Security by Design

Security by Design

It’s all in the cloud with no hardware involved

We know by now that there is an abundance of business advantages in the cloud — it’s agile and cost-efficient, and, with little to no hardware maintenance, it’s easier to update and perform maintenance on than traditional on-site servers. Cloud architecture is built to scale with processing and storage needs, meaning organizations can scale up (or down) as needed, and without the concern of outdated software or hardware.

But building a cloud-based service takes time and forward-thinking innovation. After all, the security of the cloud has long been called into question. As more and more customers demand cloudbased services for their businesses—and discover the advantages they provide—it is critical for end users and integrators to understand how these solutions can, and must, be built with security in mind every step of the way.

Architecture and design play a large role in determining how to properly use and update security protocols. Many companies, including Arcules, have adopted the concept of “security by design,” whereby from day one, the security of the solution is considered and kept at the forefront throughout the entire process. For a cloud-based service, this method of oversight is critical as the data is typically transmitted over the internet. There are a number of ways to establish security by design within the product lifecycle.

Risk Management

At the beginning of the lifecycle process, there’s a significant amount of time dedicated to completing risk assessments. Risk assessments enable a manufacturer to eliminate possible failures and reduce the impact of the ones that are likely to place regardless of preparation. As cloud services have matured, protection of privacy has become a risk that cannot be ignored. Assessments can identify sensitive information that is used and stored by the product. With this knowledge, manufacturers can better prepare a product in development and identify potential focus points when utilizing third party pen testers.

Choosing the Right Provider

Another aspect that is crucial to building a secure cloud-based solution is determining the characteristics required for a cloud provider. Cloud-based security use cases generally include the transmission of large amounts of data, so storage is a major factor to consider. The amount of data being generated today is staggering: According to IDC, 41.6 billion Internet of Things (IoT) devices will generate 79.4 zettabytes of data in 2025. most of it from video surveillance. As a result, cloud providers must be able to provide adequate storage for these applications that collect large amounts of data.

With so much data, data loss prevention (DLP) services are required to help ensure data is not being moved without your knowledge. Some providers are able to provide this for an additional fee. Depending on the data stored, this may be worth the investment.

Many virtualization technologies exist and are scriptable, providing the immutable infrastructure which can help teams on multiple levels with disaster recovery and more if an infrastructure issue is found. Choosing the right cloud provider, such as Google Cloud Platform (GCP), eliminates mundane infrastructure management tasks such as security upgrades, leaving manufacturers to concentrate on what’s most important: bolstering the platform’s security capabilities.

Finally, connectivity is always a concern, as users expect (and require) the ability to access data instantaneously. From a security perspective, a product must be able to mitigate different types of attacks including distributed denial of service (DDOS). Some providers, including Google, mitigate these issues within their networking products, giving the manufacturer more time to focus on the product.

Testing, Testing, Testing

A regular part of the manufacturer’s process is the testing phase, which helps strengthen systems. Penetration testing, which includes efforts to circumvent the risk controls and security configuration of the product, attempts to engage the product in a denial of service, to access and authenticate on the product via unauthorized means, to elevate privilege on the product, and to exploit vulnerabilities.

Once a cloud-based service has been designed, tested and introduced to the market, the product testing shouldn’t stop, as new vulnerabilities are found every day. As with every product that works over a network—such as today’s IP cameras and networked access control solutions—the data being collected and stored must be treated with a multi-layered approach and protected through encryption to and from its final destination.

How to Integrate Security by Design as an Integrator

So how does the design of a product affect the integrator’s relationship with an end user? There are a number of ways. First, integrators are increasingly tasked with acting as a liaison between the security side of the business and the IT departments. This means they are often responsible for ensuring networks and firewalls are configured correctly to implement security solutions.

Integrators must also be adept at identifying where data privacy is paramount and communicating what information is being collected so that IT departments can protect said data from outside threats. Finally, integrators are an essential part of training end users on the proper use of cloud-based platforms and how to take the necessary steps in effectively using these tools to protect a facility (or multiple facilities across an organization).

