Where’s the Gain in Security Cloud Computing?
As cloud services gain traction and can exchange data freely, security professionals predict the industry will have access to better products, lower costs and greater margins.
Like the vast majority of people, you’ve no doubt heard a lot of talk about “The Cloud” in the last year or two. The concept is by no means a new one. If you use an online email provider such as Google or Yahoo, you’re using the cloud. In fact, many people have been using the cloud for well over a decade (Google’s empire was built on the cloud); it just didn’t have a catchy name until recently.
So while we’re all using the cloud in our everyday lives, a precise definition can be hard to nail down. Ask 10 people to define the cloud, and while some of the concepts you will hear will be the same or similar, you’re bound to get at least seven different answers.
So what is the cloud, exactly? At its most basic, it is any hosted service offered over the internet. However, the full answer is more complicated than that.
When asked to explain the concept, Jay Hauhn, chief technology officer for Boca Raton, Fla.-based Tyco Integrated Security, relies on what the National Institute of Standards Technology (NIST) identifies as five essential characteristics of cloud computing: on-demand self-service, broad network access, resource pooling, rapid elasticity (scalability), and measurement. That could mean software as a service (SaaS), platform as a service (PaaS) or infrastructure as a service (IaaS). Moreover, these can be delivered over one of four “flavors” of cloud: private, community, public and hybrid.
If your head is spinning after reading this, you are probably not alone. In fact, when you add the word “security” to cloud computing, the misunderstanding, vagueness and lack of comprehension may actually be greater than the general public’s perception.
Vic Herrera, chief technology officer for Los Angeles-based systems integrator DTT, puts security cloud computing into plain English, describing it as “a centralized service that allows a person or business entity to review or manage aspects of security for business in a pure Web-based environment.” The benefits of this type of service, he adds, can save end users time and money, creating a very real, easy-to-comprehend return on investment from the very beginning.
“In the cloud, they’re using shared resources that take care of themselves,” he says. “There’s no need for IT staff, systems analyst talent, database administrators — any of the trappings that go with a managed IT infrastructure.”
In the security realm — at least for the moment — there are two cloud services applications that are ahead of the pack in terms of offering security via the cloud: access control and video.
“Access control and video are no-brainers because many of our clients are owners of three, five, seven, 20 stores. They need to manage their enterprise and have that application centralized,” Herrera says. “That allows them to focus on getting done what they need to get done without focusing on system maintenance or infrastructure.”
Because of the relatively small size of the data transferred to the cloud, it’s only natural that access control made the jump to the cloud first. That’s one reason dealers and integrators should be looking at access control as a foot-in-the door service, says Jeffery Ross, vice president, product management, for RedCloud Security of Sterling, Va.
“From our perspective, cloud-based access control in particular represents a great entry point for dealers and integrators looking to wade into cloud services. If they already sell access control, dealers and integrators are fully prepared to offer cloud services,” he says. “Consider that any access control system is primarily comprised of door controllers, hardware, readers, switches, and wiring; or wireless locks and corresponding communication electronics. So the only portion to consider in regards to preparedness for offering cloud solutions is the front end.”
Access control is not just limited to those looking to get into cloud-based services; it is also a significant revenue generator for Tyco Integrated Security, the largest integration firm in the industry.
“Card access is where we’ve had the most success. We’ve been selling hosted card access for 20 years, and a true cloud solution for a little less than 10 years,” Hauhn says. “About 99 percent of our cloud-based RMR is coming from managed card access.”
Not to be outdone, video has been making strides recently, driven mainly by the on-demand video revolution, for companies both in and outside the security industry, says Jeff Whitney, vice president of marketing for Cupertino, Calif.-based Intransa.
“Video surveillance is the most rapidly growing application for cloud security deployments. Several of the large telcos already offer home video monitoring, with one or a few cameras streaming over the cable or broadband connection installed in the home for other purposes,” he says. “And some very large security integrators have begun offering large-scale monitoring systems for enterprise surveillance, in a still very immature and early market.”
While highly in demand, moving video to the cloud — unlike access control — has presented great challenges, relates Mahesh Saptharishi, chief technology officer and chief scientist for VideoIQ, Bedford, Mass. “There’s a unique value for end users in the capability to access video, both live and recorded, from anywhere. That’s highly in demand, and it’s facilitated by the cloud,” Saptharishi says. “There’s a lot of chatter about security cloud computing moving the DVR to the cloud. The problem is that the cost of cloud storage is far greater than the cost of a DVR.”
