SIA Standards Cloud and Mobility Working Group

Transcription

1 SIA Standards Cloud and Mobility Working Group SIA Standards Committee Security Industry Association Silver Spring, Maryland siaonline.org/standards

2 Acknowledgements SIA Standards would like to thank the following individuals for their contributions to this whitepaper effort and for launching the SIA Standards Cloud and Mobility Working Group. Steve Van Till, Brivo Systems (Chair) Dave Adams, HID Global Sal D Agostino, Idmachines Lars Suneborn, Oberthur Steve Surfaro, Axis Communications Charles Wheeler, Brivo Systems Rob Zivney, IDTPartners 2013, Security Industry Association. All rights reserved. Except as expressly granted by the Security Industry Association, no other implied or express license or right is made or granted by Security Industry Association to this work. Moreover, the documentation cannot be used, displayed, excerpted, modified, distributed, or offered for resale or use, without the prior written consent of the Security Industry Association. ii Cloud and Mobility Working Group

3 Introduction Cloud computing is transforming the physical security industry: Applications that were once confined to local, on-premise servers are now hosted in third-party data centers on the Internet. Critical security data that once resided on customer-owned storage devices now resides on service-provider data farms in the cloud. Monthly recurring subscription fees are replacing up-front capital expenditures and significantly reducing day zero investments. Installers and integrators are now expected to have a wide range of networking and information skills, and familiarity with a much wider world of standards than at any time in our industry s history. Similarly, mobile computing is changing the way that every business operates, and it has significant impacts on security: Applications need to be on-demand and uniform across devices, browsers and operating systems. Users demand a consistent experience and full-functionality whether on a personal computer, tablet or smartphone. Proliferation of personal mobile devices enabled for business uses have prompted enterprises to design procedures and policies governing network access for these devices. This has security implications. Security on a mobile platform can be the responsibility of multiple disparate stakeholders, including the mobile service provider, device manufacturer, application provider, system integrator and the enterprise. These developments and changes drive many standards discussions, and security professionals can use a comprehensive view of how they affect our businesses and our customers. Toward that end, the Security Industry Association (SIA) has formed the Cloud & Mobility Working Group, and presents this white paper as an overview of these topics. This document includes a suggested plan for industry standardization efforts that may be undertaken by this group. We welcome your participation in the Cloud & Mobility Working Group. As with all SIA Standards groups, it is an open forum in which anyone may participate at no cost. Please contact standards@siaonline.org. Security Industry Association 1

4 Scope and Purpose This white paper provides an overview of how cloud and mobile computing are transforming physical security systems, and where the new technologies and business models are driving security standards. The scope of the document is: A practical definition of what the cloud means to physical security A reference architecture for cloud-based security applications Interaction between cloud and mobility Examples of security application types currently deployed in the cloud The impact of the cloud on integration Candidate cloud and mobility standards Readers are invited to join the SIA Standards Cloud & Mobility Working Group to learn more, and to help influence SIA s future standards activities. What is the Cloud? Cloud computing has become the most widely referenced technology framework of the last decade. 1 Unfortunately, it has also become one of the most widely misrepresented technologies. Marketing claims from vendors and service providers often obscure the difference between real cloud applications and anything that just happens to touch the Internet. At the other end of the spectrum, standards and technology organizations have created abstract definitions of the cloud, making it almost unrecognizable to consumers and business people. Following is one of the clearest and most concise definitions we have found: Cloud computing is a general term for anything that involves delivering hosted services over the Internet. These services are broadly divided into three categories: Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS). The name cloud computing was inspired by the cloud symbol that s often used to represent the Internet in flowcharts and diagrams. A cloud service has three distinct characteristics that differentiate it from traditional hosting. It is sold on demand, typically by the minute or the hour; it is elastic a user can have as much or as little of a service as they want at any given time; and the service is fully managed by the provider (the consumer needs nothing but a personal computer and Internet access). Significant innovations in virtualization and distributed computing, as well as improved access to high-speed Internet and a weak economy, have accelerated interest in cloud computing. 2 When most business people reference cloud computing, they are really talking about SaaS, or Software as a Service, which is a complete turnkey solution for some sort of business problem 3. In other words, it is a finished application or service model 1 See References at the end of this document for links to additional materials As of 2012, SaaS was more than twice the size of IaaS and PaaS combined. 2 Cloud and Mobility Working Group