It’s a Process

Throughout the years, the increasing popularity of cloud-based services and products has given rise to companies developing solutions that harness the exceptional power of the cloud. However, these companies are also tasked with ensuring that their products are providing adequate protection of the data being transmitted and stored.

Cloud security starts with design and doesn’t end when a product enters the marketplace. End-user customers who choose to transition to a cloud-based service must engage in the stringent process of due diligence and search for a manufacturer that has kept security at the forefront of the design, development and post-sale process in order to protect critical data from outside threats.

This article originally appeared in the September 2019 issue of Security Today.


  • 12 Commercial Crime Sites to Do Your Research

    12 Commercial Crime Sites to Do Your Research

    Understanding crime statistics in your industry and area is crucial for making important decisions about your security budget. With so much information out there, how can you know which statistics to trust? Read Now

  • Cybersecurity Awareness Month: Top Five Action Items to Elevate Your Data Security Posture Management and Secure Your Data

    October is Cybersecurity Awareness Month, and every year most tips for security hygiene and staying safe have not changed. We’ve seen them all – use strong passwords, deploy multi-factor authentication (MFA), be vigilant to spot phishing attacks, regularly update software and patch your systems. These are great recommended ongoing tips and are as relevant today as they’ve ever been. But times have changed and these best practices can no longer be the bare minimum. Read Now

  • Boosting Safety and Efficiency

    Boosting Safety and Efficiency

    In alignment with the state of Mississippi’s mission of “Empowering Mississippi citizens to stay connected and engaged with their government,” Salient's CompleteView VMS is being installed throughout more than 150 state boards, commissions and agencies in order to ensure safety for thousands of constituents who access state services daily. Read Now

  • Live From GSX: Post-Show Review

    Live From GSX: Post-Show Review

    This year’s Live From GSX program was a rousing success! Again, we’d like to thank our partners, and IPVideo, for working with us and letting us broadcast their solutions to the industry. You can follow our Live From GSX 2023 page to keep up with post-show developments and announcements. And if you’re interested in working with us in 2024, please don’t hesitate to ask about our Live From programs for ISC West in March or next year’s GSX. Read Now

    • Industry Events
    • GSX

Featured Cybersecurity


New Products

  • AC Nio

    AC Nio

    Aiphone, a leading international manufacturer of intercom, access control, and emergency communication products, has introduced the AC Nio, its access control management software, an important addition to its new line of access control solutions. 3

  • Luma x20

    Luma x20

    Snap One has announced its popular Luma x20 family of surveillance products now offers even greater security and privacy for home and business owners across the globe by giving them full control over integrators’ system access to view live and recorded video. According to Snap One Product Manager Derek Webb, the new “customer handoff” feature provides enhanced user control after initial installation, allowing the owners to have total privacy while also making it easy to reinstate integrator access when maintenance or assistance is required. This new feature is now available to all Luma x20 users globally. “The Luma x20 family of surveillance solutions provides excellent image and audio capture, and with the new customer handoff feature, it now offers absolute privacy for camera feeds and recordings,” Webb said. “With notifications and integrator access controlled through the powerful OvrC remote system management platform, it’s easy for integrators to give their clients full control of their footage and then to get temporary access from the client for any troubleshooting needs.” 3

  • XS4 Original+

    XS4 Original+

    The SALTO XS4 Original+ design is based on the same proven housing and mechanical mechanisms of the XS4 Original. The XS4 Original+, however, is embedded with SALTO’s BLUEnet real-time functionality and SVN-Flex capability that enables SALTO stand-alone smart XS4 Original+ locks to update user credentials directly at the door. Compatible with the array of SALTO platform solutions including SALTO Space data-on-card, SALTO KS Keys as a Service cloud-based access solution, and SALTO’s JustIn Mobile technology for digital keys. The XS4 Original+ also includes RFID Mifare DESFire, Bluetooth LE and NFC technology functionality. 3