cwh
cwh PowerDork
2/27/16 7:55 a.m.

Kind of nervous even posting this, but this is the brightest group I know, so here goes. A major client has 21 locations. Total of 200 cameras. They want to store recorded video at a central location. I am told that this will require an FTP server with a huge hard drive array. This will be a secure site, as the client is a Bank in the Caribbean. Basically, I need to know what kind of consultant we need to design and implement the system. Client has good IT guys, but this is beyond their ken. Suggestions? Commercial cloud is not acceptable. Site visit will be required. You listening, Gameboy? Thanks, Chuck

petegossett
petegossett PowerDork
2/27/16 8:21 a.m.

Do they need to receive the video to the central location in real-time, or is it just a warehouse for backups?

cwh
cwh PowerDork
2/27/16 8:29 a.m.

Pete- At this time we are very early in discussions. It will be a backup, so if there is an NVR (recorder) failure, no data is lost. Real time viewing would be nice, but I don't think mandatory. Need clarification from client.

petegossett
petegossett PowerDork
2/27/16 8:41 a.m.

In that case yes, FTP (actually SFTP - you'll want it secure) would work well.

Although, they likely already have a VPN setup between each branch and their main facility - if it's anything like US banking?

Not knowing much about your DVRs (I've barely spent enough time to figure out the basics of the one I got from you) I'm not sure how to transfer the files off the DVR without human intervention, but I'm sure there's a way. Once the files from the DVR are on a local PC (probably server) at each branch it's a simple process to get the files to their main branch - either via SFTP if there's no VPN, or through an automated task that just copies the files over the VPN.

cwh
cwh PowerDork
2/27/16 8:48 a.m.

Big Dummy here- What is VPN? Also, systems in place transmit video live via internet. Can be real time or a reduced frame rate. They have very good internet there, St. Lucia.

szeis4cookie
szeis4cookie HalfDork
2/27/16 8:52 a.m.

Wait, so they are already streaming the video to a central location? And they already have the camera and DVR portion of the program? I'd think their IT staff should be able to figure out the scheduled transmission of the video for backup/archival - other than automating pulling the video off the camera, it should just be tasks that I would expect a bank's IT infrastructure group to be able to handle. If we're not talking about live streaming the general process should look pretty much like record retention for their other data, just a lot more of it.

Also: VPN = Virtual Private Network. Essentially, the client machine connects securely to a VPN server over the Internet, which grants access to other network resources back at the mothership.

Fueled by Caffeine
Fueled by Caffeine MegaDork
2/27/16 8:57 a.m.

Do you need to own the DVR? Isn't there a cloud service that will do this for the customer? I have no other thoughts other than questioning the need for physical storage. Cloud storage with the right company would guarantee that the data is never lost.

petegossett
petegossett PowerDork
2/27/16 8:59 a.m.

In reply to cwh:

Virtual Private Network...though really it's probably more of a WAN (Wide Area Network) if their infrastructure is that up-to-date. Regardless, it simply means that users from a branch can access devices/resources at the main location as though they are all in the same physical site (and vice-versa)...although if that were true, their IT team wouldn't be asking about FTP.

To summarize, I expect their network setup is one of the following:

1.) Wide Area Network - from a user and data perspective all devices from all branches are seamlessly connected to the main branch.

2.) Virtual Private Network - users from each branch are able to log into the server at the main branch with their own individual connection.

3.) No direct network connection - seems very unlikely based on what you've told us.

My guess is they don't want live streaming due to potential bandwidth issues. In that case, copying a nightly backup file over to their main server should be easy-peasy.

BoxheadTim
BoxheadTim UltimaDork
2/27/16 9:18 a.m.

If they want streaming back to the central secure site, that's likely a question of bandwidth - you don't want the video stream to consume so much bandwidth that it affects the rest of the operations. They may need a second connection for that.

How secure does this transmission have to be? A simple SSL encrypted VPN might be good enough as long as there is no cross-connection to the bank's main network. In that case, a bunch of DSL connections might be good enough to stream the data back to the central site provided the software can handle it.

Otherwise, doing store and forward can probably be done out of hours over their existing network with a few simple scheduled jobs.

Mike
Mike Dork
2/27/16 9:19 a.m.

The proposed system really closely mirrors my own experience.

What are the motives for central storage?

Putting all of these cameras on central storage is expensive.

If it's just central management, it might be a better choice to go with a system that offers that. March Networks Command Enterprise is a good solution for this. Each location gets a Windows server with lots of storage and a copy of March Command Recording Server. The central location gets a Windows server with Command Enterprise. All of the recording servers report system status to the enterprise server, and the enterprise server exposes all of the cameras in the system through a single, centralized database.

If the storage truly has to be central, then you're dealing with some trade-offs to consider. For example, when the network links fail, will you still have video? The client IT staff, or a consultant, need to have enough knowledge about QoS, bandwidth and connectivity monitoring. That goes double if your client is, or may soon buy, VoIP telephones, video conferencing, or other time-sensitive protocols. You also need to look at the camera bandwidth in aggregate and determine what your client will tolerate in image quality, resolution, and FPS. It might also help to understand the regulatory and legal environment, and that environment's tolerance for things like lossy video compression. Adjusting FPS and configuring lossy video makes a huge difference in video bandwidth.

The client staff need to be able to coordinate so that all components of the system are talking to an NTP server.

I'm assuming the cameras are preexisting, and are IP. If the cameras are analog, you're also looking at buying encoders for each analog camera. Five to ten years ago, that made sense. Today, I'd suggest pulling and replacing any analog cameras with IP.

For consultants, I'd say you'd want local legal and banking compliance experts to ensure your system meets banking regulation requirements for coverage and business continuity, and produces legally admissible footage. You also would want to have a networking guru on call. This might be as simple as having Cisco Smartnet on everything. You'll want to engage their internal staff for physical security, enterprise risk, information security and compliance as well as IT.

cwh
cwh PowerDork
2/27/16 9:20 a.m.

Using a Cloud supplier brings in a third party, not acceptable. Not sure yet if bandwidth is a problem, but would rather run live video to the server, so if there is a failure no data is lost from the entire day. Many questions that I need feedback from the client.

Fueled by Caffeine
Fueled by Caffeine MegaDork
2/27/16 9:25 a.m.
cwh wrote: Using a Cloud supplier brings in a third party, not acceptable.

Understandable. You do know the NSA uses Amazon for its web services and cloud computing. They are that secure.

wae
wae Dork
2/27/16 9:29 a.m.

You might look into Barracuda's solution. I don't know if the cuda cloud is mandatory for that or not - I really only deal with the BBS, Message Archiver, and AO - but they've got good solutions that don't require a lot of management overhead.

Bandwidth and storage perf reqs are pretty straightforward: how many cameras * published bitrate gets you in the ballpark. Weird fact: low light / full dark consumes more bandwidth than bright light.

If you're sending the video back to the ranch as it were, make sure you have QoS rules in place.

szeis4cookie
szeis4cookie HalfDork
2/27/16 9:31 a.m.
Fueled by Caffeine wrote:
cwh wrote: Using a Cloud supplier brings in a third party, not acceptable.
Understandable. You do know the NSA uses Amazon for its web services and cloud computing. They are that secure.

So does the Center for Medicare/Medicaid Services. You and I know that they are secure...but banking regulatory and compliance authorities tend to lag a bit on this sort of thing.

cwh
cwh PowerDork
2/27/16 9:31 a.m.

Mike- My personal experience with March is that I will never use it again. Customer service was beyond atrocious. You do bring up some good points that require feedback from client. You sound like you are in the business.

Stealthtercel
Stealthtercel Dork
2/27/16 10:44 a.m.

I don't think it's a case of "lagging a bit." I expect this is just another example of the noble tradition of British-influenced banking. "The government [microscopic pause for disdainful expression] can do whatever it wants, but This is The Bank, and We will do things Properly."

1988RedT2
1988RedT2 PowerDork
2/27/16 10:55 a.m.
Fueled by Caffeine wrote:
cwh wrote: Using a Cloud supplier brings in a third party, not acceptable.
Understandable. You do know the NSA uses Amazon for its web services and cloud computing. They are that secure.

LOL.

Keith Tanner
Keith Tanner MegaDork
2/27/16 11:16 a.m.

Replace "the cloud" with "someone else's computer". Helps with understanding.

Fueled by Caffeine
Fueled by Caffeine MegaDork
2/27/16 12:27 p.m.
1988RedT2 wrote:
Fueled by Caffeine wrote:
cwh wrote: Using a Cloud supplier brings in a third party, not acceptable.
Understandable. You do know the NSA uses Amazon for its web services and cloud computing. They are that secure.
LOL.

Have some reading, snark man.

http://www.defenseone.com/technology/2014/07/how-cia-partnered-amazon-and-changed-intelligence/88555/

bentwrench
bentwrench Dork
2/27/16 1:26 p.m.

They should already have a backup solution; they just need to add another task to back up recorded data and send to central NAS.

wae
wae Dork
2/27/16 2:03 p.m.

We actually can provide cloud storage in any of the googlezon providers that is good enough for HIPAA, DOJ, & NIST. In fact, if you use the right public cloud provider it's even okay for ITAR data.

That having been said, if the customer or the regulatory body says "no cloud" then that's that.

BoxheadTim
BoxheadTim UltimaDork
2/28/16 10:50 a.m.

I don't think cloudy storage is that good of an idea when we're talking about terabytes of data. Plus, there may well be restrictions on where this bank can store data - not that many countries have regulations that are as lax as the US ones when it comes to potentially sensitive data, so there is a good chance that the local regulators won't necessarily allow a bank to smear said data all over other people's data centres that aren't even in the same jurisdiction.

Kylini
Kylini HalfDork
2/28/16 6:29 p.m.

If realtime is not required, I'd set up local Linux file servers with redundant (ideally hot-swappable) power supplies and hard drives. I'd have them rsync over sftp hourly to an off-site service (I hear very good things about rsync.net). As long as the cameras write to files which are discrete chunks, you won't have too many issues compressing and encrypting those chunks as they're written. Also, small, compressed chunks == easy delta updates to keep your bandwidth as low as possible.

I am not an IT professional. I am not certified. Whatever you pick, it'll have to pass the bank's security audit. That's why I recommended rsync.net as your off-site option. They're secure enough for HIPAA, they haven't had downtime in forever, and they can ensure your data stays in approved countries and data centers for regulatory compliance. They're also only 8 cents a GB monthly once you break 10 TB.
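Added example, not part of the post above or of any product named in this thread: a Python sketch of the store-and-forward step for discrete video chunks. It ships only chunks the recorder has finished writing and lets the central site detect truncated or altered files. The file names, the `.mp4` suffix, the 300-second quiet period and the local copy standing in for the SFTP/rsync transfer are all assumptions made for illustration.

```python
import hashlib, os, shutil, tempfile, time

def stable_chunks(spool_dir, min_age_s, now=None):
    """Chunks untouched for min_age_s seconds, i.e. closed by the recorder."""
    now = time.time() if now is None else now
    ready = []
    for name in sorted(os.listdir(spool_dir)):
        path = os.path.join(spool_dir, name)
        if (name.endswith(".mp4") and os.path.isfile(path)
                and now - os.path.getmtime(path) >= min_age_s):
            ready.append(path)
    return ready

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def build_manifest(paths):
    """Branch side: file name -> SHA-256, sent along with the chunks."""
    return {os.path.basename(p): sha256_file(p) for p in paths}

def verify_manifest(archive_dir, manifest):
    """Central side: names that are missing or whose hash differs."""
    bad = []
    for name, digest in manifest.items():
        path = os.path.join(archive_dir, name)
        if not os.path.isfile(path) or sha256_file(path) != digest:
            bad.append(name)
    return sorted(bad)

def demo():
    # Constructed sample data: two closed chunks and one still being written.
    with tempfile.TemporaryDirectory() as branch, \
         tempfile.TemporaryDirectory() as central:
        now = time.time()
        for name, age, data in [("cam01_0900.mp4", 3600, b"closed chunk A"),
                                ("cam01_1000.mp4", 1800, b"closed chunk B"),
                                ("cam01_1100.mp4", 5, b"still recording")]:
            path = os.path.join(branch, name)
            with open(path, "wb") as f:
                f.write(data)
            os.utime(path, (now - age, now - age))
        ready = stable_chunks(branch, min_age_s=300, now=now)
        manifest = build_manifest(ready)
        # Stand-in for the transfer: one chunk arrives intact, one truncated.
        shutil.copy(ready[0], central)
        with open(os.path.join(central, "cam01_1000.mp4"), "wb") as f:
            f.write(b"closed ch")
        return [os.path.basename(p) for p in ready], verify_manifest(central, manifest)
```

Any chunk that `verify_manifest` reports is re-sent on the next run; the branch copy should be deleted only after the central copy verifies.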

PHeller
PHeller PowerDork
2/28/16 9:01 p.m.

Maybe they don't want the ability for anyone to snoop their stuff? The ability for a bank to tell its clients that they don't use third party storage could be an asset.

Mike
Mike Dork
2/29/16 1:45 a.m.

If you are a US bank, the rules for outsourcing the storage of this data are (more or less) covered here, and they're boring:

http://ithandbook.ffiec.gov/it-booklets/information-security/security-controls-implementation/service-provider-oversight.aspx
