Sponsored
One of the greatest barriers to broader cloud adoption is security.
However much the big cloud providers insist that their global networks of bit barns are more secure and tightly operated than those of their enterprise customers, it is those same customers who are ultimately liable for protecting the data under their control. For highly regulated industries like healthcare or financial services, the penalties for a data breach make it simply too risky to process sensitive data anywhere outside their own systems. This means that they are missing out on the advantages of cloud services, such as greater operational flexibility and the potential to save on some of the capital expenditure costs of on-premise IT systems. Public cloud in particular presents a number of challenges for keeping data secure, largely because an organisation is effectively choosing to run workloads on infrastructure that it does not own or control. While an organisation can take steps to lock down its own systems and deploy tools to detect or prevent intrusion, there are limits on what a customer can do to the cloud provider's infrastructure.
Encryption of sensitive data is now routine both in the cloud and on-premise, but this largely protects data only when it is at rest, stored on disk. In order to be processed, it still has to be in the clear while in memory so that any required operation can be performed on it, whereupon it is vulnerable to being accessed by an attacker that may have compromised the system. In any case, industry experts have long realised that software-only solutions simply will not cut the mustard, since they can ultimately be compromised or bypassed in some way. Instead, security needs to be rooted in hardware capabilities that cannot be altered or disabled by malicious code.
There have already been attempts at building security into silicon. Intel platforms have had Trusted Execution Technology (TXT) for some time, while chips based on the ARM architecture have had TrustZone technology for over a decade. Oracle also added Silicon Secured Memory (SSM) into its SPARC processors when the M7 was introduced. The main purpose of Intel TXT was and is to ensure a secure startup, verifying that low-level code such as an operating system kernel or hypervisor has not been compromised. But this is not a complete solution, as it does not prevent malware or an attacker from compromising the system once it is up and running.
Oracle's SSM is part of the software-in-silicon capabilities built into newer SPARC chips, and is designed to guard access to blocks of memory by associating them with a version number. Code accessing the memory block must present the same version number, offering some protection against buffer overruns. But this might not prove much protection against a determined attacker that may have compromised the system, as explained by The Register [1] at the time. What is required is some mechanism that can prevent access to data while it is being processed, even if an attacker has managed to penetrate the system. This is no trivial task, since a compromise of the software stack at the operating system or hypervisor level would enable an attacker to simply pluck data out of an application's memory space.
Perhaps the most ambitious move to address this problem is Intel's Software Guard Extensions (SGX), one of the new capabilities introduced to the Xeon server platform with the latest chips based on the Skylake architecture. SGX is designed to allow the creation of isolated and protected memory blocks within the server's memory space, inside which code can be placed in order to safely process sensitive data. These memory blocks are known as Trusted Execution Environments (TEEs) or alternatively as enclaves. To enable this, SGX provides a new privileged execution mode and several new instructions.
These are used at runtime to create an enclave and deploy the trusted code into it, before locking it down. Once created, the enclave memory region cannot be accessed by any other code, and functions inside the enclave can only be accessed via carefully controlled entry points. In principle, SGX is somewhat similar to ARM's TrustZone, but the latter simply divides the entire system into secure and non-secure environments, with hardware-enforced separation between the two. SGX, in contrast, enables multiple applications to each have their own enclave for any portion of their code that deals with sensitive data. The upshot of this is that applications running on an SGX-enabled system are split into trusted and untrusted code, with the trusted code deployed in the enclave kept as small as possible in order to reduce the possibility of security vulnerabilities being introduced.
But the chief way in which SGX differs from previous silicon-based security schemes is that the processor itself is the only hardware component that needs to be trusted. It does not require a Trusted Platform Module (TPM) as the root of trust or for attestation of code, for example, as TXT does. Theoretically, this should mean that SGX enclaves are secure from prying even if the operating system, hypervisor, firmware, and even Intel's Management Engine [2] have all been compromised by an attacker. This is a level of security that was not practical to achieve before chips with SGX became available. The first major outing for this technology is going to come from Microsoft.
In September, the firm announced its Azure cloud platform will be the first to support enclaves secured by Intel's SGX, using servers based on the latest Skylake Xeon processors. How this will ultimately be made available to customers has yet to be fully detailed by Redmond, but the firm said it intends to implement encryption-in-use for its Azure SQL Database service and SQL Server. Azure CTO Mark Russinovich also gave a demonstration of what this might look like at the firm's Ignite conference in September. The demo revolved around a sample HR application running queries against a cloud database with two columns (social security number and salary) where the stored value was protected using the Always Encrypted feature. A stored procedure was deployed into an enclave and then passed the encryption key over a secure channel, so that it was able to process queries that reference the encrypted columns.