5 designed to perform a particular task, like word processing or accounting or, in the physical security space, services such as access control or surveillance. The other two service models for cloud computing, Infrastructure as a Service (IaaS) and Platform as a Service (PaaS), can both be thought of as raw materials that can be tooled into a solution, using a programming staff, engineers and time and money to make it happen. In that regard, IaaS is simply raw computing power: computers, disk drives, and network infrastructure that can be adapted to perform a given task when a user adds applications to it. PaaS is similar, but it includes a specialized rapid application or server development environment for programmers. Service models are discussed in greater depth later in this paper (Paginated reference) Following is a simple diagram that illustrates a number of the key aspects of cloud computing: Figure 1, The Cloud While there are many graphic representations of the cloud, this diagram illustrates several important aspects for the purposes of this discussion. The cloud is not a new technology per se, but rather a collection of very real physical servers, storage devices, networks, wires and communications technology all the things you would see in a traditional local data center. Considered in their native state with no other software installed, these components are what the industry refers to as IaaS (Infrastructure as a Service) The cloud hosts not just infrastructure resources, but also software applications that perform specific tasks, such as HR, security, finance, etc. Some are very specialized, while others are familiar applications such as and calendaring. These are examples of SaaS (Software as a Service). The cloud also refers to companies that use SaaS to provide a complete value proposition and business model as a finished service that anyone can purchase directly from the SaaS provider. All of the named companies in the picture are examples of this aspect. Security Industry Association 3

6 Mobility Mobility is one of the biggest drivers of technology and investment right now. In fact, mobile traffic as a percentage of total Internet traffic is growing exponentially and showing no sign of slowing down. Therefore, focusing on the cloud as though physical security customers will only be consuming services on standard Internet browsers would be extremely short-sighted. Anything consumed in a browser can be consumed on a mobile platform. Both end-users (purchasers) of security products and security service providers (manufacturers) should keep mobility and mobile devices in mind when purchasing or developing cloud services. Global Mobile Traffic Growing Rapidly to 13% of Internet Traffic Figure 2, Mobile Traffic, Source: StatCounter Global Stats 11/12 Mobile Service Considerations Web or Native Service: Will the service be accessed via mobile browser (web application), or will the service be designed as an application native to the device? Platform: If the service will be accessed from a native application, what platforms will be supported? ios, Android, Windows and/or Blackberry? Device: Will the service work as expected across devices? As devices proliferate, there are a number of form factors (mobile phone, tablet, mini tablet), device fragmentation within those form factors, and differences in embedded technology (cameras, nearfield-communications, SIM/UICC card, MicroSD, etc.) 4 Cloud and Mobility Working Group

7 Mobile Security Considerations Organizations certainly face risks and operational challenges associated with the use of employee-owned devices in the workplace. However, by applying sensible management and security polices coupled with deeper legal clarity and technological tools organizations can mitigate the fear, uncertainty and doubt associated with a mobile workforce, while enjoying the benefits of increased, convenience, portability and control. Mobility in Security Mobility has found many applications in the traditional areas of physical security, including access control, intrusion detection and mass notification. The area that is most advanced in the leveraging of mobile technology, however, is IP video. Industry practitioners estimate that within five years 75 percent of all physical security video will be accessed via mobile devices. Security professionals must prepare for the unique challenges that mobile video brings to network video systems, including high bandwidth and utilization; for many applications, anything less than a high definition (HD) video stream is unacceptable. Mobile video implementations introduce network and system load complexities that need to be planned into infrastructure, and this is a prime reason why an enterprise cloud strategy should complement an enterprise mobile strategy. Across all areas of physical security, implementers must bring together security, scalability and utility for end-users. Security Industry Association 5

