23 May 2022

Currently and unfortunately, there is no such thing as Cloud Police. If there were, two-thirds or more of the companies using ‘cloud’ in their advertising and documentation would be in Cloud Jail for seriously misusing the word in their marketing.

The term ‘Cloud’ is over-used and misused—sometimes intentionally and knowingly, but also often in ignorance. It’s just a word—but in the context of cloud computing technology, it does have a specific meaning in the United States. We may lack cloud police, but we do have a resource that defines cloud.

Video surveillance system

The National Institute of Standards and Technology (NIST) spells out the requirements in The NIST Definition of Cloud Computing (Special Publication 800-145). Regardless of where in the world your video system is located, there are certain fundamental attributes of a ‘Cloud Video Surveillance System.’


A modern security video surveillance system is composed of securely connected video cameras (IP cameras and/or analogue cameras with encoders), video recorders, video display monitors, and video management software for managing equipment configuration and system performance configurations and for providing system operations functionality. Based on the NIST definition of cloud computing and its essential characteristics, a true cloud system would have significant advantages over a traditional on-premises server-based system.

Cloud video management system

Here's what a cloud video management system should provide:

  • Infinite Scalability and ‘Only Pay for What You Use’ Pricing. Cloud video surveillance systems are a subscription-based business model. Integrators derive recurring monthly revenue from the subscription, and the end-user only pays for what they use. True cloud systems do not charge you for unused disk space.
  • Cloud Video System can be Operated and Managed from Anywhere. System management capabilities are off-site from camera locations for all system functionality. It should not be necessary to be on-site to view or export video or change system or device
  • Redundant System Functionality. The software system functionality is redundant, so in the event of a computing or networking failure, alternate computing and/or networking resources immediately take over without human interaction.
  • Recorder Isolation. Camera locations should transmit video off-site to a secure, SaaS service provider location.
  • Redundant Video Storage. Video should be stored redundantly for business continuity and disaster recovery purposes, and automatically swap-in redundant storage if primary storage fails.
  • Cybersecure Systems and Devices. On-site hardware, data transmission, and cloud systems must be cybersecure. Individual cameras must be protected from other cameras or devices on the network that could be malware-infected.
  • Intelligent Video Data Transmission and Video Data. The installer and users should be able to configure and adjust video traffic bandwidth usage, such as the percentage of available bandwidth. On-premises appliances should intelligently buffer video being sent to the cloud to accommodate fluctuations in internet bandwidth availability.
  • Retention Assurance for Every Camera. Recorded video retention periods must be individually configurable on a per-camera basis.
  • Instant Changes. Changes to video retention and/or user privileges must be instantly accomplished with the flip of a switch.
  • Internet-Based Integrations. Integrations with system functionality must be available through a single secure and well-engineered applications programming interface (API) available via a secure internet connection to the cloud-based system software.
  • Service Provider Account Management. A centralised dashboard for monitoring and managing reseller accounts.
  • System Performance Metrics. Maintain and chart a seven-day performance window of camera LAN and internet packet loss, camera LAN and cloud bandwidth usage, and per-camera video storage in hourly increments.
  • Automatic Cloud System Upgrades. Feature and system security upgrades to cloud system software and cloud user applications, including periodic software and firmware updates on-premises appliances, should be automatically provided as they are released.
  • On-Demand Periodic Full Hardware Replacement. To keep subscribed on-premises system physical hardware technologically current, provide on-demand complete hardware replacement at no charge every six years.
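The ‘Cybersecure Systems and Devices’ requirement above, that each camera be protected from other cameras or devices on the network that could be malware-infected, is concrete enough to show as a firewall policy. The following nftables ruleset is an added example written for this article; it is not configuration from the author or from any vendor discussed here. It assumes the on-premises appliance is the default gateway of a dedicated camera LAN (interface cam0, subnet 10.20.0.0/24, appliance address 10.20.0.1), that the appliance pulls RTSP from the cameras rather than the cameras pushing to it, and that the management side is a separate interface mgmt0. All addresses, interface names and ports are assumptions for illustration.

```nft
# Added example: nftables policy for an on-premises video appliance acting as
# the camera LAN gateway. Assumed names: cam0 (camera LAN), mgmt0 (management),
# 10.20.0.0/24 camera subnet, appliance at 10.20.0.1. Not from the article.
table inet camera_lan {
    # Cameras the appliance has enrolled. Anything else on the camera LAN,
    # including an infected device plugged into a spare camera port, is unknown.
    set enrolled_cameras {
        type ipv4_addr
        elements = { 10.20.0.11, 10.20.0.12, 10.20.0.13 }
    }

    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        # Management-side access control is assumed to live in another table.
        iifname "mgmt0" accept
        # Cameras may only reach the appliance's NTP service; RTSP sessions are
        # initiated by the appliance, so their replies match established state.
        iifname "cam0" ip saddr @enrolled_cameras udp dport 123 accept
        # Everything else arriving from the camera LAN is logged and dropped.
        iifname "cam0" log prefix "camlan-input-drop " drop
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        # Cameras are never routed anywhere: not to the internet, not to the
        # corporate LAN, and not to each other via this gateway.
        iifname "cam0" log prefix "camlan-forward-drop " drop
    }

    chain output {
        type filter hook output priority 0; policy accept;
        # Appliance-to-camera traffic is limited to the enrolled set and the
        # ports the appliance actually needs (RTSP pull, HTTP/HTTPS for config).
        oifname "cam0" ip daddr @enrolled_cameras tcp dport { 554, 80, 443 } accept
        oifname "cam0" ip daddr @enrolled_cameras udp dport 123 accept
        oifname "cam0" log prefix "camlan-output-drop " drop
    }
}
```

Load it with `nft -f` on the appliance. One caveat a practitioner should not miss: this ruleset only governs traffic that passes through the appliance. Two cameras on the same switch can still reach each other at layer 2 without ever touching the gateway, so camera-to-camera isolation additionally needs switch-level protected ports, private VLANs, or one VLAN per camera. The dropped-and-logged lines are also useful detection signal: an enrolled camera suddenly probing its neighbours or the corporate LAN will show up as `camlan-forward-drop` entries.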

Cloud computing characteristics

Cloud mis-marketing commonly occurs when vendors use public cloud data centre capabilities, such as AWS, Google or Azure, to provide parts of their customer solution, without actually providing the customer with the full benefits of cloud computing. In these cases, vendors are wrongfully labeling the products or services ‘cloud’ offerings.

Common mis-labeling includes:

  • On-Premises System Backups to Cloud Data Centre Locations. Whether it is a private or public cloud data centre storing a system backup in a cloud location, if a manual action is required to restore the backup system, this is not a cloud system.
  • Client-Server Based Applications Running in a Virtual Server. When a client-server application is installed in a virtual server in a public cloud—the same way it is done within an on-premises virtual server data centre—this is not a cloud application and does not provide the end-user with the benefits of cloud computing.
  • Browser-Based Client-Server Applications. Software running in a ‘cloud’ data centre can provide a browser-based interface without conforming to the essential cloud computing characteristics. The browser is not the determining factor in a cloud system.
  • Server Database Partitioning. Partitioning a single client-server application database into separate customer partitions is not a cloud ‘multi-tenant’ model. A shared database does not provide ‘different physical and virtual resources dynamically assigned and reassigned according to consumer demand,’ so this is not a cloud-system architecture.
  • Client-Server Camera Licences ‘Priced’ as a Subscription. Software companies that re-price their client-server software licences into monthly billings and call them cloud subscriptions are not providing a cloud subscriber application.
  • Remotely Executed Upgrades. Remotely executed periodic upgrades of on-premises system software, performed as part of a service or support fee, are not a cloud computing service—regardless of whether the software upgrade image is stored in a cloud location.
  • Assumed Cybersecurity. Service providers will on occasion mistake the cybersecurity credentials and certifications of their public cloud partner for the cybersecurity of the software service provider’s own application. See sidebar ‘Assessing A Vendor’s Cybersecurity Credentials.’

Cloud-Based applications


So how do we sum up true cloud? Based on the nature of its software functionality, true cloud provides maximum value for the subscriber because it’s engineered to take advantage of the characteristics of cloud computing to be cost-effective, flexible, and high performing for all use cases.

Any vendor providing cloud-based applications should be able to explain in detail how they have applied the five essential cloud computing characteristics from the NIST definition, on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service, for the benefit of the subscriber.

Provide independent validation

Assessing a Vendor’s Cybersecurity Credentials - When end-users and resellers assess the cybersecurity credentials of vendors, it’s essential to check the documentation, read the fine print, and ask the right questions. Fortunately, there are some easy best practices to follow.


It’s good news if your vendor has completed independent assessments such as SOC 2 Type 2 and ISO 27001. Both are rigorous: a SOC 2 Type 2 report is an auditor’s attestation that the vendor’s controls operated effectively over an observation period, typically six months or more, and ISO 27001 is a certification of the vendor’s information security management system. Together they provide independent validation that the vendor’s policies and procedures meet recognised cybersecurity standards.

Internal vendor network

Always take a close look at audits and credentials to determine if your vendor holds the cybersecurity credential themselves, or if the credential is held by one of their vendors. For example, some vendors who host software in the cloud—whether cloud applications or virtualised client-server applications—make the mistake of pointing to a SOC 2 Type 2 or ISO 27001 certification held by AWS or Azure or another public cloud whose services the vendor uses to run their software.

However, such reports and certifications apply only to the cloud infrastructure on which the vendor’s software is running. The reports do not apply to the vendor’s software and the vendor’s own cybersecurity and data privacy practices, the vendor’s development environment, its technical support personnel or any internal vendor network that connects to its cloud system.

Popular cloud computing


The vendor must establish SOC 2 and ISO 27001 compliance for its own organisation and provide that documentation. Other publicly available resources can be extremely helpful in assessing vendors’ cybersecurity credentials.

A great example is the Security, Trust, Assurance, and Risk (STAR) Registry provided by the Cloud Security Alliance (CSA), which documents the security and privacy controls of popular cloud computing offerings. At the self-assessment level, vendors can submit a free questionnaire (the CSA Consensus Assessments Initiative Questionnaire, or CAIQ) to show their security and compliance postures, including the regulations, standards, and frameworks they adhere to.

Any cloud application service provider stating they have engineered sound cybersecurity for their cloud offering should back up that assertion by participating in the STAR registry program.—Ken Francis.