Cloud-managed access control finally crossed over from "interesting option" to "default for new commercial installs" sometime in 2024. On-premise didn't go away. It just stopped being the obvious choice. Here's how to decide which one suits your site, and the questions to ask before signing.
What we mean by each pattern
On-premise access control runs the management software on a server inside your building (or a hosted server you control). Your door panels talk to that server over the local network. Adding a card, pulling an audit log, or running a report happens through software installed on a workstation. Lenel OnGuard, Tecom Challenger with Forcefield, and Inner Range Integriti are the platforms we install most often in this category.
Cloud-managed access control runs the same management layer on the vendor's servers. You administer the system through a browser or mobile app from anywhere with internet. Door panels at the site still operate locally if the internet drops, but credential changes, reporting, and integrations happen via the cloud platform. Brivo, OpenPath, Kisi, and the cloud editions of the major enterprise platforms sit in this category.
Almost every install we've quoted in 2026 has been a real decision between the two. Below is what actually drives the answer.
The five questions that decide it
1. Who is going to administer the system day-to-day?
On-premise systems need someone reasonably technical to maintain them. Patching the server, backing up the database, managing user accounts, troubleshooting when something goes wrong. Most of our on-premise clients lean on us for this through the maintenance contract, and that's the right answer if your team doesn't want to own it.
Cloud-managed systems are administered through a browser by anyone you give access to. Reception staff can issue a temporary card; HR can deactivate a leaver; a facility manager can pull an audit report from home. No server-side skill required. For sites without a dedicated IT or facilities-tech function, this is often the deciding factor.
2. How much do you depend on internet connectivity?
This question gets framed badly. The honest answer: both architectures keep doors working when the internet drops. Modern panels cache credentials locally and swipe-in continues to function without needing to phone home.
What changes during an outage:
- On-premise: Everything except remote administration keeps working. You can still issue cards from inside the building, pull audit logs, and respond to events. You just can't do it from somewhere else.
- Cloud-managed: Doors keep operating, but you can't issue or revoke credentials, run reports, or change configuration until the connection is restored. For a typical site, that's fine; for a 24/7 critical operation where same-day provisioning matters, it's worth modelling carefully.
If your site has reliable redundant internet (most commercial fit-outs in Sydney metro do, or can have it added cheaply), this becomes a non-issue. If you're in a regional pocket with only one ISP and intermittent fibre, on-premise carries less operational risk.
3. How many sites are you running?
For a single site of any size, both work. The interesting question is multi-site rollouts.
Cloud-managed access control is built for multi-site operation by default. A national retailer with twenty stores administers all twenty from one dashboard, with credentials provisioning across all sites automatically when an HR system change fires. The cost of adding the twenty-first site is the licence and the install, not a new server room.
On-premise multi-site is doable, but it usually means either a central server with VPN connections back to each site, or a distributed architecture with replication. Both add complexity and cost to the design and the ongoing management. We still install multi-site on-premise where compliance or legacy infrastructure requires it, but if you're scoping a fresh national rollout in 2026, cloud is the obvious starting point.
4. What does compliance demand?
Some regulatory frameworks effectively mandate on-premise. Common ones we work under:
- Government, defence, and certain critical-infrastructure operators with strict data sovereignty or air-gap requirements
- Some healthcare and pathology environments with on-premise data handling rules baked into accreditation
- Financial services and high-assurance environments where the auditor wants the database in the same physical building
For most other commercial sectors, both architectures comply with Australian Privacy Principles and standard industry-specific frameworks (NQS for childcare, OLGR for licensed venues, TGA Good Distribution Practice for pharma logistics). We document the install against the relevant framework either way.
5. What does total cost over five years actually look like?
Headline cost comparisons miss the point. The right way to compare is total cost over the system's likely service life. Here's a rough model for a representative 12-door commercial site:
| Cost component | On-premise (5 years) | Cloud-managed (5 years) |
|---|---|---|
| Initial install (panels, readers, cabling, labour) | $28,000 to $42,000 | $24,000 to $38,000 |
| Server hardware + setup | $3,500 to $7,000 | $0 (no on-site server) |
| Software licences (5 years) | $0 to $2,500 (perpetual) | $3,000 to $7,500 (subscription) |
| Server maintenance + patching (5 years) | $2,500 to $5,000 | $0 (vendor responsibility) |
| Door + reader maintenance (5 years) | $3,500 to $6,000 | $3,500 to $6,000 |
| 5-year total | $37,500 to $62,500 | $30,500 to $51,500 |
Cloud usually comes out cheaper over five years for typical commercial sites. The gap narrows or reverses for very large multi-site enterprise deployments, where the per-door subscription cost adds up faster than the maintenance saving.
What we recommend, by site type
- Single commercial site, under 30 doors, no in-house IT tech: Cloud-managed. Easier to administer, lower five-year cost, faster to deploy.
- Multi-site corporate (3+ sites): Cloud-managed, almost always. Single panel of glass across sites is a real operational win.
- Compliance-driven sectors with on-premise data requirements: On-premise, no question. Don't fight the regulator.
- Single large site (50+ doors) with dedicated facilities tech: Either works. Pick on-premise if you want zero vendor dependency or have legacy kit to integrate; pick cloud if you want the IT overhead off the books.
- Sites with unreliable internet: On-premise. The operational risk during outages isn't worth the convenience saving.
What to ask any installer before signing
- Which cloud platforms do you install (and which do you avoid, and why)? An installer who only sells one cloud vendor isn't giving you architectural advice.
- What happens if I want to migrate from cloud to on-premise (or vice versa) in five years? Door panels, readers, and cabling should generally survive a platform swap; the cost is the head-end.
- What's the data export path if I leave the cloud vendor? You should be able to export the full audit log and credential database in a portable format.
- How is the cloud vendor's data hosted? Australian-region hosting matters for some sectors.
- What's the SLA on the cloud platform's uptime, and what happens if it's breached?
The bottom line
For most Sydney commercial buyers in 2026, cloud-managed access control is the right starting point. It costs less over five years, is easier to administer, scales naturally to multi-site, and doesn't require an in-house technical owner. On-premise still wins where compliance forces the issue, where internet reliability is a genuine concern, or for very large enterprise deployments where the subscription economics tilt.
Whichever pattern you choose, the install standards should be the same: walk the site, design to how the building actually runs, install properly, document for handover. If you'd like a walk-through quote on either architecture, get in touch. We install both.
