Advisory
Verkada & cloud-video residency — what changed post-2021 breach
After the 2021 breach exposed footage from thousands of client sites, Verkada published an expanded security architecture. Here's what it actually addresses — and what clients still need to verify.
Affects
The 2021 Verkada breach was a watershed for cloud video. A super-admin credential, reused and phished, gave an attacker access to live feeds across client environments. Verkada responded with a multi-year security and governance rebuild.
The rebuild improved the platform materially: credential policies, access controls, and audit trails are stronger than they were. What it can't address is the trust boundary itself — putting video and access data on someone else's infrastructure means you're trusting their personnel, procedures, and detection.
For most commercial sites that's a reasonable trade. For regulated sectors — healthcare, cannabis, financial services — the residency, portability, and audit questions still need explicit answers in writing before adoption.
Mitigation
What to do this week.
- 01Confirm data-residency policy in writing. Canadian cloud region for any PHIPA-adjacent deployment.
- 02Enforce SSO + MFA on all admin accounts. Remove shared admin accounts entirely.
- 03Document your incident-response dependency on the vendor — what you expect from them, and in what time frame.
- 04Keep a written exit plan. Cloud-locked hardware is hardware you've rented, not bought.
Sources
Want us to apply this to your system?
A 30-minute remote review against this advisory, no obligation. We'll tell you on the call whether you're exposed and what the fix looks like.
Book a review