Are serious corporations really moving their video security systems to the cloud, or is that just hype that’s spilled over from the consumer market?
The answer is that, while most corporate security projects are still deployed on-prem, cloud deployments are now growing at a faster rate (Omdia, 2024). This trend signals a shift in priorities—and if you’re reading this article, chances are that you’re responsible for deciding the priorities for a security project.
With that in mind, let’s look at how cloud-based video surveillance works in comparison to on-prem and hybrid deployment. We’ll cover the pros, cons and answers to frequently asked questions. In our discussion, we’ll reference our own XProtect® video management software (VMS) and Arcules video surveillance as a service (VSaaS).
Starting with what we already know can help to demystify cloud deployment. So, let’s look at a setup that many of our readers will be familiar with: a traditional on-prem VMS deployment. In the above image, we have an XProtect installation consisting of two sites (A and Z) and a management component. Everything’s installed on the customer’s site (on either physical or virtual machines), camera footage is stored on local recording servers and the management server is in their corporate data center. Video stays in the local area network and upgrades are done manually.
Pros:
- Feature-rich: In an on-prem setting, XProtect customers can have full access to the software's capabilities without the limitations of bandwidth, latency or data transfer costs.
- Many integrations: Thanks to our open-platform approach, XProtect also supports a wide variety of integrations. Some of these involve heavy-duty analytics, which are often better handled with on-prem servers.
- Stability: An on-prem setup isn’t dependent on internet connectivity, which can mean greater stability.
Cons:
- Manual updates: On-prem updates typically require manual intervention, such as downloading and installing patches, configuring settings and potentially dealing with compatibility issues. This process can lead to downtime and requires IT personnel to manage it directly.
- Remote access complexity: In the case of XProtect, security personnel can have remote Web Client and Mobile Client access. However, due to cybersecurity risks, you would need to set up a VPN to be able to remotely access the Management Client and Smart Client.
- Expensive to scale computing and storage: As demand increases and the security system needs to scale, additional hardware (servers, networking equipment, etc.) must be purchased and installed, leading to high capital expenditures (CapEx).
With our Arcules VSaaS, video security lives in a cloud-hosted service (Google Cloud) as opposed to an on-prem data center. This cloud-hosted service is managed, upgraded and even monitored for performance by the VSaaS vendor. Think about the other SaaS services you know (Dropbox, Salesforce, etc.); VSaaS has that same model where you access the service over your web browser from pretty much anywhere. Let’s look at two types of VSaaS: gateway-based and Camera to Cloud.
Gateway-based VSaaS
When comparing the above image with the on-prem diagram, you might also notice that the devices at each site have changed. The recording server has been replaced with a gateway device, which is our bridge to get video to the cloud. A gateway can help make the most of the cameras that you already have. It talks to the camera and the cloud. Gateways can be sized to handle several cameras, and you can have multiple gateways per site to handle larger projects.
Camera to Cloud VSaaS
You also may have noticed that there is a third site (a “Small Site”) in our Arcules VSaaS setup, above, where there are very few devices on-site. Imagine that this is a new site and, as the name suggests, it’s not a very big location. Because it’s new, there aren’t any cameras installed yet. In other words, this site is a great candidate for a different type of VSaaS deployment model that we call Camera to Cloud (or cam-to-cloud). With cam-to-cloud, we can take advantage of the processing power of the camera itself with gateway software running on the device. This gives us a very clean installation with a physical camera being the only equipment you need on-site.
Both gateway transmission and cam-to-cloud are available with Milestone Arcules and can be used side-by-side within the same project.
With VSaaS, security operators can view videos over the internet. There’s no need to make changes to firewalls, build VPNs or open ports. This is just outbound traffic, which many IT departments are fans of. If an Arcules user is on-site, they can pull video directly from the gateway, reducing bandwidth usage.
Pros (Gateway):
- Smooth setup and maintenance: As with any VSaaS, customers don’t have to spend IT resources on updating the software, as this is managed by the vendor. Arcules operates over port 80 or 443 depending on your encryption. As those ports are likely already open for your internet service provider, there shouldn’t be any work needed on the firewall side.
- Device agnosticism: In the case of Arcules, many of our customers opt for edge storage because it lets them use the cameras they already have.
- Optional gateway storage: You can choose to set up your gateway device(s) with hard drives to retain video footage. This helps in scenarios where immediate cloud transmission is impractical due to bandwidth limitations, cost considerations or regulatory requirements that mandate local data retention.
Cons (Gateway):
- Limited features: Gateway devices typically have limited processing power compared to cloud infrastructure, which means they support a limited range of features.
- Limited integrations: Here we have the same limitation as with core features. More heavy-duty integrations require significant computational resources that go beyond what’s possible with a gateway.
- Hardware required: Some network administrators prefer not to have any hardware on-site. But with Arcules, the gateways are Linux rather than Windows based, so there’s no SQL database to manage. It’s relatively straightforward.
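A check a site's network team could run to confirm that the outbound-only, port 80 or 443 model described above actually holds for a gateway, as an added example that is not Arcules or Milestone code: it classifies flow records and flags internet-initiated connections to the gateway, port 80 (unencrypted) egress and egress on any other port. The addresses, the record format and the verdict names are constructed for illustration.

```python
import ipaddress

# Constructed site values (assumptions, not from the article or the vendor).
SITE_LAN = ipaddress.ip_network("10.20.0.0/24")
GATEWAY = ipaddress.ip_address("10.20.0.5")

# Constructed flow records: "initiator,responder,responder_port,protocol".
SAMPLE_FLOWS = """\
10.20.0.5,203.0.113.10,443,tcp
10.20.0.5,203.0.113.10,80,tcp
10.20.0.40,10.20.0.5,443,tcp
198.51.100.7,10.20.0.5,554,tcp
10.20.0.5,192.0.2.99,8883,tcp
10.20.0.5,10.20.0.21,554,tcp
"""

def classify(initiator, responder, port, proto):
    """Return a verdict for one flow relative to the outbound-only model."""
    src = ipaddress.ip_address(initiator)
    dst = ipaddress.ip_address(responder)
    if GATEWAY not in (src, dst):
        return "not-gateway"
    if src in SITE_LAN and dst in SITE_LAN:
        # On-site viewers pulling video, or the gateway talking to cameras.
        return "local"
    if dst == GATEWAY:
        # Initiated from outside the LAN: a port was opened or forwarded.
        return "inbound-from-internet"
    # Remaining case: the gateway initiated a connection leaving the site.
    if proto == "tcp" and port == 443:
        return "ok"
    if proto == "tcp" and port == 80:
        # Port 80 is conventionally plain HTTP, so treat it as unencrypted.
        return "cleartext-egress"
    return "unexpected-egress"

def audit(flow_text):
    """Return (verdict, record) pairs for every flow that needs review."""
    findings = []
    for line in flow_text.splitlines():
        record = line.strip()
        if not record:
            continue
        initiator, responder, port, proto = record.split(",")
        verdict = classify(initiator, responder, int(port), proto.lower())
        if verdict not in ("ok", "local", "not-gateway"):
            findings.append((verdict, record))
    return findings

if __name__ == "__main__":
    for verdict, record in audit(SAMPLE_FLOWS):
        print(f"{verdict:22} {record}")
```

In practice the records would come from the site firewall's flow export, and any legitimate extra egress (for example time synchronization) would be added to the allowed cases rather than left to show up as a finding.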
Pros (Camera to Cloud):
- Simple and cost effective: In this scenario, the only hardware you need on-site is your security cameras. The gateway software and storage live on advanced IP cameras.
- Less bandwidth: Video only gets called up to the cloud when security operators need to view it, which means a lot less bandwidth usage. This is aided by the fact that analytics can be executed on the camera rather than in the cloud.
- Advanced analytics: Cam-to-cloud Axis cameras, which work with Arcules, come pre-installed with analytics. You get advanced AI-based video analytics for object detection and classification that can be used to trigger alarms and to present occupancy levels and heatmaps in the Arcules interface. No matter which type of Arcules deployment you use, analytics are available at no additional cost.
Cons (Camera to Cloud):
- Specific hardware: A limited number of cameras currently support cam-to-cloud, so this setup is likely best if you haven’t yet purchased hardware for your respective sites.
- Limited features: VSaaS is still new compared to VMS and, as such, even Camera to Cloud setups don’t have the same feature list.
- Limited integrations: We want our customers to enjoy open-platform video technology with both our VSaaS and VMS products. However, the above point applies here too; there aren’t as many cloud-based integrations available yet for Arcules as there are for VMS. There is not currently an SDK for Arcules, but there is API documentation.
Now let’s consider deploying Milestone’s VMS fully in the cloud. For XProtect customers, having every component deployed in the cloud can be a viable option for single-server/single-site installations. In such scenarios, you can “set it and forget it”—record video in the cloud and only go in when you need to do an investigation.
Pros:
- Easy for small projects: If you’re considering XProtect Essential+ or Express (designed for smaller, single-site projects), then a full cloud deployment could be of interest.
Cons:
- Scalability: Issues arise when all VMS components are hosted in the cloud for large security projects due to bandwidth, latency and internet connectivity challenges. As such, XProtect customers using Professional+, Expert or Corporate variants are more likely to consider one of the following hybrid options.
The cloud-hosted image above is almost the same as the original on-prem diagram. This adds up when we remember that the cloud is just someone else’s computer. The same rules of a traditional VMS still apply. We’ve seen customers migrate parts of their VMS to the cloud when closing some of their data centers and/or when they’ve experienced a lot of growth due to mergers and acquisitions. The global, flexible nature of the cloud often helps facilitate rapid expansion.
In a "hybrid cloud" XProtect setup, you’d move the management component of XProtect from on-prem to the cloud. The management component runs on a virtual machine in the cloud. You own and control the configuration, data and maintenance while the virtual machine is what you’re renting. Recording servers and all the camera data can stay local.
When it comes to networking, how does this cloud-managed VMS compare to VSaaS? As mentioned, VSaaS is pretty much plug and play, and doesn’t require a lot of effort from your IT department. With cloud-managed VMS, you use a VPN to make the cloud network work as if it were part of your physical network. In this context, users and recording devices can securely and directly communicate with the management component and any other components that live in the cloud.
Pros:
- Scalability: If you need to add 1,000 cameras via the XProtect Management Client, you can simply resize the virtual machine in the cloud in a matter of minutes. The same goes for storage. You can back up video to the cloud for disaster recovery or extend the storage of your local site by offloading video to the cloud. In the cloud, you basically have a recording server with unlimited storage.
- Less bandwidth: In a hybrid setup, operators can still view videos directly from the recording server on their local network. This reduces the bandwidth load as you don’t need to pass video over internet links. It’s mainly the management element that will take up traffic as it’s sent to the cloud.
- Remote viewing: Client access from anywhere is one of the things that the cloud does very well. There are even some options to virtualize the XProtect Smart Client application. In other words, you could have a fully equipped VMS client with all the bells and whistles through a web browser as opposed to a heavy-duty PC.
Cons:
- Manual updates: The same updates and upgrades that are normally required with XProtect still apply even when it’s deployed (or partially deployed) in the cloud. This is one of the key differences between VSaaS and cloud-managed VMS.
- Limited integrations: Some integrations, such as those with physical hardware (e.g., access control systems), rely on direct, low-latency communication with on-premises devices. These integrations often require local network access to operate efficiently and reliably and so moving them to the cloud might not be feasible.
Imagine that the above image represents a healthcare organization. They have several buildings on their main campus. There are hundreds of cameras running fall detection analytics. A full-time security staff works on-site. For these headquarters, video recording happens locally with XProtect. But this organization also has locations in rural areas. Local IT support can be difficult to find in these more remote areas, which only have a handful of cameras each. In this context, Arcules can be a great solution.
Pros:
- Ease of use: Security staff on the main campus can use XProtect as the enterprise VMS and pull in the remote Arcules cameras. They can see both XProtect and Arcules feeds in their security center without having to switch between applications.
- IT optimization: There’s no need to build a VPN connection to each rural pharmacy or clinic. Instead, you’re building a single secure connection to the cloud.
- Access to integrations: Having an enterprise-grade solution for the central site means having the infrastructure to support heavier video analytics.
Cons:
- Limited to XProtect Corporate: This setup relies on a Milestone Interconnect license for a remote and central site, which is currently limited to XProtect Corporate. While the Interconnect license normally comes at an additional cost, we’re waiving this license fee for customers looking to integrate with Arcules.
- Complexity: This is a recent type of setup, and so requires a bit more time to get started. In certain cases, the up-front effort is worth it. Learn more about expanding a VMS installation with VSaaS.
- Q: Which analytics are available with Arcules?
A: Cloud-based analytics include forensic search (people, vehicles, color), camera blur detection, camera rotation detection, people counting/occupancy status, people detection with custom regions, parked vehicle counting with custom regions and traffic heat maps. Camera-based analytics include fence guard and people count (AXIS), People Count (BOSCH), cross-line detection, intruder detection, loitering detection, object detection and scene change (iPro). These are available at no additional cost from Milestone’s side.
- Q: What access control integrations are available with Arcules?
A: Arcules currently supports Genea’s access control platform. This involves a cost associated with being a Genea customer, but there’s no extra charge from Milestone to be able to use the integration.
- Q: How many cameras are too many for the cloud?
A: If you have more than 100 cameras on a specific site, then Arcules probably won’t be feasible due to the required bandwidth and storage costs. But this number is just a ballpark; a system integrator can help you use a calculator to figure out what makes the most sense. You can also have multiple gateways per site, so keep that in mind.
When it comes to XProtect, if a customer has more than 50 cameras per site, they might consider using local storage for recent footage and cloud storage for archival purposes, ensuring a balance between cost, accessibility and redundancy. But it really depends. We also have customers with large installations running entirely on the cloud.
- Q: Is there an increased security risk in the cloud?
A: No. There’s always a risk when something lives elsewhere, but the risk is very small. There are shared responsibility models that outline the responsibilities of a cloud service provider (CSP) and the cloud customer (the user or organization using the cloud services) in terms of security and compliance. Imagine that a cloud-managed system goes down. You’re not going to lose all of your security video. It’d be the same as if you had an on-prem recording server go down or have to reboot; there’s a lot of redundancy under the hood. Cloud providers do a great job; their systems are very durable which makes your information very safe.
- Q: When I store XProtect video in the cloud, does it have the same security as with an on-prem server?
A: Yes. It’s the exact same security that you can use on your site. We can use XProtect to encrypt video directly on the drive itself, so even someone working for the cloud provider couldn’t access it. The cloud even supports encrypting the EBS virtual hard drives. So, you could have encrypted video living on encrypted hard drives—as secure as it gets! Because of privacy concerns, we sometimes hear that schools or hospitals have qualms about the cloud. They might say, “I can’t use cloud because this is student or patient data.” But then we find out that the same school is using Blackboard or Classroom services, and that the hospital shares medical records with external specialists. That’s all in the cloud. It went over the internet. There was no carrier pigeon involved. But it was still absolutely secure.
- Q: Who owns the data and video? Do we own it if we end our cloud service?
A: You can access it as long as you’re renting the space. If you stop paying, you’re going to lose the video. It would be the same if you were leasing a physical NVR on-site and then you didn’t pay your lease, and someone came and took the NVR back. There are ways to offload/export video for safekeeping though. It’s still your data.
- Q: Is there an additional cost to use XProtect in the cloud?
A: No extra charge from Milestone. You’ll be paying for the base license, device licenses and any Care or extension licenses. But there’s no SKU for XProtect in the cloud. You will of course be paying the cloud provider, but that cost substitutes or even minimizes what you would otherwise pay for on-prem servers. You’re also choosing a recurring monthly cost over a large initial expenditure. The benefit is that you get to “right size” it. Instead of needing 80 terabytes of storage but buying 100 to be on the safe side, you rent what you need when you need it.
- Q: Are you on your own renting the cloud space, or do you work with Milestone to get the cloud space?
A: Just as you’d need physical machines for an on-prem deployment, you’d have to go directly to the cloud provider—Milestone doesn’t resell those resources. This can actually be a benefit, as your organization might already have a purchasing agreement in place with a specific cloud provider. There might even be a mandatory spend stipulation so moving some XProtect components to the cloud could even help you get the most out of what you’d have to spend anyway.
- Q: Is it true that you can deploy XProtect on any cloud, but the easiest is AWS?
A: Correct. Our pre-built, automated template is based on our developers working closely with the AWS team. We have a couple of publicly available customer stories about XProtect on AWS: the City of Fishers and the City of Vicente Lopez, Buenos Aires. But we also have customers who’ve deployed XProtect on Google Cloud and Microsoft Azure.
At the beginning of this article, we mentioned changing priorities. Cloud-based and hybrid solutions are increasingly popular because they help:
- Minimize the strain on IT resources: It's a challenge to hire and retain skilled IT professionals. Considering the sheer number of devices and the network demands of video security systems, organizations want to remove some of the load from teams that are already stretched thin. They’re willing to pay to outsource some (if not all) of the maintenance and hosting.
- Redistribute spend: We increasingly hear that customers do not want to go to their board of directors or a committee to ask for a large up-front investment that might detract from another area of the business. It’s often preferable to move video surveillance to operational expenditure (OpEx). This explains the growth of VSaaS as well as the preference for hybrid VMS solutions that take advantage of the scalability of the cloud.
- Ensure connectivity and cyber resilience: Cyber security is a very relevant concern. While there are still concerns around the safety of cloud technology (see our FAQs section), some organizations see it as a safer option. The VSaaS model takes all the intelligence off production networks and straight onto the cloud. This gives organizations the ability to access video data 24/7 without needing VPN tunnels or getting into the production network to view camera feeds. At the same time, cloud infrastructure can enhance the enterprise cyber resilience that comes with a product like XProtect while providing a solid backup service.
As of today, only a handful of vendors provide both VMS and VSaaS solutions. And even fewer let you use them in the same setup. Milestone Systems is one of them. We are a global leader in device-agnostic, open-platform video security. Cloud isn’t our core offering; it’s simply a vehicle to help our customers scale their efforts with XProtect® and/or Arcules.