Cloud and Hybrid Storage for Surveillance

Why this matters

Our companion articles sized the storage in terabytes and turned those terabytes into on-premises disks. This article is about the other place the footage can live — the cloud — and the trap that catches teams who assume the cloud is just someone else's cheaper disk. It is for the security integrator, product manager, or operations lead weighing a cloud or hybrid surveillance system and trying to see the real bill before signing. The numbers that decide it are not the headline storage price; they are the bandwidth to get video up and the fees to get it back down, and both are easy to miss until they arrive. No special background is needed: every term is defined in plain language, and every cost and bandwidth figure is worked out in the open.

The one idea: the price tag is the storage; the bill is the bandwidth

Cloud storage is sold the way disk space is sold — a price per gigabyte per month — and that framing is what misleads surveillance buyers. For a workload that writes a little and reads a lot, per-gigabyte pricing tells most of the story. Surveillance is the opposite case twice over. It writes a relentless around-the-clock stream from many cameras, so getting the video into the cloud demands continuous upload bandwidth that a normal internet connection does not have. And when you finally read it — to export the one incident everyone wants — you pay again to move it back out, because cloud providers charge to take data off their platform.

So the honest way to think about cloud surveillance storage is to ignore the per-gigabyte sticker price first and ask two other questions. Can the site physically push this much video up, all day, every day? — that is the upload-bandwidth wall. What will it cost to get footage back when it matters, and how fast? — that is the egress-and-retrieval trap. The per-gigabyte price is real, but it is usually the smallest of the three numbers, and the two that hurt are the ones the pricing page leads with last. The rest of this article walks all three, then shows the hybrid pattern that almost every real system uses to get out from under them.

Figure 1. The price tag is the per-gigabyte storage rate; the bill is the upload bandwidth to get video in and the egress and retrieval fees to get it back out.

Three ways to put surveillance in the cloud

"Cloud storage" is not one architecture but three, and they differ in how much video crosses the internet and how much stays home. Naming them keeps the rest of the discussion precise.

Cloud-only recording, often sold as Video Surveillance as a Service (VSaaS — surveillance recording and management delivered as a subscription instead of a box you own), sends camera streams straight to the provider's cloud, where they are recorded and managed. There is little or no on-site recorder; the cameras, a network connection, and a browser are the system. It is the simplest model to deploy and the one that hits the upload wall hardest, because every recorded second has to leave the building in real time. Our deployment-models article covers the VSaaS business model in full; here we care about what it does to bandwidth and cost.

Cloud backup keeps the primary recording on a local recorder — the on-premises NVR or VMS storage we sized earlier — and copies some or all of it to the cloud as a second, off-site copy. The local disks carry the live write load and serve fast playback; the cloud copy survives a fire, a theft of the recorder, or a wiped array. It protects against the failure that on-premises storage cannot protect against on its own: losing the building.

Hybrid edge-plus-cloud is the middle ground most products actually ship. A local appliance — a recorder, a "bridge", or a cloud-managed recorder — records continuously on site and uploads selectively: events, short clips, low-resolution previews, and metadata go up, while the full-resolution continuous footage stays local until it ages out or is specifically requested. The cloud handles management, search, sharing, and overflow; the building handles the firehose. This is the pattern the rest of the article builds toward, because it is the one that survives the bandwidth and cost math.

Figure 2. Three ways to put surveillance in the cloud: cloud-only (everything up), cloud backup (local primary, cloud copy), and hybrid (local primary, selective upload). Each moves a very different amount of video across the internet.

The upload wall: why you cannot just record everything to the cloud

Start with the constraint that sinks most cloud-only plans, because it is physical and no pricing tier fixes it. To record a camera in the cloud, its video has to travel up the site's internet connection continuously, and video is large. Work the math with the same figure our retention article uses: a camera's recording load is just its bitrate, the megabits per second it produces.

