Security's Nebulous Side
AN INCREASING NUMBER of organizations are looking to cloud-based solutions for benefits ranging from outside expertise to cost savings to scalability. And one fast-emerging area of such services is security as a service for access control and video surveillance.
Typically, cloud-based providers store video footage and other information remotely, helping to ensure reliability and service continuity. For managers, the solutions can be accessed through any Internet-enabled Web browser. Some cloud solutions offer staff who can monitor footage off-site; they also may offer incident alerts and reports.
These service options may present smaller firms with a way to build something like an enterprise-class access control or surveillance system with relatively little start-up investment or ongoing costs, says William Rhodes, an analyst at IMS Research. This type of service can also benefit organizations that have widely dispersed buildings and facilities to create a more unified, centrally managed security solution without installing much on-site equipment.
One company, Osgoode Properties, has been rolling out an IP-based solution across numerous properties. The company has implemented one of the few cloud-based security solutions that integrates both access control and video surveillance capabilities into a single system.
The Energy Resources Department of the City of Mesa offers another example of how an organization can use a cloud solution; in this case, it is used to monitor a remote storage facility. Both organizations offer lessons for any operation interested in this approach.
Osgoode Properties of Ottawa, Canada, one of eastern Canada’s largest owners of rental properties, was looking for a way to beef up security at its approximately 20 residential and commercial locations. In some cases, particularly in less desirable neighborhoods, the company was experiencing ongoing “deviant behavior,” says Geoffrey Younghusband, residential portfolio manager. Loitering, graffiti spraying, and other criminal activity were common.
The facilities had a traditional, key-based access system, but this was proving inadequate from both a security and maintenance perspective, says Younghusband. Osgoode, on average, experiences about 30 percent tenant turnover annually, he says. Tenants would frequently leave without returning keys, creating access vulnerabilities. The company frequently found itself having to reinstall locks and redistribute keys, sometimes to hundreds of tenants. It was also clear that nonresidents were accessing some of the buildings. “It was very difficult to have 100 percent control,” he notes.
Stronger access. After a company executive asked Younghusband and other security managers to explore possible solutions, Younghusband consulted with a third-party access and security consulting firm, Double Vision of Orangeville, Ontario, Canada.
Double Vision suggested a solution from Brivo Systems called ACS Webservice, a Web-hosted security solution. A Double Vision executive demonstrated the product to Younghusband and other managers.
Younghusband says he was impressed with the system’s ease of use. The system, which includes IP-based technology, could be managed from any Internet-connected computer. He also liked the way the service could provide access control through key fobs, which seemed more manageable and secure than keys.
The system also promised to allow Osgoode to scale its access control and to eventually combine video functionality into the same system. For many rental property and other clients, the ACS system’s unified capabilities are a key selling point, says Carlo Di Leo, Double Vision general manager.
The company began installing the solution within a week of the demonstration, first focusing on one or two properties with particularly high loitering and other crime-related issues.
Installation of the new fob-based system took about a week for each building, Younghusband says. It mainly involved installing readers on doors and then connecting wiring to a power supply; the task tended to take longer when more wiring was required. There was no software to install, because that would be in the cloud.
After having the system installed in a building, Younghusband typically allows a transition period, usually of a few weeks, to help tenants adapt, he says. During this time, they can use their old keys as well as newly issued key fobs.
Installation has also involved configuring the Brivo software in the cloud. Presently only one manager, Younghusband, receives full administrative access. Property managers, covering about four or five buildings, are given lower-tiered privileges. Building managers each have a different, lower access level as well. In addition to different controls, each level also has a different degree of visibility into the system.
Managers can control access to the company’s facilities through the ACS Web portal—essentially, working in the cloud. The portal consists of a main screen with tabs located across the bottom that lead managers to areas including access control, the managing of access points or doors, and the generation of access history reports. The software can also be configured to send instant incident alerts via e-mail, pager, or cell phone, to specific security staff.
To date, Osgoode has installed ACS in about 14 buildings, managing access for about 3,500 users.
