Clearing up cloud confusion

The promise of the cloud, definitions, trust
Monday, August 17, 2015

DELRAY BEACH, Fla.—Cloud pioneers—security manufacturers who say they’re fully committed to cloud-based systems—believe it’s only a matter of time before all security systems rely, to some degree, on the cloud.

Cloud-based security systems are faster, cheaper and more flexible than traditional security systems, they say. So why isn’t the migration to the cloud a done deal? There is confusion about the cloud, according to Christian Morin, director of cloud services for unified security provider Genetec.

“The biggest obstacle to cloud adoption is the level of education and awareness. Many have heard of the cloud, but they don’t know what it is, and they don’t know the promise of the cloud. And there’s an inherent fear of the unknown,” Morin said.

Morin was speaking at TechSec Solutions 2015, which took place here. Morin, Dean Drako, CEO of Eagle Eye Networks, and Steve Van Till, CEO of Brivo, participated in a TechSec educational session, “Get off of my cloud.” Jeremy Brecher, VP technology, electronic security for systems integrator Diebold, moderated the debate.

Morin said Genetec, known for its IP-based VMS, which it introduced in the late ’90s, now also provides access control and license plate recognition on a unified platform. It introduced its first cloud-based systems in 2012.

“Genetec is traditionally an on-premises solution provider, but we see the migration to cloud as the next big thing to hit our industry. It’s going to be transformational in the same way that IP transformed the previous analog-based security industry,” he said.

Morin, Drako and Van Till spoke about the promise of the cloud and definitions as well. How far along is the industry in the move to the cloud? What characteristics must a system have to be a true cloud? What are the different kinds of cloud, and how do you ensure a cloud-provider is safe?

Cloud makes “access to solutions that much easier,” Morin said. “It’s faster to get up and running,” it’s flexible, and easier to scale up or down, and you only pay when you need to use it, he said. Instant software upgrades are “of the utmost importance,” he said.

Genetec “believes in hybrid cloud [systems]. It’s not an all-or-nothing play. In many cases you can’t go all cloud even if you want to. With hybrid, you start to put some components in the cloud and you keep some elements on-premises. … There’s always going to be some [components] present on-premises,” he predicted.

Van Till noted that Brivo, which offers access control, video surveillance and identity management in the cloud, has been a cloud-provider for “longer than anyone I’m aware of.”

Cloud is beneficial in terms of cost for both small- and medium-sized businesses as well as highly distributed organizations. The greatest benefit for the former is ease of use and ease of installation; for the latter, government or companies with 1,000 locations “get a lot of leverage from the intrinsic value of the cloud,” taking advantage of the network that is already in place, for example, he said.

Van Till shared NIST’s so-called 5-3-2 definition of cloud-based systems. The five essential system characteristics are: on-demand self-service; broad network access; resource pooling; rapid elasticity; and measured service.

What about the different types of cloud providers? NIST says there’s public and private.

Morin said Genetec is also seeing a lot of hybrid-type clouds, what he called “community clouds,” especially in government applications. It’s a private cloud “that caters to a specific community of users,” he said.

As for hybrid, Drako said he doesn’t like the term because it means different things to different people. Every cloud-based security system’s set-up “could be categorized as hybrid,” according to Drako, because, unlike a CRM system where everything is in the cloud, a security system always has some device or component (a door or camera) on-premises.

He did identify a subcategory of cloud: Clouds often need to be “partitioned,” he said. This is when data is sent to specified data centers and not all available data centers. Generally the partition falls along geographic lines, but not always. It depends on the specific needs of the client and the regulatory environment they operate in. 

Brecher asked about trust: How do end users and integrators determine if their cloud provider is safe?

To determine if a cloud provider is secure, it’s important to “trust but verify,” Van Till said. Third-party audits are a first step—but only a first step.

Drako concurred. “The reason Amazon is secure is not because it passed ISO 2001 … [or some other audit] but because it works harder at staying secure than any [audit/certification] would require,” he said.

Large companies or certain industries, such as healthcare organizations, have lists of up to 300 questions about a cloud provider’s security, infrastructure and practices. Van Till advised integrators and end users to come up with their own substantial lists of questions for cloud providers—both the software company and the data center, he said.

“Certain things you have to trust and certain things should be verified by a third party or your own internal team,” Van Till said.