Take a common modern camera: 1080p resolution, recorded with H.265 (the current efficient surveillance codec — see the Video Encoding section for why it roughly halves bitrate versus the older H.264). That camera produces about 2 Mbps. Now scale to a small-to-mid site of 40 such cameras, all recording continuously to the cloud:

40 cameras × 2 Mbps = 80 Mbps of video, produced continuously
80 Mbps sustained upload, 24 hours a day, 7 days a week

Eighty megabits per second does not sound like much next to a gigabit office link — until you notice the word upload. Most business and retail internet connections are asymmetric: the download speed is large, but the upload speed, which is what surveillance needs, is a fraction of it. A connection advertised as "500 down / 50 up" cannot carry 80 Mbps of upload at all, and even one that can will have nothing left for anything else and no margin for the busy-scene spikes that push bitrate above the average. Push to 4K cameras (about 4–6 Mbps each on H.265) or to 200 cameras, and the required upload climbs into the hundreds of megabits — a dedicated, symmetric, business-grade circuit, priced accordingly.

Common mistake: budgeting cloud storage but not the upload circuit. Teams price the per-gigabyte storage, sign up, and then discover the site's internet connection cannot push the video up. The footage that does not fit the pipe is simply lost — the camera records nothing, or the cloud service silently drops to a lower resolution and frame rate to fit, so the "recorded" video is worse than what the camera can see. The upload circuit, not the storage subscription, is the first thing to size for cloud recording, and on many sites it is the more expensive of the two.

This single wall explains a pattern you can see across the market: the vendors who advertise "cloud" surveillance do not actually stream every raw frame to a data center. Verkada's cameras analyze on the device and hold footage locally, sending the cloud only previews and metadata — on the order of 20–50 Kbps per camera at rest, thousands of times less than the raw stream — and pull full video up only on request. Eagle Eye Networks puts a local appliance called a Bridge on each site that records locally, buffers a day or two of video, and uploads intelligently as bandwidth allows, riding through network outages and congestion. Both are hybrid systems underneath the "cloud" label, for exactly the reason the math just showed.

Figure 3. The upload wall: 40 cameras need ~80 Mbps of sustained upload to record cloud-only, more than most asymmetric business links can give. Hybrid uploads only events and previews — a few Mbps.

What cloud storage actually costs: three meters, and the one that bites

Suppose the upload pipe exists. The cost of holding surveillance footage in the cloud runs on three separate meters, and the danger is that buyers read only the first one. This mirrors the three-meter view our cloud analytics-cost article uses for compute; for storage the meters are storage, egress, and retrieval.

Meter one — storage, per gigabyte per month. This is the headline price, and it is cheap. On a major cloud, hot, instantly-readable object storage runs about $0.023 per gigabyte per month in 2026 — roughly $23 per terabyte per month. Colder, slower classes cost far less, down to archive tiers near $1 per terabyte per month, a span our storage-tiers article walks in full. Reading the storage meter alone, the cloud looks like a bargain.

Meter two — egress, per gigabyte moved off the platform. Cloud providers let data in for free but charge to take it out. Egress to the internet starts around $0.09 per gigabyte — about $90 per terabyte — and that fee lands every time you pull footage back to view, export, or move it elsewhere. For most workloads egress is occasional. For surveillance, the entire point of the archive is that you will one day pull a chunk of it back for an incident, an investigation, or a legal request — so the egress meter is not an edge case, it is the use case.

Meter three — retrieval, the price and the wait to thaw cold data. The cheap archive tiers that make cloud storage look free are not instantly readable. To read data from a deep-archive class you first pay a per-gigabyte retrieval fee and wait — minutes to hours for some classes, up to 12 hours, or up to 48 hours for bulk retrieval from the deepest tier. That delay is fine for compliance backups you hope never to touch. It is unworkable for footage a guard needs to see now.

Put the meters together on the 40-camera site. At 2 Mbps continuous, each camera writes about 21.6 GB per day; 40 cameras write roughly 864 GB per day, so a rolling 30-day archive holds about 26 TB (the same figure our retention article derives). Now read each meter:

Storage (hot class):   26,000 GB × $0.023/GB-mo  ≈ $600 / month, just to hold 30 days
Pull back one day:        864 GB × $0.09/GB       ≈ $78  per day exported
Pull back the full 26 TB:  26,000 GB × $0.09/GB   ≈ $2,340 to retrieve the month
Same 26 TB in deep archive: 26,000 GB × $0.001/GB ≈ $26 / month — but 12–48 h to read

The storage meter says $600 a month — affordable. The egress meter says a single serious investigation that exports a week of footage from several cameras can cost hundreds to thousands of dollars in transfer fees alone. And the retrieval meter says the tempting $26-a-month archive tier cannot hold active surveillance footage, because nobody can wait 12 hours to review a break-in. The cloud is cheap to fill and expensive to empty, which is the exact opposite of how surveillance footage is used.