The system has made access control far safer and easier to manage, Younghusband says. If a tenant loses a fob, it can be instantly deactivated. The same applies if a tenant leaves and does not turn in the fob. “Keys aren’t simply floating around for people to use.”
The system also helps the company manage communal rooms. In the past, Younghusband and other managers would have had to physically lock certain rooms, such as laundry facilities, during certain hours. With ACS, doors can be automatically timed to lock during off hours.
The system also provides better data, says Younghusband. With ACS, managers can determine who entered a room when something may have been stolen, for example.
New video. Not long after beginning installation of the new access control system, the company decided that it wanted to improve its video surveillance capabilities. The company had video surveillance in many of its buildings but because it had purchased properties over more than a decade, it had inherited a patchwork of systems, often of varying quality.
Another major issue was storing the video footage, says Younghusband. In many cases, when a power outage or other computer issue occurred, video footage would be irretrievably lost. It could also be difficult for managers to properly back up data. Generating and maintaining consistent policies over the different systems was a challenge as well.
By implementing video surveillance through Brivo’s cloud, many of these issues, including backup and central control, would likely be improved, he says. With the help of Double Vision, the company began adding new cameras and integrating the surveillance technology into the ACS system.
With both the video surveillance and access control together, the system is not only easier to manage, says Younghusband, but it also has another level of security. Through ACS, for example, managers can check which key fob may have been used at one location. They can then easily get corresponding video footage, helping prove, for example, that the right person was using a particular fob.
Younghusband says working with a third-party vendor for both access control and surveillance has also improved overall efficiency and service. Another advantage of the ACS system is that it is automatically updated by Brivo, he says.
Both the fob system and the additional security cameras have had a deterrent effect, he says. Most buildings with ACS-based cameras and access control are now “incident free.” There has been a noticeable decrease in loitering in many buildings and surrounding areas.
Many tenants and managers have said that they like both the fob system and the increased video surveillance, he says. The added security has also helped the company in terms of marketing.
The cloud. One concern about implementing a cloud-based solution was the security of the data that would be transmitted and stored off-site, Younghusband says. When he and other managers first looked at Brivo’s security measures, however, they were “satisfied that the information would be secure and wouldn’t be used inappropriately.”
To secure customers’ data, Brivo has implemented a host of security measures ranging from encrypting Internet traffic to physically securing servers to conducting regular security audits.
As soon as users log into the Brivo site, the connection is secured with 128-bit Secure Sockets Layer (SSL) encryption; traffic remains secure as it travels to and from Brivo’s servers. The encryption is the same kind used by many financial companies to protect their Web services, notes John Szczygiel, executive vice president of business development at Brivo. SSL can protect against traffic “sniffing,” whether users employ a wired or wireless Internet connection.
Brivo’s Web site also recently earned a TRUSTe Privacy Seal, which involves a certification process and ongoing auditing. Privacy Seal requirements are based on a set of existing guidelines and best practices surrounding Web site data protection and privacy policies.
Brivo protects its servers with tools including firewalls, which are configured to only permit Internet traffic from the company’s public-facing Web site and from user account sessions, the company states. An intrusion detection system is also employed; it can detect signs of hacking and other unauthorized access and generate alerts and reports.
Brivo physically protects its servers, kept at a separate facility, with around-the-clock security guards. The facility is further protected with an access card system and video surveillance. In addition, customer service representatives (CSRs) and other employees are subjected to background checks. CSRs must also follow strict protocols in order to authenticate the identity of callers who might contact Brivo for such reasons as account changes or forgotten passwords.
Brivo also conducts regular security audits. Recently, the company completed a Statement on Auditing Standards (SAS) 70 Type II Information Security Audit. The audit, developed by the American Institute of Certified Public Accounts, helps ensure that sufficient data protection controls and processes are in place. It’s frequently used to gauge security at third-party service providers and is often employed in highly regulated sectors such as financial services and healthcare.