8 Security Cloud Reference Model A note on terminology: In attempting to define a cloud computing reference architecture for physical security, it became obvious that we would need a shorthand term to substitute for that rather unwieldy phrase. Thus, the term security cloud will be used to denote a cloud computing system primarily designed to provide electronic physical security as a service. The term is close to the more widespread phrase cloud security which the IT industry, and this paper, will still use to refer to cyber security measures to protect all cloud architectures. While there are many reference models for cloud computing in general, SIA Standards is not aware of any that have been developed specifically to address the unique features of cloud-based physical security systems. Therefore, the simple model presented in the last section needs to be made more relevant to such systems. We believe it is important to do so in order to facilitate meaningful dialogue on the subject. SIA Standards also recognizes that defining a reference model for any technology domain is inherently risky for many reasons. First, there may be major architectural differences among actual implementations, and reference architecture may appear to unintentionally favor one system design over another. Second, technology changes rapidly, and the model runs the risk of becoming outdated. We hope that the reference model developed for this white paper will generate both feedback and greater participation in the SIA Standards Cloud and Mobility Working Group to help improve the model. Models are all designed to answer certain kinds of questions about a domain and leave other aspects undetermined. In our case, we have set out to create a reference model that answers the following questions about cloud-based security systems: Which parts of the system are in the cloud? Which parts of the system are on premise? Which components are specialized for the cloud? Which components are the same as in non-cloud systems? Where is data stored? What happens if connection to the Internet fails? How are redundancy and disaster recovery provided? Where does virtualization fit into cloud security models? How do cloud systems manage cyber security? Are cloud services the same as managed services? Standardization Candidate: Security cloud reference model. Having common terms of reference and an agreed upon abstract architecture. 6 Cloud and Mobility Working Group

9 Reference Diagram The following diagram is a visual representation of the cloud reference model for physical security, or security cloud. By the very nature of reference models, it is a generalization and abstraction of any actual cloud security system in deployment. It is intended show the major components of these system and the relationships between them. Figure 3, Representative Cloud Reference Architecture for Physical Security Premise Components The onsite electronic components of a cloud security system are, in many cases, identical to those of traditional on-premise server systems, albeit with several important exceptions regarding protocols. Below, we briefly catalog these device types and their roles in a cloud security architecture. Sensors: Sensors include all of the familiar input devices, such as readers, door state sensors, request to exit, motion and smoke detectors, etc. In a few cases, devices such as readers may also contain additional door control functionality and may connect directly to a cloud service. Usually, however, these low-level devices are still connected to upstream devices such as controllers or other intelligent devices. They are generally unaffected by cloud architectures. Controllers: Used as a generic term, a controller might be an access control panel, an elevator control panel, a burglar alarm panel, or any other device with embedded firmware applications and processing, and local cache memory. While many controllers already use Internet protocols to communicate with head-end software, there are usually higher-layer protocol differences for controllers that connect directly to cloud services. Edge Devices: For the purposes of our discussion, edge devices are considered to be a special subset of controllers. They are typically smaller in processing power than other controllers and service fewer sensors, but functionally, they play the same role: receiving input from a user and processing information. Security Industry Association 7

10 Cameras: IP cameras have been one of the major enablers of cloud-based surveillance systems. As with controllers, most cameras already use standardized Internet protocols to communicate with video management systems on the same network. However, cameras that connect directly to cloud services will also exhibit some higher-layer protocol differences for direct access to cloud services. Gateways: Among other duties, gateways perform protocol adaptation and/or brokerage services between devices on a local area network (LAN) and a wide area network (WAN) such as the Internet or cloud. Functionally, gateways can allow noncloud-capable devices to be used with cloud services by mediating the connection between the two. They are, therefore, useful as part of a bridging or adaptation strategy for cloud-based physical security services. Local Storage: Local storage plays a role in many cloud security architectures. It provides an on-premises data repository as well as resiliency against Internet or other communications disruptions. For example, local storage is often used in conjunction with cloud video or managed video services to allow high-bandwidth recording to a local medium and cloud-based storage, archiving and retrieval only for only offnormal events. Local Applications: There may be some helper applications running in one or more of the components described above. A local video storage device that normally operates with a cloud application, for example, may also support a local video server application to make video viewable when an Internet connection is not available. Cloud Components Local Applications: Deploying software as multi-tenant, rapidly provisioned, demand-elastic, pooled-resource applications is the signature feature of cloud computing. This model stands in contrast with the traditional deployment of singletenant, dedicated-resource systems at the user s premises. Note that simply moving a legacy application from the user premises to a remote data center does not constitute cloud computing. Servers: Servers that run the applications are housed at data centers, usually operated by a third-party business that specializes in operating data centers. Several models are still prevalent for server deployment, from co-location to IaaS and, for larger cloud companies, ownership of the data centers and all related computing resources. Cloud Storage: Cloud storage refers to pooled data storage equipment that is operated in the context of a cloud service offering. Many consumer companies operate cloud storage services for backup of personal computer files. Likewise, there are numerous cloud storage offerings that operate at enterprise scale to offload the burden of storage from IT departments. In the context of cloud applications for physical security, cloud storage figures prominently in hosted video offerings as well as every SaaS offering (since every application requires storage for data). 8 Cloud and Mobility Working Group

