Accept no substitutes: Why the real cloud matters for your security enterprise
Steve Van Till
Like every new technology marching its way through the hype cycle, cloud computing has fallen prey to unscrupulous marketers. Their basic crime is to borrow the language, but not the substance, of technological innovation, and misapply it to their own products in a cynical bid to fool the public.
We’re now seeing this trend spread across the physical security industry, as it belatedly catches the cloud wave that the rest of the IT world has been surfing for about 10 years. In this article, I’ll try to explain the business differences between real cloud technology and the pretenders, and show why that matters to your wallet, your data and your risk management profile.
A model for cloud use in security
Just to establish a frame of reference for the rest of our discussion, the accompanying diagram shows an archetypal model of how cloud applications are used in physical security as a service.
In this model we define three domains of the solution:
Web -- which provides universal access to the functions of the service through a variety of secure, authenticated access techniques;
Cloud -- which is a physically hardened computing infrastructure that provides IP path redundancy, emergency power, geographically-dispersed disaster recovery and several layers of cyber defenses;
Facility -- in which local embedded devices, such as control panels, readers, cameras and other sensors, are deployed with software protocols that allow them to “phone home” to the Web applications that manage their data and provisioning.
The cloud defined
First, we should acknowledge that “Cloud computing” is a broad term that refers to many different deployment modes and business strategies. However, they are not all created equal. Some are turn-key, others roll-your-own. Some are highly secure, with audits to prove it, while others are easily exploited. Some are publicly accessible to everyone with a Web browser or mobile phone, while others are highly restricted to just one group of users, such as the government or military. For cloud-based physical security applications, all of these characteristics are important for both costs and risk management.
One of the most frequently cited reference models summing up these different aspects of cloud computing is provided by the U.S. National Institute of Standards and Technology, and captured in the following diagram:
The cloud and hosting: Not the same thing
One thing no one disagrees about is that “cloud” means “hosted” in the sense that the computing and data storage functions are hosted in a remote data center, rather than on the customer’s premises. This single fact is responsible for both the power and, ironically, much of the confusion about cloud computing. It accounts for the financial power of the cloud model by explaining at least some of its “economies of scale.” It accounts for much of the confusion because being hosted is a necessary, but not sufficient, condition for being a true cloud application.
We see the hosting concept treated as synonymous with cloud computing in the form of vendors placing legacy applications into a data center and christening them as cloud applications -- even though nothing about the application itself has changed. This strategy is simply playing “hide the server” and it does not bring any of the economic efficiencies of a true cloud application. Why not? Because one of the core requirements of cloud computing is software multi-tenancy, which is necessary for supporting the essential characteristics of cloud computing:
- On-demand self-service;
- Measured service;
- Broad network access;
- Resource pooling;
- Rapid elasticity.
Software multi-tenancy is defined in Wikipedia as “a principle in software architecture where a single instance of the software runs on a server, serving multiple client organizations (tenants).” This is important because it is the key to both the economic benefits and cyber security of cloud applications. It is the primary enabler of several of the essential cloud characteristics, including self-service, resource pooling and rapid elasticity.
It is also the core of the economic benefits of cloud computing because multi-tenancy allows the service provider to operate a single instance of the software application and spread the cost of running that single instance over the entire user population. For example, a cloud company that had 1,000 customers would use a single logical instance of the application, the database behind it and the storage system, and would be able to load-balance those 1,000 users across all the physical servers supporting the system. This deployment method results in extremely high efficiency for both computing resources and all of the IT support functions they require.
Contrast this with the “remote server” company that does not use multi-tenancy. It must run individual servers (or at least virtual machines) for each of its 1,000 customers. This means individual software licenses for each, individual databases for each, individual storage for each, individual patch management for each, and a small army of IT personnel to make it all happen. Not to mention the technical support headaches that come up when someone has to figure out which of those 1,000 instances needs attention for a customer complaint. As you can clearly see, this is a very low-efficiency model.
Implications for cost
The obvious implication of high-efficiency multi-tenant applications is that they provide a much lower operating cost for the provider and, therefore, the opportunity to pass on much lower costs for the end-user. Because lower Total Cost of Ownership (TCO) is one of the main Return On Investment (ROI) considerations for companies considering cloud service providers, this single characteristic is one of the main benefits of real cloud applications versus “hide the server” pretenders. Buyers need to understand this aspect of their cloud service provider’s business because it will determine how much the solution costs over the long term, and how much the vendor will be able to devote to new features and service improvements.
Implications for risk management and cyber security
The multi-tenancy or Software as a Service (SaaS) model also has important implications for risk management and cyber security. As you can imagine, it is much easier to secure data in a single database instance than it is to secure data in 1,000 (or a million) separate instances. Because cyber security continues to be one of the main concerns surrounding cloud adoption, this characteristic of the “real” cloud solution goes to the core of one of the most important vendor selection criteria in this market.
The cyber security benefits of multi-tenancy apply equally to the rest of the applications in a service offering because it is easier to defend a single logical instance of the application stack than it is to defend thousands of copies. It is also far more straightforward to perform the necessary cyber security audits, such as SAS 70 or the newer SSAE 16, against a single instance.
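The single-instance architecture described above only delivers its security benefit if that one instance enforces tenant isolation in one place, so that it can be reviewed and audited once. The following is an added example, not code from this article or from Brivo, of a tenant-scoped data access layer over a single shared SQLite database with constructed sample rows for two hypothetical tenants; the tenant is bound from the authenticated session, never taken from the request.

```python
import sqlite3
from dataclasses import dataclass

# Constructed stand-in for the single shared database of a multi-tenant
# application: one schema, every row tagged with the tenant that owns it.
SCHEMA = """
CREATE TABLE credentials (
    id INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    holder TEXT NOT NULL,
    enabled INTEGER NOT NULL DEFAULT 1
);
"""
# Constructed sample rows for two tenants (ids 1-3 are assigned in this order).
SAMPLE_ROWS = [("acme", "Alice Ng"), ("acme", "Bob Ruiz"), ("globex", "Carol Li")]

@dataclass(frozen=True)
class Session:
    """Authenticated identity. tenant_id is set at login, never taken from a request."""
    user: str
    tenant_id: str

class TenantScopedRepo:
    """The one place in the instance where tenant isolation is enforced."""
    def __init__(self, conn, session):
        self.conn = conn
        self.session = session

    def list_credentials(self):
        # Scope is bound from the session; callers cannot widen it.
        cur = self.conn.execute(
            "SELECT id, holder, enabled FROM credentials WHERE tenant_id = ? ORDER BY id",
            (self.session.tenant_id,))
        return cur.fetchall()

    def disable_credential(self, cred_id):
        # The tenant predicate is part of the UPDATE itself, so an id owned by
        # another tenant matches zero rows instead of silently changing their data.
        cur = self.conn.execute(
            "UPDATE credentials SET enabled = 0 WHERE id = ? AND tenant_id = ?",
            (cred_id, self.session.tenant_id))
        if cur.rowcount == 0:
            raise PermissionError(f"credential {cred_id} is not visible to tenant {self.session.tenant_id}")
        return cur.rowcount

def build_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO credentials (tenant_id, holder) VALUES (?, ?)", SAMPLE_ROWS)
    return conn
```

Because every query passes through this one layer, a single audit of it covers all 1,000 tenants, which is the contrast with reviewing 1,000 separate deployments.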
Why this matters for physical security as a service
All of these differentiators between real and fake cloud solutions matter for the success of this model in physical security applications.
First, we all know that our industry is very cost competitive, and that end-users demand a lot of value for their security dollar. That’s why the economic efficiencies of real cloud computing are important for both buyers and resellers. Over the long term, the better value solution usually wins.
Second, there is no more important characteristic of a physical security software application than its cyber security profile.
For these reasons, trust only a true cloud solution -- not some server hidden in a closet.
Steve Van Till is president and CEO of Brivo Systems. He can be reached at: