The great thing about cybersecurity is that it touches on many aspects of life, for example human psychology, behavior and physical security.

Indeed, converged security – the bringing together of cyber security and physical security – is an accepted strategy to reduce organisational risk.

So, as a cybersecurity practitioner, I need to know about and understand physical security controls.

For one recent project I conducted a review of a Video Surveillance as a Service or VSaaS system for a client. Instead of storing and managing closed circuit television (CCTV) video images locally, with this solution they are recorded and stored on a cloud server. This blog addresses a number of drawbacks in using CCTV as a security control.

But first, some background.

First generation CCTV employed analogue cameras connected to a black and white TV monitor needing the full attention of security teams. Next, the advent of video multiplexers allowed multiple cameras to be recorded to a single time-lapse video recorder using VHS tapes.

Image quality was often poor and recording capacity limited due to the available size of the videotape. Frequent re-use of video led to a gradual degradation of image quality, often rendering evidence useless.

The transition to DVR (Digital Video Recorder) with local hard disc storage improved the quality of image recording and processing. However, with no parallel improvement in camera technology, poor quality images were still the norm. Subsequently, vastly improved systems have been deployed that combine improved computer-controlled storage and processing with new or upgraded high quality digital cameras to deliver high quality images.

The fundamental problem with all of these installations is the need to process and store image data locally.

Local storage is costly to purchase and maintain and can hugely increase the time, effort and resources required to access recordings when needed. To physically access and download footage, permission has to be granted first. Then, the relevant site is visited, whether by the police or property owner, often in conjunction with a specialist CCTV company. Technical issues are common, such as media incompatibility or denial of access due to incorrect passwords.

Even when the data has been recovered, there is no guarantee that the correct time stamps have been set up, and the integrity of the evidence is reliant on the subsequent chain of custody. In many cases, there are no technical controls to preserve the data.

The good news is that there is now an alternative, as the evolution of cloud computing into what is now a commoditised, easily accessible platform is transforming the world of CCTV.


Advent of Video Surveillance as a Service (VSaaS)

Dubbed Video Surveillance as a Service (VSaaS), cloud-based CCTV is gaining a strong foothold.

It seems only natural that CCTV image data would be a strong candidate for being stored in the cloud. Locally stored data is subject to the limitations of local storage media – both VHS and DVR have a finite storage capacity. Local hard discs eventually fill up. The ubiquitous nature of the Internet, seemingly accessible from anywhere, makes connecting cameras relatively straightforward. Cloud-based CCTV should also make access to CCTV images far easier, requiring only a web browser and the appropriate authorization to login and view the data.

Security (or the perceived lack thereof) is usually the first objection to any system that makes use of cloud-based servers.

By their very nature, CCTV images can contain sensitive data that may often be subject to some form of investigation. If these images are tampered with, destroyed or otherwise compromised, the evidence will be tarnished at best or lost altogether. For many, being able to “put their arms around” CCTV hardware and a set of recordings offers a sense of comfort that is missed when dealing with remotely hosted images. Data protection issues also come to mind, especially if data is stored out of a local jurisdiction and may be accessible to those with their own agenda.

It is accepted that there is a mind-set change that needs to be put in place when moving to a VSaaS, but these concerns can be addressed. Image data needs to be managed according to the standard information security triad of confidentiality, integrity and availability.

Confidentiality – ensuring only the right people and processes have access to the video data at the right time. This can be implemented using security controls such as a login name and a strong password. Data encryption can be used to ensure image data remains confidential as it is moved from cameras to the cloud storage system. Once in the servers the data can remain in an encrypted state, only available to those with the appropriate decryption keys.

Local CCTV systems are often physically insecure and access to recorded media can be unprotected. In many instances, there are few controls regulating who can access the room in which a local CCTV system is stored, so it is difficult to produce an accurate audit trail. In addition, by default the recordings may not be encrypted or otherwise security protected.

Integrity – making sure that the data remains in its original form and has not been tampered with. This is normally enforced using a cryptographic primitive called a hash: a function that processes the video data in such a way that any attempt to alter or change it will be provable. The proof is only as strong as the protection of the reference hash value, so that value has to be kept or sealed separately from the footage it covers.

Standard media such as a DVD recording could be tampered with and images re-recorded with little in the way of automatic checks to demonstrate the integrity of the original data.
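An added example, not part of the original post: one way to make recorded segments and their time stamps tamper-evident with a hash chain plus a keyed seal. The function names, sample segments and key are hypothetical, and the post itself says only that a hash is used.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain start value
# Constructed sample data: three segments from one hypothetical camera.
SAMPLE = [("cam-01", "2015-01-10T09:00:00Z", b"constructed-frames-A"),
          ("cam-01", "2015-01-10T09:01:00Z", b"constructed-frames-B"),
          ("cam-01", "2015-01-10T09:02:00Z", b"constructed-frames-C")]
KEY = b"constructed-demo-key"  # in practice held outside the video store


def _entry_digest(prev, seg):
    """Hash one manifest entry together with the previous chain value."""
    body = json.dumps({"prev": prev, **seg}, sort_keys=True).encode()
    return hashlib.sha256(body).hexdigest()


def build_manifest(segments, key):
    """segments: (camera_id, start_utc, video_bytes) tuples in recording order."""
    entries, prev = [], GENESIS
    for camera_id, start_utc, data in segments:
        seg = {"camera": camera_id, "start": start_utc,
               "sha256": hashlib.sha256(data).hexdigest()}
        prev = _entry_digest(prev, seg)
        entries.append({**seg, "chain": prev})
    # The keyed seal binds the final chain value to a key kept separately
    # from the stored video, so a recomputed chain still fails verification.
    seal = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    return {"entries": entries, "seal": seal}


def verify(manifest, segments, key):
    """Return a list of problems; an empty list means the footage matches."""
    problems, prev = [], GENESIS
    entries = manifest["entries"]
    if len(entries) != len(segments):
        problems.append("segment count mismatch")
    for i, (entry, (_, _, data)) in enumerate(zip(entries, segments)):
        seg = {k: entry[k] for k in ("camera", "start", "sha256")}
        if hashlib.sha256(data).hexdigest() != entry["sha256"]:
            problems.append(f"segment {i}: content altered")
        prev = _entry_digest(prev, seg)
        if prev != entry["chain"]:
            problems.append(f"segment {i}: manifest entry altered")
    expected = hmac.new(key, prev.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["seal"]):
        problems.append("seal invalid")
    return problems
```

Because each entry is chained to the one before it, removing the last segment from both the footage and the manifest leaves every remaining hash intact and is caught only by the seal.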

Availability – this makes sure that the system and data are available to legitimate users at all times. Cloud-based systems are engineered to provide a robust service level agreement so that annual uptime is guaranteed. 99.99% availability equates to only 52 minutes downtime per year. If the internet goes down, failover to a local micro SD card is often found on more advanced systems, enabling continued recording, with images then uploaded when the connection is re-established.

Locally managed CCTV systems can also be switched off or tampered with to reduce their availability – either deliberately or accidentally. Recorded media can be lost, stolen or destroyed (for example in a fire) severely hampering evidence recovery.

As a cyber security practitioner I can see some real upsides to VSaaS. As long as the system has been implemented correctly, makes good use of data protection controls and doesn’t destroy your internet bandwidth, it seems pretty much a no-brainer.

– Nigel

