Adoption of cloud-based security solutions at the crossroads

May 22, 2012
Many physical security pros still cautious about technology

Adopt, postpone or ignore? This is the age-old question physical security professionals ponder while being continuously exposed to new technologies in the management of their programs. Many technologies offer direct improvements, while others offer the simple organization and presentation of security data.

The decision to adopt standards and best practices and to apply technologies that promise improved situational awareness is, at times, not enough. The program manager might decide to postpone migration or, worse yet, ignore it, citing unbudgeted costs. Imagine, however, that the user’s response during crisis situations improves, and that simply "faster" review of authenticated security media like forensic video becomes a reality. This is a small view into the many applications available as managed services and virtualized infrastructure: the signature success of cloud solutions.

As an evolutionary progression of network-accessible voice, data and media content, cloud computing adoption is not a question of if, but when. Having passed "early adoption," cloud computing has definitely "crossed the chasm," as described by technology consultant and "Crossing the Chasm" author Geoffrey A. Moore. Solutions are described as moving from innovator to early adopter to early majority (see Figure 1). Customers across a range of industries and company sizes are moving beyond pilot projects and are beginning to use cloud computing for business-critical applications.

Spending in the cloud

Cloud computing will be a key driver of net new IT spending over the next five years as public cloud service providers and the adopters of private cloud environments invest in the supporting infrastructure. Overall spending by public cloud service providers on storage hardware, software, and professional services will grow at a compound annual growth rate (CAGR) of 23.6 percent from 2010 to 2015, while enterprise spending on storage for the private cloud will experience a CAGR of 28.9 percent, according to an IDC Research report published in October.

By 2015, combined spending for public and private cloud storage will be $22.6 billion worldwide.

EMC reports IT purchases of cloud solutions are replacing "conventional" network hardware, with the combined public and private cloud expenditures expected to be about half by 2015 (see Figure 2).

So, why the delay? What are the reasons for some physical security professionals and organizations to be cautious and delay adoption? The following come up most often:

• How secure is my data in the cloud?
• Where are my assets and who has access to them?
• Is cloud computing deployment success dependent on connectivity?

Security

One type of physical security application in the cloud uses network video cameras. Network video surveillance systems comprise “edge” devices like network cameras and encoders that produce video content and metadata; control, analysis, media search and content management functions; and storage and display components. Physical and logical infrastructure provides connectivity between these categories and also conforms to useful standards like 802.1X, or port-based network access control. This ensures that a user or device cannot make a full network connection until properly authenticated.

Many of today’s network video cameras are actually platforms or small computers, complete with solid-state storage and room for onboard security and video content analysis “apps,” as well as enhanced image processing.

An important function of these “non-person entities” and edge devices is the use of cryptographic algorithms to secure the video media, authenticate with a trusted authority, and permit consumers of the video/metadata stream to receive content on any device once they have been authenticated in real time.

This structure offers vital resistance to intrusion exploits and distributed denial of service attacks (DDoS) as the devices have achieved trusted identities.

Assets

Today’s cloud services, especially managed or “hosted” video and physical access control, can offer the user the ability to track or constrain the geographic location of their data assets, as well as who has access roles and permissions. Service level agreements (SLAs) communicate these expectations, as well as continuity of service, and are a critical part of any cloud-based service.

The security practitioner and the organization they represent still own all rights to the content. Just as with any VMS-based security system, the rights and access can be controlled by the end user. Cloud services by nature are meant to replicate in-house systems, but are managed offsite. This simply means the content produced is the same; only the delivery mechanisms are different.

Connectivity, Content and Media

Intelligence, authentication and improved storage management at these “edge” network cameras and physical access control devices can be enhanced with network attached storage (NAS) devices. Managed video devices stream the higher resolution HDTV video data to a local NAS, permitting a lower bandwidth video stream directed “up” to the cloud or managed service provider, where there might be constraints on connectivity, such as with the use of asymmetric digital subscriber lines (ADSL).

Should there be a connectivity failure through the internet service provider (ISP) for the device supported by the cloud, the device can continue recording on the NAS. An additional benefit for physical security is that this device can also be connected to local authorities through a local wireless solution (i.e. MESH/MIMO), and fully support video on ruggedized laptops in first response vehicles and on a wide variety of mobile devices. The “smart transcoding” of these video streams from cloud to mobile device is discussed at length in the Video Quality in Public Safety Handbook, available at http://www.pscr.gov/.

The key is to understand the needs of the cloud-based security applications and set up proper expectations and redundancy measures (if necessary) to ensure appropriate uptime. Most hosting providers stick to the law of five-nines uptime – another factor that should be covered in the SLA – yet if the security application calls for additional redundancy, inexpensive hardware can be integrated into the system onsite.

ROI and what makes for a great “match” in the cloud

There are many ROI studies demonstrating the savings organizations and agencies have enjoyed by deploying both private and public clouds. Tools specific to the video and physical access control manufacturers that estimate return on investment have just been deployed. EMC’s tool outputs a total cost of ownership comparison between a cloud-based network video surveillance solution and a legacy solution. Answer a few questions about each use case and the tool delivers data illustrating a cumulative reduction in total cost of ownership (TCO) through cloud deployment. If the solution uses event-based recordings, as most network video and physical access control systems do, the savings may be even greater.

And so, what makes the cloud "fit" so many applications? It is not by accident that Amazon’s primary offering is known as "Elastic Cloud." Perform legacy, fixed-budget IT resource planning and the result will be either surplus (waste of services) or poor performance and limited storage, followed by the customer’s dissatisfaction.

This is where the cloud shines. A cloud’s elasticity matches computing and storage resources to the tasks, with minimal waste, dynamically allocating by historical trends or real-time adjustments. One of the best approaches is to look at the use of your physical security operation and see if there are service peaks and valleys, starts and stops, or unplanned growth or shrinkage. All of these behaviors are well matched to cloud deployment.

Another approach is to contract with a cloud service provider only when you need to "rent the spike" after establishing baseline costs. This way, you would outsource unbudgeted, unforecasted high usage or specialized applications to managed services. One example of this is video surveillance for event security. The event dates are predictable, but the attendance may not be.

Physical security applications in the cloud allow our industry to be more operationally effective. They are designed to give authorities minute-by-minute situational awareness about public safety and crime, as well as the medical emergencies that first responders support every day. The flexibility and performance of cloud-based network security solutions are as important as the valuable content and intelligence these systems provide. These solutions include:

• Managed-Video-as-a-Service (MVaaS)
• Hosted video
• Physical access control
• Visitor management
• Identity management
• Intercommunication/mass notification/emergency communications
• Storage/backup/lifecycle management/upgrade
• Activity tracking/security force management/remote guarding
• Video content analysis
• Business intelligence
• Network device provisioning and monitoring

About the author: As Axis Communications’ Security Industry Liaison, Steve Surfaro consults with a number of industry associations, including ASIS, BICSI, SIA and NBFAA/ESA, on physical security technology innovation and best practice adoption.