Integrator’s Guide to the Cloud

Even with the cloud poised to have a huge impact on physical security, there still is a segment of the security channel that requires more knowledge about how the cloud operates and, further, how they can incorporate it into their business offerings. This special report, “The Integrator’s Guide to the Cloud,” examines some fundamental basics of the cloud and how systems integrators can adapt to — and maximize the benefits of — its impact on the physical security market.

The National Institute of Standards and Technology (NIST) defines cloud services as those that are hosted (and the user only needs Internet access and a computer); that are sold on demand; and that are elastic (customers can use as much or as little of a service as they want at any given time). Cloud services are also multi-tenant (supporting numerous customers in a single instance).

Far from abstract idea, the “cloud” is actually a very real and extremely large collection of computer servers, storage devices, networks, wires and communications technologies. The capacity of the cloud has been estimated around 1 exabyte — that’s one million terabytes, a billion gigabytes, or a trillion megabytes. The data is stored in millions of computers that sit in more than a half-million data centers and server farms worldwide, totaling 285.8 million square feet or the equivalent of 5,955 football fields, according to Emerson Network Power, a business systems and network infrastructure supplier. Cloud applications for physical security leverage all of that hardware on behalf of end-user customers, and in lieu of them buying their own server equipment to install on site.

When you think of cloud, many people think of storage. In the security market, however, the cloud offers many benefits beyond storage. For security, it’s about cloud solutions.

Addressing Security & Other Objections

Ensuring the security of company data stored hundreds or thousands of miles away may concern security end users. However, if you think about it, the cloud is used commonly today for everything from financial information to trade secrets. Corporate America has largely declared the cloud secure enough for that critical data, which suggests it is also secure enough for physical security data.

Steve Van Till, CEO of Brivo Systems, Bethesda, Md., points out that having a server on a company’s premises does not improve its security. “What matters are the security principles that have been applied,” he says. “It’s an illusion that because it’s in my building it is more secure. Cyberspace doesn’t map to physical space that way. If you’re attacking a computer, it doesn’t matter where it is; it only matters how many layers of security are between you and the computer.”

Concerned customers might wonder how the cloud is secured, and audits are an essential element in cloud security. Cloud applications and data centers should be audited, and integrators should look for certifications such as SSAE 16 (formerly SAS 70). Other certification standards are ISO 27001 (international) and FISMA (related to government).

For cloud systems, both the application and the data center should be certified. The fact that an application uses a certified hosting center does not mean the application is safe: the application itself should be audited and certified. All sensitive data used in the cloud should be encrypted both “at rest” and “in transit.” Applications also should use secure authentication and authorization procedures — both for users and connected devices. Finally, cloud suppliers should use penetration testing, which involves contracting with outside “white hat hackers” to identify and fix any vulnerabilities.

Integrators also should confirm a cloud supplier’s record of availability or “uptime,” which should exceed 99.95 percent. Suppliers should ensure redundancy and disaster-tolerance by using multiple secure data centers.

The bottom line is that for the vast majority of users, security and reliability of cloud services should not be an issue. Secure hosting facilities used in the cloud are more secure than many corporate data centers, and the growing popularity of online banking further attests to the safety of physical security information traveling in the cloud.

Limitations of the Cloud

A limitation of the cloud is incompatibility with existing infrastructure, including cameras and other edge devices. In order to leverage existing infrastructure, encoders (for analog cameras) and IP-enabled controllers (that connect with installed non-IP access control readers) are used. For existing IP cameras, a firmware upgrade can sometimes transition them to be used in a cloud application.

Local area network (LAN) systems use a “center-to-edge” discovery process. To connect to the cloud, an in-bound port must be initiated from inside the firewall, which some IT departments oppose based on security concerns. Cloud-based systems also can use automated “edge-to-center” connectivity, which does not require incoming ports; the camera or edge device initiates contact with the cloud. Being able to “speak IT” and communicate with IT directors on issues such as opening ports for outside access is necessary to installing cloud systems.

“Most IT directors will have issues with installing equipment that may impact the performance of a network or that might create a potential threat to data security,” says John Smith, senior channel marketing manager, Honeywell, Louisville, Ky. “IT directors need to be in the cloud-buying decision-making process and understand upfront things like bandwidth, open ports required and access,” he explains.

