9 questions to ask your vendors at GSX 2018

Sept. 18, 2018
Asking how products and features address real security challenges can help you see through marketing hype

Security industry technologies are rapidly advancing in the areas listed below. Collaboration among technology partners is at an all-time high, as there are more reasons and opportunities for collaboration.

Note that the numbers in parentheses (#12345) are the vendor show floor booth numbers.

  • Cybersecurity. Just over three years ago, only two security industry companies – Axis Communications and Cisco – had published product cybersecurity hardening guidance. Today, 20 security industry companies provide hardening guidance and have product cybersecurity features – with Lenel Systems and Mercury Security joining the list this year. However, many companies still do not, and so those who do are listed in Question #1.
  • Infrastructure Management. Today’s technology is interconnected and evolves significantly through software and firmware updates. Technology infrastructure becomes a critical issue the larger your deployments are. How do you regularly update firmware on hundreds or thousands of cameras? Axis Communications (#2251)has released its Axis Device Manager software, an on-premises client-server application that provides many management features for its products, including user and password management and digital certificate management, two camera deployment cybersecurity features that have been long overdue. Even more exciting is the Viakoo (#2943) release of its Camera Firmware Update Manager (CFUM) – a cloud-based system (with a small video server software component) for managing firmware for multi-site and high-camera-count deployments. You will also see CFUM at the Stanley Security booth (#2417), as it is a key component of their STANLEY IntelAssure service.
  • Standards. A cybersecurity point of improvement is the use of current (i.e. not outdated) IT standards, such as 256-bit AES encryption (not DES or Triple-DES/3DES), TLS 1.2 for HTTPS communications (not TLS 1.0 or any version of SSL), Simple Network Management Protocol (SNMP) 3.0 (not 1.0 or 2.0). Version numbers for protocols and standards are more important than ever before – and not all companies are keeping their technologies fully up to date. When encryption or network protocols come into the discussion, this is a point to check on.
  • Facility Physical Access Management. Access management is an area of physical security management that lags way behind the modern tools and approaches of IT. This is one reason why Lenel Systems (#2825) has introduced real-time Policy controls for access management into its flagship product OnGuard, as well as many other improvements well worth looking at. Other companies who have already stepped up to that plate are AlertEnterprise (#671) and RightCrowd (#930).
  • Open Platforms. Having a published open API (Application Programming Interface – the way two applications talk to each other) is the way forward not just for Amazon, BestBuy, Google, Facebook, IBM, Microsoft, and Netflix but for the security industry as well, and industry companies are catching on to that fact. See my recent article on The API Economy and the security industry. I have linked to some of the security industry online Open API documentation as evidence of that progress: Brivo (#2135), Eagle Eye Networks (#2135 with Brivo), Lenel Systems (#2825).
  • AI, Big Data, Machine Learning and Robotics. Not all AI is for robotics, but all robotics use AI and machine learning. Check out the robots from Turing Video (#620). Often big data technologies are involved when there is a lot of data to deal with. The new generation of video analytics uses machine learning to build models of video scenes and eliminate nearly all false positives to provide highly actionable event and activity recognition. Updated analytics from Bosch Security (#2243), Agent Vi (#2251 with Axis), and Briefcam (#538) are worth checking out.
  • High Business-Value Integration. Be sure to stop a the Axis (#2251) booth to hear more about how organizations like Aalto University students and Rock Hill Schools have discovered how to use analytics running on Axis cameras that have Lightfinder technology to monitor building lighting usage and reduce energy consumption (detailed white paper here).

This year “artificial intelligence” (AI), “machine learning”, and “open platform” are among the hot buzzwords. While not as hot, “cloud” and “mobile” are two aspects of modern technology that are unavoidable. When you hear those terms, it becomes important to differentiate between yesterday’s technology “re-described” for marketing purposes, and advanced next generation technology that brings valuable new capabilities. The questions below should help.  

This Year’s Vendor Questions

To keep this article simpler than my previous show “questions” articles, I’m no longer making separate questions for end users, integrators and consultants. End users are now more tech-savvy, and integrators and consultants are increasing their understanding of end user needs. One set of questions will work fine now, where a few years ago, that wasn’t the case.

  1. Cybersecurity. Do you have a system (or product) hardening guide?

A hardening guide recommends cybersecurity measures to apply to the vendor’s product or system.

