Many organizations are implementing, or have already implemented, cloud-based physical security services to supplement or replace instances of on-premises software and processing. The trend to make everything into “as-a-Service” has brought us popular cloud services including CRM systems such as Salesforce, communication systems such as GoToMeeting, and shared storage such as Box. Security systems “as-a-Service” are also rapidly growing, including cloud-based identity management, access control, and video surveillance, among others. With more than 20,000 cloud services available, consumers and businesses alike have quickly become accustomed to their advantages, including greatly improved access from any connected location, and greatly improved collaboration with other contributors.
One looming problem, however, is the mistaken assumption that cloud-based services have inherent cyber hygiene, regulatory compliance assurance, and service assurance – they don’t. In a broad sense, because cyber hygiene, compliance, and service assurance needs do not change or go away when services move to the cloud, security and IT managers need to work closely together and proactively make sure that the selected systems and policies will support their business needs and mandates.
Cyber-Hygiene and Cybersecurity
Many cloud-based solutions recognize that implementing cybersecurity is essential for their short-term and long-term survival, so they have invested in strengthening their defenses and in general do pretty well.
It is important to realize, however, that having a secure cloud-based solution doesn't necessarily mean that you’re cybersecure. Your users and endpoint devices still have to make network connections to reach the cloud service, and these connections may be open or unsecure. During operation, sensitive data is likely to be passing over wireless links, for example, and wireless networks themselves are not necessarily that secure. How sensitive is your data, and what is your risk tolerance for having that information or passwords intercepted?
Regardless of the cyber-hardness of the cloud service you are using, the reality is that your need for cyber hygiene doesn't go away because you're on a cloud-based solution. Knowing what devices are on the network and being able to maintain their firmware is required. You still have to be concerned about how communication between points is being handled, can that communication be intercepted, can additional data or commands be injected into that traffic or your network, and can control be given remotely. All of these questions should be reviewed by your security and IT teams to reduce the risk of data loss or worse outcomes.
Unless they are specifically designed for the task, in general, cloud-based systems do not monitor and manage for compliance and audit. In the case of a PCI audit, for example, an auditor comes to your store or similar location. Like many retail stores, your store might be using a cost-effective and easy cloud-based physical security solution. For the purposes of the audit, you will still need to gather the evidence that your systems have been operating correctly and that you have had control over them during the entire audited period of time – that’s the heart of any compliance standard. As the user or as the store owner, do you have control over your systems and can you prove it to us?
Things become even more complicated when a facility has a mixture of local security systems, such as video surveillance, mixed with cloud-based systems, such as access control. Many cloud-based security systems also incorporate on-premise data storage and processing so that the systems can continue to operate in the event of a network or power outage. Such a mixed or hybrid system adds challenges to the audit and compliance assurance processes.
Service assurance is the primary focus of Viakoo solutions, but as we will see in a moment, they also deliver cybersecurity and compliance benefits. Viakoo software agents monitor data traffic flows as well as the operation of critical system elements including video recorders to ensure that not only are all the cameras in the system working, but that the video they are capturing is actually being recorded. When Viakoo software detects a potential failure, it immediately analyzes the situation to find possible solutions and alerts management to the situation so that it can be corrected quickly.
With such service assurance tools in effect, cloud-based tools can be employed to bring together comprehensive systems to meet organizational objectives that feature ease of operation and perhaps reduced costs over time. The biggest advantage, though would be that the system would include the capabilities that Viakoo delivers, including not only service assurance, but cyber hygiene and compliance as well.
Viakoo has customers who operate cloud-based physical security systems as well as traditional ones, and many who have hybrids. This has given us a broad perspective on these issues, and how they can be solved. Our primary message is: Don't think a cloud-based physical security system brings you cyber hygiene, service assurance, and compliance reporting. It may not.
Viakoo solutions are designed for service assurance, but as part of this functionality they also monitor and manage for compliance and audit. So, in the case of a PCI audit mentioned above, the Viakoo automated reporting would come in quite handy – clearly showing exactly then the system was operating, any issues that arose, and what actions were taken to ensure compliance.
In the real world, your cloud-based physical security offering will not be assessed in isolation; it will be assessed along with all your physical and local systems as well. To show the effectiveness of your overall security operation, you're going to want what Viakoo offers in the form of an IOT device tracker, password checking, and other things to show that you've been on top of maintaining your systems for cybersecurity, and that you're doing it in a way that can be reported on easily.
Contact Viakoo to learn more about how to strengthen your service assurance, cyber hygiene and compliance!