There are entire degree and certification programs devoted to computer and network security, along with millions of published articles and dozens more released each day. Because of this perceived complexity and the associated risk, a common approach in video surveillance has been to keep the system on an isolated network, even to the point of “air gapping” it: providing no external network connectivity at all and moving files only by physical drive. However, as a recent public IPVM article proclaims, change is coming to video surveillance.
Since we posted our article discussing Policies for Ensuring Cloud Security, we wanted to follow it up with a deeper examination of cloud security. If implementing effective security policies and controls seems overwhelming, the good news is that many system integrators and video surveillance vendors have cybersecurity expertise to help guide your internet and cloud service connectivity. Further, leading cloud service providers such as Amazon Web Services (AWS), Microsoft Azure, and Google Cloud all have a small army of security professionals on staff to keep your business safe. Here is a brief overview of the types of things that these cyber-security experts look at, whether they are a local technical consultant or an expert from AWS.
Defense in Depth
Defense in depth is a well-known information assurance (IA) concept for IT system security. The first defense technology is often the internet router and firewall where network traffic enters and leaves. There are numerous articles and best practices on controlling inbound and outbound traffic for effective security: Best Practices for Network Border Protection from Carnegie Mellon University and Remote Network Access for Video Surveillance Guide from IPVM (subscription required).
Once inside a corporate or organizational network, VLANs (Virtual Local Area Networks) can be an effective way to isolate network traffic and associated systems or data access. Video surveillance is frequently virtually isolated on its own VLAN. It could also run on its own isolated physical network and connect or bridge to another VLAN and then to the public internet.
Software-Defined Networking (SDN) is arguably a more flexible alternative to VLANs and a good fit for dynamic environments. In a complementary fashion, remote access to a largely isolated video surveillance system is commonly provided via a Virtual Private Network (VPN). There are a number of viable and common approaches to VLAN, SDN, and VPN connectivity and access.
Encrypting Internet Data
Another key element of security for both internal systems and cloud-based services is encryption of communications. Encryption is applied in several different places, and there are a number of encryption standards. A common standard for protecting data in transit over the internet is the aptly named Transport Layer Security (TLS). TLS is the successor to the older and more obscurely named Secure Sockets Layer (SSL), which is now deprecated. Back to routers and firewalls: HTTPS, which is HTTP carried over TLS, uses port 443 by default, so that port is a common funnel for secure application communication.
TLS encryption is used by default for URLs that begin with “https:” (the ‘s’ means ‘secure’, as in Hypertext Transfer Protocol Secure), the encrypted version of the HTTP that is used ubiquitously for internet communications. Sensitive cloud activities such as Customer Relationship Management (CRM) from cloud companies such as Salesforce should be performed over HTTPS, as should personal activities such as internet banking.
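What TLS actually buys a video system is shown below in an added Go example (not Pelco's code, and not any product's): a stand-in for a VMS or camera web interface listens with TLS 1.2 as the minimum version, and a client completes a handshake only when it can verify the server's certificate against a trust store. The certificate, the placeholder name "vms.example.invalid", and the loopback address are constructed for the demo; the listener uses an ephemeral port rather than the usual 443.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSignedCert builds a throwaway certificate and key for 127.0.0.1.
// Constructed for this demo; a real VMS or camera would carry a certificate
// issued by a CA that its clients already trust.
func newSelfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "vms.example.invalid"}, // placeholder name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// startServer listens on an ephemeral loopback port with TLS 1.2 as the
// minimum version, so legacy SSL/TLS 1.0/1.1 clients are refused. It returns
// the address to dial and the trust pool a client needs to verify it.
func startServer() (string, *x509.CertPool, error) {
	cert, pool, err := newSelfSignedCert()
	if err != nil {
		return "", nil, err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			// Completing (or failing) the handshake is all this demo server does.
			go func() {
				defer c.Close()
				_ = c.(*tls.Conn).Handshake()
			}()
		}
	}()
	return ln.Addr().String(), pool, nil
}

// connect performs a verified TLS handshake and returns the negotiated
// protocol version. roots is the trust store; nil means the system store,
// which does not contain the throwaway certificate, so verification fails
// and the client never sends application data to an unverified server.
func connect(addr string, roots *x509.CertPool) (uint16, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, MinVersion: tls.VersionTLS12})
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	return conn.ConnectionState().Version, nil
}

func main() {
	addr, pool, err := startServer()
	if err != nil {
		panic(err)
	}
	v, err := connect(addr, pool)
	fmt.Printf("trusted store:   version=0x%04x err=%v\n", v, err)
	_, err = connect(addr, nil)
	fmt.Printf("untrusted store: err=%v\n", err)
}
```

The second dial is the important one for a surveillance deployment: a client that skips certificate verification (a common shortcut when cameras ship with self-signed certificates) gets encryption but no assurance about who is on the other end. The fix is to install a certificate from a CA the clients trust, or to distribute the device certificate to the clients' trust store as the demo does with its pool.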
Encrypting Data at Rest
Another security option supported by nearly all cloud service providers is encrypting data “at rest.” The term “at rest” means the information stored on disk in a data center is encrypted to prevent its exposure in the unlikely event that the raw file store is accessible. These file stores are, after all, physical disk drives not unlike those found in computers everywhere. In a data center the disks are typically running in servers, locked in racks, or locked behind access-controlled doors, so they are physically secure. However, a weakness such as an incorrectly configured network can still expose the data to virtual snooping. Encrypting data at rest keeps it secure even if it is inadvertently exposed, provided the encryption keys are held separately from the data (cloud providers do this through their key management services) and access to those keys is itself controlled.
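As an added illustration (again not Pelco's code or any provider's storage format), the Go program below seals a constructed recording segment with AES-256-GCM before it is "written to disk", then shows the three properties at-rest encryption is meant to give: the stored bytes reveal nothing about the content, only the key holder can read them back, and any modification of the stored bytes or of the camera label they are bound to is detected instead of yielding corrupted video. The key is generated in memory here; in a real deployment it would come from the provider's key management service rather than sit beside the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sampleSegment is a constructed stand-in for a few bytes of recorded video.
var sampleSegment = []byte("CONSTRUCTED-SEGMENT cam-lobby-01 2024-01-01T00:00:00Z frame-data...")

// sealedSegment is what would be written to the file store. The layout and
// field names are this example's own, not any product's on-disk format.
type sealedSegment struct {
	CameraID string // stored in the clear, but authenticated with the data
	Nonce    []byte // 96-bit GCM nonce, unique per segment
	Data     []byte // ciphertext followed by the 16-byte authentication tag
}

// newKey returns a random 256-bit data-encryption key. In a cloud
// deployment this key lives in a KMS/HSM, never next to the data it protects.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// sealSegment encrypts one segment. The camera ID is passed as additional
// authenticated data: it stays readable for indexing, but a segment cannot be
// silently re-labelled as belonging to another camera.
func sealSegment(key []byte, cameraID string, plaintext []byte) (*sealedSegment, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(cameraID))
	return &sealedSegment{CameraID: cameraID, Nonce: nonce, Data: ct}, nil
}

// openSegment decrypts and verifies. A wrong key, or any altered byte of the
// ciphertext, nonce or camera ID, makes the whole segment fail closed.
func openSegment(key []byte, s *sealedSegment) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, s.Nonce, s.Data, []byte(s.CameraID))
	if err != nil {
		return nil, errors.New("segment rejected: wrong key or tampered data")
	}
	return pt, nil
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	s, err := sealSegment(key, "cam-lobby-01", sampleSegment)
	if err != nil {
		panic(err)
	}
	fmt.Println("plaintext visible in stored bytes:", bytes.Contains(s.Data, []byte("cam-lobby-01")))
	pt, err := openSegment(key, s)
	fmt.Println("round trip with the right key:", err == nil && bytes.Equal(pt, sampleSegment))
	s.Data[0] ^= 0x01 // simulate a corrupted or edited block on the exposed disk
	_, err = openSegment(key, s)
	fmt.Println("tampering detected:", err != nil)
}
```

Two design points carry over to real systems: the authenticated (GCM) mode is what turns "exposed disk" into "exposed but useless and unmodifiable" rather than merely "unreadable", and the separation of the key from the stored object is what the page's caveat about key control refers to; an attacker who can read both the file store and the key store has defeated the control.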
Ensuring that all servers, operating systems, software, etc. are maintained with the latest security patches and have effective identity and access controls is another essential part of cyber-security. A cloud service provider will typically ensure this to the degree they are able and as defined in their service level agreements.
Policies and technologies go hand-in-hand in providing effective cyber-security, and both increasingly extend into cloud-based services. The basic concepts for securing your company network are fairly straightforward, while protecting the information inside computer systems can quickly become more complex. Two main points to remember:
- More video surveillance capabilities, such as video storage and management, are moving to the cloud.
- There are expertise and people to help effectively implement both security policies and technologies.
What are your favorite cyber-security resources?
Learn more about Pelco’s surveillance solutions.