We asked our customer for the IP address of their cloud access \u201cserver\u201d and ran a free, quick scan of its security. It was immediately categorized with an \u201cF\u201d for security. It’s likely any hacker could get in without trouble. That’s as unsecure as you can get. You might as well leave the front door not only unlocked but prop it open for the burglar.<\/p>\n
![\"f-Report\"](\"https:\/\/www.een.com\/wp-content\/uploads\/2017\/07\/Screen-Shot-2017-07-15-at-5.37.27-AM-1024x742-1024x742.png\")
<\/p>\n
On the other hand, we ran a similar scan of the Brivo OnAir access control system. Their report is below. As you can see, it\u2019s tight and secure. It\u2019s managed by professionals and is a true cloud system.<\/p>\n
![\"brivo-report-1024x486\"](\"https:\/\/www.een.com\/wp-content\/uploads\/2017\/07\/brivo-report-1024x486-1-1024x486.jpeg\")
<\/p>\n
Now, the problem we have in the Physical Security Industry is false claims in advertising. Here are some quotes from the fake Cloud data sheet:<\/p>\n
- \n
- 2048 bit certificate SSL encryption<\/li>\n
- Hardware encryption TLS 1.2 (Transport Layer Security)<\/li>\n
- 99.999% uptime<\/li>\n
- Distributed server architecture for security and performance<\/li>\n
- TLS Encryption with field hardware<\/li>\n
- Two-factor authentication<\/li>\n
- Inherent redundancy<\/li>\n
- Real- time Alarm Events – Zero latency<\/li>\n
- Vulnerability Testing – Combines proven, continuous 3rd party threat monitoring and vulnerability scanning through Veracode and Amazon Web Services<\/li>\n<\/ul>\n
That all sounds really good, but most of it\u2019s not true and some of it is irrelevant. Here are the facts:<\/p>\n
- \n
- They are not doing continuous 3rd party vulnerability testing. Our single amateur scan showed 10 different vulnerabilities that have not been remedied. Or perhaps they are scanning, they just are not doing anything about it!<\/li>\n
- You can\u2019t have ZERO LATENCY – unless you have figured out how to go faster than the speed of light.<\/li>\n
- The report shows they are not running TLS 1.2 and instead are running older version.<\/li>\n
- You are not going to get 99.999% uptime because they run on Amazon Web Services (AWS) and Amazon does not guarantee anything close to that – and putting multiple servers in Amazon won\u2019t achieve it either because Amazon’s whole shebang could have trouble.<\/li>\n
- ”Inherent Redundancy?” Redundancy is never inherent – you actually have to build it.<\/li>\n<\/ul>\n
Moral of the Story: Buyer beware. In the Physical Security world, there are charlatans selling \u201ccloud\u201d and \u201cSAAS\u201d solutions targeting the unsuspecting. You can get burned.<\/p>\n
Words of Advice:<\/p>\n
- \n
- Get a professional IT person to give you some advice when making your decision.<\/li>\n
- Don\u2019t trust everything a new vendor puts on a data sheet.<\/li>\n
- Look at the reputation of the people running the company.<\/li>\n
- Check references.<\/li>\n
- Make sure it\u2019s a TRUE CLOUD solution with real cyber security.<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"
We recently had a discussion with a customer regarding the cyber security of their \u201cfake cloud\u201d provider for access control. They had been sold a bill of goods for an …<\/p>\n