The Flip Side of Amazon

April 7, 2020
Despite heated competition posed by Amazon in the residential security space, commercial-focused integrators may find the company holds the key to dramatically changing the way they do business
This article originally appeared as the cover story in the April 2020 issue of Security Business magazine. When sharing, don’t forget to mention @SecBusinessMag!

Amazon tends to be a dirty word in the residential security services industry, because integrators can see the threat posed to their businesses by DIY in general – a concept that Amazon has fully embraced via its many security technology-related acquisitions, including and especially Ring.

Despite the heated competition posed by Amazon in the residential space, there is a flip side to the coin. For integrators focused on commercial and enterprise clients, Amazon could be the key to a positive game-changer for integrator businesses – by providing the means to deliver cloud-based security services in a revolutionary way.

Milestone Systems has been revealed as the first to embrace this revolution in the security industry, when the company announced it will be offering its popular XProtect VMS using Amazon Web Services (AWS). It is the first of potentially many ways that AWS can dramatically change the way security integrators offer their services, and create a more efficient, nimble and ultimately successful business model.

On-Premise or Cloud System?

Since the advent of cloud-based access control and video systems, the basic choice has been on-premise vs. cloud – one or the other. Nowadays, based on modern technology, an electronic security physical security system (EPSS) can be composed of a variety of interacting premises-based and cloud-based elements. This includes cloud-based virtual hardware running a new generation of previously premise-based application software, launched and configured by a physical security or IT systems integrator.

For cost, convenience and performance reasons, this is a forward technology path that is not going to reverse itself. Taking this path requires that manufacturers understand evolving cloud computing capabilities and how to apply them to the range of security applications. It also requires that security system service providers embrace the related business models, and expand their knowledge and skill sets, so as to effectively and efficiently deliver the new technical capabilities in ways that make the most sense for prospective and existing customers.

Getting the Full Picture

An electronic physical security system (EPSS) can and should be built using an appropriate cyber-secure combination of on-premises computing and cloud computing capabilities as fits the following factors requiring consideration:

  • Existing security technology infrastructure;
  • Current and anticipated security/life-safety risk mitigation needs;
  • Normal, emergency and crisis security/life-safety response requirements;
  • Business and facility operations requirements (data provision and building controls integrations);
  • External stakeholders (including law enforcement private/public partnerships);
  • End-users of the related software applications;
  • Directions of computing and networking;
  • Smart building and other built environment continuously-advancing AI trends; and
  • Fast-growing electronic sources of real-time risk and threat intelligence.

Each of the bullet points above would easily warrant its own article or two of discussion; however, the purpose of this article is to present some of the new facility security systems topology options – and resulting systems integrator business opportunities – that key Amazon AWS services make possible today.

Milestone Systems is the first security industry company to make use of use of these AWS Marketplace capabilities, doing so in ways that supports the entire Milestone customer base as well as prospective customers, and their systems integrators and technology partners. Thus, what Milestone is doing is illustrative of what the future holds, as others begin taking advantage of the technology and business opportunities now possible. There are a lot of dimensions to this Milestone initiative, presented in a 92-minute video from the Milestone MIPS event:

Milestone’s initiative serves as a use-case example for how AWS Marketplace can impact the application deployment experience both for integrators and their customers, expanding the array of opportunities available for integrators.

Making Deployments Easier

If security industry vendors expect their advancing security technology products and services to achieve a high rate of adoption, they must be easier to buy, deploy and maintain than the previous generation of products and services. That’s what Milestone is accomplishing through its use of AWS Marketplace, which includes the adoption of a Bring Your Own License (BYOL) software licensing model that enables companies to use XProtect product licenses flexibly – meaning on-premise or in the cloud. AWS already supports BYOL for Microsoft Windows Server and SQL Server. BYOL support is good news for enterprises who have well-priced quantity license packages.

Tom O’Connell, A&E Program Manager for Milestone, says the BYOL model is just part of the company’s inclusionary vision. “Our objective is ‘not leaving anyone behind’ in sales, service and technology when it comes to cloud adoption – that includes customers, integrators, system designers and specifiers,” he says. “To that end, the AWS and Milestone cloud training and certifications are paramount in enabling integrators and specifiers to make the most of these new opportunities for their customers.”

Amazon Web Services has a broad AWS customer profile that includes small and medium size businesses as well as very large enterprises such as Netflix, Facebook and ESPN, to name a few. This means that it must support a wide range of user authentication options including Microsoft Active Directory and advanced multi-factor authentication; thus, it will be easy for integrators to accommodate their customers’ current and future authentication preferences, whether the customers be small, mid-size companies or very large enterprises.

On-Premise vs. Cloud and Technology Evolution

Today, many of the “on-premise vs. cloud” discussions are still framed around the legacy thinking of yesteryear’s technologies – where the security software applications are thought of as being entirely on-premises or entirely in the cloud. Modern security systems can now be built with applications running both on-premises and in the cloud; thus, making a choice will be influenced by a number of end-user customer factors, including OPEX vs. CAPEX considerations, facility locations, existing on-premises technology capabilities, security operational needs and overall long-term strategy for EPSS technology deployment.

Because technologies are continually evolving, deployments should be designed and managed in ways that enable their continual advancement in place. That includes not only more frequent software and firmware upgrades, but also more frequent hardware upgrades – something that is only feasible in the cloud. Because cloud hardware is virtualized into sharable pools, it is possible to log in and upgrade the compute, storage and networking capabilities of a cloud-based security system application with just a few clicks, with application downtime measured in seconds and minutes – not hours or days – without traveling to a site.