This remains the top question as cybersecurity is a top concern for end users, integrators, security designers and specifiers. The following companies, listed with their document links here, have published hardening guides or cybersecurity guidance: Axis, Bosch Security, Brivo, Cisco, Dahua, Eagle Eye, Genetec, Hanwha Techwin, Hikvision, Lenel Systems, March Networks, Mercury Security, Milestone, OnSSI, Salient, Sony, Tyco Security, Viakoo, and Vivotek. If a vendor has products or systems that connect to the network, hardening guidance is appropriate.

  1. Cloud Security. For cloud companies: Do you have a published vulnerability handling policy and documentation describing your company’s product (or cloud service) security program?

Cybersecurity professionals look for the three indicators of a cloud vendor’s cybersecurity maturity:

  • Product hardening guide.
  • Security vulnerability handling policy.
  • Descriptive documentation of the company’s product security program.

You don’t need to ask this question of the companies who have hardening guides. Most of the security industry companies with hardening guides also have published vulnerability handling policies, and many have descriptive documentation about the product security program or internal cybersecurity team. Yet many security industry companies still don’t have a clear idea of what a product security program is. Listen closely to how vendors answer this question, as the differences between answers can give you insights into the relative ranking of vendors.

  1. Infrastructure Management. What new features to you have that improve management and administration for large-scale deployments?

Today’s technologies are more feature-rich and more complex than ever before and are broadly networked to a much greater scale than a decade ago. If you have a regionally, nationally or globally network security system, ask about features that facilitate the management of large-scale deployments. Also see this article’s introductory on Infrastructure Management.

  1. Cloud Characteristics. How specifically does your cloud-based offering make use of the six key characteristics of cloud computing?

There are several companies who have products that are supported or augmented by cloud-based services, as opposed to companies with fully-cloud based offerings. When you hear the word “cloud” be sure to understand what functionality resides in the cloud and why it is in the cloud. Sometimes the product is cloud-hosted but was not built as a cloud-native application. This question will tell you how well cloud engineering has been applied to the system or application.

  1. Risk Scenarios. What types of risk scenarios do your new features address?

Vendors should be able to describe the risk situations that the new features were designed to address. Before the new feature, how did things work? Now how will they work using the new feature? Hopefully, there will be a significant difference. This year vendors have more to say on this topic.

  1. Open Platform. Does the platform have an Open API, meaning that it’s published online and freely available? What type of API is it (such as REST, SOAP, RPC)? What are some examples of its use?

Integration is emerging as a strong source of security systems value. Some platforms are more “open” than others, and some APIs are more mature than others (a function of time and product advancement). Ask to hear about examples of how the API is used for systems integration. Some are mostly used by technology partners, and others are very useful for IT department integrations with customer applications, such as with an Identity Management System for physical/logical access control system integration.

  1. Artificial Intelligence (AI). Ask about AI algorithms and data models.

Some systems use AI in the cloud, and some have it built into product firmware, while some systems utilize both on-site and cloud-based AI.

Where do the AI algorithms reside? Who develops and improves the AI algorithms? How does the product get updated for AI improvements? Does it build a data model? Where does the data model reside? How it is backed up? Who owns the data model that is built with your company’s or your facility’s data? Last year I found that few vendors could answer such specific questions.

  1. Intelligence Augmentation (IA) and Machine Learning. How does the IA functionality of the system help with security response? What does machine learning to do make the system, and my security personnel, more effective?

Intelligence augmentation (IA) is where humans and computers solve significant problems cooperatively. A good example is BriefCam (#538) video synopsis. IA is a significant time compressor and force multiplier, whereby a single individual with an IA tool can in minutes do work that without it would take several hours or days.

  1. Standards. What encryption standard is used or what version of network protocol is used?

The use of outdated encryption and network protocols introduces cybersecurity vulnerabilities. This was a sore point in the industry just a few years ago and is getting better now – and so is worth checking on.

About the Author:

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and an active member of the ASIS International member councils for Physical Security and IT Security. Follow Ray on Twitter: @RayBernardRBCS.

About the Author

Ray Bernard, PSP, CHS-III

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (www.go-rbcs.com), a firm that provides security consulting services for public and private facilities. He has been a frequent contributor to Security Business, SecurityInfoWatch and STE magazine for decades. He is the author of the Elsevier book Security Technology Convergence Insights, available on Amazon. Mr. Bernard is an active member of the ASIS member councils for Physical Security and IT Security, and is a member of the Subject Matter Expert Faculty of the Security Executive Council (www.SecurityExecutiveCouncil.com).

Follow him on LinkedIn: www.linkedin.com/in/raybernard

Follow him on Twitter: @RayBernardRBCS.