However, discussion of security cloud computing doesn’t necessarily start and end with video and access control.
“Most security processes are well-suited for a cloud-enabled offering, though one could argue that certain high-security applications for nuclear facilities and other sensitive areas will present additional layers of challenges from an architecture perspective,” Ross says. “But for the most part, any process that has traditionally involved heavy physical investments or an extended deployment timeline is a good candidate.”
If all this has you thinking that there just might be a goldmine of RMR opportunity lurking in the cloud, you are right. If you’re not thinking that yet, now is a good time to start, Whitney says.
“Just as dealers and integrators have sold home monitoring, either through their own service or by reselling a major vendor’s program, there are many new opportunities for those organizations to generate new recurring revenue via the cloud,” Whitney says. “First, there is the obvious opportunity to resell complete cloud-based video surveillance from one of the big integrators for a new revenue stream. As well, dealers and integrators are able to resell servers or appliances from a few of the more video-knowledgeable security manufacturers that are designed for the cloud, which use either private or public clouds.”
This represents a departure from what has been the norm in the security installation world — and the attendant mindset, asserts John Smith, senior marketing manager for Honeywell Systems, Louisville, Ky.
“In the traditional video world, you install cameras and a DVR and walk away, or maybe there’s a maintenance plan, but a lot of end users want access to their video outside of their business to check on employees or access multiple locations to improve their business practices. And they don’t want to have to install software on a dedicated PC and have to configure that PC,” he says. “The cloud is a low barrier of entry to provide those kinds of services on a recurring monthly basis.”
Because there is no up-front investment in equipment, the cloud gives dealers a low barrier of entry for dealers to expand their services offerings at a price point that may be more palatable to customers, Ross says.
“Dealers and integrators increasingly recognize that delivering cloud-based security services opens up RMR opportunities with existing customers, while also extending an offering to new customers that could not previously budget for these services,” Ross claims. “Organizations are pushing back on investing significantly up-front in servers and IT infrastructure, and then being hit with recurring costs associated with managing this IT infrastructure.”
DTT offers its clients Smart Audit, a service that proactively looks at video footage based on virtual intelligence spot checks that, as Herrera puts it, “helps business owners keep an eye on what they don’t have time to look at.” DTT scores the various aspects of that audit and provides audit results in an easy-to-read and easy-to-understand format.
“Providing that kind of additional functionality by incident outside the traditional security realm has been a terrific source of revenue and has allowed us to grow our per-location RMR,” Herrera says.
Stop me if you have heard this before, but the most obvious challenge associated with security cloud computing is bandwidth.
“There are a lot of challenges with video in the cloud. You can share video across a campus quickly, but once you leave the building to ship it offsite to the cloud, bandwidth is an issue,” Hauhn explains.
One way DTT mitigates bandwidth concerns is by limiting the amount of video data that customers look at on one page, which Herrera says just makes sense. “In reality, people won’t be able to actively watch 16 to 32 channels at once,” he says. “It’s important to understand that bandwidth and quality are big factors that are limiting video in the cloud. We’ve found a way to address that and we’ve found that video can operate in very constrained situations. The last mile is getting there. As bandwidth increases, we’re going to see that issue taper off.”
Video analytics will also play a major role in bringing cloud-based video to its full potential, Herrera says. “Video analytics are going to play a bigger part in making cloud-based video more possible as technologies become more affordable and accessible,” he says. “At the price range that small businesses can afford, there’s not a quality that I’m comfortable with at the moment.”
Perhaps the biggest challenge with security cloud computing, Honeywell’s Smith says, has nothing to do with technology. Instead, it is more of a service aspect.
“It’s easy to quote equipment cost and markup for a system, but it’s very different to offer lower up-front costs and price services like annuities — and getting the business behind the service option rather than just selling and installing,” he says. “We’re seeing a reversal of the industry five to 10 years ago when dealers were pushing security products to customers. Product is easy to find; it’s the mindset that needs to change.”
Whitney compares the industry’s reaction to the cloud with the way IP technology made its way into the industry.
“Security has always been very conservative as an industry, taking the slow approach to new technologies. The cloud is no different,” he says. “Cloud technology for security can increase system uptime, reduce costs, and eliminate many of the staffing and monitoring headaches of customers today. But it will be a while before it becomes truly mainstream technology in security, just as IP finally has fully arrived.”
