The IP Camera Lock-In Trend: Meraki and Verkada

Meraki's camera models are fairly limited and currently don't comply with local regulations in much of the Arab Gulf region. Many Meraki network customers may not necessarily want their cameras. 

Currently testing their D50 model and its slick technology with easy setup and convenient access. It will be hard for them to break into organizations with out having 3rd party support. No company will be removing their extensive camera network to install a new trend. 

For Meraki cameras are only an accessory to their systems. Their business model is strongly aimed to retail or multisite and based mainly on network switch, access point and firewall managed by their platform. Of course a camera can be an easy upselling for retail, using an already present (and well performing) cloud management platform.

But, being an accessory, can be removed from lineup easily. I would not build my surveillance system (that usually has a lifespan of many years) on a network vendor that sells cameras...

Some background before I get to the Meraki cameras: I'm an IT person biased toward open-source solutions, working professionally with open-source going back to the 1990s. My degree is in Physics and I have a photography hobby. I spend a lot of money and time on photography, so my expectations for what the IP cameras should do is very high, no doubt beyond what many IPVM customers or integrators need or think about. 

I came to IPVM because of IPVM's transition to Ethernet cameras. I was introduced to Panasonic network cameras that a nearby church wanted to make work ~10 years ago. We eventually installed several of those Panasonic cameras and they worked well for many years. 

I'm going to explain why we now use Meraki network infrastructure to give context at the end to how I view the Meraki cameras. BTW, we fully embrace PoE Ethernet switches and Axis cameras. 

About 5 years ago, a professional associate introduced me to Meraki Security Appliances (routers) when they first came out and our company gradually started using them. Now, we're pretty much all-in with Meraki Security Appliances, because they work well and they incorporate Cisco's most advanced IT security research (Cisco Talos) in the Meraki "Advanced Security" license for their routers. Yes, it's an annual license with high RMR to Cisco, but the tradeoff is fair, in our opinion, because of how much work you're able to leverage on the security research and implementation side by Cisco.

Network security and integrity is only as good as its Security Appliance and the people who manage the Security Appliance. If you have the world's greatest IPVM installation on a LAN that doesn't have an enterprise grade Security Appliance with up-to-date threat intelligence, analytics, and hands-free remediation capabilities, you're leaving an attack surface that may not properly notify you of an intrusion into the network or data exfiltration. Witness the OPM Data Breach, where my own OPM records along with 21.5 million other American's records were stolen. At this point there have been so many significant data breaches that everyone should be concerned about the entry/exit points to the LANs where we do our work. Meraki is top-notch here, and if setup properly, Meraki Security Appliances could have prevented or informed about several of the largest data breaches. Security rules get updated daily, and firmware usually gets updated twice a year. So two thumbs up on all the Meraki Security Appliances. The Meraki Security Appliances beyond the least expensive models are manufactured in Taiwan. 

The next Meraki item that works really well are their Wireless Access Points (WAPs). Competitors have lower cost products, but those lower costs products are mostly manufactured in China. The Meraki WAPs cost a lot up front but regular firmware updates keep them up-to-date, and the recurring monthly fee for the WAPs is much lower than with the RMR for the Security Appliances. The Meraki Wireless Access Points are manufactured in Taiwan. 

The Meraki switches are where you must make a decision to really embrace the Cisco Meraki philosophy, because Ethernet switches that cost 1/5 what the Cisco Meraki Switches cost generally work OK, although there are no analytics on low end switches, and if a low-end switch or one of its devices fails, you can spend hours trying to figure out what's wrong. For Meraki switches, you'll likely be notified by email in real time when something goes wrong and the analytics direct you to the exact problem and the location of the problem. There's no way to deliver this level of functionality and not have RMR, and we've used a lot of open-source software for a long time. As with the WAPs, the recurring monthly for Meraki switches is much lower than with the Security Appliances. The Meraki Wireless Access Points are manufactured in Taiwan. 

That brings us to Meraki cameras and Meraki's now discontinued VoIP phones. Cisco is a company that has grown through many acquisitions by moving fast wherever it sees an opportunity. Sometimes they hit a home run on a new acquisition, and sometimes they decide after 10 years to let an acquisition go - Linksys. During Cisco's evolution, the payment models for customers has shifted from:

Pay a lot up-front, with the vendor even making money on financing the purchase cost

Pay less up-front, but pay an annual license fee to the vendor

Pay much less up-front, but pay a recurring perpetual license fee to the vendor

We've seen Microsoft embrace this payment model too, and Wall Street's opinion is that in a tech environment that's highly deflationary, the third option is the best way to try to maintain high public market value. Office 365 is a good example where there is more value delivered via the third option, so the transition has been successful. WeWork is an extreme example of the third option. 

When I realized that the Panasonic IP cameras weren't going to take me where I wanted, I asked an ISC East vendor which camera line could I embrace and not have to change from a few years down the road. After asking me a few questions, he told me Axis, and I've stuck with Axis, and am pleased that they were acquired by Canon due to my photography side. Since an Axis camera is basically an open-source server, I am able to email camera images in near real time, and to archive Axis camera images regularly using all our open-source infrastructure. We haven't yet had a need to use commercial image logging and cataloging software, but if we get to that point, I'd still try to incorporate as much open-source technology into that project as possible (FreeNAS for network storage). The last Axis outdoor camera that I bought, an AXIS P3364-L outdoor dome, cost $855 in Nov, 2016. It's PoE powered by a switch that's 100 feet away, it works great, and there is no recurring fee. The camera was made in Poland.

