Avoid Key Cloud Services Mistakes

March 14, 2016
The first of a three-part series focuses on what you should expect from physical security manufacturers’ cloud applications

Cloud-based services continue to appear in growing numbers. They can be found in any field and industry. The widespread adoption of cloud applications continues to accelerate because — from the user perspective — they save money, provide mobility (access anywhere, anytime), are increasingly intuitive, offer high reliability (including automatic backups), and usually provide around-the-clock support.  

With most new software being built for cloud from the outset, IBM predicts that by 2016, more than a quarter of all applications (around 48 million) will be available on the cloud. Cloud adoption is skyrocketing with no letup in sight for the foreseeable future. The average company uses 1,154 cloud services, more than 10 times what IT expects. Employee-led cloud adoption is transforming the enterprise, and the average person now uses 28 cloud apps regularly, according to a report from SkyHigh Networks.

However, not all of those new cloud services are ready for the enterprise. Troublingly, 49 percent of IT professionals say they have been pressured into approving an app that did not meet their company’s security requirements, according to SkyHigh’s report.

In the past, physical security manufacturers were slow to adopt information technology into products and systems — several years behind the business world’s general adoption of IT advancements. Moreover, in its adoption of information technology, the physical security industry did not always do a good job of it. If IT departments are finding that nearly half of the cloud business applications they want to use are not up to their security requirements, what should we expect from physical security industry cloud applications?

This first of a three-article series on the cloud takes a look at where the security industry was coming from 10 years ago, and contrasts that with where the industry is now with regard to cloud adoption. A lot of mistakes have been made to date in the adoption of information technology, which makes it likely that mistakes will be made with regard to security industry cloud services.

Is the Past Any Predictor?

Historically, the physical security industry has lagged 5 to 10 years behind IT with regard to product development. For example, up until 2010, many network video cameras would be taken offline by a standard network scan using Nmap (http://bit.ly/network-mapper) — a tool commonly used by system administrators to discover computers and devices on a network and create a map of them — which is one way to identify unauthorized computers or computers that do not conform to security standards.

Nmap can detect computer operating systems and identify which network ports are open, which is useful for identifying system vulnerabilities so that appropriate security measures can be applied. Many surveillance cameras did not have up-to-date implementations of the TCP/IP network protocol, and would crash because they were unable to properly handle the simple network messages from Nmap. Such cameras required that their power be manually cycled off and on to bring the cameras back online.
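The article describes Nmap as a way to discover devices and spot unauthorized or non-conforming ones. The following script is an added example, not code from the article or from the Nmap project: it parses Nmap's XML report format (the output of its `-oX` option) and compares the result against an approved-device inventory, flagging unknown hosts, known hosts exposing ports outside their approved set, and inventoried devices that did not answer the scan at all (the symptom the cameras above showed). The inventory and the embedded scan report are constructed sample data; the addresses are from the 192.0.2.0/24 documentation range.

```python
"""Triage an Nmap XML scan report against an approved-device inventory.

Added example (not from the article). Parses Nmap -oX output with the
standard library and reports hosts that are unknown, non-conforming, or
missing. The scan report and inventory below are constructed sample data.
"""
import xml.etree.ElementTree as ET

# Constructed sample of Nmap -oX output, abbreviated to the elements used here.
SAMPLE_SCAN_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX scan.xml 192.0.2.0/28">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="554"><state state="open"/><service name="rtsp"/></port>
    </ports>
    <os><osmatch name="Embedded Linux" accuracy="90"/></os>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
    </ports>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports>
  </host>
  <host><status state="down"/>
    <address addr="192.0.2.13" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# Constructed inventory: approved device IP -> TCP ports it is allowed to expose.
INVENTORY = {
    "192.0.2.10": {80, 554},   # camera: web UI plus RTSP video
    "192.0.2.11": {80, 554},   # camera: telnet is not approved
    "192.0.2.13": {80, 554},   # camera: did not answer the scan
}


def parse_nmap_xml(xml_text):
    """Return {ip: {"open_ports": set, "os": str or None}} for hosts that are up."""
    hosts = {}
    root = ET.fromstring(xml_text)
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        open_ports = set()
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                open_ports.add(int(port.get("portid")))
        osmatch = host.find("os/osmatch")
        hosts[addr.get("addr")] = {
            "open_ports": open_ports,
            "os": osmatch.get("name") if osmatch is not None else None,
        }
    return hosts


def triage(hosts, inventory):
    """Classify scanned hosts against the inventory.

    unknown: responded to the scan but is not in the inventory
    nonconforming: in the inventory but exposes ports outside its approved set
    missing: in the inventory but did not respond (possibly knocked offline)
    """
    unknown = sorted(ip for ip in hosts if ip not in inventory)
    nonconforming = {}
    for ip, allowed in inventory.items():
        if ip in hosts:
            extra = hosts[ip]["open_ports"] - allowed
            if extra:
                nonconforming[ip] = sorted(extra)
    missing = sorted(ip for ip in inventory if ip not in hosts)
    return {"unknown": unknown, "nonconforming": nonconforming, "missing": missing}


if __name__ == "__main__":
    result = triage(parse_nmap_xml(SAMPLE_SCAN_XML), INVENTORY)
    for ip in result["unknown"]:
        print(f"UNKNOWN device {ip}")
    for ip, ports in result["nonconforming"].items():
        print(f"NONCONFORMING {ip}: unapproved open ports {ports}")
    for ip in result["missing"]:
        print(f"MISSING {ip}: inventoried device did not respond; verify it is still online")
```

Run it against a real report by replacing `SAMPLE_SCAN_XML` with the contents of the file written by `nmap -oX`. The "missing" category is worth watching on camera networks for exactly the reason the article gives: a device that was up before the scan and absent afterwards may have been crashed by it, and a scan schedule should be agreed with whoever operates those devices.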

Another example of poor information technology adoption comes from the Defcon 18 hackers’ conference in 2010. In an educational session, a security researcher presented a long list of vulnerabilities he discovered in a networked card access control system product, while testing it for approval to be placed onto his company’s corporate network. The vulnerabilities allowed an unauthorized individual to gain access to the system in a number of ways. In addition to finding multiple ways to crash the system, he discovered how to download the entire access control database without the customer being made aware of the copying, and also lock and unlock doors manually or by schedule. He also displayed multiple marketing statements by the manufacturer about how safe it is to connect the system to the Internet. 

Although the past two decades of security industry progress with information technology have not been stellar, that picture is beginning to change — and it has to. In a world where self-parking cars and drone delivery of online purchases are coming to market, business survival is at stake for companies that lag far behind in making good use of IT advancements.

Where Are Things in 2016?

The primary challenge for security industry manufacturers is to keep up with information technology developments when technology advancement continues to accelerate at a pace that is hard to imagine. Right now many security industry companies are working hard to catch up, a challenge that is very much like running up a down escalator that keeps moving faster and faster.

In Nov. 2015, the Security Industry Association (SIA) established its Cybersecurity Advisory Board (http://bit.ly/sia-cybersecurity-board) — a move that ideally should have happened 10 years earlier. Intent on making up for lost time, SIA has filled the board with people like Patti Chrzan, Senior Director, Strategic Programs, Digital Crimes Unit, Microsoft; Dave Cullinane, chairman, Cloud Security Alliance; Founder, TruStar Technology, Founder, Global Security Risk Management Alliance (GSRMA); Dan Dunkel, Vice President, Strategic Partners, Eagle Eye Networks Inc.; Hans Holmer, Senior Cyber Strategist, Intelligent Decisions; Jeff Whitney, Vice President, Marketing, Arecont Vision; and others with strong backgrounds in IT and cybersecurity.

The First Cloud Mistake: Hosted Systems

The first mistake on the part of industry manufacturers was due to confusion about what was meant by the term “cloud service” or “cloud system.” The mistake was thinking that a “cloud system” was any kind of server or system connected to the Internet. This came about because companies — not just in the security industry — provided “hosted systems,” which were client-server systems that customers could connect to over the Internet. They came to think that “cloud” was just a new name for what they already had in place.

Typically, such hosted systems are highly vulnerable, as security controls are weak to non-existent. Like the access control system example described earlier, such systems typically have dozens of ways that outside individuals can crash the system, copy data from the system and/or take control of the system. Furthermore, there is an insider threat risk because some employees of the hosted service company can access customer data.

Since many security practitioner customers get at least a part of their technology education from vendors, this misunderstanding proliferated across the general customer base; thus, both customers and manufacturers were making the same mistake of thinking that a “hosted system” was a “cloud system.”

The Second Cloud Mistake: Avoiding Cloud Systems Over Security Fears

Cloud services can be much more secure than systems deployed on customer premises. This is because the cost of security is shared by many customers, all of whom benefit equally from the security controls that are in place. This is why security can be better — including system redundancy in multiple geographic locations — and still cost less for each customer than the customer’s own security controls would cost, for both physical and electronic security measures. Cloud service providers can staff top-notch system security teams, the equivalent to which would be cost-prohibitive for a customer to establish.

Computer and network security is fundamentally about three objectives:

  • Confidentiality (systems and their information must be restricted to authorized users);
  • Integrity (data must be protected from accidental or unauthorized intentional change); and
  • Availability (the system and its data must be available when it is needed).

Data protection must be applied not only to stored data, but data going into, out of and moving around within the system.

It is completely appropriate to have concerns about the security of any particular cloud service. A cloud service should be able to document (not just explain) its approach to the confidentiality, integrity and availability of its cloud system security. Security is a combination of people, process and technology. Cloud service providers should perform system penetration testing regularly or continuously, and should undergo system security audits. Test report summaries should be available for customer review.

The Third Mistake About Cloud: Insufficient Documentation 

Documentation for a cloud service is important — and on a positive note, many security industry companies generally do a good job on product and system documentation. However, it is not just cloud system architecture design information that is needed. Where and how data is stored, including backups and redundant system elements, must be documented, along with the lifecycle of backed-up data, the standard to which data erasure is performed, and encryption details. There are legal considerations having to do with privacy protection that vary from country to country and must be taken into account. Some countries require that data of private citizens not leave the country.

Documentation for cloud services that integrators resell has two dimensions — one relating to the integrator and one relating to the integrator’s customers. Thus, the following points should be discussed with the cloud service provider, to ensure that the integrator, the customer and customer’s data are protected:

  • Compliance requirements
  • The type of privacy data that will be placed in the cloud
  • The location of the customer’s premises and any personnel who access the cloud service
  • The location of data storage
  • How data storage and data path requirements will be assured going forward
  • In the event the cloud service provider ceases operations or becomes acquired, how full access to all customer data will remain available
  • The type of authentication that users of the system will
  • How eDiscovery can be handled and how the data locations of digital evidence can be accessed by or on behalf of law enforcement
  • Ownership of data residing in the cloud

A service level agreement (SLA) must be provided by the cloud services provider that covers you as the integrator and your customers on points like those listed above.

The Future of Cloud Services

The arrival of cloud services, and the increase in customer willingness to consider them, means that parts of customer security technology infrastructures will eventually move into the cloud, and the role of security integrators will change as a result.

Although revenue relating to customer-site system maintenance will decrease, the opportunities for providing greater value to the customer will increase, and bring new sources of revenue into the picture.

Note: The next two articles in this series will cover evaluating cloud services — including cloud services architecture from the National Institute of Standards and Technology, and security guidance from the Cloud Security Alliance — and providing value-add components to cloud services that integrators provide to their customers. Look for them in upcoming issues of SD&I.

Ray Bernard is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities. For more information about Mr. Bernard and RBCS, visit www.go-rbcs.com or call 949-831-6788. Mr. Bernard is a member of the Subject Matter Expert Faculty of the Security Executive Council and an active member of the ASIS member councils for Physical Security and IT Security.