Bringing It All Together
Multi-site video security helps resolve many challenges
- By Brian Carle
- Sep 01, 2016
High camera counts, limited bandwidth for connecting multiple
locations and linking together a variety of different security
technologies are just some of the challenges facing multi-site organizations
when selecting video security technology.
Tying it all together by using the right mix of integrated technologies
can lead to a more cost-effective security program and better protection
of people and assets.
USER ACCESS, PERMISSIONS AND SECURITY
The security of the system is an often overlooked aspect of technology selection,
as is deployment and configuration. With the vast majority of products now IP-capable,
it helps to consider how systems are configured and deployed to avoid
compromising network and data security.
Multi-site deployments typically provide video security access to users at each
site and more frequently have centralized monitoring and investigations as another
layer of access.
With multi-user access, exporting evidence needs to be controlled to avoid
sensitive security information being released. The video management platform
should provide the ability to permission user access to playback, exporting video
and taking snapshot images to limit access to such features. Export events should
be logged, providing an audit trail of the camera, time range of exported video,
VMS user account, time of export and the workstation used to export video. Some systems will create a “blind” copy of the exported evidence on centralized storage
automatically providing a record of all the video exported. Additionally, consider
adopting a policy preventing the use of smartphones and cameras in any rooms
with VMS client software to prevent users from recording the screen, which would
bypass built-in system permissions and logging.
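One way to review the export audit trail described above, as an added example that is not from the original article or any VMS product: it checks each export record for the audit fields listed in the text, for the export permission, and for a matching "blind" copy on central storage. The record layout, field names, account names and sample data are constructed assumptions.

```python
# Constructed sample records; the field names are assumptions, not a real VMS schema.
REQUIRED = ("camera", "start", "end", "user", "exported_at", "workstation")

EXPORT_LOG = [
    {"camera": "lobby-01", "start": "2016-09-01T08:00", "end": "2016-09-01T08:15",
     "user": "jsmith", "exported_at": "2016-09-01T09:02", "workstation": "SOC-WS1"},
    {"camera": "vault-02", "start": "2016-09-01T22:00", "end": "2016-09-01T22:30",
     "user": "temp-guard", "exported_at": "2016-09-02T01:14", "workstation": "SITE7-WS2"},
    {"camera": "dock-03", "start": "2016-09-02T10:00", "end": "2016-09-02T10:05",
     "user": "soc-lead", "exported_at": "2016-09-02T10:20", "workstation": ""},
    {"camera": "lobby-01", "start": "2016-09-02T12:00", "end": "2016-09-02T12:10",
     "user": "jsmith", "exported_at": "2016-09-02T12:31", "workstation": "SOC-WS1"},
]
# Blind copies found on central storage: (camera, start, end, user), constructed.
BLIND_COPIES = [
    ("lobby-01", "2016-09-01T08:00", "2016-09-01T08:15", "jsmith"),
    ("vault-02", "2016-09-01T22:00", "2016-09-01T22:30", "temp-guard"),
    ("server-room-04", "2016-09-02T03:00", "2016-09-02T03:40", "admin"),
]
EXPORT_PERMITTED = {"jsmith", "soc-lead"}  # accounts granted the export permission


def review_exports(log, blind_copies, permitted):
    """Return (log_index or None, finding) pairs for exports that need follow-up."""
    findings, logged = [], set()
    copies = set(blind_copies)
    for i, rec in enumerate(log):
        missing = [f for f in REQUIRED if not rec.get(f)]
        if missing:  # the record cannot answer who, what, when or from where
            findings.append((i, "incomplete audit record: missing " + ", ".join(missing)))
            continue
        key = (rec["camera"], rec["start"], rec["end"], rec["user"])
        logged.add(key)
        if rec["user"] not in permitted:
            findings.append((i, "export by account without export permission"))
        if key not in copies:
            findings.append((i, "no blind copy on central storage"))
    for key in sorted(copies - logged):  # a copy exists that the log does not explain
        findings.append((None, "blind copy with no audit record: %s by %s" % (key[0], key[3])))
    return findings


if __name__ == "__main__":
    for index, finding in review_exports(EXPORT_LOG, BLIND_COPIES, EXPORT_PERMITTED):
        print(index, finding)
```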
In the event of an emergency or other significant security event, many users
may want to access the same camera simultaneously. In the event the camera is
PTZ and multiple users have permission to move the camera, it’s important the
VMS system allows for prioritizing user access so the highest priority user maintains
control. Also, look for systems that allow user access to cameras to be shut
down immediately, which can prevent users from accessing live video of a particularly
sensitive security event.
Finally, physically securing network connection points should be considered
when deploying cameras. Generally, cameras are placed in public areas. Each IP
camera has a network cable leading back to a switch, so what’s to prevent someone
from taking the cable out of the camera and plugging their laptop in to gain access?
The best practice is to connect cameras to a dedicated network segment or
a camera-only VLAN which prevents traffic from the camera-network-segment
from reaching the business network. Using an NVR with multiple NICs allows
simultaneous connection to the camera network and the business network allowing
users on the main business network to access video and recordings, without
connecting the cameras directly to the primary business network.
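A check for the segmentation described above, as an added example that is not from the original article: it reads flow records and flags hosts on the camera VLAN that are not listed cameras, traffic crossing between the camera segment and any other network, and camera-to-camera traffic that bypasses the NVR. The subnets, addresses, ports and flow records are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan (assumption, not from the article).
CAMERA_NET = ipaddress.ip_network("10.20.0.0/24")    # camera-only VLAN
NVR_CAMERA_NIC = ipaddress.ip_address("10.20.0.2")   # NVR NIC on the camera VLAN
KNOWN_CAMERAS = {ipaddress.ip_address(a) for a in ("10.20.0.11", "10.20.0.12")}

# Constructed flow records: (source, destination, destination port).
FLOWS = [
    ("10.20.0.2", "10.20.0.11", 554),        # NVR pulling RTSP from a camera
    ("192.168.10.40", "192.168.10.3", 443),  # client to the NVR's business-side NIC
    ("10.20.0.77", "192.168.10.5", 445),     # unlisted host on the camera VLAN
    ("192.168.10.40", "10.20.0.12", 80),     # workstation reaching a camera directly
    ("10.20.0.11", "10.20.0.12", 23),        # camera talking to another camera
]


def audit_flows(flows):
    """Return (kind, src, dst, port) for every flow that breaks the isolation model."""
    findings = []
    for src_s, dst_s, port in flows:
        src, dst = ipaddress.ip_address(src_s), ipaddress.ip_address(dst_s)
        src_in, dst_in = src in CAMERA_NET, dst in CAMERA_NET
        # A source on the camera VLAN that is neither the NVR nor a listed camera
        # is what a laptop plugged into a camera's cable would look like.
        if src_in and src != NVR_CAMERA_NIC and src not in KNOWN_CAMERAS:
            findings.append(("unknown-device", src_s, dst_s, port))
        if src_in and not dst_in:
            findings.append(("segment-escape", src_s, dst_s, port))
        elif dst_in and not src_in:
            findings.append(("direct-camera-access", src_s, dst_s, port))
        elif src_in and dst_in and NVR_CAMERA_NIC not in (src, dst):
            findings.append(("camera-to-camera", src_s, dst_s, port))
    return findings


if __name__ == "__main__":
    for finding in audit_flows(FLOWS):
        print(finding)
```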
INTEGRATION WITH COMPLEMENTARY SECURITY TECHNOLOGIES
Combining data from multiple complementary security systems makes it easier to
identify what is happening both in real time and during an investigation.
Some organizations that commonly have multi-site deployments may benefit
from integrations that are specific to their industry, such as the integration of video
and point-of-sale data in retail.
Outside of industry-specific integrations there are some very common integration
targets that most consumers benefit from.
The most common system to target integrating with video is Access Control.
When the two are combined, video recording can occur based on access control
events, like when someone opens a door. The recordings are automatically associated
with their corresponding events, so when looking through a list of events an
investigator can click on the event and see the corresponding video. One example
of how the integration benefits investigations is when looking through a list of
access control events to identify who entered a secured area, the access control
system will have a record of the user assigned to the credential used. Viewing the
recording of the event will identify whether the person who entered is in fact the
person assigned that credential or someone else using the wrong credential.
Less common but of great benefit are risk management and social media monitoring
tools that aggregate information from multiple sources and allow filtering
based on geography and keyword. Risk management tools may provide news,
weather and other information sources and present relevant data related to campus
or site locations. Social media monitoring tools, as the name implies, collect
user posts from social media services like Twitter, Instagram and others. Posts are
aggregated and filtered so security professionals can identify any social media activity
taking place at monitored sites that may indicate a threat. Integration with
video allows for visual verification of the individual posting or correlation of real
world events with news, weather or social media reports.
REDUNDANCY
When we think of redundancy, NVR failover and RAID are top of mind. N+1 access to video, at least for investigative
purposes. Centralized live monitoring
of video feeds from remote sites is less
common primarily due to limited bandwidth
available at each site.
Take for example a small retail location
with eight 720P cameras each
streaming with a bit rate of 700kb/s.
In order to stream all those cameras
back to a central location, the local site
would need an internet connection that
supported a minimum of 5.6Mb/s of
upstream bandwidth, just for the video.
Many VMS platforms offer bandwidth
saving features that go beyond
standard video compression to reduce
live streaming bitrates dramatically. The
most common capabilities include multicast,
multi-streaming and transcoding.
Multicasting is a great technology
if you have many clients simultaneously
receiving the same information.
A prime candidate for multicasting
would be an internet broadcast of a
live sporting event with thousands of
viewers. If the sporting event was being
unicast there would be thousands of
copies of the same information being
streamed simultaneously, one for each
recipient. If using multicast instead, a
single stream is sent from the servers
hosting the live feed and the network
replicates the stream for each of the
recipients. This process saves an enormous
amount of bandwidth but again
the technology is effective when there
are lots of clients receiving the same
data at the same time.
In video surveillance, you usually
have many sources of data and very few
recipients (for instance 64 cameras and
a single security operations center where
monitoring takes place). If planning
for many client viewing workstations
streaming the same cameras at the same
time, multicast makes sense, but it’s an
unusual scenario and not commonly applicable
for multi-site deployments.
Multi-streaming, on the other hand,
can save bandwidth all the time and
even with limited numbers of client
workstations pulling live streams. Multi-streaming
involves the VMS platform
pulling multiple streams of video from
each camera. In a simple scenario, one
stream would be pulled at 720P resolution
and a second stream would be
pulled at VGA resolution (about 1/3 the
resolution of 720P). The 720P quality
stream would be recorded but the VMS
platform would switch between the
streams when transmitting live video to
clients for viewing. If the client workstation
is viewing video full screen, then
the VMS would send 720P resolution
so the video is presented at its full quality
level. If multiple cameras are being
displayed on screen, the screen resolution
available to display each camera is
lower. In this case the VMS may send
the VGA stream, because it would contain
enough pixels to present the video
at the highest quality level for the limited
display area but would save bandwidth
as compared to sending 720P.
The next step beyond multi-streaming
would be transcoding. With transcoding,
the VMS pulls a single stream
of video from the camera and modifies
the resolution of the stream to send the
correct resolution to clients. The full
quality stream is recorded but if a client
workstation wants to view video
in any resolution, the resolution of the
video sent is resized prior to transmission.
The end result is full video quality
displayed on the client using the lowest
amount of bandwidth.
Transcoding is much more granular
in the resolutions that can be streamed
to clients which results in greater bandwidth
savings as compared to multi-streaming.
For multi-streaming to
work the cameras or encoders used
need to support that capability and
have enough CPU performance to send
multiple streams at the frame rate desired,
otherwise the number of streams
or frame rate of the streams would need
to be sacrificed. Transcoding results in
a small CPU overhead on the NVRs
related to scaling the video streams for
client workstations.
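The stream choice under multi-streaming and under transcoding, worked through for several client layouts, as an added example that is not from the original article or any VMS product. The 1920x1080 client display and the selection rule are assumptions, and pixels per frame is used only as a rough stand-in for bandwidth, since real bitrate also depends on codec and scene.

```python
STREAMS = {"720P": (1280, 720), "VGA": (640, 480)}  # the two camera streams in the text
DISPLAY = (1920, 1080)  # assumed client monitor resolution


def tile_size(grid, display=DISPLAY):
    """Pixels available to each camera in a grid x grid layout."""
    return display[0] // grid, display[1] // grid


def multi_stream_choice(tile, streams=STREAMS):
    """Smallest camera stream that covers the tile, else the largest one."""
    covering = [(w * h, name) for name, (w, h) in streams.items()
                if w >= tile[0] and h >= tile[1]]
    if covering:
        return min(covering)[1]
    return max((w * h, name) for name, (w, h) in streams.items())[1]


def transcode_size(tile, source=STREAMS["720P"]):
    """Scale the recorded stream to fit the tile, keeping aspect, never upscaling."""
    scale = min(tile[0] / source[0], tile[1] / source[1], 1.0)
    return round(source[0] * scale), round(source[1] * scale)


def compare(grid):
    """Pixels per frame sent to the client under each approach for one tile."""
    tile = tile_size(grid)
    name = multi_stream_choice(tile)
    ms_w, ms_h = STREAMS[name]
    tc_w, tc_h = transcode_size(tile)
    return {"tile": tile, "multi_stream": name, "multi_stream_px": ms_w * ms_h,
            "transcoded": (tc_w, tc_h), "transcoded_px": tc_w * tc_h}


if __name__ == "__main__":
    for grid in (1, 2, 3, 4):  # full screen, 2x2, 3x3, 4x4
        print(grid, compare(grid))
```

Multi-streaming can only pick between the two fixed streams, so the 2x2 layout still receives 720P, while transcoding sends exactly the tile-sized frame in every layout.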
CENTRALIZED MANAGEMENT
Multi-site deployments benefit greatly
from a focus on how system management,
health monitoring and configuration
can be accomplished. Without
centralized management tools, the time
spent performing maintenance and updates
will grow as the system expands.
Many multi-site organizations may not
have IT or facilities staff at some locations
making the need for centralized
health monitoring and configuration a
necessary tool for remote troubleshooting
and maintenance.
The administration time spent on
system configuration and software updating should be considered. Tools that
allow system configuration changes
and software updates to be deployed to
multiple systems simultaneously should
be considered a prerequisite for any organization
deploying a system which
spans more than 20 sites.
Centralized health monitoring is key
to ensuring any faults in the system are
detected in a timely fashion so troubleshooting
can begin immediately. One
example of the benefit: as the system
grows, there is an increased risk of cameras
going down without being noticed.
In order to reduce the risk of not recording
an important security event,
automated notification of system issues
should be an available feature and
properly configured.
PLANNING AND VENDOR SUPPORT
Meeting technology selection project
deadlines can be difficult and it’s not
uncommon for important features or
the best deployment architecture to get
overlooked in the rush. Putting together
a good action plan before deploying
new technology can save many headaches
and produce better results. The
importance of good planning for multi-campus
organizations is amplified as a
result of the scale involved.
It’s not uncommon for consumers to
deploy systems and use only a fraction
of the features. Once a technology has
been deployed, changes may become
more difficult as the size of the installation
grows. Going back and modifying
configuration of many sites or identifying
an architectural flaw in the deployment
after roll out can cause delays and
added workload.
Leveraging support and engineering
resources from your technology
vendors is not only a best practice for
multi-campus deployments but is often
also available with little to no impact
on the budget. As part of the planning
process, consider performing a design
review with a vendor’s field engineer.
As part of the process ask your vendor
to participate in commissioning a proof
of concept site so they can see the proposed
deployment model and comment
before full roll out. These processes
give you a second set of eyes from an
expert that has seen a multitude of deployment
designs along with the corresponding
benefits and drawbacks.
Field engineering resources from
your technology vendor can help you
get the most out of your technology
investment. That’s why the level of support
engagement from your technology
vendor should be a key criterion when
selecting a partner.
This article originally appeared in the September 2016 issue of Security Today.