Buying Guide · Controller Architecture
Access control controller architecture choices.
A field-side comparison of the three architectures for commercial access control — standalone, networked on-prem, cloud-hosted — and the platform-level decisions that determine your customer’s operational pattern for the next decade.
01 / The Three Architectures
Standalone, networked, cloud.
Architecture is the biggest spec decision in an access control project — bigger than reader choice, bigger than panel brand. Pick the wrong one and the customer rebuilds in three years.
- Standalone — each controller operates independently. Local credential database, no central management. Good for single-tenant, low door count, no audit requirements.
- Networked on-premise — controllers report to an on-prem server (or cluster). Centralized credential management, full audit trail, video/intrusion integration. The commercial default.
- Cloud-hosted — controllers report to a SaaS platform. Lower upfront cost, recurring monthly subscription, simplest multi-site rollouts. Best for SMB, multi-tenant, and customers without on-prem IT capacity.
02 / Standalone — Where It Still Fits
Smaller than installers think.
Standalone makes sense in narrow scenarios:
- Single door, single tenant, fewer than ~50 users
- No audit-trail requirement
- No integration with video, intrusion, or HR systems
- Stable user base — turnover doesn’t drive constant credential changes
- Customer doesn’t want subscription costs OR an on-prem server
Practical advice: most “small” commercial deployments outgrow standalone within 2-3 years. The customer adds a second door, then a third, then asks “can we see who came in last week” — and you’re stuck reading per-controller logs over USB.
For a tiny site that genuinely won’t grow, standalone IS the right answer. For everything else, default to networked or cloud.
03 / Networked On-Premise
The commercial default — still.
On-prem networked access control is still the right answer for most commercial deployments, despite cloud hype. Why:
- Operational independence — doors keep working if the internet drops. Controllers cache credentials locally and operate autonomously.
- Integration depth — direct integration with on-prem video (Milestone, Genetec, Hanwha Wisenet), intrusion panels (DSC, Bosch), HR systems, and BMS.
- Compliance posture — data stays in your customer’s facility. Federal, healthcare, and financial compliance is simpler.
- Predictable cost — upfront license + maintenance contract, not per-door subscription.
- Mature platforms — Kantech, Lenel/S2, Mercury, Honeywell all have 20+ years of platform maturity.
Common platforms:
Platform              Market segment          Controllers
────────────────────  ──────────────────────  ────────────────────
Kantech EntraPass     Mid-market commercial   KT-1 / KT-2 / KT-400
Lenel/S2 OnGuard      Enterprise / govt       LNL-X / 4820 / 1320
Mercury Security      OEM-flexible            MR series
RBH AxiomV            Multi-site commercial   AC-X series
Honeywell Pro-Watch   Enterprise              PW6000 series
ICT Protege           Mid to enterprise       GX / WX series
04 / Cloud-Hosted
Right for the right customer.
Cloud access control (ProDataKey Cloud Nodes, Brivo, Genea, OpenPath / Avigilon Alta, Kisi) has matured significantly. Where it fits:
- Multi-site, multi-tenant — managing 20 small sites from one dashboard, no per-site server.
- No IT staff on-prem — customer can’t host a Windows server.
- Heavy mobile credential use — most cloud platforms have superior mobile credential workflows.
- Frequent user churn — coworking spaces, short-term lessees, contractors.
- Customer prefers OpEx over CapEx — subscription budgeting model.
Caveats to set with the customer upfront:
- Internet outage = no new credential changes, but cached credentials still work at doors.
- Recurring monthly costs add up over 5+ years and can exceed an equivalent on-prem TCO.
- Provider lock-in — exporting historical access data on cancellation is rarely easy.
- NDAA / FedRAMP — verify the cloud provider’s compliance posture for government-adjacent customers.
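The outage caveat has a security side: a revocation is also a credential change, so a badge disabled in the cloud dashboard during an outage keeps opening doors until the controller reconnects. The sketch below is an added example, not code from any vendor or from this guide; it replays a constructed event timeline through a simplified controller model. The class names, badge IDs, and the assumption that the controller syncs the moment the link returns are hypothetical.

```python
from dataclasses import dataclass, field

@dataclass
class Cloud:
    """Authoritative credential list held by the hosted platform (model)."""
    active: set = field(default_factory=set)

@dataclass
class Controller:
    """Door controller that decides from its local cache only (model)."""
    cache: set = field(default_factory=set)

    def sync(self, cloud):
        self.cache = set(cloud.active)

    def grants(self, badge):
        return badge in self.cache

def replay(events, enrolled):
    """Replay (minute, kind, arg) events; report grants the cloud no longer allows."""
    cloud, door = Cloud(set(enrolled)), Controller()
    door.sync(cloud)                      # assumed: cache is current at t=0
    link_up, pending = True, {}           # pending: badge -> minute revoked
    report = {"stale_grants": [], "exposure_minutes": {}}
    for t, kind, arg in events:
        if kind == "link":
            link_up = (arg == "up")
        elif kind == "revoke":
            cloud.active.discard(arg)
            pending[arg] = t
        elif kind == "swipe" and door.grants(arg) and arg not in cloud.active:
            report["stale_grants"].append((t, arg))
        if link_up and pending:           # assumed: instant sync once online
            door.sync(cloud)
            for badge, t0 in pending.items():
                report["exposure_minutes"][badge] = t - t0
            pending.clear()
    return report

# Constructed sample data: two badges, a two-hour WAN outage.
SAMPLE_BADGES = ["badge-0007", "badge-0042"]
SAMPLE_EVENTS = [
    (10, "link", "down"),
    (25, "revoke", "badge-0042"),   # terminated user disabled in the dashboard
    (40, "swipe", "badge-0042"),    # still opens the door from cache
    (55, "swipe", "badge-0007"),
    (130, "link", "up"),
    (135, "swipe", "badge-0042"),   # denied after the cache refreshes
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS, SAMPLE_BADGES))
```

The exposure figure is the number to put in front of the customer: it is bounded by outage length plus the platform's real sync interval, which should be confirmed with the provider.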
05 / Decision Framework
Pick by customer pattern, not by trend.
Customer pattern                             Architecture
────────────────────────────────────────     ───────────────────────────────────
1-door, single tenant, no audit need       → Standalone
2-8 doors, single site, has IT capacity    → Networked on-prem
8+ doors, single site, enterprise-class    → Networked on-prem
Multi-site, < 10 doors per site, churn     → Cloud
Multi-site, 10+ doors per site             → Networked on-prem (per site)
Coworking / co-living / short-term         → Cloud
Government / military / high-compliance    → Networked on-prem
Cannabis / regulated retail                → Cloud (purpose-built) OR Networked
Healthcare / financial / educational       → Networked on-prem
For platform-specific spec’ing — controllers, panels, reader compatibility — see the access control buying guide and credential selection guide.