Axis VSaaS Myths - Issues and Inaccuracies

JH
John Honovich
Published Mar 28, 2011 00:00 AM
PUBLIC - This article does not require an IPVM subscription. Feel free to share.

A March 2011 Axis 'op-ed' piece on Hosted Video published in SDI Magazine [link no longer available] promised "Myths busted and truth revealed!" Despite the grand pretenses, Axis manufactured a dangerous new myth and significantly misinformed the community. In this note, we examine a number of issues and inaccuracies in the article.

The article attempts to prove that hosted video is safe and ready for real world use. In the opening, Axis challenges, "Think it's unsafe or not for you? Think again."

Their strongest, but absolutely incorrect, claim about online video safety is that "certain compliance regulations must be met by hosting providers to offer video-as-a-service, including SAS 70 , RSA Encryption and ISO 27001-compliance." Not only are these not required but, in practice, today's crop of hosted video surveillance providers rarely meet these 3 elements.

The best characterization of today's VSaaS market is the wild wild west where no regulation exists and numerous small companies experiment with novel solutions. This is great for innovation but terrible for information security. Any security user who is concerned about the security of their off-site stored video should be extremely careful about using VSaaS.

We contacted Cygnus, the publisher of the article, about our concerns. They responded that "The article was updated [link no longer available] as soon as we learned of this misunderstanding, and SD&I is running a note in their May issue to alert readers of the online update." The online version was changed to state those specific regulations 'should be met' rather than 'must' be met.

Furthermore, they objected to our referring to this as an inaccuracy:

"What you refer to as an “inaccuracy” is a subtle language difference between an imperative and a subjunctive phrasing. Having noted that the phrasing could be read both ways after the article was printed, we changed the phrasing in the online archive to clarify the meaning – to clarify that these suggestions were opinions, not requirements. Of course, verb modality changes like this sometimes are not spotted before printing, but we make every effort to correct mistakes or clarify opinions -- as we have done here."

Even the correction is problematic. Saying that they should be met and not informing the reader that they are rarely met is very misleading. It also significantly undermines Axis's case for hosted video being secure. Maybe the providers should be meeting these regulations but since most do not, this more strongly shows that hosted video is insecure - the opposite of Axis's claim.

The article has a number of other misleading elements, primarily conflating Axis's own hosted video offering with the general market including claims about NAS support, cameras only connecting to the service, eliminating complex setup, etc. While these are all strengths of the Axis solution, many rival providers do not offer these features. The article incorrectly implies that these are common or standard hosted video elements.

In disproving the myth that hosted video is too costly, Axis makes an extremely weak case that, "an IP-based hosted video solution in some cases can turn out to be a lower capital expenditure than installing an analog solution for small camera count systems." We've debunked this previously with Axis never responding or disproving our analysis.

Op-Ed or Advertorial

Our other key concern is the article is being presented as an op-ed piece rather than a promotion. Only at the very end of the article is Axis's name even cited. Nowhere in the article is it mentioned that Axis even has a hosted video solution. Despite this, the article has an infomerical tone (e.g., myths busted, truths revealed, think again, etc.). We asked the publisher about the positioning of the article:

"This column is an op-ed piece. The byline [name of the author] at the beginning and the author statement at the end are sufficient and standard credit. The author statement historically appears at the end of any article, whether that is an online article, a magazine column, or a piece from the op-ed page of any major newspaper.

Certainly, we are not trying to hide the fact that Fredrik Nilsson (one of the most recognizable figures in this industry) works for Axis Communications and that Axis Communications sells video surveillance solutions. In fact, we asked Mr. Nilsson to author this column largely because of his very active thought leadership role in the industry. "

While we suspect most integrators do not know who Fredrik Nilsson (or any manufacturer employee) is by name, this approach is common in the physical/ electronic security industry. Nonetheless, we do not believe this is right nor in the best interests of the community of integrators or end users. Indeed, in other technology segments, magazines clearly disclose potential conflicts up front. See a good example of how Network World handled a submission of March Networks [link no longer available] with an up front disclaimer. Additionally, even in our own industry, Info4Security does a better job alerting readers to potential conflicts (see the HDcctv's 'contribution' as an example).

Axis has every right to passionately advocate for their position. However it's dangerous to claim that an obvious promotion for a company's own solution is 'thought leadership.' Creating a new myth and misinforming the community under the guise of such 'leadership' is simply wrong.