To date, Intel's SGX has had only limited traction, but Microsoft's Azure cloud is widely used by large enterprise firms, and seems likely to drive interest in this method for keeping data secure while it is being processed. If it proves a hit, we can expect to see it implemented in more platforms, both in the cloud and on-premise; there is certainly scope for a technology that can keep data secure even if malware has compromised the server your application is running on. No single security technology can ever be totally bulletproof.
However, such attacks can be mitigated if the rest of the platform is carefully designed, and SGX means that Intel's latest Xeon chips offer the best foundation currently available for a platform capable of keeping the most sensitive data secure.
Sponsored by Intel
After record-setting negotiations, four parties have finally presented a coalition in the Netherlands. There are a fair number of cyber security measures in the preliminary agreement, which will serve as a guideline for the government's term over the coming years.
Following the elections of 15 March [1], three of the four larger parties in the Netherlands started coalition talks, a task that was viewed as difficult from the start.
With the Liberal Democrats and Christian Democrats as the largest parties, it would be difficult to reach consensus with the biggest winner, Green Left, and the centre-democratic Democrats 66 (D66). After Green Left eventually dropped out of the coalition talks, a new attempt was made with the Christian Union, a painfully slow negotiation process that was concluded on 10 October with a coalition agreement.
As opposed to a few years ago, the new agreement has a rather large number of sections on IT security, as many in the industry pointed out by counting the use of the term 'cyber', which appeared eight times in the 70-page document that outlines the new government's plans for the country over the next four years. An important factor in adding so much IT to the agenda would be D66, the centre party with MP Kees Verhoeven [2] as a well-known spokesperson for the digital agenda.
Law on intelligence and security agencies
Of particular interest in the agreement are amendments to the controversial law on intelligence and security agencies [3] (the WiV), which will go fully into effect on 1 January 2018. A group of petitioners recently successfully collected enough signatures [4] to start a national referendum to try to rescind the law, which would give intelligence agencies the power to use dragnet methods for collecting information on many people in a single area. Most criticism of the law concerns the oversight by an accountability taskforce, parts of which are considered too vague.
Even though the WiV will go into effect regardless of the outcome of the referendum, the new coalition has decided to evaluate the law within two years. If the supervision is indeed not enough, the law can be altered if necessary.
Use of zero days
Another controversial law, the Computer Criminality Act III, will also be slightly altered. Newly detailed plans in the agreement specifically mention the use of zero-days by law enforcement [5], and give stricter rules for police and intelligence agencies to use these. Specifically, zero-day technology can only be bought and used if required for very specific cases. Also, vendors of such software will be screened by the Dutch national intelligence agency AIVD to make sure the software is not also sold to dubious regimes. As with the WiV, this policy will now also be evaluated every two years, and law enforcement has to release statistics on the use of zero-days on a yearly basis.
A lot of these measures are seen as both good and bad by experts. Good, because a new evaluation clause has been added and several safeguards have been built in to prevent abuse. But privacy activists had hoped for more severe measures, like scrapping parts of the laws entirely.
Investing in the country's digital capacity
The coalition plans to spend an extra €95m to lay out an ambitious cyber security agenda and to increase the country's digital capacity. The new funds will be divided among several departments like the Ministry of Security and Justice, Defence, Foreign Affairs and Interior. An extra investment of €275m a year will be put into digital forces within the Dutch army, starting in 2020, to increase cyber capacity in the armed forces. An increasingly important role will be designated for the National Cyber Security Center [6] (NCSC), which advises the private sector on security practices and will be taking on a bigger role in preventing cyber crime and attacks in the future. Also new is the intention to make revenge porn illegal, that is, the posting online of pornographic material of an ex as a way of revenge after a bad breakup.
This would probably be broadened to any form of posting nudity online of other persons, though the agreement keeps the terms vague, most likely to allow for interpretation. A particularly high-profile case of revenge porn dominated the Dutch technology news earlier this year, as a young girl sued Facebook for refusing to hand over information on who uploaded a video of her. The case got some international attention when Facebook, after a long legal battle, was ordered to hand the information over [7] in 2015.