To enable interoperability of multiple cloud applications in the physical security market, systems must be integrated using APIs in much the way systems are integrated in the client/server world. Cloud applications are not automatically interoperable. In fact, because development is farther along, today there are more client/server applications that have been integrated compared with cloud applications. Customers, therefore, often have more options to achieve simplified system operation and integration into a single interface in the client-server world than in the cloud world. Currently, at least, cloud systems are likely to be less integrated.

“It’s not to the point that you can pick two vendors and hope they will work together — they have to be adapted to work together,” Smith describes. End users have high expectations of interoperability, so integrators must choose carefully and provide the customer with a complete solution. However, cloud systems do not generally provide the same level of control as an enterprise-level system (although the systems are moving in that direction). Delivering systems that interface among multiple systems — access control, video and intrusion detection at a minimum — is critical to a successful cloud solution.

Currently cloud applications, especially real-time video streaming applications, are limited in terms of size. Most enterprise security systems are currently beyond the capabilities of the cloud. Available Internet bandwidth does not allow real-time streaming of hundreds of high-definition cameras, for instance. In any case, the Internet connection must be able to support the scale of the deployment. Today, network connectivity and reliability are better than ever, but still may be a limiting factor in cloud applications.

In terms of economics, a cloud-based system could be more expensive in the long run because monthly recurring fees continue as long as the system is used, whereas equipment is purchased only once (and is depreciated to provide a tax advantage). However, in a tough economic climate, many users can’t find money for capital expenditures but can easily afford a monthly service fee.

Regulations may be another limitation to applicability of the cloud. For example, a cloud service could not be used in a medical setting if it has not been audited to HIPAA standards. Regulatory aspects are changing fast. Several years ago, for example, the government discouraged cloud-based solutions but more recently has embraced a “Cloud First” policy to promote use of cloud applications.

Currently, most cloud systems are geared towards lower-level installations, meaning fewer cameras, points and doors than an enterprise-level system, says Smith of Honeywell.

Application: Video

Opportunities: Small and medium businesses (SMB) are usually mentioned as the application “sweet spot” for cloud-based video systems. Cloud systems are especially suited for these applications, which generally do not involve live monitoring but might need a live camera view here or there for five minutes or so. Uses might be virtual guard tours or verifying access control.

Even beyond security, cloud-connected cameras can be used to view a critical environment or to monitor a process remotely. Other uses might be verification of system maintenance, inventory management, or confirmation of a delivery. These “business intelligence” applications are a new opportunity for integrators, and the cloud makes them more economical and profitable. Remote accessibility of live recordings is easier with a cloud system than a localized solution. Retail organizations — even large ones — can benefit from cloud video systems that can accommodate 20 to 30 cameras per store.

Live streaming to the cloud (especially of HD video) is not currently practical except for systems with relatively few cameras. Video systems today offer new intelligent features that can help manage video in a cloud environment, backed up by localized storage. These systems enable intelligent usage of bandwidth, such as streaming variable image quality based on the viewing device.

Bandwidth limitations on camera counts are changing every year as Internet connectivity improves, along with improvements in video compression. The acceptable camera count per-location was half a dozen cameras a few years ago. It is now at 20 or 30, and may be more in the near future. It will be many years, however, before cloud video is acceptable for a high-camera-count, live-viewing application such as a casino.

Cloud systems also can expand the range of an enterprise client/server system. For instance, a camera linked to the cloud could be installed at a remote location that would not otherwise warrant the expense of expanding the enterprise system. The cloud camera could be integrated seamlessly with the client’s VMS.

Challenges: Storing large amounts of HD video in the cloud is currently cost-prohibitive. Localized storage provides a better value proposition. The cloud can be used to store event-based video, such as video clips based on alarms, facial recognition images, license plate images, etc.

Also, currently at least, the choice of cloud-compatible cameras and other equipment is limited.

Best practices: Storing HD video at the edge complements the benefits of a cloud-based system. Cloud systems can be configured so that, in the case of an alarm, HD video is recorded in the cloud. At other times, locally stored HD video can be accessed for forensics and investigations. Mobile users especially don’t have a need for HD on a small viewing screen. Some cloud systems can provide the appropriate level of video resolution and frame speed based on the viewing device and the available bandwidth at any given moment. “If you get an alarm on a tablet, you want to be able to see the best quality,” says Mark Collett, general manager of Sony’s Security Systems Division, Park Ridge, N.J. Local storage used with a cloud-based system can provide both HD storage and easy access through the cloud.

Cloud systems also can be used to provide active monitoring only at specified times of day, such as at closing or when cash is being handled.