Securing customers’ data is an ongoing process and includes continuous monitoring for potential threats, says Szczygiel, “making sure you’re staying ahead of the people who might want to compromise what you’re doing.” Cloud service providers sometimes have more experience and resources to invest in security than individual customers, he says. Cloud providers “are uniquely poised to make the [necessary] kinds of security investments….It’s our business and really what we do.”
Overall, Younghusband says the system has been beneficial from a cost perspective. A major advantage of going with Brivo is that Osgoode can continue to scale out its security, he says.
Having video and other information stored off-site means the company doesn’t need as many of its own computers, he adds. Moreover, ACS has freed up Osgoode security staff to focus on other tasks.
The system has upfront installation fees that can range from several hundred to a few thousand dollars, according to Brivo. The service also has recurring annual fees ranging from several hundred to more than a thousand dollars.
Mesa Energy Resources
The Energy Resources Department of the city of Mesa, Arizona, wanted to boost security at a remote substation and storage facility. The energy company, which provides electric and gas services to tens of thousands of residents, had suffered from break-ins at the remote facility. Losses had equaled “thousands of dollars,” says Harry Jones, the department’s critical infrastructure protection coordinator.
The facility, which also receives natural gas deliveries and regulates pressure changes, had been secured with measures including a fence. But managers wanted to improve security, so they began researching possible video surveillance systems. They eventually chose a cloud-based system from Iveda Solutions. Jones liked that the system could be installed remotely with little additional cost in equipment at the site.
The vendor provided Mesa with a selection of possible cameras. Jones says the company chose one with strong tilt and rotation capabilities and a second with thermal vision capabilities, the SR-35 from FLIR Systems. Each camera was attached to a unit equipped with Internet connection capabilities via an integrated cellular-based router.
Mesa also made the choice between two basic types of surveillance offered by Iveda. With one, users can access video footage in real-time or after-the-fact and do the monitoring themselves. The other option is to pay Iveda to do the monitoring with its own staff. Mesa chose the latter. If suspicious activity is detected, Iveda can immediately notify appropriate authorities. The service also sends alerts about any incident to Mesa. Reports describe the incident and also include a link to the relevant video footage.
The system proved its worth from the start. Mesa received an alert shortly after installation. Although the activity didn’t appear to directly threaten the facility, the vendor notified nonemergency law enforcement. Jones received a report shortly after and could review the incident. In a separate incident, a trespasser appeared to enter the fence. After an Iveda alert, Mesa worked to strengthen part of the fence that had allowed access.
The cameras have also provided a deterrent effect, says Jones. Signs accompanying the cameras indicate that trespassers will be surveilled. Since the installation, he doesn’t think any equipment has been stolen. Mesa is planning to install additional cameras at other remote sites.
Jones generally accesses the system from his office computer. But he says that he appreciates that, if necessary, he can access video and other data through a mobile device, such as his iPad, which is useful when he’s out of the office or on the road, he says.
A key benefit of the service is the offsite video storage, which means that Mesa doesn’t have to invest in additional computers or storage equipment. The service has also given the organization’s security staff the ability to focus on other security matters, Jones says.
Cloud concerns. The security of storing data with a third party was a concern for Mesa, according to Frank McRae, the Energy Resources Department director. When first looking at Iveda, Mesa learned that the vendor had numerous safeguards in place, ranging from Internet traffic encryption to firewalls to physical security surrounding servers.
But one main reason Mesa was confident in the Iveda solution was the vendor’s designation, by the Department of Homeland Security (DHS), as a qualified antiterrorism technology provider, says McRae. Such designations, authorized by the SAFETY Act, began largely to help spur the adoption of strong antiterrorism technologies. Companies that earn the designation are protected from civil claims brought by customers in the aftermath of terrorism and criminal acts.
“I assumed that if [Iveda] was endorsed by DHS, then it would be secure enough for us,” says McRae.
Both Mesa and Osgoode Properties say they are pleased so far with the cloud option for its efficiency and cost savings. Both also appreciate the security and reliability of off-site video and data storage. As the market for cloud-based access control and video surveillance develops, more organizations may reap these benefits.