Secure Hosted Technology

What you really need to know about cloud-based security management

Cyber security is seemingly in the news every day. From data breaches to security system compromises, there’s a ‘cloud’ hanging over hosted environments, labeling them unsafe or subject to easy compromise.

According to statistics from the “2015 Cost of Data Breach Study: Global Analysis,” which was conducted by the Ponemon Institute, Traverse City, Mich., and sponsored by IBM, the average cost of a data breach increased from $3.52 million in last year’s study to $3.79 million in this year’s research.

Data integrity has been a crucial concern of the electronic security industry for decades. However, it has been at the forefront recently due to the numerous breaches in the news, although the majority of those have been the result of weak user names and passwords.

For the systems integrator, data breaches and compromise result in much more than dollar loss. Not only are the physical security and life safety of the protected premises at risk, but critical customer data can be lost. Even more so, data breaches and system compromise result in dissatisfied customers who will go elsewhere for service. These episodes have a dire effect on the systems integration community, which prides itself on providing a full-service solution that includes safe and secure physical premises along with data integrity.

The reality of the matter is that the cloud is much safer than non-hosted environments. In the example of cloud-based access control security management platforms, there are inherent layers of safeguards and security in the technology as opposed to local, software-based controllers and servers.

Still, as a security professional, you’ve probably run into many security directors or other end users who either don’t trust cloud security products or are vehemently opposed to them. He or she emphatically states that they will not risk their building security for the convenience, cost-effectiveness and reliability of cloud-based products. They feel there’s no upside in this method of software delivery, and that the automatic backups, accessibility and cost predictability don’t outweigh the perceived risk. They can’t quite fathom how a cloud-based product might actually be more secure in addition to providing all these benefits.

Legacy Brings Leg-iron Shackles

It’s actually the connections to the outside world through traditional web browsers, common in legacy access control security systems, that pose tangible risk. Another threat is most likely a direct Open Database Connectivity (ODBC) connection to the database, with information being passed “in the clear.” Legacy systems were not designed this way because of negligence on the part of the manufacturer. They were simply designed in a different era when network security was not a rampant concern.

Putting information and processes in the cloud has the connotation that it’s easier to hack. However, if that were true, why would we continue to do online banking and expose our finances over the Internet? We expect our financial institution has taken precautionary measures to protect that environment. Those same requirements should be expected with cloud-based access control solutions, and here are some critical factors to consider:

  • Is the connection secure? Websites use SSL certificates to encrypt the connection, which is recognized by URLs starting with ‘https’.
  • Can the hardware encrypt the data? Ensure that the field hardware has the option to turn on TLS (Transport Layer Security) capabilities that allow encryption at the board.
  • Does it use IP Client or IP Server? IP Client uses outbound ports at the user’s site instead of inbound ports, which again, greatly reduces the risks of security breaches.
  • Can it do a secondary authentication? Many people who work or have worked in a corporate environment have used a dongle or token to log onto the server for access to email, ERP systems or repositories like SharePoint. It means typing in a user name, password, then a randomly generated, six-digit number that changes every 30 seconds. Two-factor authentication should be inherent to all software platforms.

The Importance of Secondary Authentication

Simple, two-factor authentication could have prevented many a celebrity photo from being leaked to the web. Passwords can be guessed, recycled, or even written down; all factors which compromise the security of an access control system. The cloud actually eradicates traditional security risks with two-factor authentication. Two-factor authentication comes in many forms from biometrics to apps like Google Authenticator which is built on RSA (encryption) technology, and can be downloaded to the smartphone at no extra cost. This would mean that a perpetrator not only would need to know the user name and password, but would also have to have control or possession of your device (which has its own PIN and biometric security).

In addition, SSL encryption is something that almost all cloud-based solutions provide by default, as opposed to legacy access control products. Many legacy manufacturers provide Advanced Encryption Standard (AES) encryption from the controllers to the server, but it’s rarely implemented because of the complexity and cost. Not to mention that if you aren’t securing your client/server communications, where users are putting the system at risk through Internet connectivity and ‘bring your own’ USB devices, you are encrypting the least vulnerable device.

