add-on modules (visitor management, video integration, advanced reporting).
  • On-prem cost drivers: server and OS licensing, primary VMS or access software perpetual license, annual maintenance contract, IT labor (typically 0.1-0.25 FTE for a mid-sized deployment), and hardware refresh every 5-7 years.
  • Migration cost: switching from cloud to on-prem or vice versa is a real door-hardware-agnostic cost line. Budget 20-40% of the original head-end cost for migration labor, credential re-provisioning, and parallel-run testing.
  • In the quotes Tec-Tel benchmarks, cloud per-door annual fees for commercial platforms typically run in ranges that vary meaningfully by tier, door count, and contract length. Model both for your specific door count before committing.

§05  How to choose

When to go cloud, when to go on-prem, and when hybrid is the answer.

Cloud access control wins on operations simplicity for multi-site deployments, fast rollout, and thin-IT environments. If you run more than five locations and cannot staff IT at each one, cloud is the architecture that does not punish you for geographic spread. The provisioning and deprovisioning workflow is especially important for high-turnover facilities: hospitality, retail, light industrial. When a credential change needs to propagate to 30 doors across three buildings in under a minute, cloud handles that natively; on-prem requires either a real-time server sync or a technician visit.

On-prem wins when data sovereignty, compliance posture, or campus-scale economics are the primary constraints. Defense contractors, regulated healthcare with strict data residency policies, and large campuses that already run on-prem identity infrastructure will find on-prem access control fits cleaner into the existing security and compliance stack. The hybrid path most enterprise customers land on: cloud at branch offices and remote facilities where IT is thin, on-prem at headquarters or regulated-use facilities where the compliance requirement is explicit. That split lets you optimize each site class independently rather than forcing a single architecture onto locations with different economics and risk profiles.

  • Signal for cloud: more than one site, no dedicated on-site IT, high-turnover credential management, fast new-location rollout cadence, preference for opex over capex.
  • Signal for on-prem: data-sovereignty compliance mandate, 300+ doors at a single campus, existing enterprise IT infrastructure, deep PSIM or identity-system integration requirements.
  • Signal for hybrid: campus headquarters with compliance requirements plus regional offices without IT staff. Design the architecture per site class.
  • Always verify OSDP reader compatibility before committing to a platform. Some legacy installations are Wiegand-only; migration to OSDP is the right move for new installs regardless of architecture.

Questions buyers ask us

FAQ

Does cloud access control work during an internet outage?
Yes, for most platforms. Controllers from Brivo, Kisi, and Avigilon Alta cache the access rule set locally. During an outage, the controller continues to grant or deny based on the last-synced policy. Dashboard visibility and credential changes made during the outage are queued and sync when connectivity returns. The edge-cache window is typically 72 hours or longer. Fail-secure vs fail-safe behavior on power loss is a door hardware setting, independent of cloud vs on-prem architecture.
What door hardware is compatible with cloud access control platforms?
Standard commercial door hardware: OSDP or Wiegand readers, electric strikes, magnetic locks, PoE or 12/24VDC power supplies, and request-to-exit sensors. The controller (the cloud-connected head end at each door or door cluster) is platform-specific, but the lock and reader hardware is not. Brivo, Kisi, and Avigilon Alta all support third-party readers and work with standard electric strikes and mag-locks. Most cloud controllers mount in a standard 2U or 4U enclosure in an IDF closet or wall-mounted box near the door.
How does on-prem access control handle server failure?
Doors default to their hardware-configured fail state: fail-secure (locked, no credential required to exit via REX) or fail-safe (unlocked). Access logs stop recording until the server is back online. Recovery speed depends on your IT team and spare-parts posture. Enterprise on-prem platforms like Genetec Synergis and Lenel OnGuard support hot-standby server configurations for critical deployments. For most mid-market on-prem installs, a spare server image and a documented recovery runbook are the realistic HA solution.
Can cloud access control meet CMMC requirements?
CMMC Level 2 and Level 3 require NIST SP 800-171 physical access controls (PE-1 through PE-6). Cloud access control for CUI-touching environments needs FedRAMP-Moderate authorization. Most commercial cloud access vendors (Brivo, Kisi, Avigilon Alta) are not at FedRAMP-Moderate today. On-prem access control on a controlled, segmented network is the cleanest path for CMMC-in-scope facilities. Tec-Tel scopes access control architecture to the customer SSP before any vendor selection for defense-contractor deployments.
Is mobile credential support available on both architectures?
Yes. Both cloud and on-prem platforms now support mobile credentials over Bluetooth Low Energy (BLE) and NFC. Cloud platforms (Brivo Mobile Pass, Kisi, Avigilon Alta, Verkada Access) ship mobile credential support natively and often in the base license. On-prem platforms (Genetec Synergis, Lenel OnGuard) add mobile credential support via their own apps or through HID Origo. The enrollment workflow and UX differ by platform, but the door reader hardware (Bluetooth-capable readers) is the same on either side.
What is OSDP and do I need it?
OSDP (Open Supervised Device Protocol, SIA standard) is the modern encrypted, two-way communication protocol between a reader and a controller. It replaces the older Wiegand protocol, which transmits credentials in clear text with no supervision. OSDP provides encrypted credential transmission (through its Secure Channel mode, which must be enabled on both reader and controller), tamper detection, and reader status monitoring. Any new access control installation in 2026 should spec OSDP-capable readers. Both cloud and on-prem controllers support OSDP. Upgrading from Wiegand to OSDP on an existing install means swapping readers; controller wiring runs are typically compatible.
How does video and access control integration differ between cloud and on-prem?
Cloud platforms integrate most natively with their own video ecosystem. Avigilon Alta integrates tightly with Avigilon cameras; Verkada Access integrates tightly with Verkada cameras; Brivo has pre-built integrations with 200+ camera partners via Brivo Video. On-prem platforms integrate most natively with on-prem VMS: Genetec Synergis is a module inside Genetec Security Center, so video and access share a single pane natively. Lenel OnGuard integrates with Genetec, Milestone, and Avigilon Unity. For customers who want a truly unified view, on-prem-to-on-prem (Genetec Security Center) or cloud-to-cloud (Avigilon Alta with Avigilon cameras) offers the tightest integration.
How does the Tec-Tel free consultation work for access control architecture?
Free call with our team, at 855-577-0400 or via the booking link. You walk through your site count, door count, existing cabling and controller hardware, IT staffing model, and any compliance constraints (CMMC, data sovereignty, retention requirements). You leave with a written architecture recommendation (cloud, on-prem, or hybrid with the split rationale), a 5-year TCO bracket for each path, and a specific platform shortlist. The goal is to give you a vendor-agnostic read before you take the first vendor call.

Get a straight comparison

A free consultation picks the right architecture for your doors.

Tec-Tel installs both architectures and the major platforms on each side, so there is no incentive to push one. Bring your site count, door count, IT model, and any compliance constraints. The Tec-Tel team models cloud, on-prem, and hybrid side by side over 5 years and leaves you with a clear picture of gaps. Call 855-577-0400 or book online.

  • Tell us how many sites you run and what's already in place. We'll show you what a build or upgrade looks like.
  • Straight answers from the team that does the work. We're platform-agnostic, so you get the system that fits your sites, not one brand's catalog.

Since 2010 · 1,000+ deployments nationwide · ISN-accredited
