This is the 13th article in the award-winning “Real Words or Buzzwords?” series about how real words become empty words and stifle technology progress, also published on SecurityInfoWatch.com.
By Ray Bernard, PSP, CHS-III
Cloud computing offers new capabilities that premises-based systems can’t provide at a reasonable cost. However, without understanding what a true cloud system is, and without knowing how any particular cloud offering is architected and secured, how could an end-user customer or an integrator fully evaluate product offerings?
Thinking About True Cloud Systems
Furthermore, true cloud systems are continually advancing and evolving. You have probably experienced this with your smartphone. Continually evolving applications make product roadmaps much more relevant and important. Under modern cloud software development practices, cloud application improvements are implemented automatically on a regular basis. Improvements are made to enhance features, performance and security. Application updates typically occur on a bi-weekly or monthly basis. Users would notice most feature improvements and some performance improvements, and may not notice security improvements at all.
Given the current state of cloud adoption in the physical security industry, continual software improvement means that, prior to subscribing, new customers have the opportunity to influence the priority, and sometimes the feature capabilities, of roadmap items that are critically important to them.
At first glance, cloud offerings seem to present a significant challenge for security system designers and specifiers. Pre-cloud, security design consultants either selected or designed the system architecture based upon the capabilities of the system software. They specified the computing equipment and operating systems to be used, and thus could assure the desired system capacities and system performance. Furthermore, they could conduct proof of concept tests prior to purchasing, to make sure that critical functionality works as needed, and perform acceptance tests to prove out system capabilities prior to customer acceptance of the system. Additionally, customers knew exactly what computer and network security elements were in place, as they owned them.
Under cloud computing, system designers and customers can still achieve the same or better levels of understanding and certainty regarding cloud system design and performance as in the pre-cloud days. It just takes a different approach.
Client-Server vs. Cloud Software
This article presents the NIST and ISO/IEC definitions of cloud computing, with some examples of how our product design thinking needs to change to fit the nature of cloud offerings. The first and most major change in thinking occurs with the cloud provider’s cloud application deployment, because in a true cloud offering, customers (subscribers) share the same single instance of software. Unlike a client-server security application, which would typically have perhaps a dozen users for a small company and up to a few hundred users in a very large enterprise, the single cloud-based application will have thousands to hundreds of thousands of users—or millions of users, if most of a subscriber’s employees or building occupants will be mobile users. Supporting millions of users in the client-server world simply means having millions of software application downloads. In the world of cloud computing it is an entirely different situation: a single application instance must support all users in a major geographic region.
Defining Cloud Computing
The Cloud Security Alliance’s recently released Security Guidance for Critical Areas of Focus in Cloud Computing v4.0 provides an excellent description of cloud computing, included in the paragraphs below. Version 4.0 is the first major update to the CSA’s guidance document since 2011. This significant rewrite makes the 4.0 version less of an academic document, and more of a real-world conversation. It contains three times as many illustrations as version 3.0, and includes guidance for cloud-related technologies, such as DevOps, IoT, mobile, and Big Data.
In its guidance document, the Cloud Security Alliance states:
“Cloud computing is a new operational model and set of technologies for managing shared pools of computing resources.”
“It is a disruptive technology that has the potential to enhance collaboration, agility, scaling, and availability, as well as providing the opportunities for cost reduction through optimized and efficient computing. The cloud model envisages a world where components can be rapidly orchestrated, provisioned, implemented and decommissioned, and scaled up or down to provide an on-demand utility-like model of allocation and consumption.”
The key word in the paragraph above is “potential”. Cloud computing will not be disruptive in the physical security industry unless manufacturers design and develop applications that take maximum advantage of cloud-computing capabilities, so that customers can experience benefits that client-server-based systems cannot provide.
If physical security system cloud applications were engineered to pass cloud computing’s capabilities along to application users, then, for example, cloud-based video storage would be offered in a utility-like model: you could store as much recorded video as you like, and you would pay only for the storage that you use. Under such a model, cloud-based video management system subscribers would specify only how many days of video retention they require (as opposed to terabytes of disk storage), such as 30 days of retention, and the cloud VMS would assure that 30 days of retention was always achieved, automatically adjusting the billing to reflect the storage used in the previous month.
So, for example, if it rained for two weeks, and outdoor cameras were set up to record on motion, it wouldn’t matter if three times as much video as usual was recorded by a particular subscriber—the storage would automatically expand to assure 30 days of retention. A month later, when the amount of recorded video dropped back to normal, so would the amount of storage allocated to that subscriber.
The Service Level Agreement would include a guarantee that the subscriber-requested video retention period would always be met—and for countries that impose a limit on security video retention—would never be exceeded.
This kind of capability is not automatic just because VMS software is running in the cloud. It has to be engineered by the VMS manufacturer, whose software would now include billing functionality for video storage—something not included in client-server VMS software.
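The retention-based storage model described above can be made concrete with a small simulation. The following Python code is an added example for this article, not code from any VMS manufacturer: a subscriber states a retention period in days, the store grows and shrinks with the volume of video actually recorded, a jurisdiction’s maximum retention is enforced at policy creation, and the monthly charge reflects the average storage held rather than a pre-purchased capacity. The class names, the 10 GB/day and 30 GB/day volumes, the rainy fortnight on days 31–44, and the per-gigabyte rate are all constructed for illustration.

```python
"""Added example: utility-style video retention with elastic storage and billing.
Not from the article or any vendor; all names and sample numbers are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class RetentionPolicy:
    """The subscriber asks for days of retention, not terabytes of disk."""
    requested_days: int
    max_days: Optional[int] = None  # legal ceiling on retention, if the jurisdiction has one

    def __post_init__(self) -> None:
        if self.requested_days < 1:
            raise ValueError("retention must be at least one day")
        if self.max_days is not None and self.requested_days > self.max_days:
            # The SLA promise that retention is never exceeded starts here.
            raise ValueError(
                f"requested {self.requested_days} days exceeds legal maximum of {self.max_days}")


@dataclass
class ElasticVideoStore:
    """Tracks gigabytes recorded per day and expires anything outside the window."""
    policy: RetentionPolicy
    recorded_gb: Dict[int, float] = field(default_factory=dict)  # day index -> GB that day

    def record(self, day: int, gigabytes: float) -> float:
        """Store one day's video, expire stale days, return storage now allocated (GB)."""
        self.recorded_gb[day] = self.recorded_gb.get(day, 0.0) + gigabytes
        self._expire(day)
        return self.allocated_gb()

    def _expire(self, today: int) -> None:
        # Keep exactly requested_days days: today and the requested_days-1 days before it.
        oldest_kept = today - self.policy.requested_days + 1
        for stale in [d for d in self.recorded_gb if d < oldest_kept]:
            del self.recorded_gb[stale]

    def allocated_gb(self) -> float:
        return sum(self.recorded_gb.values())

    def retention_held(self, today: int) -> int:
        """Days of video actually on hand; this is what the SLA guarantee is checked against."""
        return today - min(self.recorded_gb) + 1 if self.recorded_gb else 0


def monthly_charges(daily_allocation: List[float], rate_per_gb_month: float,
                    days_per_month: int = 30) -> List[dict]:
    """Bill each month on the average storage held that month (constructed rate)."""
    charges = []
    for start in range(0, len(daily_allocation), days_per_month):
        window = daily_allocation[start:start + days_per_month]
        avg_gb = sum(window) / len(window)
        charges.append({"month": start // days_per_month + 1,
                        "avg_gb": avg_gb,
                        "charge": round(avg_gb * rate_per_gb_month, 2)})
    return charges


def simulate(daily_gb: List[float], policy: RetentionPolicy, rate: float = 0.02) -> dict:
    store = ElasticVideoStore(policy)
    allocation = [store.record(day, gb) for day, gb in enumerate(daily_gb, start=1)]
    return {"allocation": allocation,
            "retention_held": store.retention_held(len(daily_gb)),
            "charges": monthly_charges(allocation, rate)}


def rainy_fortnight_scenario() -> dict:
    """Constructed input: 10 GB/day normally, 30 GB/day on motion-heavy rainy days 31-44."""
    daily = [30.0 if 31 <= day <= 44 else 10.0 for day in range(1, 91)]
    return simulate(daily, RetentionPolicy(requested_days=30, max_days=90))


if __name__ == "__main__":
    result = rainy_fortnight_scenario()
    print("peak storage (GB):", max(result["allocation"]))
    print("storage on day 90 (GB):", result["allocation"][-1])
    print("days retained at end:", result["retention_held"])
    for charge in result["charges"]:
        print(charge)
```

Running the scenario shows the behaviour the article describes: storage climbs from 300 GB to a 580 GB peak during the rainy fortnight, stays there while those days are inside the window, and is back to 300 GB by day 74, while the subscriber always holds exactly 30 days of video. Creating a policy that asks for more days than `max_days` allows is refused up front, which is where a retention cap would be enforced in practice.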
A contract-based guarantee of video retention could be part of a disruptive cloud-based VMS feature set. So would on-demand and scheduled use of video analytics, which many school districts would be happy to pay for. Holidays, major sports games and other school events, and the month surrounding graduation time often see a spike in prohibited high-risk activity, which could be curtailed using the new generation of advanced video analytics. However, most schools would only want to pay for such usage during the times they actually need it. These and other capabilities just aren’t possible with premises-based systems, but they have been slow to arrive in cloud-based security video systems.
NIST defines cloud computing as:
“Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
The ISO/IEC definition is similar:
“Paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual resources with self-service provisioning and administration on-demand.”
The Cloud Security Alliance states it this way, with my comments inserted in square brackets for this article:
“A (slightly) simpler way of describing cloud is that it takes a set of resources, such as processors and memory, and puts them into a big pool (in this case, using virtualization). Consumers [meaning security system applications, and for our example, VMS systems] ask for what they need out of the pool, such as 8 CPUs and 16 GB of memory, and the cloud assigns those resources to the client [VMS system application], who then connects to and uses them over the network. When the client is done, they can release the resources back into the pool for someone else to use.”
Applying these capabilities to video surveillance applications, it would mean that when there is a lot of activity in the fields of view of the cameras, the cloud-based video analytics applications would request additional CPUs and computing memory to handle the video analytics processing. When the activity is over, the additional CPUs and memory would be released. This requires two new dimensions of application development unique to the cloud: allocating specific computing resources (such as CPUs), and billing specific subscribers for each subscriber’s portion of computing resource allocations. This is not easy development work.
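The two development dimensions named above, requesting specific resources from a shared pool and metering each subscriber’s share, can be shown in one small model. The Python below is an added example written for this article, not code from the Cloud Security Alliance, a cloud provider, or any VMS vendor. It also covers the on-demand analytics usage discussed earlier: a subscriber’s analytics workload leases a baseline of CPUs and memory, takes an extra lease (the CSA’s 8 CPUs and 16 GB) for a busy period, releases it, and is invoiced on CPU-hours and GB-hours actually held. The pool size, subscriber names, hours and rates are constructed, and a request the pool cannot satisfy is refused rather than silently oversubscribed.

```python
"""Added example: a shared resource pool with per-subscriber metering.
Constructed for illustration; not the API of any real cloud provider."""
import itertools
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Lease:
    lease_id: int
    subscriber: str
    cpus: int
    mem_gb: int
    start_hour: float


@dataclass
class UsageMeter:
    cpu_hours: float = 0.0
    gb_hours: float = 0.0


class ResourcePool:
    """A big pool of CPUs and memory that tenants draw from and return to."""

    def __init__(self, total_cpus: int, total_mem_gb: int) -> None:
        self.total_cpus, self.total_mem_gb = total_cpus, total_mem_gb
        self.free_cpus, self.free_mem_gb = total_cpus, total_mem_gb
        self.leases: Dict[int, Lease] = {}
        self.meters: Dict[str, UsageMeter] = {}
        self._ids = itertools.count(1)

    def allocate(self, subscriber: str, cpus: int, mem_gb: int, at_hour: float) -> Optional[Lease]:
        """Return a lease, or None when the pool cannot satisfy the request."""
        if cpus <= 0 or mem_gb <= 0:
            raise ValueError("a lease must request at least one CPU and one GB")
        if cpus > self.free_cpus or mem_gb > self.free_mem_gb:
            return None  # pool exhausted: the application must degrade, not overcommit
        self.free_cpus -= cpus
        self.free_mem_gb -= mem_gb
        lease = Lease(next(self._ids), subscriber, cpus, mem_gb, at_hour)
        self.leases[lease.lease_id] = lease
        self.meters.setdefault(subscriber, UsageMeter())
        return lease

    def release(self, lease_id: int, at_hour: float) -> None:
        """Return resources to the pool and charge the subscriber for the hours held."""
        lease = self.leases.pop(lease_id)
        hours = at_hour - lease.start_hour
        if hours < 0:
            raise ValueError("release time precedes lease start")
        meter = self.meters[lease.subscriber]
        meter.cpu_hours += lease.cpus * hours
        meter.gb_hours += lease.mem_gb * hours
        self.free_cpus += lease.cpus
        self.free_mem_gb += lease.mem_gb

    def invoice(self, cpu_hour_rate: float, gb_hour_rate: float) -> Dict[str, float]:
        """Each subscriber pays only for its own portion of the pool (constructed rates)."""
        return {name: round(m.cpu_hours * cpu_hour_rate + m.gb_hours * gb_hour_rate, 2)
                for name, m in self.meters.items()}


def busy_afternoon_scenario() -> dict:
    """Two constructed subscribers; campus-a bursts for three hours of heavy analytics."""
    pool = ResourcePool(total_cpus=32, total_mem_gb=64)
    base_a = pool.allocate("campus-a", cpus=2, mem_gb=4, at_hour=0)
    base_b = pool.allocate("campus-b", cpus=2, mem_gb=4, at_hour=0)
    burst = pool.allocate("campus-a", cpus=8, mem_gb=16, at_hour=8)    # activity starts
    oversize = pool.allocate("campus-b", cpus=40, mem_gb=16, at_hour=9)  # more than the pool holds
    pool.release(burst.lease_id, at_hour=11)                            # activity over
    pool.release(base_a.lease_id, at_hour=24)
    pool.release(base_b.lease_id, at_hour=24)
    return {"oversize_refused": oversize is None,
            "free_cpus": pool.free_cpus,
            "free_mem_gb": pool.free_mem_gb,
            "meters": {name: (m.cpu_hours, m.gb_hours) for name, m in pool.meters.items()},
            "invoice": pool.invoice(cpu_hour_rate=0.05, gb_hour_rate=0.01)}


if __name__ == "__main__":
    for key, value in busy_afternoon_scenario().items():
        print(key, value)
```

In the scenario, campus-a accumulates 72 CPU-hours and 144 GB-hours (24 hours of baseline plus a three-hour burst) while campus-b accumulates 48 and 96, and the 40-CPU request is refused because only 20 CPUs remain free at that moment; after every lease is released the pool is back to its full 32 CPUs and 64 GB. Separating the lease bookkeeping from the meter is what lets the same pool serve many subscribers while billing each one for its own share.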
To be fair to security industry manufacturers, cloud computing capabilities have evolved significantly over the past five years. Cloud provider application frameworks, meaning the capabilities that cloud service providers such as Amazon and Microsoft make available to cloud application developers, have not always supported the kind of specific computing resource allocation capabilities described above.
The continuing evolution of cloud technology means that the scope of “true cloud” keeps evolving, if the definition of true cloud means “continually making maximum use of evolving cloud computing capabilities for the benefit of cloud application subscribers.” That’s not exactly what Dean Drako meant when he originally coined the term, but it should be a goal of security industry cloud application providers. It is a way to keep increasing the value provided to customers, and consequently the profits earned by the cloud application provider.
With cloud computing capabilities, there are many new opportunities specific to individual business sectors, to design and price security operational capabilities in ways that client-server on-premises computing cannot provide. These would be true cloud offerings, because they take the capabilities that cloud computing platforms offer, and make maximum use of them to create affordable security applications with features that can’t possibly be achieved in client-server on-premises systems.
This topic requires further discussion, to be continued in the next article in this series, which discusses the six key characteristics of cloud computing. (NIST defines five, and ISO/IEC 17788 adds one more.) The article will address proof of concept testing, acceptance testing, feature trials, and the role of cloud application roadmaps.
Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and an active member of the ASIS International member councils for Physical Security and IT Security.