Some hardware providers enable Transport Layer Security (TLS) with a simple check box and cloud-based products auto-negotiate the encryption with the boards as they initiate contact with the server. The server already knows information about the board entered into it such as the MAC address and other information, so it’s a known caller. The board is programmed to only talk over an outbound port, so IT staff does not have to enable any inbound network ports or set up port forwarding. This helps keep the network secure and lowers the workload on IT. When encryption from the board to the server is just a check box and the server automatically negotiates it as is the case with TLS, it’s much more likely to be enabled.

Disaster Recovery

What’s more, Software as a Service (SaaS) products typically mean the database is sitting in a cloud like Amazon Web Services (AWS) or Microsoft Azure, which can bring superior economies of scale. An AWS or similar provider has redundant Internet connections, automatic data backup and recovery, months of backup power generation, cyber security experts and, of course, world-class premises security.

A SaaS-based access control solution can eliminate the threat of the user losing data due to negligence or being too busy to regularly back up the database. A reliable product will also provide Elastic Block Storage, meaning that multiple ‘write’ transactions are performed, so that if the primary database goes down, the data still exists at another location and can be brought back online. A second layer of data recovery would be point-in-time recovery.

If the user accidentally deletes records, then it shouldn’t take much more than a quick tech support call to roll the system back to a few moments before the error happened. With most legacy systems, it is unlikely that anyone is even doing a monthly backup, and even more unlikely that there is some sort of disaster recovery plan in place.

Evolution of Cloud-hosted Access Control

The question that was always asked when intelligent control panels were first put on the network was, ‘what happens if I lose my network?’ This question is still asked and the answer is still the same: the panel continues to make all access grant and deny decisions as it normally would and all transactions are buffered and downloaded when the connection is restored. The cardholder should experience no system degradation.

In cloud systems, the question changes slightly to ‘what happens if I lose my Internet connection?’ and the answer remains the same. For customers with multiple sites over a large geographic area a cloud solution should in fact offer more system uptime. In the traditional premise-based server system, if the Internet connection is lost at the server location, the rest of the sites lose the ability to monitor and make changes. In a cloud-based solution, data centers typically have at least two different Internet Service Providers in case one goes offline.

Very few businesses can afford to or opt to pay for redundant Internet connections, but can benefit by using a product hosted in a data center.

The cloud-hosted environment brings other distinct advantages to the user. While upfront costs are much lower because there is no need to purchase and install software on a server, the long-term total cost of ownership (TCO) is also often lower. The high upfront costs are replaced with smaller monthly payments that businesses can leverage as an ongoing operating expense. From the financial perspective, this is a lower risk model since the company won’t have any surprise costs from the loss of a server or having to rebuild a system. Lower TCO is also driving the growth of SaaS products and the data center building boom.

Customers who want to upgrade to SaaS solutions but fear being locked in should do their due diligence and seek a solution built on open hardware such as authentic Mercury boards and/or HID VertX panels, Edge and Edge Evo controllers. It’s fair to say that Mercury was the first company to push for panels that could be used with multiple software companies, and now both HID and Mercury panels each work with more than 20 OEM software products. Integrators should be wary of companies that advertise support for open architectures but try to sell their own proprietary hardware, claiming greater functionality and lower cost.

In the end, cloud-hosted security management platforms deliver the customer cost predictability that incentivizes the growth of their system across the enterprise. It keeps their data backed up and in a secure location. It’s readily accessible and provides secure access from home, the neighborhood coffee shop, or the office. The software is always up-to-date and delivered on demand. It never takes network security for granted, because security is inherent in its design and not an afterthought. Secure cloud solutions provide a better customer experience and lower TCO, designed with the customer’s day-to-day operations in mind.

The cloud provides enhanced services along with inherent risk reduction. It gives users choices over hardware and the ability to integrate legacy equipment without extensive upgrades. It’s easy to scale up when users need to add services or locations. It has an open architecture that lends itself to simple, comprehensive security system integration and the move away from proprietary hardware. It’s safe, secure and the future of the successful delivery of security management services.

This article originally appeared in the September 2015 issue of Security Today.
