Security in the cloud: a good idea?
After the arrival of IP networking in security around twenty years ago, cloud based security systems are now one of the major trends in our industry. What does that mean exactly? What are the implications? Is it, in general, a good idea for our industry?
In the context of physical security one could define cloud based systems as those systems with a topology that looks like this:
- A server that is ‘in the cloud’ and can be accessed from virtually anywhere;
- Devices that connect over an IP-network to that central server;
- Web based administration of the system;
- Commercially based on a service or transaction model with recurring fees.
Variations exist. But in general this pretty much sums up what to expect when reviewing a cloud based system.
We already see this set-up in several categories:
- Video Intercom Systems, like the systems from Akuvox, which are based on video intercom stations that connect to a cloud based server, which also enables use of apps as virtual door phones.
- Mobile access systems that enable the use of virtual credentials on smartphones and that are managed from a cloud based server.
- Video management software is now also offered by several vendors as a cloud service, for example: 3dEYE, OpenEye, and VIVOTEK.
- And, as we saw at IFSEC, access control systems are of course also available as cloud based solutions. Examples: Salto KS and Cloud Access Control by Brivo.
- Some cloud based security applications have been in use for over a decade. Nedap, for example, has deployed cloud based city access control systems in almost eighty cities in the Netherlands.
It appears, based on the growing number of cloud based propositions in our industry, that the concept is growing in popularity. Why is that?
Running security solutions in the cloud has some clear advantages over conventional security system topologies, where the server is installed on-premise (on a corporate server) and connects to endpoints (stations, readers, devices) using the local IP-network or even a proprietary bus, sometimes with an additional layer of controllers or panels:
- Organisations can focus on managing and administering the primary security processes. Much less effort and investment is needed to deploy and maintain a facilitating networking and server-architecture.
- Because of the comprehensive topology, installations are simplified since devices can be pre-configured or auto-configured to connect to the cloud based server.
- Global roll-outs are more easily supported. It is easier to scale up since the central services can be accessed from anywhere and are more scalable by nature. Devices can use standard networks to connect to the server.
- New or improved functionality at server-level can now more easily be rolled out across the enterprise.
- Administration and device management can be centralized, while keeping the possibility to delegate local administration to local staff.
- Integration with other systems that use a similar topology is now much easier and is immediately available across the estate.
As with any innovation, cloud based security systems also come with some concerns. One of the first concerns is always the security level of the security solution itself: what are the security implications of using cloud based security services? Surely there are risks attached to using public networks for security systems? Of course, any topology should be tested against security requirements. But cloud computing has been around a long time and it has been proven by now that, when managed well, the risks related to these systems can be mitigated well. We store money in bank accounts. We store files in Dropbox or in iCloud. We store client data in Salesforce.com and we run apps on Azure. Why should we not run security systems in the cloud?
Well, data storage may be an attention point. Do we know where our security related data are stored? Are we, by law, allowed to store it in that location? Are we GDPR compliant (privacy laws) with the information that we store and the amount of time that we store it?
Another concern may be dependency on network connectivity. Do we use a public network? Do we roll out a private network or a virtual private network? Can we sufficiently guarantee network availability to support the security application?
Some organisations dislike the sense that they have less control over the network, the services and the application. What will happen if part of the system or network is down? Who is responsible, who will fix things?
And finally, people are concerned about entering a vendor lock-in. How easy will it be to move away from the cloud provider and move to another one or to another topology?
But you should have concerns with any topology you choose and any technology that you select. Genuine concerns can be used in your risk analysis and risk mitigation approach.
What is your experience with cloud based security? How do you see this trend progressing into the future?