Despite the cloud’s promise, particularly in terms of video verification, success in that realm still depends on the basics, says Larry Folsom, president, I-View Now, and president and owner, American Video and Security, both based in Las Vegas. “Verification is not a magic wand,” he says. “You still have to pay attention to the physical attributes of the building to deliver a quality system that’s associated with the right zones.”
Looking ahead, there is much more to come in the security cloud computing field. First and foremost is the integration of systems, allowing them to “talk” to each other using the same language, Herrera says. “What would be best is real standardization on data exchange at the cloud level, which would allow data to be shared easily in a standard format amongst different systems,” he describes.
In the early days of the internet, there were “islands” of network connectivity, which evolved to intranets and eventually came into “full bloom” in the 1990s, Saptharishi says, with the key revolution being the search revolution (i.e., Google-ization). This allowed people to search for pieces of data, and is almost a roadmap for where security cloud computing is heading.
“All of these sensors that make up a security system are nodes in a network. With the rise of IP, connecting those nodes is more common,” he says.
The data collected by that network of nodes, if integrated, can improve more than just security, ADT’s Hauhn says. “Between burg sensors, card access sensors and video sensors, there’s a tremendous amount of data that physical security systems gather, and it’s just sitting on servers somewhere unless a forensic investigation is needed,” he explains. “I believe we’re going to develop much better ROI when we start using that information with business intelligence applications to improve operational efficiency.”
This integration between systems won’t be limited to security sensors alone, Smith says. “Using the cloud to integrate building automation, visitor management, intercom, HVAC, fire and more specialized systems into traditional security-type applications will break down the borders between business and security,” he predicts.
The bottom line is that while the cloud may be a buzzword at the moment, it is a concept that’s here to stay in the security industry.
“I’m excited about where we’re going,” Herrera says. “As cloud services gain traction and can exchange data freely, we’re going to see better products, lower costs and more margins. It’s going to benefit everybody.”
Securing the Security
One potential stumbling block to security cloud computing is end users’ perception that putting it into a nebulous Internet-based cloud opens them up to greater security risk.
“This is security we’re talking about, and many are going to be reluctant to outsource where their video goes and is stored, fearing a lack of control,” says Jeff Whitney of Intransa.
Publicity and news coverage of data breaches by hackers does nothing to assuage those concerns, says Tyco Integrated Security’s Jay Hauhn.
“A lot of people will say, ‘I’m putting my security on the Internet?’ There’s a lot of fear,” Hauhn says. “The truth is that everything is attacked by hackers. In reality, only an extremely small percent of sites are successfully attacked. But it’s so widely reported, which leads to the mistaken notion that the Internet as a whole is not secure.”
However, says Matt Krebs, business development manager, cloud services, for Chelmsford, Mass.-based Axis Communications, you can choose your cloud service provider wisely, paying particular attention to their data security standards and practices.
“Providers are very much regulated, and they have benchmarks and standards they have to meet, such as SAS 70, ISO 27001 and PCI compliance,” he says. “For data centers, security ratings are tiered. As the tier number gets higher, so does the complexity of those standards. That’s why it’s important to choose a provider who’s Tier 2 at minimum and has all those benchmarks and standards in place.”
As more and more intelligence is moved to the edge, whether in the form of cameras or encoders, that intelligence is going to play a key role in determining the future of security cloud computing, says Tyco Integrated Security’s Jay Hauhn.
“A typical IP camera is outfitted with two or three processors, so there are a lot of smarts on the cameras themselves,” he says. “Those processors are determining what video is even sent upstream, so you’re not recording everything. As analytics and compression algorithms advance, they’re going to become enablers for more video in the cloud.”
Taking that one step farther, Matt Krebs of Axis Communications sees intelligent cameras doing even more than that. “As systems get more integrated, cameras will be able to fully act as a replacement to a total security system,” he says. “We see it today with detection analytics, notification capabilities and video with robust audio capability. You can bundle that with hosted access control for a complete Web-based tool at an attractive price point.”
Krebs says he knows his opinion is “not popular with the alarm panel guys,” but it is the direction he sees security taking based on his observations within the industry.
“The reality is that it’s all about intelligence, capability and what people want,” he says.
What to Look For in a Cloud Services Provider
• Breadth of offerings
• Adherence to standards
• Dealer/integrator development and education
• Cost and pricing of service
• Go-to-market strategy
• How quality of service is measured
Compiled from sources interviewed for this article.