Where the Cloud Meets Video Surveillance
I’m sure by now everyone understands the basics of “The Cloud” since it has
become ubiquitous with almost all business apps now offered or exclusively
offered in the cloud. Who would have imagined just a few years ago that a
company’s financial systems, ERP solutions and entire document management
would be in the cloud? This same trend is disrupting the traditional
video surveillance market, in particular for small businesses that can now access
professional video surveillance systems in the cloud without having to manage onsite
storage and video management hardware.
If you’ve been thinking about taking that next step and adding video surveillance
to the long list of solutions you’re already using in the cloud, it’s important to be
aware of some considerations as it relates to the privacy and security of your data.
SECURITY CONSIDERATIONS FOR CLOUD VIDEO SURVEILLANCE
I hear this all the time: “Okay. Cloud sounds great, but how do I know it’s secure?”
This is a great (and fair) question. Ultimately, it’s up to the customer to
feel comfortable with the cloud and ensure they are balancing their security needs
with more practical considerations around cost and convenience. It’s all about risk
management and the appropriate level of security required for your application.
Here are some points to keep in mind if you consider using the cloud for video
surveillance.
Is the device adequately secure? A bit of a paradox here, but when considering
cloud security, you need to take a hard look at that local hardware device that’s
sitting inside your own network before you even spend much time worrying about
cloud security. That’s really where your security considerations begin. If you’re
using the most secure cloud infrastructure ever built, but the endpoint IP camera
or NVR hardware device is not properly configured or has security vulnerabilities,
then that’s a potential source of risk.
Any time you are planning on accessing the device from the internet, you need
to be sure you are taking a few basic precautions. The first one is to consider the
hardware vendor. Do they have a good reputation? Do they regularly update their
firmware? When was the last update? And of course when you configure the device
for the first time, be sure you follow the vendor’s recommended best practices, keep
the firmware current, choose a strong password, and any other recommendations
they might have.
Find out your vendor’s definition of “cloud.” All clouds are not created equal.
Even worse, it has become such a buzzword that the meaning of “cloud” is all over
the map. So, check that you’re really being offered a cloud service, which means that
cameras are managed, data is stored and the media infrastructure and value-added
services are all managed from the cloud. I’ve seen many vendors market a cloud service
that is simply remote access to a local device, which has limited value.
If you have multiple sites you will
still be managing connections back to
each of these devices individually. Further,
many of these internet connected
NVRs or IP cameras are simply brokering
connections into your network
through a 3rd party P2P service.
Once you’ve determined that it is in
fact a cloud service being offered and
not just an internet-connected NVR
or IP camera, then find out a bit about
their cloud and data center. If they are
using their own proprietary data center,
you are immediately introducing risk in
my view. Sure thing, there are clouds
that nobody has ever heard of that are
fantastically secure, but how do you
know? If the cloud provider has built
their solution on an Amazon, Microsoft
or Google cloud then you can at
least be assured the data center environment
and general security is adequate.
As an example, the Amazon AWS
data centers have all achieved high levels
of ISO and other compliance, and they
are supporting some of the largest internet
services in the world. In addition,
the durability of their data storage environment
is second to none, meaning
their systems are designed specifically
to limit the loss of data objects to tiny
fractions of a percent per year. In addition,
make sure your video data is “encrypted
at rest”, meaning that once it’s
stored in the cloud storage facility, it’s
stored encrypted.
Bottom line, if you’re using a cloud
solution built on a first-class data center
you’re going to realize a network
and data management environment
orders of magnitude better than any local
storage you could construct on your
own, using your own network resources
and a low-cost network storage device.
Understand your connection from
camera to cloud. This is a big one. It’s important
to have a good understanding of
how the device(s) on your local network
is being accessed by the cloud. Generally
speaking, there are three options.
- No network configuration required
- Network configuration required
- The use of an on-site device or
gateway.
Let’s ignore the third one since an
on-premise gateway isn’t exactly a cloud
solution. The no network configuration
options are a bit more limited, but
there are some good ones. For example,
some camera vendors like Axis Communications
offer an extremely robust
solution for configuring a cloud camera
that requires no network configuration.
Known as Axis AVHS, it’s a great option
for setting up a cloud surveillance
system and, coming from Axis, it’s well
built, reliable and well—just works.
Ask your cloud vendor if they support
Axis AVHS, as it could be a great
option. Other manufacturers have
built in a direct connection from their
camera to the cloud, for example solutions
from Nest and Amcrest; both are
excellent but more targeted at the DIY
end of the market. Beyond that, any
“cloud solution” being offered by a vendor
is likely a P2P solution, which involves
using a separate P2P server that
brokers a connection into your network
down to the device. These types of connections
tend to be not as reliable as the
other options listed here, and are also a
bit of a “black box” in terms of how the
network interactions are happening, so
research the options from your camera
or cloud vendor since they do vary.
The other approach for managing a
connection from camera to cloud is to
simply configure your network to permit
access to your device from the internet.
Now before closing this article and
running the other way, it’s important to
understand that this is a completely legitimate
and safe way to configure your
cameras for the cloud, if proper steps
are taken. The technical term for this
approach is “port forwarding.” This
isn’t meant as a technical
port forwarding guide, just a few
tips when doing this.
First, pick a strong password for
your device and ensure all available
firmware updates are applied. This is
the most common area of risk when
opening a device to the internet. A recent
CSID study showed that 61 percent
of people use the same password
on multiple sites. Don’t do that. Pick
a unique password for this device, and
follow strong password best practices.
In addition, ask your cloud provider
for a list of IP addresses that would
be used by the cloud service. Whitelist
those IP addresses so that only a very restricted
list of servers is allowed to
connect to your device. You take these
two steps and work with your network
or IT person, and this is a perfectly acceptable
way to configure a cloud video
surveillance system. It’s also reliable
since there are no black box P2P connections
or other network magic happening.
It’s simply a trusted connection
from a restricted list of cloud servers to
your camera. The benefit is, once you
do this you open up a huge list of cameras
you can use for cloud surveillance.
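One way to confirm the whitelist is doing its job is to review the firewall log for connections that reached the camera from addresses the cloud provider never listed. The following is an added example, not code from the article or from any vendor; the address ranges, camera address, forwarded port and the `FWD-ACCEPT` log prefix are all assumptions, and the log lines are constructed.

```python
import ipaddress
import re

# Assumption: ranges the cloud provider says it connects from
# (documentation-reserved ranges used as placeholders).
CLOUD_ALLOWLIST = ["203.0.113.0/28", "198.51.100.20/32"]
CAMERA_IP = "192.168.1.50"   # assumed internal address of the camera
CAMERA_PORT = 554            # assumed forwarded port

# Constructed sample lines in the key=value style of netfilter LOG output.
SAMPLE_LOG = """\
Sep 12 02:14:07 gw kernel: FWD-ACCEPT IN=wan0 OUT=lan0 SRC=203.0.113.5 DST=192.168.1.50 PROTO=TCP SPT=41822 DPT=554
Sep 12 02:15:41 gw kernel: FWD-ACCEPT IN=wan0 OUT=lan0 SRC=192.0.2.77 DST=192.168.1.50 PROTO=TCP SPT=50110 DPT=554
Sep 12 02:16:03 gw kernel: FWD-DROP IN=wan0 OUT=lan0 SRC=192.0.2.91 DST=192.168.1.50 PROTO=TCP SPT=50342 DPT=554
Sep 12 02:17:30 gw kernel: FWD-ACCEPT IN=wan0 OUT=lan0 SRC=198.51.100.20 DST=192.168.1.50 PROTO=TCP SPT=39001 DPT=554
Sep 12 02:18:12 gw kernel: FWD-ACCEPT IN=wan0 OUT=lan0 SRC=203.0.113.200 DST=192.168.1.60 PROTO=TCP SPT=39001 DPT=443
"""

FIELD = re.compile(r"(\w+)=(\S*)")

def unexpected_sources(log_text, allowlist=CLOUD_ALLOWLIST):
    """Return (source, count) pairs for accepted connections to the camera
    that came from outside the provider allowlist, most frequent first."""
    nets = [ipaddress.ip_network(n) for n in allowlist]
    counts = {}
    for line in log_text.splitlines():
        if "FWD-ACCEPT" not in line:
            continue  # dropped traffic means the firewall did its job
        f = dict(FIELD.findall(line))
        if f.get("DST") != CAMERA_IP or f.get("DPT") != str(CAMERA_PORT):
            continue  # not the forwarded camera port
        try:
            src = ipaddress.ip_address(f.get("SRC", ""))
        except ValueError:
            continue  # malformed line; skip rather than crash
        if not any(src in net for net in nets):
            counts[str(src)] = counts.get(str(src), 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for src, n in unexpected_sources(SAMPLE_LOG):
        print(f"not on allowlist: {src} ({n} accepted connection(s))")
```

Any address this reports means the forwarding rule is accepting traffic the whitelist should have blocked, so the rule's source restriction needs to be rechecked.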
Understand your connection from
cloud to user. Now that you’ve set up a
trusted connection from your camera
to the cloud, your data is cozy in
a secure cloud environment; the final
consideration is understanding how the
cloud provider makes that data available
to the user, either through its web
or mobile apps.
At this point, the cloud provider has
all the video and user data under their
control and there’s no dependency on
camera hardware. Therefore, there’s no
reason that all the traffic from the cloud
servers to your web browser or mobile
app shouldn’t be strongly authenticated
with your username and password and
encrypted in transit using TLS. This includes
standard web traffic and the video
streams being reviewed and played
back over the apps.
THE BOTTOM LINE
Security concerns should not be any
reason for avoiding cloud video surveillance
options for your small business.
By taking some sensible precautions
and configuring your surveillance system
correctly, you can get good, and
oftentimes better, security than a local
storage solution.
There might be, of course, other
reasons for not using cloud video
surveillance. For example, lack of adequate
bandwidth could be an obvious
one. Cloud surveillance doesn’t work
without internet. If you decide to investigate
cloud video surveillance options,
make sure to do your homework,
pick a great camera and a reputable
cloud provider. Then you’ll be on your
way to enjoying the
benefits of a cloud-based
system.
This article originally appeared in the September 2016 issue of Security Today.
About the Author
Andre Fontana is the director of sales at Camcloud, Inc.