11 Virtualization: Often confused with cloud computing, virtualization refers to a layer of software that simulates a hardware platform or another software platform, such as an operating system. Its purpose is to allow multiple virtual servers to reside on a single physical server, thereby improving hardware utilization efficiency and simplifying many aspects of data center management. While virtualization is a technique often used in cloud computing systems, it is also used in non-cloud systems. It does not provide multi-tenant, resource-pooled applications that are characteristic of cloud systems. Resiliency: The ability of a system to compensate for a failure of one or more components. An example within physical security is the ability of a video system to switch over to local storage if access to cloud-based video storage is temporarily unavailable. This system should be able to recover to its original operating state when access to these services is reestablished. Disaster Recovery: The ability of a system to withstand and recover from the loss of one or more data centers. This differs from resiliency in that a loss of a data center can mean the absence of a number of critical services. Disaster recovery can include access to redundant data centers. Communications It probably goes without saying that, if a security system is cloud-based, it uses Internet protocols. However, the converse is not true: just because a security system uses Internet protocols, that fact alone does not necessarily make it a cloud-based system. Many marketers in the security industry attempt to blur this line, but it is important to maintain the distinction within our reference model. Two of the key differentiators in this regard are the interrelated Center to Edge Discovery and NAT Traversal processes that influence communications session establishment. Center to Edge Discovery: Many IP-based devices, including such common consumer products as printers and webcams, support a center to edge discovery and session establishment process whereby a computer (the center ) on the same Local Area Network can find the device (the edge ) using a standardized protocol such as Bonjour or Avahi. In the security industry, many IP cameras use these types of protocols to allow discovery by VMS. This all works fine so long as the center and the edge reside on the same network. Security Industry Association 9

12 Network Address Translation (NAT) Traversal: In the case of cloud-based systems, firewalls and Network Address Translation (NAT) block center-to- edge discovery and other session establishment techniques from working across disparate networks, such as a local corporate LAN and the Internet at large. In a distributed WAN cloud architecture the traditional center-to-edge discovery process must be reversed, whereby the local device ( edge ) finds the cloud application ( center ), rather than vice versa. Absent an edge-to-center session establishment design, legacy devices that rely on traditional center-to-edge discovery or a manual configuration process in lieu of discovery also require holes in firewalls that most IT security policies won t tolerate. Standardization Candidate: Defining a common cloud session establishment framework for physical security products will promote product interoperability, simplify integrator training requirements, improve information security, and increase performance for end-users. 10 Cloud and Mobility Working Group

13 Cybersecurity for Security Clouds Cybersecurity remains the number one concern among all businesses considering cloud services. Many surveys have documented the fact that data security and privacy considerations are the main impediment to universal cloud adoption. These are obviously important considerations for the physical security market. Both end-users and service providers need to understand the risks and mitigation strategies that are relevant to security and in particular cloud deployments. Unfortunately, the topic of cloud (cyber) security is far too large a topic to treat in any depth in this paper, but very extensive literature is available for the interested reader. For our purposes in this paper, we will describe three broad areas technology, policies, and processes that should be considered, and additional references will be provided at the end of the paper. Technologies Technology is often the first focus when cloud consumers ask what their providers are doing to protect their data, and with good reason. Without the right technologies in place, hackers could easily access databases and subvert online systems. Key technologies that should be deployed in any system include: Firewalls Intrusion prevention/detection systems Anti-virus and anti-malware scanners Access logging Encryption Identity management Most cloud consumers are familiar with the basics of firewalls, anti-virus and intrusion prevention systems but the other technologies may be new to some customers. Encryption: Encryption is commonly used to prevent intercepted information from being exploited by providing secrecy to communications and data storage. When evaluating a cloud provider, it is important that all sensitive information be encrypted both at rest and in transit. Encryption is one of a number of cryptographic processes that are used in delivering security for cloud services. Standards are a fundamental part of any cryptographic and encryption solution. An important component is management of the keys that are used for the operation. Identity Management: Identity management includes a number of enterprise policies, services and technologies. It is a must when dealing with a true multi-tenant cloud both from the user as well as the service provider perspective. To help ensure that only authorized users access information, a variety of methods are used. Smart cards, PKI, SAML, Out of Band on USB and mobile devices and Kerberos, as well as evolving standards such as the OpenID Connect and System for Cross Identity Management (SCIM) represent some of the options in the marketplace. In many cases this is addressed inadequately by a simple UserID and Password solution. There are Security Industry Association 11