Common mistake: archiving active footage in a deep-cold tier to save money. The per-gigabyte price of a deep-archive class is irresistible, so a team routes all recording there. Then an incident happens, someone requests the clip, and the system needs 12 to 48 hours and a retrieval fee to produce it. Deep-archive tiers are for footage you are legally required to keep but realistically never watch; anything that might be needed quickly belongs in an instantly-readable class, with its higher monthly price. Match the storage class to how fast the footage might be needed, not to the lowest sticker price.

Cost meter	Typical 2026 rate	When it fires for surveillance	The trap
Storage — hot/instant class	~$0.023 /GB-mo (~$23/TB-mo)	Every month, for all retained footage	Looks cheap, read in isolation
Storage — deep archive	~$0.001 /GB-mo (~$1/TB-mo)	Long-retention footage you rarely watch	Not instantly readable — slow and fee'd to read
Egress (data out)	~$0.09 /GB (~$90/TB)	Every export, investigation, or migration	The whole point of an archive is to read it back
Retrieval (thaw from archive)	per-GB fee + 12–48 h wait	Pulling footage from a cold/archive tier	Too slow for an active incident

Rates are representative 2026 figures from a major cloud provider; exact numbers vary by provider, region, and contract — confirm against current pricing. The pattern, not the precise cent, is the point.

The hybrid pattern: keep the firehose home, send the cloud what it is good at

Both the bandwidth wall and the egress trap point to the same answer, and it is the one most production systems reach: keep the heavy, time-sensitive work on site and use the cloud for what it is actually better at. This is the hybrid edge-plus-cloud storage pattern, and it is worth drawing because the savings are large and specific.

The local appliance — an on-premises recorder, a bridge device, or a cloud-managed recorder — does three jobs the cloud cannot do economically. It absorbs the continuous write load on local disks, so the 80 Mbps firehose never touches the internet. It serves instant playback of recent footage to anyone on site, with no egress fee and no latency. And it acts as a buffer that rides through internet outages, holding a day or two of video so a dropped connection never means dropped recording. The on-premises storage architecture we covered earlier is exactly this local layer.

The cloud then receives only the thin, valuable streams. Event clips and the metadata that makes footage searchable go up continuously but cost almost nothing in bandwidth. A low-resolution preview of each camera supports remote viewing without shipping the full stream. And a selective backup — the most important cameras, or footage flagged by analytics — is copied up for off-site protection. The result is dramatic: the same 40-camera site that needed 80 Mbps of continuous upload to record cloud-only now needs only a few megabits, because it is sending events and previews rather than every frame. Verkada's 20–50 Kbps per camera and Eagle Eye's buffer-and-forward bridge are two commercial expressions of this same pattern.

The hybrid model also reshapes the cost. The local recorder is a one-time hardware purchase that carries the bulk of the storage; a recorder and its disks typically cost a few hundred to a couple of thousand dollars and last three to five years, with storage upgrades a separate few thousand. The cloud subscription then covers only the backup copy, the management plane, and overflow — a far smaller monthly bill than holding every terabyte in the cloud, and one that avoids most of the egress exposure because routine playback is served locally. Industry integrators put the hybrid total cost of ownership roughly a third to a half below an all-cloud design for a multi-site deployment, which is why it dominates real installations.

Figure 4. The hybrid pattern: the local appliance takes the continuous write load and serves fast playback; only events, previews, and a selective backup go up. Upload drops from ~80 Mbps to a few Mbps.

When cloud storage beats buying disks — and when it does not

None of this makes the cloud wrong; it makes the cloud a tool with a shape. Cloud and hybrid storage win clearly in several situations, and lose in others, and the decision is usually a short one.

