Cloud-based physical security systems - are they safe?
More and more physical security systems are being hosted in the cloud. But are cloud-based security systems “safe?” It’s a question being posed by risk-averse security professionals all over the world, and one for which a clear, concise answer may be difficult to find. We decided to pose it to our Expert Panel.
Systems that are designed for cloud-based environments often deploy the latest and greatest security measures available, using sophisticated encryption. The integrity of the information transferred to and kept on the cloud, such as surveillance footage, is often safer than it is when housed in many autonomous systems. An additional question should be whether information is being managed safely. If the authentication principles are insufficient and weak passwords are allowed, it doesn’t matter how strong the encryption is. Because cloud-based systems are exposed to the Internet, they demand strong authentication and increased operational procedures. Keep in mind, though, that if the cloud component of a system is mission critical and/or guarding lives, the designer of a security system would not compromise security by relying solely on the cloud for ongoing operations. The connection to the cloud is often not robust enough to be fully dependent on using the cloud.
Cloud-based security systems are extremely safe when hosted by a world-class service like Amazon’s Cloud or FORCE.COM that is hosting billions of dollars’ worth of software. These hosting services have built-in redundancy and 24/7 technical staff that apply security patches in minutes. Local security systems rarely have 24/7 on-site IT security staff maintaining the security equipment, so it can often take hours or even days to apply the latest security patches. Cloud-based security systems also benefit from upgrades to the latest, fastest technology that often take place behind the scenes, whereas upgrading local hardware is inconvenient and expensive.
There is no correlation between where a computer server is physically located and how “safe” it is from cyberattacks. It’s an illusion that a company can keep its information any safer by housing its own server versus using a cloud-based system. Any server that is connected to the outside world is vulnerable. You hear a lot about what cloud providers are doing to ensure the safety of their systems, and it all seems pretty convincing to me. Perhaps the strongest argument for the safety of cloud-based security systems is how many other critical enterprise systems are going to the cloud. Hacking of these critical systems could cause much more damage to an enterprise overall than a hacked security camera or door lock. You also see large entities embracing cloud applications, such as the U.S. government’s “Cloud First” initiative. It seems to me if it’s good enough for Uncle Sam ….
The technological evangelist in me wants to say yes. The cautious consultant in me says no. However, there is no reputable way of rating a system 49/100 and declaring it “unsafe” nor 51/100, or even 100/100, and therefore “safe.” Quite simply, if you’re connected to the Internet you’re vulnerable to unauthorised intrusion. The risk-benefit is a decision for each buyer to make with their own criteria. Physical security systems are not perfect but people buy them. The same is true for cloud-based systems. Sales and marketing folks are touting them like crazy just lately. A lot of it is tosh and spin designed to fool the layman, such as: analogue = poor, digital = good, only IP cameras can be viewed remotely, only off-site storage is wholly safe. All untrue. If the people peddling misinformation tell us that their cloud technologies are safe, why on earth would we believe them?
Before answering the question, it’s important to be clear about what one means by "cloud-based" systems. In the security world, it can mean several things, from the ability to remotely access local (on-site) access control or video systems, to simply having edge devices on site and having video and data stored in the cloud. For securely accessing data over the cloud (i.e. the Internet) from local sites, some basic best practices should be observed, including: changing default user names and passwords – this is perhaps the biggest security threat for remotely-accessible systems; opening as few networking "ports" as possible and managing the security on the open ports; and encrypting video and data in transit. For video and data stored on a remote "cloud" server, one needs to ensure that the service provider or co-location facility has the necessary security precautions and certifications in place and that they’re audited on a regular basis.
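The three practices listed in the answer above (non-default credentials, as few open ports as possible, encryption in transit) can be checked mechanically against a device inventory. The following is an added example, not part of the panel's responses; the inventory, field names, default-credential sample and port policy are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample of factory-default credential pairs (not a vendor list).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"),
                       ("root", "root"), ("admin", "")}
# Assumed site policy: only HTTPS is approved for remote access.
ALLOWED_PORTS = {443}
# Protocols that carry video or data without transport encryption.
PLAINTEXT_PROTOCOLS = {"http", "rtsp", "ftp", "telnet"}


@dataclass
class Device:
    name: str
    username: str
    password: str
    open_ports: set = field(default_factory=set)
    stream_protocol: str = "https"


def audit(device):
    """Return the list of findings for one device (empty if it passes)."""
    findings = []
    if (device.username.lower(), device.password) in DEFAULT_CREDENTIALS:
        findings.append("default credentials still in use")
    extra = sorted(device.open_ports - ALLOWED_PORTS)
    if extra:
        findings.append("ports open beyond policy: " + ", ".join(map(str, extra)))
    if device.stream_protocol.lower() in PLAINTEXT_PROTOCOLS:
        findings.append("unencrypted transport: " + device.stream_protocol.lower())
    return findings


# Constructed inventory for the example.
INVENTORY = [
    Device("lobby-camera", "admin", "admin", {80, 443, 554}, "rtsp"),
    Device("door-controller", "svc-access", "k7#Vq2!mZp0x", {443}, "https"),
    Device("dock-nvr", "operator", "Zr9$hT4&wLq1", {23, 443}, "https"),
]


def audit_inventory(inventory):
    """Map device name to findings, omitting devices that pass every check."""
    report = {}
    for device in inventory:
        findings = audit(device)
        if findings:
            report[device.name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY).items():
        print(name, "->", "; ".join(findings))
```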
It’s worrisome that cybersecurity questions related to the cloud also point to an even broader concern: Is any security system safe from possible cyberattack? Most of our physical security systems these days are interconnected with the information highway, a necessity given our market’s hunger for features such as real-time information delivered to handheld devices. The required precautions to protect system data extend both to cloud-based systems and to those physically located on a company’s premises. The problem is universal. The answer to the question “Are cloud-based systems safe?” might well be “As safe (or as unsafe) as any other system.”