Are cloud-based systems more or less secure than on-premise systems?
23 Sep 2020
For most security end users, keeping all their data on the premises “feels” more secure. But in the age of Internet connectivity, that feeling of safety is mostly an illusion. In any case, increasingly, video and other security systems are migrating to the cloud. So are most other business IT systems for that matter. However, when “security” is in your job title, it becomes that much more important to ensure that data is reliably protected. We asked this week’s Expert Panel Roundtable: Are cloud-based security systems more or less secure than on-premise systems? How and why?
While both kinds of security systems serve their purpose, it can be argued that the streamlined updates that are commonplace with cloud-based solutions may put them at more of an advantage when it comes to data security. Since cloud-based systems, like access control and video management, are managed via the cloud, it’s far easier for manufacturers to issue updates for potential vulnerabilities in real-time, which is a significant advantage over on-premise solutions that have to manually be addressed. Also, most reputable cloud-based solutions are running in secured data centers by companies such as Google, Microsoft or Amazon, so you also get to take advantage of all the security layers they have protecting your data. This can be a huge advantage over hoping you have fully secured your own networks running an on-premise system. Additionally, integrators and dealers can also ensure the most up-to-date software is being used, further addressing customer needs.
Whether cloud-based security systems are more or less secure than on-premise depends on the management of the systems, as well as the technical deployment of the actual system. From a pure technical point of view, there should not be a difference. It is how you operate and maintain them. It could be the case that cloud-based systems are more vulnerable than on-premise because the on-premise system might be more physically secure but can be broken into using a key or stolen access credentials. The cloud-based system likely has additional security advantages, which are built into most of the common platforms – AWS, Microsoft Azure, Google – but it is connected to an outside network, which also poses extra risks. Either way, both systems have manageable risks. It all comes down to how the system is deployed and managed.
Security of the cloud is two-fold in a sense. First, there is a layer of security when using a public cloud provider, such as Google Cloud Services, which arguably has a team of individuals constantly working to keep the data safe. Applications built using this public cloud have the benefit of this reliability and security. But there is a second layer: the application layer from cloud service providers. These entities must have robust third-party penetration testing and other information security policies in place to ensure end-user data is protected. To answer the question, it depends. End users have to identify cloud service providers, as well as integrators, that take the protection of both cloud-based AND on-premise security systems seriously and have established the protocols, policies, and vulnerability testing necessary to protect data from when it is gathered to how it’s stored — in the cloud, on-prem or in some hybrid.
The answer depends on how secure the cloud-based security system is. Each solution should be evaluated on a case-by-case basis. Is your cloud provider implementing the controls that satisfy your requirements? Can the same be said of your on-premise system's controls? In 2019, IHS Markit reported that 74% of companies move applications onto the cloud, and then move them back to on-premise. There were many reasons, but two that stand out are cloud performance and security concerns. Many applications make sense to move to the cloud. We need to weigh the pros and cons, which include risk, for the applications that are considered critical. Security of a system is the responsibility of the parties adopting and implementing controls. Applications will have native security controls, such as user access control, permissions, and SSL, and the infrastructure that the system resides in and connects to.
Essentially this goes back to the ongoing debate and people’s perception of the cloud, and specifically public versus private cloud. Undoubtedly private cloud hosting is just as secure as on-premise as it is totally controlled by the end user and is part and parcel of their network. With public cloud, it is more of a gray area and is heavily dependent on the service being used. However, there are ways of ensuring it is run securely, and there is more that the Security industry can do to assure end users that what’s going on with their systems is secure. One way to do this is to emulate the security protocols and regimes of the banking sector. Most of us rely (directly or indirectly) on Internet-enabled banking, which we consider just as trustworthy as physical banking. We should seek to demonstrate this level of trust in cloud-based security.
With a cloud-based solution, all-important IT tasks such as software patching and infrastructure maintenance are done in a timely manner, ensuring ongoing security of the services provided. Tier-one cloud providers have implemented far more stringent security measures for their infrastructures than most independent organisations could ever afford themselves. They offer the highest levels of physical security for their datacenters since they have to comply with regulations such as SOC 2, ISO 27001, HIPAA and PCI. However, businesses have to be mindful when choosing the right cloud vendor since not all solutions are created equal: cloud service providers must ensure that the right security mechanisms are in place such as encrypted communications, data protection capabilities, and strong user authentication and password protection. Not only do these tools help protect organisations against hackers and other internet-based attacks, but they ensure only those with defined privileges are able to access resources, data and applications.
There is nothing more secure than an on-premises security system entirely disconnected from the Internet. Yet there is nothing more antiquated. A cloud-based system is arguably more exposed to hackers as it does not have the benefit of site-level firewall protections, port blocking and LAN segmentation. But these benefits can be quickly reversed by one user gaining access to an unsecured NVR or using weak passwords. Because cloud-based video systems are centrally managed and hosted in secure data centers, the content is less exposed than, say, hundreds of distributed NVRs recording to hard drives or thousands of IP cameras recording locally to SD cards. The management of a security system is more important to its protection than whether it is on-premises or cloud-based. Cybersecurity experts will attest, a chain is no stronger than its weakest link. A security integrator with cybersecurity and network design expertise can eliminate those weak links.
There is a strong argument to be made that cloud-based systems are more secure than on-premise because the infrastructure can be managed in a centralised way by a company with specialised expertise. Additionally, the ready availability and scalability of sophisticated storage options in the cloud may make it a necessity to move some kinds of resources off-premise. In the end you may not have an “either-or” choice between these two types of hosting environments. Most companies will end up with a mix of cloud and on-premise solutions. In this situation, it is a question of identifying the risks of hosting different types of resources in each environment and coming up with a plan to mitigate them. At the end of the day, it comes down to what kind of data you will be storing, how much of it and what kind of time or resources you can invest into it.
Data security exists as a separate consideration from an end user’s choice of cloud-based or on-premise solutions. Either scenario requires that integrators and manufacturers pay close attention to issues of cybersecurity. In fact, as one Expert Panelist points out, the nature of the application will likely guide the decision between the approaches, and in many cases customers will end up using a combination of both. That’s all the more reason to apply our industry’s best cybersecurity practices to every system, however it is configured and wherever it is hosted.