Cloud or hybrid storage is the stronger choice when the deployment is spread across many sites, because central cloud management beats maintaining a recorder at every location and the per-site footage volume is small enough to upload comfortably. It wins when off-site survival matters — when losing the building to fire or theft must not lose the footage, which local disks alone cannot guarantee. It wins for small sites of a handful of cameras, where the upload fits an ordinary connection and buying and maintaining a recorder is not worth it. And it wins when the team values no hardware to own — no disks to replace, no rebuilds to manage, no capacity to forecast years ahead.

On-premises storage stays the stronger choice when many cameras record continuously at one site, because the upload wall and the egress fees make holding that firehose in the cloud both physically hard and expensive. It wins where fast, frequent playback is routine, since local reads are instant and free while cloud reads are neither. And it wins where regulation or policy requires footage to stay on site or in-country, which the next section takes up. For most systems above a few cameras, the answer is not cloud or on-premises but the hybrid split — local for the firehose and fast reads, cloud for backup, management, and reach — chosen by walking the questions below.

Figure 5. Choosing cloud, hybrid, or on-prem storage: branch on site count, continuous camera load, available upload, playback frequency, and residency or off-site-survival needs. Most multi-camera systems land on hybrid.

Where the footage lives is also a privacy decision

Moving surveillance footage to the cloud moves personal data to the cloud, and where that data physically lands is a legal question, not just a technical one. The following is engineering guidance, not legal advice — confirm specifics with qualified counsel — but a builder needs to see the shape of the rule before choosing a region.

Two limits sit on top of cloud surveillance storage. The first is retention: under the EU General Data Protection Regulation (GDPR, Reg. (EU) 2016/679), the storage-limitation principle (Art. 5(1)(e)) says personal data must not be kept longer than necessary for its purpose, and the European Data Protection Board's video-specific guidance (EDPB Guidelines 3/2019) treats footage accordingly. Cheap cloud archive tiers make it tempting to keep everything forever; privacy law sets a maximum that caps how long you may, distinct from the operational minimum of how long you must. Our retention-policy article covers this two-sided limit, and a lifecycle rule that auto-deletes footage at the legal maximum is the practical control.

The second limit is where the data crosses borders. Sending EU footage to a cloud region — or to a provider — outside the European Economic Area is an international transfer governed by GDPR Chapter V, which requires a legal basis such as an adequacy decision, standard contractual clauses, or binding corporate rules. A subtle point trips up many teams: choosing an in-region data center does not, by itself, settle the question. The EDPB's transfer guidance (Guidelines 05/2021) treats a disclosure to an importer in a third country as a transfer regardless of where the bytes sit, and a cloud provider whose parent company is subject to another country's law may face legal demands to produce data even from an in-region facility. The transatlantic mechanism most US providers rely on, the EU–US Data Privacy Framework, was upheld by the EU General Court in September 2025 but remains under appeal at the Court of Justice (Case C-703/25 P, no hearing scheduled as of mid-2026) — a live reminder that cross-border arrangements can shift. The safe engineering default for sensitive surveillance footage, especially anything biometric, is to keep recognizable video in-region and treat the cloud destination's legal exposure as part of the design.

Figure 6. Footage in the cloud is personal data that may cross a border. GDPR retention limits cap how long you keep it; Chapter V governs where it may go — and an in-region data center does not automatically settle the transfer question.

Where the standards fit: ONVIF Profile G does not care where the bytes live

For all the difference between a disk in the rack and a bucket in a data center, the surveillance software reaches recorded video the same way in both cases, and that is what makes the cloud-versus-local choice a free architectural decision rather than a rewrite. ONVIF is the common language that lets cameras and recording software from different makers work together, divided into profiles by job. The profile that governs recorded video is ONVIF Profile G, the open standard for recording and retrieval — current version 1.1, published October 2025 — which standardizes how a system controls recording and how it searches and replays stored footage (FindRecordings, FindEvents) across vendors.

