Bates: Decide what kind of cloud best matches the business and use case scenario, and which services you need: whether SaaS (Software-as-a-Service), PaaS (Platform-as-a-Service), or IaaS (Infrastructure-as-a-Service). There are four cloud types: private, community, public or hybrid. If you are a large enough organization, a private cloud for services to share only with your community of users might be best. It requires a good IT staff and expectations around what will be delivered and also the availability. A community cloud allows several agencies that share the same concerns to access information. Many security companies are looking at using public cloud infrastructure to host their security applications as they do not need to invest the millions of dollars involved in owning and maintaining infrastructure and platform. By selecting this PaaS option, these companies can effectively offer their own SaaS service. Another example of SaaS would be Microsoft’s Office 365 or TurboTax that you pay just for what you use.
Meltzer: Starting your own cloud service is technologically not a challenge. But like any business, there are costs to consider. Starting a cloud-based initiative brings with it a host of other considerations including security, reliability, resilience, data storage and infrastructure redundancy. There are legal considerations. By offering these services there will be regulatory and compliance issues that you will be signing up for.
Moran: Whether you offer a public or private-cloud service depends on the IT infrastructure you prefer to manage, the sophistication of your competitors, as well as the needs of your existing customers and prospects in your market. For example, a small, local hospital may want the convenience of cloud-based access control but not want their security information hosted in a public cloud environment along with other customer data. In this case, you could configure a 100-percent, Web-based access control network appliance and host the system for the hospital as a private-cloud solution.
Surfaro: With a larger choice of managed or virtualized physical security offerings out there today, there is a greater demand for the “cloud broker” or service reseller (SR) to qualify and match their services with SLAs to appropriately capable service providers (SP). The SR’s return on investment (ROI) is far faster than that of an SP, as there are far fewer depreciating investments and a greater reliance on skilled professionals to act as cloud consultants or service agents. An SR may move into a hybrid SR/SP role by accumulating monthly revenue shared with another SP. The SR may realize that the diversity of markets requiring cloud services is so great that the manpower must be allocated to seeking out potential users rather than delivering the actual services. SPs may add reseller roles internally but, to scale as fast as possible, the establishment of a cloud services reseller partner program is both essential and rewarding. With logical and cyber security improving, the decision to use a public or private cloud is getting more difficult.
Q: What’s involved in servicing customers using the clouds?
Bates: As a security practitioner you have to have controls in place to mitigate risk with compliance, privacy, security and other factors associated with risk management. If you take a SaaS application, someone else has complete control of everything: your data, the application and your computing infrastructure. Build trust. Have sufficient contract provisions to protect data and validate those controls are real using an independent source.
Meltzer: Servicing includes both sales and support. For cloud-based video applications you will need staff and personnel that are completely familiar with networks and bandwidth utilization and IP camera technology. And then you will also need personnel well versed in video itself. At a minimum, IT-trained personnel are a must as are specialists in the cloud-based applications you offer. There are new considerations in the areas of service and maintenance. The traditional SLA specifies performance and response, but only after quality of service (QoS) has been defined and real-time monitoring and enforcement have been negotiated. You need to ready yourself for the adoption of SLA-based services, versus the traditional liability-limiting indemnifications such as those found in alarm monitoring agreements.
Moran: You could provide on-site response and system administration as a bundled service offering, establish pricing and implement a recurring monthly revenue model. Some manufacturers already offer their access control systems to dealers on a monthly subscription basis, allowing them to resell the systems to customers on a pay-as-you-go model without purchasing the entire system up front, making the transition to a cloud-service offering even easier.