7 Requirements for SaaS

What end-users should be looking for in a software as a service provider


Second, the requirement for being in multiple geographically dispersed data centers is important because it insulates you from many types of regional disasters - both man-made and natural - as well as transient Internet congestion, which can affect application response time.

On a related note, multiple data centers do no good unless your data is replicated across them in real time. Buyer beware: not everyone does this, so ask about it. The simple question to ask is: "explain your data replication strategy." Key words you are listening for are "real-time" and a proven, name-brand database solution, not a home-grown or "proprietary" approach that you cannot research. It is also worth asking how much data could be lost and how long recovery would take if the primary site failed, and whether that failover has actually been exercised rather than just designed.

4. Look for integrated applications, not stove-pipes

In the current rush to the cloud, one of the things we see happening is a repetition of the age-old IT sin of stove-piping applications. Traditionally, this term has meant deploying single-purpose applications that do not communicate with one another, resulting in poor data integration, poor workflows and higher costs to the end-user. SaaS will not change that - a stove-pipe in the cloud is just as bad as a stove-pipe in your own data center. You need applications that work together.

In the physical security domain, this typically means integrating one or more of access control, video surveillance and intrusion detection. Given the immaturity of many of the SaaS offerings currently in our industry, we are seeing many single-purpose, stove-piped applications that are unable to communicate with any of the other applications that are normally a part of a full physical security suite. This does not mean they aren't great applications. The problem arises when you need your hosted IP video system to interoperate with your hosted access control solution - and you may find that your vendor does not offer this pairing.

This means that buyers need to ask about application integration up front, and make sure that vendors can provide the combinations they need.

5. Is your vendor asking for inbound holes in your firewall?

Because SaaS security systems exchange data between on-premises devices and off-premises hosted applications, they need connections through your corporate firewalls. There are both safe and unsafe ways to do this.

In a nutshell, your security devices (control panels, cameras, etc.) should be initiating the connection to the hosting center, and not vice-versa. Why is that? First of all, you never want to open any inbound ports on your firewall unnecessarily - that's just bad policy. Second, firewalls are typically already configured to allow outbound connections from your network to external service points, such as Web sites, and to let the replies to those connections back in. This principle explains how your corporate network can safely allow employees to connect to millions of Internet sites without specifically having to identify each one in advance, and, at the same time, keep millions of hackers from gaining entry into your network or personal computer. You should ask no less from your physical security solution. Note that the direction of the connection is only half of the answer: the outbound session still has to be encrypted, and the device still has to verify that it is talking to the genuine hosting center, which is the subject of the next requirement.

If your vendor tells you that you need to open up inbound ports on your firewall, think twice about using their service.

6. Device authentication

Your system is only as secure as the authentication and authorization procedures that protect it. This security principle applies to physical devices on your network just as it does to human users. Security equipment such as cameras and control panels are essentially "logging in" to exchange data, and they need to be authenticated as well.

The most widely accepted way to do this is to install X.509 digital certificates from a trusted certificate authority, together with a private key, on each networked device. These certificates allow the establishment of mutually authenticated, encrypted sessions (typically TLS) between endpoints and applications: the device proves its identity to the hosting center, and the hosting center proves its identity to the device. Ask whether each device gets its own certificate rather than a shared one, so that a single compromised camera or panel can be revoked without touching the rest of the fleet.

If your SaaS provider's equipment does not allow you to do this, you should ask what they are doing to provide an equivalent level of security.

7. Penetration Testing

Penetration testing, also known as "white hat hacking," is a process for evaluating the security of a computer system and its applications. The purpose is to have experts try to hack your own system before someone else does, and to fix any vulnerabilities uncovered in the process. Typically, SaaS service providers contract with an outside firm for this service because these firms specialize in knowing how to perform all of the latest and most sophisticated attacks. A penetration test is a snapshot, so ask not only whether one was done but when, what was in scope (the hosted application, the device-facing interfaces, the data centers) and whether the findings have since been fixed.