Cloud computing appears to have been accepted into the IT mainstream as enterprises of all sizes increasingly adopt public, private and hybrid services. Whether they choose Software as a Service, Platform as a Service or any other flavour of aaS, they benefit from the flexibility, capacity, cost savings and ease of access that cloud offers.
[easy-tweet tweet=”Why have so #CCTV users been reluctant to innovate and move to the #Cloud?” user=”cloudviewcctv”]
One sector which has been so far reluctant to adopt any sort of cloud model, despite the potential benefits, is corporate CCTV. Why have so many CCTV users been reluctant to innovate and how can cloud help the corporate security community with the very unique challenges it faces? Police forces and utility companies are already using this type of system, but for the majority of corporates analogue solutions which require manual oversight still dominate the market.
The main reason for lack of interest in cloud-based CCTV appears to be the longevity of analogue technology. Only around one fifth of new CCTV installations are digital, despite the widespread availability of digital systems. Users give two key reasons for resisting change: it would require an expensive ‘rip and replace’ of their existing infrastructure, which is simple to install and works well; and digital CCTV is more complex, insecure and expensive to install. In this second point they are only partially correct, as analogue systems are equally insecure if they are connected in some way to a corporate network (e.g. via a DVR).
The main reason for lack of interest in cloud-based CCTV appears to be the longevity of analogue technology
With an installed base of hundreds of millions of analogue cameras, these concerns have been a deterrent for proponents of cloud technology because of the hurdle of connecting the cameras to the internet and the security problems this connectivity can bring. However, both concerns can be addressed by the latest generation of cloud solutions.
First, analogue systems can now be brought up to date and beyond without the need to replace cameras or recording equipment. In effect, users can now take an analogue camera and plug it into the digital world by simply adding an intelligent adapter. This enables footage to be streamed directly to a cloud storage system using standard internet connections − regular broadband, 3G or satellite services − with recording initiated either by automatic event triggers or manual activation. Users can view event-triggered alerts, live views of CCTV feeds and recorded footage from one or more cameras at one or more locations wherever and whenever they want via their smartphone, tablet or PC.
The costs of changing to this type of system are minimised because there is no need to replace cameras or cabling. There is minimal complexity, with no need for third party hardware such as routers and firewalls in order to connect to the internet. It can also be used to add remote monitoring and alerting to a CCTV system without the need for VPN tunnelling, fixed IP addressing or other configuration changes to ensure security from unauthorised access (hacking), or to add visual verification to intruder alarms.
The second reason many are reluctant to move to digital systems is security. Any insecure embedded device connected to the internet is a potential target for attacks. These are usually initiated by computer botnets, but in recent months we have seen major distributed denial-of-service (DDoS) attacks have been triggered by malicious requests from CCTV cameras.
[easy-tweet tweet=”DVR-based CCTV systems have a number of security weaknesses that leave companies vulnerable says @cloudviewcctv”]
Traditional DVR-based CCTV systems have a number of security weaknesses that leave companies vulnerable as an entry point for corruption and a pivot for attacking a corporate network. These include use of port forwarding, few automatic firmware updates, a lack of oversight because footage may rarely be looked at and a predisposition among manufacturers to include ‘back door’ functionality.
They are also vulnerable to data exfiltration – by their nature, DVRs carry a lot of network traffic in both directions. How can organisations tell what that traffic is and where it’s going? This, combined with their large hard drives, makes DVRs the ideal point to extract vast quantities of data from a network.
Adding a digital encoder to an analogue CCTV camera enables it to be connected to the internet but does not solve the host of security issues that come with internet connectivity. They are also expensive. Meanwhile many cloud-based video solutions use the same IP connection and ‘port forwarding’ techniques as an old-fashioned DVR, so the security problem remains.
However, cloud solutions are available which only require outbound connections. And because an adapter only has to perform a fraction of the functionality of a full DVR, it is much less powerful and hence much less attractive to a potential attacker.
A final aspect which must be considered is data security. The 1998 Data Protection Act outlines the steps that organisations must take to preserve the confidentiality of gathered data. CCTV users need to ensure that their potential providers have strictly defined controls around the access to, and management of, customer data, and do not share that data with a third party without the explicit consent of the user. To ensure that sensitive data is secured in the cloud, organisations need to look for systems that offer authentication, end-to-end encryption and a digital signature to ensure data integrity
It remains to be seen when the CCTV sector will fully embrace cloud technology
We recommend asking a potential cloud CCTV provider a series of questions to ensure that they comply with data security requirements, such as:
- How do you ensure secure communication between cameras and users?
- Once data has reached the cloud, how is it protected from unauthorised access, and what happens if the cloud system itself is breached?
- How is data integrity ensured? For example, how does the user know that the data is current and not from say two weeks ago?
- Where is the data held? The Data Controller must know where the data is residing and must be happy that it is compliant with Data Protection regulations.
It remains to be seen when the CCTV sector will fully embrace cloud technology. It offers significant benefits and can be added to existing analogue systems without breaking the bank or compromising security. Many cloud systems do have vulnerabilities but, more often than not, they offer the rigours of well thought out security and data protection standards which are likely to offer better security for a lower cost than those than can be implemented by a singular client. Moreover, they provide the physical security aspect of holding the data in a remote location.