Guest Column | March 14, 2014

What About The (Hard) Cloud?

Cloud Security IP Cameras

By Frank DeFina, Senior Vice President, Sales & Marketing North America, Samsung Techwin America

The cloud has dramatically broadened the potential for video, access control, and related security systems to proliferate on the enterprise level for numerous reasons. Aside from the overall advancements in both hardware and software technologies, the cloud presents a much more viable economic model for users to benefit from what can be complex and expensive software solutions. This is especially true for small and medium businesses (SMB) that can benefit from new video surveillance and security system technologies in various aspects of their daily business operations.

For resellers, the cloud has opened up a whole new pathway for business development based on managed services. By offering Software-as-a-Service (SaaS), professional security dealers and integrators can expand their business models to include recurring revenue streams with the benefits traditional alarm companies have enjoyed for years. This is a trend that seems inevitable as the landscape for video and security systems continues to evolve at what seems to be blinding speed.

In recent years alone, we have seen the emergence of SaaS deployed for video surveillance systems and remote monitoring services. This is largely the result of new network system technologies that make video transmission over standard web browsers feasible and cost-efficient. And let’s not forget that the prices for edge devices such as IP cameras and control software have also steadily dropped as demand has increased and manufacturing and development efficiencies help to drive price reductions. Combine these occurrences and you have the ideal environment to cultivate new business opportunities. We’re seeing just that happen with new remote video surveillance monitoring facilities for business and home applications emerging across the country.

Who’s Watching Over The Cloud?

The cloud’s silver lining has a few dark spots that we need to address as an industry before we get too far ahead of ourselves. Although the cloud holds the promise of providing a more secure world, our enthusiasm to achieve system solutions nirvana may have instilled a false sense of security in us. The reality is that all things in the cloud are not always safe and secure. Take the recent run on credit card companies from hacks overseas. They’ve managed to compromise what are widely considered to be the most highly protected data banks in the world. What’s more disturbing is that executives at leading IT companies whom I met with on a recent trip to Silicon Valley are extremely concerned about security in the cloud as well. And these are the same IT pros who are developing the software programs and platforms that run basically everything around the world. There are two compelling issues at play…

The first issue is determining who and/or what is protecting all that video and security data that already resides in the cloud. The reality is that we have yet to devise a solution to prevent data breaches via cyber-attacks.

In fact, the Russian government recently publicized that it is ordering uniforms without pockets for IT workers so they can’t smuggle USB drives with confidential data out of facilities. It may sound like a low-tech non-cyber solution to a high-tech cyber problem, but the threat of social engineering (a relatively new term in our circles but one adopted by the IT industry to indicate security breaches) is very real and difficult to prevent. Eliminating uniform pockets is actually pretty effective from a physical theft/concealment perspective as well as psychologically. But that’s only the tip of the iceberg.

We need to implement safeguards like the 256-bit Advanced Encryption Standard (AES), which the U.S. government has spent millions of dollars developing over the last decade to help better protect sensitive data banks. High security encryption combined with measures like multi-stage authentication will further decrease the possibility of brute-force password attacks. It’s easy to see how encryption is becoming even more of an issue as security professionals look to deploy wireless and mobile video surveillance and security solutions. Imagine what could happen if technology-savvy bad guys gained access to highly sensitive security and video data put on the cloud by the private sector and the government. The consequences could potentially far exceed Mr. Snowden’s decision to out the NSA’s security tactics. What if instead someone released classified encryption data from the Nuclear Regulatory Commission? I think you get the picture.

The second issue deals with the brick-and-mortar aspect of the cloud. What security measures are in place to protect the “hard cloud” — i.e., the data centers’ physical locations where all this information actually lives? The fact is that the hard cloud requires even greater physical security measures than the facilities of the users whose data it stores remotely. That applies not just inside facilities, but also around their perimeter and against personnel infiltration, the latter being of tremendous concern to ensure that the people minding our data are totally accountable.

The first step in securing hard cloud facilities involves traditional security solutions: video cameras, access control, and possibly guard services. New video management systems (VMS) do a fine job of integrating video and access control with advanced automation features that seamlessly combine high resolution recording with access and/or alarm system activation — all with instant notification to authorized personnel. Such capabilities are available and continue to become more cost-effective as all the involved technologies mature and become more affordable.

One of the biggest challenges is managing the varied access needs of multiple individuals at hard cloud facilities. This requires the implementation of reliable and robust physical identity and access management (PIAM) solutions. Because it’s so easy for conventional access control credentials like magnetic stripe or proximity cards to be stolen or compromised, additional levels of security must be put into place to ensure the real-time accuracy and authenticity of each individual’s credentials. PIAM encompasses the automatic provisioning that provides knowledge and authentication of every identity that may require physical and cyber access based on the assigned privileges in real time. This can be a vast undertaking, particularly in hard cloud operations with multiple locations.

To help combat the problem of identity authentication, the U.S. government spearheaded the development of personal identity verification (PIV) smart cards for physical access to facilities and access to data sources. These PIV cards allow the government to better manage identities by embedding additional information to ascertain that the user of the credentials is in fact the individual authorized to have the card. Additionally, PIV cards are subject to whatever rules the administrator wishes to implement for physical and cyber access privileges, ranging from date/time and areas of access to even more detailed requirements such as compliance training certification. This enables employees, vendors and visitors to all have specific designated access privileges that cannot easily be replicated.

Securing the cloud is a considerable challenge both in cyberspace and at hard cloud facility locations. The bottom line is that, as with every technology innovation, we need to address the cloud environment in its totality from various perspectives so we can solve issues we may not even know exist. To help realize all the benefits we want from the cloud, let’s start by looking at more efficient and practical ways to meld physical and cyber security into a single issue — and not as separate physical security and IT data issues. Our ability to grow as an industry, capitalize on new business opportunities and provide better overall security depends on it.