This is the 15th article in the award-winning “Real Words or Buzzwords?” series about how real words become empty words and stifle technology progress, also published on SecurityInfoWatch.com.
By Ray Bernard, PSP, CHS-III
Every type of inspection, review and test that you would perform with a fully on-premises system, you can perform with a cloud-based system, as long as you adjust your methods to fit the reality of a cloud-based application. Customers and integrators have both the need and the right to verify, one way or another, that a cloud-based system will perform as needed. Fortunately, with a True Cloud deployment there is always a feasible way.
Due Diligence and the Cloud
Over the past year, I have learned of several significant cloud-based security application deployments that ran into major trouble, which could have been avoided if the proper due diligence had been done. As Brian Coulombe, Principal and Director of Operations at Ross & Baruzzini’s DVS division, wrote a few years ago in a post on the Security Specifiers blog, “Sound security design principles don’t change much over time – only the tools we use to enact them.”
One important set of tools is inspection and testing practice. In many cases, their application to security system deployments has been disrupted by the arrival of cloud applications. Many security application servers are now located in the cloud, and not on the customer premises, and thus are not owned by the customer. This means that inspection and testing practice must change to account for that. In the cases of the troubled systems, no consideration had been given to what should be tested or inspected for the cloud-based system, and that’s what led to the deficiencies not being initially discovered.
Are You Getting a True Cloud System?
As discussed in the two previous True Cloud articles, cloud computing technology can take security system capabilities and performance far beyond what they have been in the past. Cloud computing makes vast pools of computing resources available for security applications, on demand, under a pay-for-what-you-use subscription. Major customer and integrator challenges that exist for on-premises computing don’t exist with a properly designed cloud system. But since there are no on-premises servers, and since the cloud deployment wasn’t designed by the customer or the integrator, how can you know what you are getting?
What to Inspect
Documentation review has always been a part of the inspection process; with cloud deployments the type and content of documentation has changed. Instead of having to evaluate a detailed design of the system as the means of assuring the levels of performance required, Service Level Agreement (SLA) terms and subscription details are what to examine as a starting point. More detailed discussion should follow based on your system use scenarios. Let’s consider a cloud-based security camera system in which you specify the number of days for cloud-based video retention. When it rains for a week and your outdoor cameras’ motion-based recording sends ten times as much video to the cloud, video storage should increase automatically, and decrease back to normal when the rain is over. Is there any additional charge for 30 days of storage for that extra video? If so, run through the scenario and understand the cost.
Can you specify that for less critical cameras it is okay to trade off retention time in favor of the critical outdoor cameras? For example, cutting back to seven days, while maintaining 30 days of retention for critical cameras?
Or, if you live in a rainy or snowy area, can you skip the concerns over video retention space by investing in self-configuring smart video analytics that recognize rain and snow, and only record on activity that you truly want? Bosch and Agent VI (maybe a few others) have such analytics. Could that approach save you money on your cloud camera system subscription and make video review easier?
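One way to actually run through the rainy-week scenario before signing the subscription is to model retained storage day by day. The following is an added example, not code from the article or from any vendor; the camera counts, upload rates, the 10x surge, the 850 GB plan quota and the 30-day versus 7-day retention settings are all constructed assumptions.

```python
# Added example (not the article's): rolling-retention model for the rainy-week scenario.
from dataclasses import dataclass

@dataclass(frozen=True)
class Camera:
    name: str
    gb_per_day: float     # normal motion-triggered upload volume (constructed)
    retention_days: int   # cloud retention configured for this camera
    outdoor: bool         # only outdoor cameras are hit by the rain surge

def uploads(cam, days, surge_start, surge_len, surge_factor):
    """GB uploaded on each day; outdoor cameras are multiplied during the surge."""
    def in_surge(d):
        return cam.outdoor and surge_start <= d < surge_start + surge_len
    return [cam.gb_per_day * (surge_factor if in_surge(d) else 1.0) for d in range(days)]

def retained(cam, days, surge_start, surge_len, surge_factor):
    """GB held on each day: the uploads inside the camera's rolling retention window."""
    up = uploads(cam, days, surge_start, surge_len, surge_factor)
    return [sum(up[max(0, d - cam.retention_days + 1):d + 1]) for d in range(days)]

def storage_profile(cameras, days=90, surge_start=40, surge_len=7, surge_factor=10.0):
    """Total retained GB per day across the whole camera system."""
    totals = [0.0] * days
    for cam in cameras:
        for d, gb in enumerate(retained(cam, days, surge_start, surge_len, surge_factor)):
            totals[d] += gb
    return totals

def peak_gb(totals):
    return max(totals)

def overage_gb_days(totals, quota_gb):
    """GB-days above the subscription's included storage (the part a plan might bill)."""
    return sum(max(0.0, t - quota_gb) for t in totals)

def build_site(indoor_retention_days):
    """Constructed site: 4 critical outdoor cameras at 30-day retention plus 10 indoor cameras."""
    outdoor = [Camera(f"gate-{i}", 2.0, 30, True) for i in range(4)]
    indoor = [Camera(f"hall-{i}", 1.0, indoor_retention_days, False) for i in range(10)]
    return outdoor + indoor

if __name__ == "__main__":
    # Compare keeping 30 days everywhere with trading indoor cameras down to 7 days.
    for label, ret in (("all cameras 30 days", 30), ("indoor cut to 7 days", 7)):
        totals = storage_profile(build_site(ret))
        print(f"{label}: steady {totals[39]:.0f} GB, peak {peak_gb(totals):.0f} GB, "
              f"overage above an assumed 850 GB plan: {overage_gb_days(totals, 850):.0f} GB-days")
```

The peak lasts for the whole retention window after the rain stops, not just the rainy week itself, which is the figure to put in front of the vendor when asking about extra charges.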
Cyber Security Documentation
Cyber security involves people, process and technology. A cloud-based security system’s documentation should include cyber security documentation, not just for the cloud data center technical measures in place, but for the system data management practices and the cloud data access controls in place.
For systems with on-premises equipment, documentation should include their cyber security profile as well. Ideally, the on-premises equipment will be self-configuring using digital certificate-based authentication and data encryption. That’s the state of current technology. Ideally, the entire system—on premises and in the cloud—will have end-to-end data encryption. For some cameras that’s not possible, but other measures should be in place to compensate.
The Cloud Security Alliance provides a self-assessment questionnaire that cloud application vendors can use to document their security. It is a Yes/No type of questionnaire, with the ability to include a comment. So it doesn’t reveal details of the security implementation, it just identifies what the company found relevant and addressed. Some companies, like Brivo, publish their completed questionnaire on the Cloud Security Alliance website. Others share the information only under a non-disclosure agreement.
Inspecting the Application
You can easily inspect a cloud application, and the nice thing about it is that you are inspecting the actual system that you will get. It’s already deployed in the cloud; what makes a difference is how the demo or actual application is set up, and what equipment it is connected to. Reference sites, as always, can be a great help, and end user advice can help you focus on areas of importance. Once you find a facility that has similar usage to your own, what you see is what you should get.
What to Test
Testing a cloud application is not given much consideration, because it is really only appropriate when there are no subscribers who have the same scale of deployment as you do, such as for number of sites or equipment count. The user experience can be significantly different between a system with 1,000 employees enrolled and 10,000 employees. Does the user interface facilitate reviewing or scrolling through large sets of records? Are query-based searches available so that you can finely control the list of results you get? Do the important and commonly used functions perform as well on tablets and on phones as in a PC browser?
For emergency notification systems, for example, how can you perform a test for the length of time it will take to get a notification out to 20,000 people? If there are no high-user-count subscribers, the cloud application provider should be able to make a QA testing system available that is a read-only copy of the production deployment and can simulate a base level of system activity. You and the vendor can apply a cloud-based testing tool that simulates 20,000 mobile devices. You can actually prove to yourself how the system will work under the load that your usage is likely to generate. This is a proof of concept (PoC) test, and half of the troubled system experiences I mentioned earlier occurred because no PoC test was done. The customer didn’t realize that a True Cloud system’s deployment would include QA and Staging environments in which the application vendor first tests system updates before rolling them out to the production environment.
Final Note
Every type of inspection, review and test that you would perform with a fully on-premises system, you can perform with a cloud-based system, as long as you adjust your methods to fit the reality of a cloud-based application. Customers and integrators have both the need and the right to verify, one way or another, that a cloud-based system will perform as needed. Fortunately, with a True Cloud deployment there is always a feasible way.
Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and an active member of the ASIS International member councils for Physical Security and IT Security.