Security industry technologies continue their rapidly accelerating advancement. Again, this is not new news. Neither is the fact that cyber attackers are increasingly targeting the expanding attack surfaces of networked physical security systems.
So, I’m beating the drum again for vendors of SaaS products to document the cybersecurity aspects of their offerings. In addition to the questions you already have in mind for GSX 2023, I’m suggesting the additional questions below.
I’ve excluded questions about drones because if you have a possible use case for them you very likely already have a list of questions ready.
Artificial intelligence (AI) is not a product per se, but a broad category of software that includes cloud-based applications and device-embedded software whose applications are finding their way into many types of cyber-physical systems, including security system deployments.
AI is arriving via software components, integrations with AI SaaS services, as well via embedding or hosting in security devices. The avalanche of AI capabilities warrants a separate set of questions which can be found in its own article, "AI-related Questions for GSX," that will be posted soon on SecurityInfoWatch. That’s where questions about robots will be included.
1. PRODUCT SECURITY. Where can I find your company’s specific guidance on secure product configuration and deployment?
Vendors should be able to point you specifically to such guidance, which hopefully has been released or updated within the last few years. I have updated my own list of companies who provide guidance on security product deployments, Physical Security Hardening Guides in 2023.
At the end of last year, I had to remove several vendors from that list because they took down their online guidance. I’m hoping that this year we can instead expand the list.
Many new industry entrants with cloud-based offerings come from the IT domain and understand the need for product security. However, only three physical security industry companies that I know of (established incumbents Brivo Systems and Eagle Eye Networks and newcomer Alcatraz AI) have joined the STAR Registry (Security, Trust, Assurance and Risk) of the Cloud Security Alliance.
In the on-premises world, the perimeter security, access control, and intruder alarms management systems from Gallagher Security have well-documented built-in system security, including end-to-end data encryption that extends out to the RS-485-connected field devices – an industry first.
It complies with the ICD-705 US SCIF Standard, a USA Intelligence Community Directive that provides physical and technical standards for all Sensitive Compartmented Information Facilities (SCIF), as well as the UK CPNI CAPSS standard around cyber security for critical national infrastructure.
2. PRIVACY AND DATA GOVERNANCE. What support do your products provide for GDPR compliance?
The toughest privacy and security law in the world is the European Union’s General Data Protection Regulation (GDPR). For certain types of data, this includes the ability to automatically anonymize the data before sharing or exporting it.
Privacy and data governance are business issues whose importance to security system deployments is increasing significantly, because of the rise in non-security business operations data generated by security system analytics. Some leading manufacturers have begun providing features that facilitate the proper handling of system data that has privacy considerations.
Requirements vary depending on the type of product. Axis Communications provides versatile dynamic privacy masking for late model cameras with its deep-learning enabled AXIS Live Privacy Shield software that runs on the camera. It is available as a free download for supporting cameras, and the AXIS Live Privacy Shield can list them for you.
Cameras with that feature can provide both a privacy-masked stream and a non-masked stream, supporting a variety of activity surveillance and evidentiary privacy needs, such as medical facilities and educational institutions have. This capability helps simplify conformance to security video PII handling requirements.
3. INFRASTRUCTURE MANAGEMENT. What new features to you have that improve management and administration for large-scale deployments?
Today’s technologies are broadly networked to a much greater scale than a decade ago. If you have a regional national or global network security system, ask about features that facilitate the management of large-scale deployments.
The user experience has historically been poor for enterprise-scale systems in five aspects: device and system lifecycle management, real-time operations use, reporting, configurable CSV or SQL data export (sometimes presented as integral with reporting functionality).
4. CLOUD CHARACTERISTICS. How specifically does your cloud-based offering make use of the six key characteristics of cloud computing?
In 2023, it is still surprising to me how many cloud services salespeople can’t answer that question! This can also have some application to on-premises equipment that is cloud-managed. Additionally, for enterprise-scale systems that deal with real-time alarming and alerting, how is containerization utilized to enable cost-effective large-scale simultaneous notifications and automated responses?
5. RISK SCENARIOS. What types of end user risk scenarios do your new or improved features address?
Vendors should be able to describe the risk situations that new or improved features were designed to address. Before the new feature, how did things work? Now how will they work using the new feature?
6. OPEN PLATFORM. Does the platform have an Open API, meaning that it’s published online and freely available? What are some examples of its use?
Integration continues to be a strong source of security systems value. Some platforms are more “open” than others, and some APIs are more mature than others (a function of time and product advancement). Ask to hear about examples of how the API is used for systems integration.
7. DIGITAL CERTIFICATES. What use do you make of digital certificates for encryption and/or device identity?
An increasing number of IT departments are requiring that encryption and system device authentication utilize digital certificates. Few non-cloud security system software applications use certificate-based encryption.
When it comes to device authentication, few vendors make on-premises hardware devices that use digital certificates to authenticate themselves to their cloud data center. The first cloud-based physical security systems to do so are the Eagle Eye Cloud VMS and the Brivo cloud access control system.
8. SENSOR OR OTHER DEVICE PROTOCOLS. Do you support MQTT or other publish-subscribe event message protocols?
We’re seeing an increase in the number of products that support people 2D and 3D people counting, queue monitoring and human presence detection. New to the physical security industry is the adoption of the publish-subscribe protocol MQTT, which is an IoT protocol for lightweight, publish-subscribe, machine to machine network communications.
It’s designed for connections with remote locations that have devices with resource constraints or limited network bandwidth. Widely supported in the IoT world, its use in physical security devices enables their participation in smart building and smart city systems. The relatively new AXIS D4100-E Network Strobe Siren also supports MQTT protocol (as well as other protocols) for activation.
9. BODY-WORN TECHNOLOGY. How can we pilot the technology to understand the impacts of any system complexities, manual process or procedure requirements and the do’s and don’ts for individuals wearing the technology? How is data privacy accounted for? What are the care and maintenance requirements?
As I mentioned last year, one pizza franchise implemented body cameras because of an increase in negative customer reports about the pizza delivery experience.
One surprising result shortly thereafter was a 20%+ increase in sales, due to delivery personnel being on their “best behavior”, in some cases going beyond their training requirements to provide a high quality of service. Body-worn technologies of all types can have beneficial impacts above and beyond the initial security or oversight driver for adoption.
Ray Bernard, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). In 2018 IFSEC Global listed Ray as #12 in the world’s top 30 Security Thought Leaders. He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Follow Ray on Twitter: @RayBernardRBCS.