14 A note on deployment models : Many readers who have been following the development of cloud solutions will be aware of the distinction between public clouds and private clouds. Public clouds are defined as systems that are offered to the public at large and shared among unrelated people and organizations. Gmail and Salesforce.com would be examples of public cloud solutions. Private clouds are defined as systems that are used by one organization alone. They may run similar software as public cloud systems, but they are closed off for one reason or another. Most of the systems that buyers will see in the physical security market are public clouds. Setting up a private cloud for all but the largest customers (e.g., federal government) defeats the economies of scale that are at the heart of cloud economics. Hybrid deployments can include both categories. identity application, enrollment, registration, issuance and lifecycle management associate with individuals and devices to consider. Policies Technology is useless without effective policies to govern how it is used. Several key policy areas that should be addressed as part of every security cloud system include: Providers should follow best practices, and use certified cybersecurity consultants and auditors to complement their own staff. There is no way that a handful of parttime IT security employees can match the collective knowledge of a qualified expert firm in this area. Cloud services customers should make certain that their provider has implemented policies to manage data, access, and storage. Customers and providers should both be aware that the type of cloud service plays an important role in which policies are most important. What works for a SaaS provider will not be as effective for a PaaS provider. The best resource available for further learning on this topic is the Cloud Security Alliance, an industry trade group dedicated to promoting standards for cloud applications. Processes Processes are the expression of policies, and several of the most important are: End-users should require their providers to have one or more standards security audits and/or penetration tests, such as SAS-70, SSAE-16, ISO 27001, or a relevant federal standard such as FISMA or FedRAMP. Without such an audit, there is no assurance that the provider has implemented or tested any cybersecurity measures. Providers should document each aspect of the cloud and be prepared to provide these documents to end-users. Knowledgeable end-users are not content with a black box cloud service and will expect to be able to review policies, test results and configuration documents that will affect them. Cloud Cybersecurity References The International Information Systems Security Certification Consortium (ISC 2 ) is a non-profit organization established to educate and certify information security professionals. The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within cloud computing, and to provide education on the uses of cloud computing to help secure all other forms of computing. FedRAMP is an emerging federal cloud security program that follows in the footsteps of the more familiar Federal Information Security Management Act (FISMA) regulations. Its goal is to outline a standard way for cloud services to be authorized for use in the federal government. 12 Cloud and Mobility Working Group

15 Service Models We introduced the concept of service models earlier when providing a definition of the cloud for physical security applications. Most of the cloud community has adopted language from NIST when referencing the three main service models. For this reason, we will adopt the lexicon from the NIST framework when referencing service models. Service Model Software-as-a-Service Distinguishing Characteristics Entire application offered by provider. No development or deployment from user. Readily accessible from client devices. User does not manage infrastructure or apps. Rapidly provisioned, pay-as-you-go. Platform-as-a-Service Provider offers hosted development environment only. User programs own applications. Provider manages lower layers of network. User pays for underlying resources and licenses. Infrastructure-as-a-Service Provider offers managed computing infrastructure; user is responsible for everything else. User pays for raw server/storage infrastructure. While these service models are often presented as several competing alternatives for using the cloud, it is far more useful to ask what they mean to end-users (consumers of services) versus vendors (providers of services). Below we examine which models are relevant for each stakeholder group. Security Industry Association 13

16 A note on managed services: Managed services refer to a subscription based offering in which a service provider uses a labor pool to perform administrative duties on behalf of the end-user. For example, in a standard SaaS system, the end-user would perform such activities as adding and deleting employees from an access control database, generally through a browser. In a managed service, the service providers charge the end-user an additional fee to perform these activities on their behalf. There need not be any technology differences between these approaches; it s just a question of the business model and who sits at the controls. End-User Service Models In the physical security industry, most end-users are not interested in developing their own security cloud. This process would include contracting with an IaaS or PaaS vendor, developing and deploying custom applications, and then using the resulting system as a service. Undertaking that process would defeat the purposes of using cloud services in the first place, which are to lower upfront costs, reduce maintenance expense and enjoy higher service levels. End-users, as security service consumers, can largely ignore the IaaS and PaaS service models. These models may be part of what their SaaS provider uses to make their system work well, but the end-user is typically not exposed to the IaaS and PaaS models in any direct way. The end-user experience is the SaaS experience. Provider Service Models By providers, we refer to companies who have developed a SaaS application for physical security and now offer it to security system customers as a service. For providers, it is very important to ask the question of which service models they want to use to create the end-user SaaS service they are offering. For example, a provider might decide to use an IaaS provider as a way of rapidly scaling their capacity at low capital cost, while lowering staffing requirements for IT technicians. A provider writing an entirely new application might decide that a PaaS development and deployment model is their most rapid path to market. However, in both cases, the SaaS experience should be transparent to the end-user. Detailed discussion of how to build a service offering is beyond the scope of this paper. Our real focus is on examining how these service models, and the SaaS service model in particular, are being deployed for security customer consumption in today s market. 14 Cloud and Mobility Working Group

