Evaluating a Cloud-Based Service

July 14, 2016
Embracing and identifying risks as a reseller are critical to success

Cloud-based applications are the central focus of technology development in general, and are quickly becoming the primary experience and expectation of end-users. That’s why the future of your business will involve cloud-based applications.

Evaluating a Software as a Service (SaaS) cloud-based offering — whether related to traditional security technology functions, such as access control and video surveillance, or to an offering whose value lies outside the scope of traditional security applications — involves many important considerations for a security integrator.

The risks involved when an integrator resells a cloud-based service can be several orders of magnitude greater than for a service that might be adopted internally for your company’s own use. The rewards can be higher too, which can make the risk considerations even more critical.

As a reseller, you have a financial and reputation risk if the cloud service application becomes troublesome or fails, or if the company falls short on service. This makes it prudent to identify an alternative solution as a fallback option, and it is why ease of use and an easy transition to an alternative offering are extremely important.

There are many checklists available online for evaluating cloud-based services. Unfortunately, most online and free checklists for cloud services do not include important considerations that a security integrator would have as a reseller or as a service provider. It is up to you to establish whether or not the cloud-based system or application will live up to the customer’s intended use of it, and whether the service provider’s level of support to you will be sufficient for your needs in satisfying your customer.

This third in a series of articles on cloud-based security systems presents several perspectives from which to evaluate cloud services.

Qualifying a Cloud-Based Service

In qualifying a cloud-based service, key areas to focus on include:

  • company reputation
  • service offering
  • pricing
  • value to customers
  • terms of service
  • cyber security and business continuity
  • ease of adoption/implementation
  • ease of transition to a different offering.

While there are also business factors such as reseller and partnership considerations, this article will explore each of these areas.

Note that as you evaluate each cloud service, you should document your findings. These evaluations will speed up future assessments, facilitate discussing the evaluation points with customer stakeholders, and add more depth to the understanding of your sales and support staff.

Traditionally, as a risk mitigation measure, major security system RFPs have imposed the requirement that any technology being proposed must have been operating successfully in several similar customer environments for at least five years. Today, in some cases, that amounts to saying, “Be sure to specify obsolete technology.” It is worth considering how we can replace traditional technology risk mitigation measures with those that are appropriate for the rate of technology advancement in the 21st century.

A two-pass approach with each step can help keep you from wasting too much time on unqualified offerings. The purpose of the first pass is to identify show-stopper issues so as to quickly rule out an offering. The order of the evaluation factors listed above provides a good sequence for the first pass evaluation, based on the time it takes to perform a typical show-stopper review for each factor, going from shortest to longest time to evaluate. The order also constitutes a sequence in which the knowledge gained in each step will be useful in addressing the next evaluation factor. It is usually best for a single individual to perform the first pass, and ideally that same person will oversee or lead the second pass evaluation.

The purpose of the second pass is to fully qualify the offering with regard to each evaluation factor. This is a “divide and conquer” opportunity, as your stakeholders — and also your customer’s stakeholders — will have different stakes in the matter and different knowledge sets to apply to evaluating each factor. For example, a salesperson or account manager is likely to be highly aware of what features would be of value to your customer base. Someone with at least a basic familiarity with system and cyber security should address the cyber security and business continuity evaluation. Your personnel should be prepared to discuss the evaluation points with their corresponding customer stakeholders, should that become important at any point in the sales and deployment processes.

Vetting the Company

There are two aspects to company evaluation: the company and its key people. As always, for both aspects history can be important, and usually the surface picture doesn’t convey all of the relevant facts.

Company evaluation: There are many facets to evaluating a company, and company evaluation is not something new for integrators; however, in this age of rapid technology advancements, there are some new dimensions to consider, and those that provide considerable competitive advantage can seemingly appear out of nowhere.

Here’s an example: The Bosch Automotive group, which provides Google with about 80 percent of its self-driving vehicle software, began sharing its video analytics technology with the Bosch Security Systems group in 2013. This situation represents a significant change from the traditional security industry picture. Through technology-sharing partnerships as well as acquisitions, Bosch can bring field-proven analytics to enhance and even revolutionize its traditional intrusion, access control and video capabilities.