If we wanted to setup an AXIS camera with SSL encryption to the offsite storage, we could do that for a new installation with a bit of work. But if you have a lightweight Meraki Security Appliance like the Z1 at the remote site with the AXIS cameras, and a separate Meraki Security Appliance where you're trying to view the camera from, there is de facto end-to-end encryption over a VPN tunnel, without having to do much in the way of configuration or setup. That's a huge win for ongoing maintenance and remote troubleshooting. So don't write out Meraki Security Appliances just because you don't like the RMR model for their network cameras. 

In terms of addressable markets, I've noticed that Meraki often mentions the Educational and Retail markets, neither of which I'm engaged in. Educational IT seems to be a bit of an island, different than corporate IT, until you get to larger colleges, where they have full-time staff that negates the need for a consultant. Smaller educational institutions probably welcome the empowerment that the Meraki infrastructure gives their staff, who are less technical than IPVM readers.

Someone mentioned the need for a persistent WAN connection. Anyone in the USA with a business or school that does not have a persistent WAN is at a huge disadvantage. To the extent that schools still exist without persistent broadband WAN connections, I suggest people push those schools to correct this deficiency. Any modern school library must have Internet access, and non-VoIP phone systems are disappearing, and within a few years there will be zero support for non-VoIP phone systems. 

On the other hand, we do business with a large publicly traded multinational enterprise ISP, Cogent Communications, and they're almost 100% Cisco enterprise network infrastructure (different from Meraki) and 100% fiber optic connectivity. This is the future - cheap, persistent, robust bandwidth delivered over fiber optic cable. I suggest people migrate toward this mindset of cheap, persistent, robust bandwidth and build your business on that premise. 

Sorry for the length of this post, hopefully there's some useful info here for at least some of you. 

--

J Robert Burgoyne in NYC

I agree with David that convenience and simplification generally win in the marketplace. We can lament that this is happening or accept it, try to leverage the principle, and move on. 

Michael, circa 2019, unless a facility is critical infrastructure such as a power plant or national defense facility, the facility is not likely to a) be manned 24x7 with someone who watches the LAN, and b) not have a robust WAN connection to the Internet.

Without a robust WAN connection to the Internet, there's no offsite visibility into the analytics of the LAN. I can't see significant clients planning for a future without a persistent WAN connection or being OK with a lack of LAN analytics. Newer Security Appliances (routers) come with LTE failover to insure persistent WAN connectivity for locations where the primary wired ISP is not robust. 

Another function that requires persistent WAN connectivity is enterprise Single Sign On authentication - SSO. Gone are the days when onsite authentication without cloud based backup or primary authentication was adequate. This is something I ignored for years, but many enterprise applications now insist on a cloud based SSO such as Microsoft Azure Active Directory (AAD) or similar offerings from Amazon Web Services (AWS) or Google.

Cloud based secure authentication isn't free if you want analytics and the ability to reject login attempts from unknown locations, lockout repeated login failures, etc. But you the administrator also gain the real-time ability to grant or revoke access to all SSO enabled systems and applications - for example to revoke system access, including keycard access to a facility, for a disgruntled employee. I can think of many use cases for security where a persistent WAN connection is needed and desirable.

As for bandwidth, I have 100Mbps FiOS in my apartment (~$100 monthly) and our key locations have 1Gbps Cogent Fiber Internet connections (~$1,000 monthly). Under such circumstances, you're better off using the bandwidth as an available resource to create redundancy and disaster recovery capabilities instead of being concerned about saturating the pipe. If you've never done a daily 500GB offsite backup it seems intimidating - but it's not a big deal anymore.

Most regulated businesses now have statutory obligations for offsite backup and archiving of data and improved Cybersecurity policies per the NIST Cybersecurity Framework's guidelines. A recent Cyber E&O Insurance application I looked at asked a lot of questions about offsite backup and internal system access controls. 

Hi

I haven't read all the replies and posts on this interesting and long thread.

I am somewhat skeptical when it comes to "Cloud" and physical security. Relying on the Internet for everything is not very wise IMHO. I am at ease with backing up my security videos on the Cloud but to make it the main and only conduit/container to my evidences leaves me unsettled.

Now we get to the point where a company owns my security camera? 

 Certain things can be rented. Some must be outright owned ... 

Poll results from 200+ votes, members strongly against such IP cameras:

Doing a bit of quick math - the 108MB upload over 24 hours is inline with our 10-20KBPS per camera. At first I thought the spike was someone on your side pulling footage but it is likely indicating a firmware upgrade. 

Meraki advertises 50KBPS per camera on their website though reverse math on the upload shows the camera was operating at under 1KBPS. 

I multiplied 20KBPS x 60 seconds x 60 minutes x 24 and converted to MBPS and divided using the same logic with the Meraki upload. 

So speaking of all this, I stumbled across an ad somewhere last night. One of the big ISP's here in canada had an offering for "Smart Surveillance".

Kind of surprised me, as I had not been aware Shaw was now installing cameras. A quick look around the web and it seems like they are selling Meraki.