Cloud Security Roles

Nov. 11, 2016
Ensuring cybersecurity of PSaaS offerings for your customers means understanding each stakeholder’s responsibility

For Physical Security as a Service (PSaaS) cloud-based offerings — subscription-based offerings that include system software for managing and using on-premises security system equipment such as card readers, security video surveillance cameras, intrusion detection devices, etc. — cybersecurity is an important element.  

System software for user interaction with the system, which is provided as a cloud-based Software as a Service (SaaS) application, is the key element of a PSaaS offering. Well-designed and soundly implemented cloud-based applications can be much more secure than in-house applications, but only if all of the security roles and responsibilities are understood and accounted for.

This is why security integrators must understand all of the roles and responsibilities relating to the security of SaaS applications and their data, and to the security of the on-premises equipment as well.

Growing Value of Security System Data

The proven high value of video analytics for retail organizations is a good example of how security system analytics data is continuing to increase in value as the capabilities of analytics and big data analysis evolve. Such analytics data contain personally identifiable information (PII), as well as other data that requires privacy protections (such as security investigations data).

Advances in electronic security systems ensure that going forward, the cybersecurity protection of security systems data will continue to increase in importance. There are cybersecurity responsibilities for both the on-premises and cloud-based elements of a PSaaS solution: Who is responsible for the cybersecurity of each part?

The chart below lists the roles and responsibilities for a simple PSaaS solution.

Cybersecurity Roles and Responsibilities for a PSaaS Offering

(For each role: a description, followed by its security responsibilities.)

Cloud Service Customer

Utilizes the PSaaS offering for security operations and investigations, and uses the business-related video analytics data for business planning and decision-making.

Responsible for:

  • Identifying and/or specifying cybersecurity requirements of data that will reside in the cloud. That includes the classification of the data (confidential, private, etc.) as well as any regulatory requirements such as country residency (data must be stored within that country). Classification and residency requirements determine the encryption requirements and backup data location options.
  • Approving the cybersecurity profile of the cloud service, including its on-premises equipment
  • Stringent management of user logon credentials to the SaaS application and on-premises security systems equipment, unless the integrator provides user logon credential management as a service
  • Regularly reviewing/auditing system and device access records and user access privilege assignments, and performing or initiating timely termination of access privileges when appropriate
  • Network security for the on-premises equipment, if the on-premises equipment resides on, or connects to the Internet via, the corporate network
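The access-review and timely-termination responsibilities above are the ones a customer can partly automate. The script below is an added example, not from the article: it takes three constructed inputs (privilege assignments on the SaaS application and on-premises devices, an HR list of terminated users, and access records in a made-up log format) and flags privileges still assigned to terminated users and any successful logons by those users after their termination date.

```python
"""Access-review helper for the Cloud Service Customer role (added example)."""
from datetime import date, datetime

# Constructed sample data; the log line format is an assumption, not a real product's.
PRIVILEGES = [
    {"user": "alice", "system": "saas-app", "role": "operator"},
    {"user": "bob", "system": "door-controller-01", "role": "admin"},
    {"user": "carol", "system": "saas-app", "role": "investigator"},
]
TERMINATED = {"bob": date(2016, 10, 31)}  # user -> last day of employment
ACCESS_LOG = [
    "2016-10-30T08:12:00 saas-app LOGIN user=bob result=success",
    "2016-11-02T22:41:00 door-controller-01 LOGIN user=bob result=success",
    "2016-11-03T09:00:00 saas-app LOGIN user=alice result=success",
]


def stale_privileges(privileges, terminated):
    """Privilege assignments that should have been revoked at termination."""
    return [p for p in privileges if p["user"] in terminated]


def parse_log_line(line):
    """Split one constructed log line into a record."""
    ts, system, _event, user_kv, result_kv = line.split()
    return {
        "when": datetime.fromisoformat(ts),
        "system": system,
        "user": user_kv.split("=", 1)[1],
        "result": result_kv.split("=", 1)[1],
    }


def post_termination_logons(log_lines, terminated):
    """Successful logons by a user after their termination date."""
    hits = []
    for rec in map(parse_log_line, log_lines):
        end = terminated.get(rec["user"])
        if end and rec["result"] == "success" and rec["when"].date() > end:
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for p in stale_privileges(PRIVILEGES, TERMINATED):
        print("revoke:", p)
    for h in post_termination_logons(ACCESS_LOG, TERMINATED):
        print("investigate:", h)
```

Logons that succeed after termination point to a gap in the revocation process (or shared credentials) and are worth an investigation ticket, not just a revocation.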

Security Systems Integrator

Installs and maintains the PSaaS on-premises equipment.

Responsible for:

  • Verifying the status of cybersecurity controls for the PSaaS offering and any cloud-based integrations involved
  • Accurately informing the customer of the cybersecurity profile of the cloud service
  • Cyber-secure configuration of the on-premises equipment
  • Stringent management of service technician logon credentials for accessing on-premises equipment and the cloud service

PSaaS Vendor

Provides the SaaS Application and provides or specifies the on-premises equipment that the Security Systems Integrator resells.

Responsible for:

  • The cybersecurity of the SaaS application and any cloud-based integrations to it
  • Cyber-secure configuration capabilities for any on-premises equipment provided or specified
  • System hardening guidance
  • Vulnerability policy and method for integrators and their customers to report cyber vulnerabilities

Cloud Infrastructure Provider

Provides the Platform as a Service (PaaS) infrastructure on which a SaaS application runs (such as Microsoft Azure or Amazon AWS).

Responsible for:

  • Computer and network security of the cloud infrastructure provided

Not responsible for:

  • SaaS application security
  • On-premises equipment

Complex Deployments

Cybersecurity responsibilities for more complex PSaaS deployments are simply extended across the vendors and cloud infrastructure providers involved. It is possible, for example, to have two or three PSaaS vendors — one each for access control, video management, video analytics and visitor management.

Each PSaaS vendor may have a different cloud infrastructure provider. There may be both cloud-level integrations and on-premises integrations between the various PSaaS offerings. All of the cybersecurity issues must be identified and the responsibilities accounted for to ensure that there are no gaps in cybersecurity protection. This should be reflected in the documentation of the various product and service offerings.

Assurance of continuous conformance to cybersecurity requirements should be provided by the chain of Service Level Agreements from cloud infrastructure provider, to PSaaS vendor, to security systems integrator, to cloud service customer.

Whether the picture is simple or complex, it is important to ensure the cybersecurity of a PSaaS offering by determining, fully agreeing on, documenting, and verifying who is responsible for what, and how those responsibilities will be lived up to.

Editor’s Note: Look for the next article in this continuing series in early 2017.

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council and an active member of the ASIS International member councils for Physical Security and IT Security.

Other Articles in this Series

This is the fifth article in Ray Bernard’s series dealing with cloud-based systems. Here are links to the other articles:

Avoid Key Cloud Services Mistakes
(SD&I March 2016)
www.SecurityInfoWatch.com/12177153

Cloud Computing: Clarity or Confusion?
(SD&I June 2016)
www.SecurityInfoWatch.com/12211857

Evaluating a Cloud-Based Service
(SD&I July 2016)
www.SecurityInfoWatch.com/12223384

Addressing Cloud Risk
(SD&I September 2016)
www.securityinfowatch.com/12243763