Personnel evaluation: Evaluating a vendor’s key personnel is also not new to integrators. Now, however, it is even more important to determine who establishes the company’s visions, including the technology vision. Because physical security systems are based on information technology, and information technology advancement is continuously accelerating within the security industry, it is now technologically easier to live up to forward-looking visions than in the past. For the company and its personnel, past and current connections to IT advancement and new applications of IT in any industry can be of pivotal importance. For many companies, the extent of their corporate and technology visions will have a greater impact on the company’s upcoming success than many other factors.

The Service Offering

Software as a Service is the cloud model used to provide security application offerings, which sometimes further classify themselves according to their physical security product category, such as Video Surveillance as a Service (VSaaS) or Video Analytics as a Service (VAaaS). Steve Van Till, president and CEO of Brivo Systems — the first company to provide cloud-based access control — has written an excellent article, 7 Requirements for a SaaS (available at www.securityinfowatch.com/10537058), that identifies the following seven requirements for physical security cloud-based offerings:

  1. Audited data security controls
  2. Track record of high availability
  3. Multiple, secure, disaster-tolerant data centers
  4. Integrated applications, not stove-pipes
  5. Is your vendor asking for inbound holes in your firewall?
  6. Device authentication
  7. Penetration testing

Another consideration is the level of training that your own personnel will require in order to support the offering. Additional requirements are addressed in the section below about the service offering’s value to the customer.

Pricing

As always, pricing is a key consideration in the profit picture. Be sure to understand the organizational implications of subscription-based pricing for your customers, including the potential shift from CapEx to OpEx funding. Take into account the customer’s expectations for future use and expansion for the cloud-based application.

Be sure that the Terms of Service includes the length of time for which the current pricing is valid. Service pricing is trending downward, unless the customer adopts additional subscription items.

Value to Customers, Including Customer ROI

In addition to the technical requirements addressed in the service offering section, the application must meet your customer’s needs and wants. This includes not only the functions and capabilities of the application, but also the quality of the user experience. What tasks will the users need to perform? How helpful are the task workspaces that the application provides? How consistent is the experience across the computer, tablet and smartphone devices your customer expects to use?

The more intuitive and self-explanatory the application’s user interface is, the simpler the training will be. Ideally, you will be able to talk to the personnel of end-user reference customers, who can explain how the application’s features have improved their ability to get work done.

Terms of Service

There are two terms of service to consider — between you and the cloud services provider, and between you and your customer. The terms of service for cloud-based subscriptions are captured in a Service Level Agreement, which is a binding contract between the cloud service provider and your company that outlines responsibilities on both sides. At a minimum, your cloud provider’s terms must give you all the support you need to live up to the level of service you specify in your customer contract.

Cybersecurity and Business Continuity

Cybersecurity: A good resource is the Cloud Security Alliance (CSA) and its Security Trust & Assurance Registry (STAR) program (https://cloudsecurityalliance.org/star), which documents providers from at least the self-assessment level. At the time I wrote this article, Brivo was the only physical security industry company listed in the registry (http://bit.ly/brivo-systems-csa-star).

Business continuity: Consider the ways that the cloud-based application could become unavailable, and whether the application’s usual Internet connection could fail. What alternative Internet connection can the organization make use of in such a case? If the customer organization does not already have Internet continuity addressed, you will need to provide them with an appropriate solution. How and where will the data in your customer’s cloud application be backed up, and how will your customer access or download that data if there is a need to transition to a different product or service?

Ease of Adoption/Implementation

It is important to determine how easy it will be for your customer to adopt the cloud-based application. What changes will be required to the way they usually work because of the application? How easy will it be for you to support the application’s implementation? How much training will the customer need?

Ask the service provider to facilitate discussions between you and several integrators who have provided the service to their customers — this will help you set your customer’s expectations, and help you price the services appropriately.

Ease of Transitioning to a Different Offering

If for any reason the cloud-based application turns out to be unacceptable or fails in some way, how difficult will it be to transition your customer to another product or system? You should be prepared to answer such a question from your customer. Will the customer be able to fall back to their previous solution, at least temporarily, or will an entirely new cloud-based solution be the only option?

Editor’s Note: Look for follow-up articles in the coming months, with various perspectives on cloud-computing-related opportunities for integrators.

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council and an active member of the ASIS International member councils for Physical Security and IT Security.