Overcoming objections: One objection is cost. Customers may balk at higher-than-expected storage fees, although newer technology and smarter implementations can keep storage fees low.

Application: Access Control

Opportunities: The data requirements for access control are small compared with video, so cloud systems can be scaled easily without facing concerns about bandwidth. Access control in the cloud is especially attractive to large enterprises that have a large geographic footprint and many facilities. The cloud makes it easy to unify multiple locations into a single access control application. For smaller companies, the economic advantages of operating access control systems in the cloud make them more affordable.

Cloud systems enable integrators to expand their service to customers by centralizing, and performing, basic access control functions such as adding and deleting users, changing access levels, and reporting. Immediate alerts and proactive response to any equipment outages are another value-add by integrators providing cloud systems. In exchange, integrators can earn recurring monthly revenue (RMR) from managing a customer’s access control, rather than installing an access control system and walking away.

Centralizing systems enables easy management of multiple access control accounts without having to go to separate IP addresses or log-on to multiple sites to make changes. All access can be controlled generally through a single user interface with access to multiple accounts.

Challenges: Cloud systems may not be as advanced as client-server systems related to features such as floor plan graphics, guard tours, and photo ID badge management.

Also, to install cloud systems, integrators must have sufficient expertise to interface effectively with IT departments. The greater the expertise, the more the integrator can become involved in understanding the customer’s security needs and designing a system to meet those needs. Integrators who do not have the expertise may be relegated to the role of installer, with IT handled by the end user.

Standards are another challenge. The mainstream access control market has been built around one standard, the 26-bit Wiegand reader interface, while the category of cloud applications, also known as Web services, involves thousands of standards and specifications.

Best practices: Centralizing data in terms of cardholders and access levels into a single, consolidated database enables easier management of different sites. For instance, combining all of the information from 10 databases around the world enables access levels and user accounts to be changed once locally, rather than multiple times for various locations.

Overcoming objections: Most objections integrators face are related to security concerns about private information on the Internet, as addressed on page 53.

Other Cloud Applications

Mass notification. The cloud can provide information quickly to many users and mobile devices, and cloud-based systems provide fast deployment and lower costs with no additional equipment to install.

Identity management. Centralizing management of identities — securely in the cloud — adds efficiency.

Visitor management systems. Cloud-based systems can take the place of visitor logs, with an added benefit of being linked to government watch lists.

Badging. Badging in the cloud removes equipment costs from the customer and enables badges to be created online, printed by a supplier in the cloud (or on a card printer in an integrator’s office), and delivered to the user.

Intrusion detection. Residential offerings are already in the cloud, and commercial and larger systems are coming.

PSIM. Cloud-based physical security information management (PSIM) systems have a monthly fee to the customer that dealers could mark up to provide recurring revenue.

Concierge services/virtual guard tours. Services provided remotely through the Internet can cut down on labor costs.

Others. Fleet management, executive protection, monitoring delivery locations, protecting lone workers — the list goes on and on.

It’s Here to Stay

Perhaps the most important thing to know about the cloud is that it is not going away. Cloud systems are poised to have an impact on the security market comparable to that of IP systems. “Whether integrators are familiar with the cloud or not, they need to get used to it,” says Jumbi Edulbehram, vice president of business development, Next Level Security Systems, Carlsbad, Calif.

Cloud Security or Security Cloud?

The term “cloud security” refers to cyber security measures used to protect cloud architectures. In contrast, “security cloud” refers to a cloud computing system designed to provide electronic physical security as a service.

SOURCE: SIA’s Standards Cloud and Mobility Working Group Whitepaper

Using the cloud for physical security is an example of software as a service (SaaS). General benefits of SaaS include a common infrastructure, multi-tenancy and economies of scale. For security end users, the core benefits of cloud systems include:

less energy consumption,
lower data center expenses,
lower IT staff costs,
scalability and flexibility to expand and contract, and
no concerns about backups, software patches, support or annual upgrades (all handled by the cloud service provider).

Additionally, integrators can realize these benefits:

ability to integrate with other cloud-based applications such as Google maps or weather services;
ability to manage multiple locations centrally, whether it’s changing an access status globally or providing a firmware upgrade to multiple locations. Specifically, cloud solutions provide services such as remote/automatic updates, system health monitoring, immediate alarm and event notification, dealer access for servicing and scalability; and
recurring monthly revenue.