Storing of email addresses
Hidden away somewhere else in the agreement is the addition of email addresses to the Municipal Personal Records (the Basisregistratie Personen), with few more details given other than that email addresses will be stored safely and encrypted. There's also a small line about increasing the security of DigiD, the digital login system Dutch citizens can use to log in to government services to do their tax returns or view their student loans. There have been talks for years about replacing DigiD in favour of a new system called eID [8], which has been in an experimental phase for a while but has not been rolled out yet.
Internet of things security standards
For suppliers, the coalition plans to introduce security standards for internet of things appliances [9], though how these standards are to be implemented remains to be seen. This had been a longstanding wish of D66. The agreement also mentions a possible import ban for appliances that don't follow security practice, although this was not detailed.
The coalition agreement is so far just an agreement the four main parties have set up, but it's far from definite. The new coalition will be small, with a majority of only one: 76 seats in a house of 150. The parties' ideals are also far apart, so only a few dissidents in the coalition might mean a law could fail to pass.
However, after more than eight months of negotiations, Dutch MPs will probably not be looking for hard internal clashes.
1. the elections of 15 March (www.theguardian.com)
2. Kees Verhoeven (twitter.com)
3. controversial law on intelligence and security agencies (pilpnjcm.nl)
4. successfully collected enough signatures (nltimes.nl)
5. the use of zero-days by law enforcement (www.computerweekly.com)
6. National Cyber Security Center (www.ncsc.nl)
7. was ordered to hand the information over (www.computerweekly.com)
8. a new system called eID (joinup.ec.europa.eu)
9. introduce security standards for internet of things appliances (searchsecurity.techtarget.com)
Now that all that iPhone business is out of the way, I’ve had time to get back to my occasional series on building a smart home. This time, I’m going to talk about security cameras.
Now, we’ve had a ludicrous number of these offered up for review over the summer, with different pros and cons. Some offer face recognition. Some detect whether you are at home or away. But they almost all have the same thing in common. To paraphrase Richard Ayoade, it’s an “automatic lock-in situation”. Unlike other parts of the smart home, there are very few options to mix and match security cameras, which is surprising as CCTV has been around a lot longer than most of the other things in the sector.
It’s unsustainable, but at the moment, making the most of almost every camera you’re about to see requires you to sign up to a bespoke cloud service from that manufacturer. Yes, most of them work without a fee, but in a very stunted sort of way, and they still won’t work with other brands. What’s particularly frustrating about this is that there actually is a standard for home security cameras.
It’s called ONVIF. But none of the big brands are supporting it. Even D-Link, who co-founded ONVIF and many of whose cameras in the past were ONVIF compatible, have come out with something bespoke. So first, let’s talk about a simple old-school solution: a DVR (digital video recorder), which will take any generic cameras.
The one we’re using is made by Annke [1]. It starts at 99.99 with no camera, or for 169.99 you can get one with four wired cameras included, which seems like a bargain to us. Wired is a bit fiddly, so you might want to consider getting some wifi cameras. In theory, the Annke recorder will detect any wifi cameras on the network that are compatible and you can wire them in. The other option is to use your NAS.
Synology have a great surveillance manager package as part of their NAS range (I’m using a Synology 216+ [2] from last year) and that will pick up all your wireless cameras. Then the only reason to use the Annke would be to wire in your wired set-up. That’s a bit belt-and-braces (but not completely daft either). Right, having got that out of the way, if you want something more modern, there are a lot of options, so let’s have a look at the major ones. And before I am too down on them all, let’s remember, almost all of the below still work with IFTTT. And in the unlikely event that doesn’t mean anything to you, we’ll tackle it another time, but even a smart home virgin needs IFTTT in their life.
Ring Stickup Cam
The Ring ecosystem is primarily aimed at a “perimeter fence” outside your home. And it does so beautifully, offering motion detection that is exceptional, with very few false positives.
Ring’s “hero” product is its video doorbell, which we’re saving for another day, but the unique selling point of the Stickup Cam is the (optional) solar panels, which mean you can put it up and forget about it most of the time, and are definitely worth the extra investment. Even in midwinter in the gloomy UK, it was able to sustain over 90 per cent charge most of the time. All Ring cameras come with the option to select the “field of vision” for alerts, from under its nose through to halfway across the garden, though it’s worth noting that the further out you go, the more false positives you get. We had issues with buses on the main road, but re-angling the camera fixed that. Incidentally, we asked if Ring had any plans for an indoor camera and they told us they did not, which means it will never be your “all in one” fix, but there’s equally no reason why you can’t put up Stickup cams indoors, though you’ll lack the definition and the whistles and bells of other indoor systems.
A floodlight camera is on the way too. Solar panels are extra. [3]
Speaking of floodlight cameras, our second contender, and easily the most French, is Netatmo, a company we adore for its chic design and superior ideas. No, the cameras aren’t universal, but they have more whistles and bells than you can shake a baguette at. The most important of these is the brilliant facial recognition, which came a good two years before most of its rivals, and still wipes the floor with them. It can tell you who has just got home, and you can decide how long since you have last seen that person should count as them being “out”.
With a bit more integration it could be incredibly powerful at detecting friends and foes. It can spot pets and random animals, and combines them in the newer Presence camera with a powerful spotlight triggered by movement, and you can even select whether that movement is human or animal. Best of all, the indoor camera (Welcome) stores to SD card by default, so there’s no cloud service to worry about, unless it sees someone coming too close, as if to attack it or disconnect it. In that case, a picture of their face goes straight to Netatmo’s servers for you to download and pass to the police. In short, it is on paper the perfect system.
The only major problems are price (it’s premium) and we’ve found the set-up a little temperamental. Just a little, mind. On the whole, if we had deep pockets, we’d go for this. No brainer.
That may surprise you. After all, isn’t Nest supposed to be the daddy? Well, yes and no. The build quality of the latest indoor and outdoor cameras is nothing short of spectacular. But Nest is designed for use with an ecosystem, and unless you want to go “all in” then it becomes a brick pretty quickly. With Nest, as you’d expect from Google, almost everything is cloud based, and without paying a subscription the camera alone does very little, is compatible with nothing else and generally really irks me.
Latest UK releases are an indoor camera and an outdoor camera. The main differences are that one is on a stand, the other on a magnetic holder, and the outdoor one can be connected directly to the mains supply. As we were putting this piece together, we heard that Nest were planning a whole new range of stuff. But with so many of the features, like facial recognition, completely cloud-dependent, it feels like we’re reviewing the software not the hardware, and unless you are already tied into the Works with Nest framework, it’s probably not the best buy here. And that’s from a Googler.
A more refreshing alternative comes from Blink. The cameras may feel a bit flimsy, but they are full-featured, even down to a light, and best of all, the price includes cloud storage. They’re completely wireless with a battery that should last around two years. At present, there’s little in the way of integration, but it has IFTTT and Alexa and that’s a ruddy good start. Meanwhile, motion detection wakes up the camera and starts filming. An outdoor version is on the way, but we kind of like it as it is, a cracking indoor system.
Each camera comes with a hinged wall mount which can only be tilted in one direction, so if you need it to pivot automatically, this really isn’t the camera for you. But the remote quality is superb for checking on the go, and not being tied into a monthly fee is a major, and we mean major, selling point. If this starts to get adopted by the likes of SmartThings then it’s going to be major. Most importantly, the modest pricing means it’s one of the few systems here that doesn’t make me baulk at the idea of kitting every room out with them and still having money to eat.
Logi Circle 2
While we were impressed with the Logi Circle’s promise, it didn’t really do a lot. In fact, it felt more like a webcam than a security product, which given Logitech’s pedigree, isn’t that surprising. The new Logi Circle 2 is a slightly different proposition. It’s waterproof and can be chopped and changed between a range of accessories, from an outdoor mount to a flexible arm. There’s even a suction pad so you can stick it to glass and monitor outside from inside.
This makes it the most versatile item we’ve seen, though many of the accessories are yet to come to market. It also now has IFTTT and Alexa support and can interweave with the original Circle camera, but again this is a solution that works best with its own kind. Cloud recording is premium and expensive, and we’ve had reports from testers that viewing the camera remotely is almost unwatchable compared to some others. Both Logitech and Nokia need to decide why they are in the home security camera market before releasing much more.
The newly rechristened Nokia Health (better known previously as Withings) has a similar French chic to the Netatmo. With such a gorgeous range of watches and body-sensing knick-knacks, it’s difficult to know exactly where the Home fits. It has a separate app and doesn’t really do much for an otherwise tight ecosystem. Its USP is its ability to measure air quality and tell you when it is less than good, which is great, but for something that is otherwise for keeping an eye on the house, seems a bit misplaced.
