14 Aug 2015

More and more physical security systems are being hosted in the cloud. But are cloud-based security systems “safe?” It’s a question being posed by risk-averse security professionals all over the world, and one for which a clear, concise answer may be difficult to find. We decided to pose it to our Expert Panel.


Per Björkdahl ONVIF

Systems that are designed for cloud-based environments often deploy the latest and greatest security measures available, using sophisticated encryption. The integrity of the information transferred to and kept on the cloud, such as surveillance footage, is often safer than it is when housed in many autonomous systems. An additional question should be whether information is being managed safely. If the authentication principles are insufficient and weak passwords are allowed, it doesn’t matter how strong the encryption is. Because cloud based systems are exposed to the Internet, they demand strong authentication and increased operational procedures. Keep in mind, though, that if the cloud component of a system is mission critical and/or guarding lives, the designer of a security system would not compromise security by relying solely on the cloud for ongoing operations. The connection to the cloud is often not robust enough to be fully dependent on using the cloud.

Larry Anderson

There is no correlation between where a computer server is physically located and how “safe” it is from cyberattacks. It’s an illusion that a company can keep its information any safer by housing its own server versus using a cloud-based system. Any server that is connected to the outside world is vulnerable. You hear a lot about what cloud providers are doing to ensure the safety of their systems, and it all seems pretty convincing to me. Perhaps the strongest argument for the safety of cloud-based security systems is how many other critical enterprise systems are going to the cloud. Hacking of these critical systems could cause much more damage to an enterprise overall than a hacked security camera or door lock. You also see large entities embracing cloud applications, such as the U.S. government’s “Cloud First” initiative. It seems to me if it’s good enough for Uncle Sam ….

Simon Lambert Lambert & Associates

The technological evangelist in me wants to say yes. The cautious consultant in me says no. However, there is no reputable way of rating a system 49/100 and declaring it “unsafe” nor 51/100, or even 100/100, and therefore “safe.” Quite simply, if you’re connected to the Internet you’re vulnerable to unauthorised intrusion. The risk-benefit is a decision for each buyer to make with their own criteria. Physical security systems are not perfect but people buy them. The same is true for cloud-based systems. Sales and marketing folks are touting them like crazy just lately. A lot of it is tosh and spin designed to fool the layman, such as: analogue = poor, digital = good, only IP cameras can be viewed remotely, only off-site storage is wholly safe. All untrue. If the people peddling misinformation tell us that their cloud technologies are safe, why on earth would we believe them?

Jumbi Edulbehram NVIDIA

Before answering the question, it’s important to be clear about what one means by "cloud-based" systems. In the security world, it can mean several things, from the ability to remotely access local (on-site) access control or video systems, to simply having edge devices on site and having video and data stored in the cloud. For securely accessing data over the cloud (i.e. the Internet) from local sites, some basic best practices should be observed, including: Changing default user names and passwords – this is perhaps the biggest security threat for remotely-accessible systems; opening as few networking "ports" as possible and managing the security on the open ports; and encrypting video and data in transit. For video and data stored on a remote "cloud" server, one needs to ensure that the service provider or co-location facility has the necessary security precautions and certifications in place and that they’re audited on a regular basis.