For end users to fully appreciate the total cost of ownership (TCO) advantages of cloud applications, they should consider both the economic advantages to the security department as well as the economic advantages (for example, lower power, less IT expenses) that fall outside of their own department’s budget.

The expansion of cloud applications is happening at the same time as unprecedented growth in mobile applications, which make up a larger and larger percentage of Internet traffic. Increasingly, security information in the cloud will be accessed using mobile devices.

Go Vertical

Specializing in a vertical market is one route to success in the cloud, and DTT, Los Angeles, is showing how it is done. CEO Sam Naficy says DTT is “one of the largest providers of managed services to the hospitality industry” in the cloud. The company’s portal, MyDTT, offers a range of cloud services to restaurants and hotels, including operators of franchises that are household names.

DTT offers video of each location, tied in with point-of-sale (POS) systems to provide exception-reporting alerts to handheld devices. The portal also integrates time and attendance in the cloud, and even en ergy management systems and food equipment. A restaurant manager can log into MyDTT to view video, exception reports, employee background checks, and temperature controls on a walk-in refrigerator or a toaster. A case management application takes the place of paperwork to record incidents such as workplace injuries or liability claims. Employees can provide anonymous tips, and a new real-time text-messaging system, called SCREAM, even provides feedback from customers visiting the restaurant.

Various cameras, cash registers, sensors and other devices in the store are connected to an on-location server with access to the cloud, and the system provides a “mosaic” of each store’s operation, Naficy says. The company earns recurring monthly revenue from each store — currently averaging $300 from each of 10,000 active subscribers. Customers include franchisees of Burger King, Subway, Krispy Kreme, Yum Brands, IHOP, Applebee’s and McDonalds. The system uses Amazon’s cloud with a redundant co-location in Los Angeles.

The company is now expanding into a second vertical, too. A new Las Vegas office, where 200 new employees will bring the company’s total to 1,000 by year-end, will handle convenience stores and small-box “specialty” retailers.

“We consider ourselves a security and loss prevention company, and we have added these other services,” Naficy describes. The server at each store funnels important information about operations, often across inexpensive DSL lines that are common in the market.

CHANGING THE ROLE OF INTEGRATORS

Integrators who are early adopters of cloud systems will enjoy the benefits of being more competitive. Choosing a stable company that has proven its longevity can ensure that the supplier will be around to support the system in the future.

Suppliers say a challenge to the future of cloud services is being able to convince integrators to sell them. Integrators can be slow to adopt new technologies, and in the case of the cloud, awareness among integrators is actually less than among their end-user customers, who are already comfortable with data traveling and being stored on the Internet.

Another challenge for integrators is pricing cloud services, and Smith of Honeywell says simple pricing is best. He warns against allowing complexity to creep into pricing, which sends you down the rabbit hole of “price paralysis” — pricing individual cameras, bandwidth, storage, etc. “It’s better to keep it simple with bundled packages and options,” he thinks. “Your sales team has to be able to communicate it in order to sell it.”

As the industry transitions to cloud systems and a service provider model, many integrators will likely lower prices of equipment to make it easier for customers to have systems installed with little upfront costs. The situation is comparable to alarm dealers who provide equipment below cost (or free) at the front end because they will make it up over time in a monitoring contract.

Transforming an integrator’s sales from integration-focused to service-providing is a great challenge of embracing the cloud. The change should be a top-down approach, with additional training and development. Commission plans, an easy-to-communicate pricing program, and support infrastructure should be in place before an integrator can be ready to offer cloud services.

Resources

SIA Cloud Standards Cloud and Mobility Working Group Whitepaper

Cloud Cover: Where Software as a Service Meets Physical Security (Brivo blog)

The Cloud Security Alliance

MORE ONLINE

Read more on this topic at www.SDMmag.com:

“What You Need to Know When Selling Cloud Access Control”

“Where’s the Gain in Security Cloud Computing?”

“Strategic Alliances, Cloud Computing or Coal?”

“Next Evolution: Security Cloud Computing”

“Securing the Internet: The Cloud Is for Security”

“Head in the Clouds: Content Delivery Becoming Mainstream”

“The Wonderful World of Cloud Surveillance”

PSA Security Network is one of the nation’s leading sources for education, training, and industry networking events. With multiple settings and events throughout the year to meet and exchange industry knowledge, there is something for everyone.

The Electronic Security Expo, owned by ESA, is designed to help electronic security pros to network with other like-minded professionals and to educate about improving your company’s efficiency and productivity