We’re told that as Nokia evolves the old Withings range, its place will make more sense, but in the meantime, you’re left with this as the “odd duck” of the list. And yes, storing recordings comes courtesy of an additional charge.
Canary has been around a while now and as such should be a no-brainer, representing as it does an all-in-one system with camera and siren. This was recently augmented by the Flex, an indoor-outdoor camera that can run off battery or mains, and sticks up with a magnetic grip like the Nest (and with a similar build quality). Where Canary comes unstuck from our point of view is that, alongside the usual proprietary cloud subscription, it is way behind on integration. So much so, in fact, that it doesn’t even have an IFTTT channel.
Weirdly, its only current integration apart from the ubiquitous Alexa is with US-only smart home hub Wink, which is a shame as it has all the makings of a powerhouse. We’re told Canary is “always looking into” new partnerships. We hope that means soon, as we like Canary.
Arlo is the system all the others want to be when they grow up. It’s far from perfect, mind you, with a huge clunky hub which attaches to your router required to use its wireless cameras. Add in the fact that although, yes, they’re wireless, they guzzle fairly expensive batteries (123A size, if you’re interested; price them out and sob). The good news is, Arlo is a bit more willing to open up its system and will play nicely with Gideon, SmartThings and of course IFTTT.
The Arlo Q range adds a plug-in camera with 1080p definition and the Arlo Pro adds ethernet. Both work without the central hub. The big kicker is the pricing. This is a premium product from the Netgear stable, and one that you need to commit a couple of grand to if you are planning to do inside and out properly.
Somfy is a company better known for electric window blinds, but it recently took over MyFox and has rechristened it as Somfy Protect. The new flagship is a very similar product to the Canary, with a super-loud alarm alongside the camera.
But Somfy goes a step further, using the Somfy One as a hub to a network of cameras, motion sensors and keyfobs. Some of these are hangovers from the MyFox days, with the keyfobs doubling as presence detectors to arm the alarm when everyone is out of range. Somfy’s “Intellitags”, which mount on doors, are similar to a part of the Netatmo offering. Both work without the need for a magnetic sensor, relying on an accelerometer to check if there’s been movement. Somfy’s work far better though, and although it has some way to go, the Somfy One offers more integration than the Canary.
The rest of the range varies in price but creates a great ecosystem. [12]
Perhaps the biggest disappointment on the list is D-Link’s new sub-brand Omna, which is primarily aimed at Apple HomeKit users, and boy do we know it. In fact, Android users are faced with the bleak prospect that in order to use it, they need to update the firmware, and to do that, they need an Apple HomeKit device. Seriously, that’s how badly thought out this is. But it goes on. Omna, a device from a member of the ONVIF alliance, doesn’t support ONVIF, but instead has a (you guessed it) proprietary cloud service.
D-Link has something of an identity crisis right now. Its cameras now run on three different systems, with some supporting its smart home platform, while other, seemingly identical items don’t. D-Link desperately needs to work out who it is, find a single system and stick with it. Quickly.
Aukey IP Camera
Aukey’s proposition is simple. Good camera with tilt and zoom. Slightly Chinglish app. Cheap enough to do the whole house, but little room for integration. And if that’s what you need, Aukey’s camera is one of the better of the myriad similar-looking items on Amazon. Don’t expect miracles, but for a simple solution that records to an SD card (yay, no cloud server!) you can’t get much better.
In summing up then, any attempt to set up a home security system at the moment means taking a gamble. You either go for the simple solutions that sit alongside the rest of your home but don’t form a particularly exciting addition to it, or you buy into a system that may or may not integrate in a few years’ time. But there’s one more thing to consider.
If you got an alert whilst sitting on a beach somewhere telling you there was someone breaking into your house, would you actually want to know?
It seems like an obvious answer, but in reality, it’s a moral maze.
1. Annke (www.amazon.co.uk)
2. Synology (www.amazon.co.uk)
3. Ring Stickup Camera (www.amazon.co.uk)
4. Netatmo (www.amazon.co.uk)
5. Nest Cam Outdoor (store.nest.com)
6. Nest (nest.com)
7. Blink (www.amazon.co.uk)
8. Logi Circle (www.amazon.co.uk)
9. Nokia (www.amazon.co.uk)
10. Canary (canary.is)
11. Arlo (www.amazon.co.uk)
12. Somfy One (www.amazon.co.uk)
13. Omna (www.dlink.com)
14. Aukey (www.amazon.co.uk)