Cloud systems offer a lot of utility, and for many users may be more secure than what that user could implement on their own, but they still have the inherent risk that you are trusting the operator to be smarter than you are (or, at least, as smart as you).
That's a good point. So Arcules or Hikvision Hik-Connect? Which cloud service do you trust more? :)
On a more serious note, I do think all cloud video surveillance providers are going to have to seriously define their process / procedures for allowing access to accounts / users. You will still need to trust that what they are saying is truthful / correct, but at least it shows some thought / attempt to restrict access.
Such wonderful spin from Andreas. It's the good old "WE are the victim here" sob-story. Painting the employee as a snitch with some ulterior motive is just the icing on the cake.
I have no reason to believe that Arcules is any better or worse than anyone else in their handling of account access. They're probably better than Amazon and their Ring team in Ukraine, but that's an extreme example - and evidently most people don't really care. I think you'll find that this is the case here as well.
In principle, the employee is correct - it's a security hole that Arcules employees can autonomously add user accounts (w/o logging it!). They can probably watch the cameras as well (probably w/o having to create a user account on their customer's system). The question many users are asking is this: So what?
I think we're sometimes overestimating the value of good and robust security to the regular users, and we're inflating the importance of it. Only to then be using it to beat each other over the head. All the while making all sorts of unreasonable assumptions about motives and completely ignoring Hanlon's razor.
This posturing can be confusing to honest employees, who think the companies are being serious. The employee then discovers a security hole, and to their surprise, she is met with shrugs and meh's... Under pressure from the customer and with no support from the company, the poor fella reaches out to John, and now everyone is a suspect and that person is probably not working there anymore.
To be sure, there are cases where security plays a major role, but surely no-one who takes security seriously would use a VSaaS solution, or even consider exposing their VMS/NVR/DVR directly to the Internet.
I'm guessing that the whistleblower, snitch, rat, whatever you want to call him/her is OK with being identified (to Arcules). I hope that's the case, otherwise it's pretty clear that IPVM is not the place to share such knowledge.
surely no-one who takes security seriously would use a VSaaS solution, or even consider exposing their VMS/NVR/DVR directly to the Internet.
That's not correct. From their internal messages, I saw 2 large companies that are household names and another that was a serious financial firm that was using (or at least piloting) Arcules.
So while I agree with you about most Ring customers not caring about the Ring / Ukraine security incident, Arcules is going after large and sophisticated customers that definitely care.
To your point, though, I was surprised these customers would even consider Arcules, given their overall issues and general risks of putting cloud-connected devices inside their enterprises. That said, Arcules has a lot of money and connections via Milestone. The question becomes can Arcules close / take over such accounts.
I'll agree that THIS customer took it seriously, and Arcules (seemingly) didn't - hence it escalated. Since I haven't seen the emails, I don't know how hard the whistleblower pushed for escalation, but it seems to me that reaching out to you was the last resort and so here we are. Ring users have little recourse against Amazon, and there's probably a stipulation buried in the 100 page EULA about this sort of thing.
I'll agree they take it seriously, but in a weird way. Like if I was "serious" about my health by reading a lot of articles about the consequences of a bad lifestyle and worrying a lot, but never actually exercising and living on a diet of donuts, coffee and fried chicken.
I expect the guy at the counter will tell you that fried chicken is not actually bad for you, and reminisce about his great granddad who ate a bucket of chicken every day, smoked 20 unfiltered cigarettes a day and lived to be 110 (he probably also worked in an asbestos factory since the tender age of 9).
Sure, I am exaggerating here, and so the question is - can an end user reasonably expect a secure VSaaS system, which - obviously - entails defining what "secure" means.
I think, in principle, it can be done - and with a level that even I would consider safe, so I don't blame the clients for assuming that Arcules has actually done it, and then wondering how on earth Arculess (which is how I will spell it from now on) staff was able to add some random user to their account. That sort of thing just smells bad. Like when the authorities find a rotten, moldy piece of meat in the fridge of a restaurant, and the owner (predictably) says "that was a one-time incident, and we cleaned it right up within 10 minutes!".
I guess having thought about it a little longer, I'll say this: I think there's a case for VSaaS even for companies that are serious about security. The question is - how do you prove that a VSaaS solution is secure without making the code publicly available?
What a shame. Some rules for professional VaaS/SaaS solutions:
The provider has no access to any customer related data or configurations.
A customer's administrator has no access to its own (video) content. Even a provider's administrator has no access to it (we use end to end encryption).
Any event/configuration/accident has to be documented in a protected protocol. A manipulation of this protocol has to be prevented or documented (we use a blockchain).
These and several more rules prevent professional service providers from losing confidence from the customers. And they are according to well known data protection and data security laws and rules. A cloud solution consists of a technical and a psychology part. Both are missing here.
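One way to implement the third rule above (a tamper-evident record of account changes, which also covers the unlogged user-account additions discussed earlier in the thread) is a hash-chained, append-only audit log. This is an added illustration, not Arcules' or the commenter's system: it uses a plain SHA-256 hash chain rather than a full blockchain, and the actor, account and domain names are made up.

```python
import hashlib
import json
from typing import Dict, List

GENESIS = "0" * 64          # prev_hash of the very first entry
FIELDS = ("seq", "actor", "action", "target", "account")


def _entry_hash(prev_hash: str, payload: Dict) -> str:
    # Canonical JSON so an identical event always hashes identically.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append_event(log: List[Dict], actor: str, action: str,
                 target: str, account: str) -> Dict:
    """Append one event; its hash commits to the previous entry's hash,
    so later deletion, insertion or edits break the chain."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    payload = {"seq": len(log), "actor": actor, "action": action,
               "target": target, "account": account}
    entry = dict(payload, prev_hash=prev_hash,
                 hash=_entry_hash(prev_hash, payload))
    log.append(entry)
    return entry


def verify_chain(log: List[Dict]) -> int:
    """Return -1 if the log is intact, else the index of the first entry
    whose sequence number, back-link or hash no longer matches."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        payload = {k: entry[k] for k in FIELDS}
        if (entry["seq"] != i or entry["prev_hash"] != prev_hash
                or entry["hash"] != _entry_hash(prev_hash, payload)):
            return i
        prev_hash = entry["hash"]
    return -1


def provider_actions(log: List[Dict], account: str,
                     provider_domain: str = "provider.example") -> List[Dict]:
    """Every action a provider-side identity took on a customer account.
    This is the view a customer would want for a review like the one in
    the thread; provider_domain is a placeholder."""
    return [e for e in log if e["account"] == account
            and e["actor"].endswith("@" + provider_domain)]
```

Deleting the provider's "add_user" entry, or editing its actor field, makes `verify_chain` return that entry's index instead of -1.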
I was selling network security in 1993 when "network security" was a packet filter on a router. At that time very few people had access to any WAN resources. That dynamic has shifted dramatically. The problem is not VSaaS security per se, it is that other companies that rely on VSaaS may not be as picky about security protocol as you are. For example, I still see people with their login information on a sticky note on their computer. I see people that are casual about the applications they download to their cellphones. The issue with VSaaS is a similar issue with security in an IoT environment: the more people that have access to a network resource, the more insecure it is. Home Depot and Target were hacked because 3rd party heating and A/C technicians downloaded malware to their PCs. That malware jumped from wireless thermostats to the computer network. In the past few months I have spoken with many integrators that, in their quest for recurring revenue, are pushing cloud solutions like Arcules. I am not suggesting that a VSaaS offering should never be considered. What I am suggesting is that it is a decision that should not be taken lightly. The security risks are not negligible and integrators would do well to cover risks and security strategies with their clients.