A server hardware upgrade for a large multi-site video surveillance system typically take weeks to months to execute and involves days of on-site technician work at each location. In a cloud scenario, a single technician can upgrade a large VMS deployment’s compute, storage and network capacities for a dozen customer locations across the country in just an hour or two from a single desk.

Such capabilities radically improve an integrator’s cost-to-serve picture, especially for large multi-site customers. It also significantly improves the customer’s technology experience as well, compared to dealing with fixed-hardware on-premises server deployments that typically outgrow the hardware capabilities initially provided.

AWS as it Applies to VMS Deployments

There are four key AWS services relating to VMS deployments:

1. EC2 (Elastic Cloud Compute) – Via AWS Marketplace, integrators will be able to launch an XProtect server cloud instance in minutes and begin configuring it. Upgrading the server capabilities for system expansion can also be accomplished in minutes. Technicians can simply stop the running AWS VMS instance, select the new levels of computing, memory and/or network capability and then restart using RDP (Remote Desktop Protocol) to securely access the AWS EC2 XProtect server instance.

2. AppStream – AppStream 2.0 is an application streaming service for centrally managing desktop applications and securely delivering them from AWS to any computer, thin client, phone or tablet. It is perfect for the XProtect client and client software because it provides the levels of CPU and GPU processing security that video requires, shifting those requirements from the end-user’s device to AWS. It supports multiple monitors and optionally USB ports on the end-user side. The display and user interaction data sent from AppStream to the local client device streams via an encrypted remote protocol, meaning traditional workstations and desktops can now be lightweight terminals. Security operators interact with their XProtect clients as a secure stream of pixels, not a locally-installed set of Windows applications.  

The AppStream service provides uniformly great application user experience on laptop, tablet and workstation computers with no special video processing capabilities required on those devices. Additionally, video data itself is secure because unless video export is enabled for the local computer, the video data itself never leaves AWS.

3. S3 (Simple Storage Service) – An S3 cloud storage volume can be specified in XProtect for archiving video, whether XProtect is running in the cloud or on-premises. Amazon S3 is designed for 99.999999999% uptime – eleven 9s of durability. The XProtect experience for viewing S3-based video is the same as for on-premises data, making no difference to the user. There is no data ingress charge for the video data sent to an S3 storage volume, as is typical for data sent into a cloud service; however, there is also no charge for video data egress out of S3 storage to XProtect clients running on AppStream, whereas there is an egress charge if the XProtect client is running outside of the AWS cloud environment. The S3 Glacier service provides low-cost, long-term data storage appropriate for video that must be retained for regulatory reasons and will be accessed infrequently, if at all, for about $4 per TB per month.

4. AWS Direct Connect – AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from an on-premises network to AWS. Its purpose is to reduce bandwidth costs as well as establish more consistent network performance over Internet-based connections. Direct Connect is available to use in place of customer-furnished or integrator- provided VPN connections where that makes sense from performance and cost perspectives.

Use Cases  

One, a few or all of the above-mentioned AWS services can be used as appropriate for existing and new deployments. Here are two multi-site use case examples:

On-Premises NVR-based VMS Deployment – This example use-case has five customer retail store sites, each with its own Milestone Husky NVR and 24 network cameras. The owners and managers are now being provided remote access to video from their homes and business offices, whereas before video was only available to them on-premises. Under this cloud-enhanced topology, the integrator no longer has to go on site to perform VMS client software updates and system configuration changes because they can now be done remotely.

The simple remote access solution uses Amazon AppStream to run the XProtect Management Client and Smart Client software in a virtual private cloud. This topology provides consistently high XProtect application performance on both standard and lightweight client devices, regardless of the number of video streams being viewed.

Pricing has a small fixed element, plus monthly charges based on how many hours the users are logged in and running applications. So, for example, a retail store’s security surveillance Smart Client instance would run 24 hours per day, whereas a store manager’s instance may need to run only 10 hours per day. This is a typical pay-for-what-you use cloud scenario.

When an NVR hardware refresh is due, the XProtect server software can move to the cloud in an EC2 instance, set up through AWS Marketplace. It would connect to store cameras via the VPN connection originally established for each NVR, with the AppStream clients now connecting to XProtect server EC2 instances. It is a straightforward path to full cloud deployment that ensures full return on investment for the NVR on-premises deployments. The NVR-to-cloud switchover could be accomplished in just a few minutes during store off hours, with no need for a technician to visit the site, except to physically retire the NVRs when convenient.

Enterprise VMS Deployment – This example use case depicts an expanding multi-site large enterprise, whose sites have a variety of on-premises hardware of varying ages as well as a variety of XProtect software versions, with its XProtect Smart Client applications running on Amazon AppStream, and individual sites migrating to cloud server deployment over time. This makes it possible to start with exactly the virtual hardware resources needed and expand them easily over time as needed for camera growth, additional video analytics use, and so on.

The combination of AWS and Milestone training and certification options, plus the inclusion of XProtect offerings that provide “instant product launch and configure” capabilities for running server and client software, provide a very focused path for embracing modern computing technologies for physical security system applications, as well as the related business model elements. This is an approach that achieves current-day profits while establishing future technology readiness in the process.

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services ( He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is an active member of the ASIS member councils for Physical Security and IT Security. Follow him on Twitter: @RayBernardRBCS.

About the Author

Ray Bernard, PSP, CHS-III

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (, a firm that provides security consulting services for public and private facilities. He has been a frequent contributor to Security Business, SecurityInfoWatch and STE magazine for decades. He is the author of the Elsevier book Security Technology Convergence Insights, available on Amazon. Mr. Bernard is an active member of the ASIS member councils for Physical Security and IT Security, and is a member of the Subject Matter Expert Faculty of the Security Executive Council (

Follow him on LinkedIn:

Follow him on Twitter: @RayBernardRBCS.