The boundary is the same one we drew for on-premises storage: Profile G standardizes the interface to recorded video, not the medium that holds it. A retrieval request looks identical whether the footage sits on a local RAID array, on a bridge appliance's buffer, or in a cloud bucket on the other side of the world. Remember the rule from our ONVIF explainer: ONVIF guarantees a baseline both sides conform to, not the storage beneath it. For the commercial overview of how the profiles map to real products, Fora Soft's guide to ONVIF profiles in security systems is the companion read. That clean separation is exactly what lets a system start on local disks, add a cloud backup, and later move older footage up to an archive tier — all without the application changing how it records or retrieves, because every path still speaks Profile G.

Where Fora Soft fits in

Cloud and hybrid storage is the part of a surveillance system where a tidy demo and a sustainable bill come apart, because the demo never tests the upload pipe or the egress meter. Fora Soft has built video streaming, real-time video, and computer-vision systems since 2005 — more than 625 shipped projects — and surveillance sits where all three meet. When we design or integrate a VMS, we size the upload circuit against the real continuous bitrate before anyone signs a cloud subscription, and we default to the hybrid split: the local appliance takes the firehose and serves fast playback, while the cloud carries events, previews, search, and an off-site backup. We match each storage class to how quickly the footage might be needed rather than to its sticker price, keep recognizable video in-region where privacy law requires it, and hold the whole design behind the ONVIF Profile G interface so storage can move between local and cloud without touching the application. The accuracy-vs-performance habit applies directly: we plan for the day the footage has to come back fast and intact, because that — not the healthy upload graph — is when cloud storage is judged.

What to read next

• On-prem storage architecture: NVR, SAN, NAS, and RAID
• Storage tiers: hot, warm, cold, and archive
• Retention policy: how long to keep footage, and why

Download the cloud & hybrid storage decision guide (PDF) — the three deployment models at a glance, the upload-bandwidth budget formula, the three cloud cost meters (storage, egress, retrieval) with the deep-archive warning, the cloud-vs-on-prem crossover questions, the in-region/residency note, and a blank sizing worksheet.

Call to action

• Talk to a surveillance engineer — book a 30-minute scoping call to talk through your cloud video surveillance storage plan.
• See our case studies — 250+ shipped projects across video streaming, WebRTC, OTT, telemedicine, e-learning, surveillance, and AR/VR.
• Download the Cloud & Hybrid Storage Decision Guide — One-page printable guide: the three deployment models (cloud-only, cloud backup, hybrid edge+cloud) at a glance, the upload-bandwidth budget formula (cameras x bitrate = sustained upload), the three cloud cost meters (storage, egress,….

