Page 79 - SyI Quarterly - Q3 and Q4 Edition 2023
Reduced Information Security Requirements – Although cloud systems do not entirely remove the
requirements for information security, data management and protection are much easier, as these
are usually handled by the cloud provider. As biometric data and CCTV footage are often classed as
special category personally identifiable information (PII), which is the highest sensitivity of data, they
must be carefully protected, as losses can result in significant fines from your local regulatory
authority (which is the Information Commissioner's Office in the UK).
Although these systems can have some fantastic advantages for security professionals, they also
have some limitations that need to be carefully considered:
Higher operational costs – Although they are cheaper and easier to install, cloud-based systems
usually require a monthly or annual service charge, which can get expensive for large deployments.
Careful consideration must be given to these costs as not only can these add up quickly, but they
can change over time.
They need a reliable IT network – Loss of network or Internet access will usually not prevent IoT
systems from working, but it can degrade the performance of the systems, such as by taking live
event monitoring offline. If an IT network already exists, additional networking equipment and
Internet connections may be required and, of course, it must be agreed who will be installing,
managing, monitoring, and paying for these additional systems.
IT and Information Security needs to be considered – These systems are essentially small,
network-connected computers, so they need to be carefully looked after and secured correctly. This
will require the services of a competent IT and Information Security function inside the organisation
deploying the new services. If these functions already exist, there will be a transition period as they
learn about the new systems and get to grips with them. If these functions do not exist, then they
will have to be budgeted for and sufficient capability allocated. Although a Hollywood-style hack
against a system is unlikely, it should be considered along with other IT-related issues such as
network failures, power failures, and failed software updates.
Shorter lifecycle – IoT lifecycles for equipment can be much shorter than traditional security
systems, sometimes as short as 3-5 years. This lifecycle, and the replacement costs, should be
checked with the supplier and planned for.
Governance concerns – There is a host of global legislation which controls how data is collected
and managed. If you are familiar with the Data Protection Act 2018 (known as the UK GDPR), the
EU GDPR, or the California Privacy Act, you will know how stringent these requirements can be and
how stiff the fines for non-compliance can be. Any data stored in the cloud must abide by these
laws and, as the data controller, it is your responsibility to ensure that it is handled correctly by the cloud
provider and stored in the appropriate country or countries. Careful consideration of the cloud
provider’s data storage and security policies will be required.
Supplier assurance is very important – What happens if the supplier of the systems you have
just bought goes bust or decides that they do not want to offer the system anymore? Will the
system still run, will another company take over the service and can you download your existing
video and log data? Careful consideration should be given to the supplier’s financial stability,
business relationships, and exit strategies, and these should be written into any contracts.