17 The Cloud Model for Security Apps: Industry Survey We will now examine how the Security Cloud Reference Model and the SaaS Service Model are currently being used to deliver physical security services. Understanding what is already present in the market is a prelude to understanding where the security industry may find it advantageous to develop security cloud standards, which is the purpose of this working group. The following table presents an overview of the types of applications being delivered as cloud-based systems, and how they relate to the reference model developed earlier in this paper. The table identifies common local components, cloud components and service models in the current physical security market. Access Control Table 1, Reference Models vs Security Applications Local Cloud Service Models LAN UX Credentials Readers Controllers Sensors Web Server Application Database Hosted Video Cameras Web Server Application Video Storage Managed Video Cameras Local Storage Local UI Web Server Application Video Archiving SaaS Managed Service SaaS SaaS Mass Notification Identity Management Systems (IDMS) Identity and Entity Registration Credentials Web Server Application Database Web Server Application Database SaaS Managed Service SaaS Managed Service Lifecycle Management Readers (logical access) and other required endpoints. Security Industry Association 15

18 Standardization Candidate: Agreement on mapping between reference model and components, including nomenclature, present in each type of service offering in the industry. Integration Models From a systems integration standpoint, cloud services are integrated differently than most legacy systems. Following are several of the major differences, which all suggest opportunities for standardization. APIs vs. SDKs Cloud service providers typically do not distribute SDKs because SDKs are necessarily platform-specific, which is antithetical to the value of cloud applications. Instead, most cloud service providers publish API definitions that integrators and developers can build however they want. This usually means defining one or more Web services APIs from a family of protocols that includes SOAP, REST, XML-RPC, and several others. Subscriptions vs. Licenses Cloud service providers (almost by definition) sell subscriptions, not licenses. This changes the way that projects are bid, priced and scoped. It also raises questions of data ownership and recovery that are unique to the cloud service model. 16 Cloud and Mobility Working Group

19 Candidate Cloud Standards Throughout this document, we have identified a number of candidates for standardization. Determining which ones are actually pursued will be the subject of ongoing meetings of the Cloud & Mobility Working Group, which anyone is welcome to join. Reference Model The reference model (see Figure 3, Representative Cloud Reference Architecture for Physical Security), along with the nomenclature it uses, is a primary candidate for standardization. Having common terms of reference including an agreed upon abstract architecture and mapping of security cloud components are a necessary foundation for any further standardization. Technical We have identified the following technical candidates: Session establishment, by which on-premise or edge devices connect automatically to Web Services established by security system cloud providers. Best Practices We have identified the following best practices as candidates: CSA best practices are references for core cybersecurity of cloud services, but the working group believes that these should be extended for the electronic devices typically used in security systems. Privacy We have identified the following privacy policies as use case candidates: Privacy of video data Privacy of personally identifiable information (PII) Information Security The Cloud and Mobility Working Group will also examine existing standards and best practices in the areas of information security, compliance, and identity within the cloud. Security Industry Association 17

20 Relationship to Other Specifications The working group will develop a framework for understanding how SIA cloud standards are related to other standards efforts. We believe that it is important for SIA Standards to take a leadership role in various international standards organizations that have yet to address the matter of cloud implementations of physical security systems. References Cloud computing is a big topic, described by numerous articles, books, blogs, and formal treatments by standards organizations, government agencies and international bodies. The following references are by no means exhaustive, but rather a curated list that we believe will be most relevant to the security reader. Cloud Definitions National Institute of Technology and Standards Cloud Standards CloudStandards.org Cloud Standards Customer Council Openstack Open Cloud Initiative Identity National Strategy for Trusted Identities in Cyberspace Kantara Initiative OpenID Foundation Privacy Internet Privacy - American Civil Liberties Union Electronic Frontier Foundation Mobile Computing PCIA The Wireless Infrastructure Association 18 Cloud and Mobility Working Group