References

1. ONVIF Profile G (recording and retrieval), ONVIF. The open standard for recording control and for searching and replaying stored footage (FindRecordings, FindEvents) across vendors — the interface the surveillance software uses regardless of whether the footage sits on a local disk or in a cloud bucket. Establishes that ONVIF standardizes the recording/retrieval interface, not the storage medium. Current Profile G Specification v1.1 (October 2025). Tier 1. https://www.onvif.org/profiles/profile-g/ (accessed 2026-06-09)
2. Regulation (EU) 2016/679 (GDPR), Art. 5(1)(e) — storage limitation, European Union. The principle that personal data, including video footage, must be kept no longer than necessary for the purpose — the legal cap on retention that constrains cheap cloud archive tiers. Tier 1. https://eur-lex.europa.eu/eli/reg/2016/679/oj (accessed 2026-06-09)
3. Regulation (EU) 2016/679 (GDPR), Chapter V (Arts. 44–50) — transfers of personal data to third countries, European Union. The rules governing transfer of personal data (including surveillance footage) outside the EEA, requiring an adequacy decision, standard contractual clauses, binding corporate rules, or a derogation — the controlling source for cloud data-residency decisions. Tier 1. https://eur-lex.europa.eu/eli/reg/2016/679/oj (accessed 2026-06-09)
4. EDPB Guidelines 3/2019 on processing of personal data through video devices, European Data Protection Board. The video-specific guidance applying GDPR to surveillance, including the data-minimisation and storage-limitation expectations for recorded footage. Tier 2 (issuing-body guidance). https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-32019-processing-personal-data-through-video_en (accessed 2026-06-09)
5. EDPB Guidelines 05/2021 on the interplay between Art. 3 and Chapter V of the GDPR, European Data Protection Board. Establishes the criteria that define an international "transfer" — including that a disclosure to an importer in a third country is a transfer regardless of where the data physically sits — the basis for the in-region-is-not-enough point. Tier 2 (issuing-body guidance). https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052021-interplay-between-application-article-3-and_en (accessed 2026-06-09)
6. Amazon S3 Pricing — storage classes, request, data-transfer (egress), and retrieval pricing, Amazon Web Services. First-party pricing for hot object storage (~$0.023/GB-mo), deep-archive classes (~$0.00099/GB-mo), data-transfer-out/egress (from ~$0.09/GB), and archive retrieval fees and times — the basis for the three-meter cost model. 2026 pricing. Tier 3 (first-party). https://aws.amazon.com/s3/pricing/ (accessed 2026-06-09)
7. Amazon S3 Glacier storage classes — retrieval options and times, Amazon Web Services. First-party documentation of archive retrieval tiers (expedited/standard/bulk) and the minutes-to-48-hours retrieval times that make deep-archive classes unsuitable for active surveillance footage. Tier 3 (first-party). https://aws.amazon.com/s3/storage-classes/glacier/ (accessed 2026-06-09)
8. Cloud vs. Hybrid Cloud Security Camera Systems: How Cloud Video Storage Works, Verkada. First-party engineering explanation of the hybrid architecture — on-device processing and local storage with only previews and metadata to the cloud (~20–50 Kbps/camera at rest), pulling full video on request — confirming why "cloud" surveillance is hybrid in practice. Tier 4 (vendor engineering). https://www.verkada.com/blog/cloud-video-storage/ (accessed 2026-06-09)
9. VSaaS and the Eagle Eye Bridge: buffering and bandwidth management, Eagle Eye Networks. First-party description of the on-site Bridge appliance that records locally, buffers a day or two of video, and uploads as bandwidth allows to survive outages and congestion — the buffer-and-forward expression of the hybrid pattern. Tier 4 (vendor engineering). https://www.een.com/vsaas-video-surveillance-moving-to-cloud/ (accessed 2026-06-09)
10. EN IEC 62676-4:2025: Video surveillance systems for use in security applications — Part 4: Application guidelines, IEC / CENELEC. System-level guidance for planning surveillance recording and storage, including availability and integrity of stored footage across local and remote storage — the framework treating storage availability as a design requirement. Tier 1. https://webstore.iec.ch/publication/68479 (accessed 2026-06-09)
11. IP camera bandwidth and bitrate per resolution and codec (1080p/4K, H.264/H.265), Reolink / SCW / industry technical references. Corroborated bitrate-per-camera figures (1080p H.265 ~1–2 Mbps; 4K H.265 ~4–6 Mbps; H.265 cutting ~30–50% vs H.264) — the basis for the upload-bandwidth math. Tier 5 (institutional/technical). https://reolink.com/blog/ip-camera-bandwidth-calculation/ (accessed 2026-06-09)
12. EU–US Data Privacy Framework upheld; Latombe appeal pending (Case C-703/25 P), EU General Court / Court of Justice of the EU (via IAPP). The September 2025 General Court ruling upholding the DPF adequacy decision and the pending CJEU appeal — the basis for treating the transatlantic transfer mechanism as valid-but-contested as of mid-2026. Tier 5 (institutional/analyst reporting of a court record). https://iapp.org/news/a/european-general-court-dismisses-latombe-challenge-upholds-eu-us-data-privacy-framework (accessed 2026-06-09)

Where sources disagreed, the official standard and law were followed and the controlling fact stated plainly. Cloud vendor and integrator marketing tends to lead with the per-gigabyte storage price; the first-party AWS pricing documentation and the bandwidth math show that egress fees and the upload circuit dominate the real surveillance bill, so the article foregrounds those and treats the storage rate as the smallest of the three meters. On data residency, the EDPB transfer guidance (Guidelines 05/2021) overrides the common assumption that an in-region data center settles the GDPR question — the article follows the guidance and flags the discrepancy. The EU–US Data Privacy Framework is stated as valid but under appeal, consistent with the court record as of mid-2026.