Posted on Fri, May 04, 2012 @ 12:36 PM
The Wall Street Journal recently reported on an emerging travel trend: forgetting your iPad on the plane and leaving it for the next lucky traveler to find. The trend is an outgrowth not only of increasing personal use of tablets, but also a corporate trend toward BYOD, or Bring Your Own Device. Many business travelers are finding that they can accomplish everything they need to on a decent tablet, so why lug that corporate laptop around?
In business, the BYOD trend is fueled by the increasing availability of enterprise applications and mobile web sites that let users get their jobs done on these lightweight platforms. This is no less true in the physical security market, where not a month goes by that we don’t see another “app” designed to manage alarm systems, access control, and video surveillance.
But what happens when you lose that iPad with an access control app that can let people into your office, or peek in on your operations with video surveillance? Is BYOD really a good idea for physical security applications? What are the risks?
There’s a lot of discussion in the IT world about the tradeoff between risks and benefits for BYOD, but also a sense of its inevitability. CIOs and CSOs are, therefore, acknowledging it as a veritable unstoppable force and doing their best to keep it safe.
Let’s start with the fact that most tablet applications are connecting back to cloud services, so the normal cautions about cloud security all apply to BYOD:
• Make sure your providers have adequate cyber security protections.
• Make sure your providers have current SAS 70 or SSAE 16 audits covering their full application stack (not just their 3rd party data center), and ask them to prove it.
• Make sure your providers practice continuous monitoring and use ongoing penetration testing to make sure that their defenses are as good as they think they are.
• Before choosing a cloud security provider, make sure they don’t make you open holes in your firewall. That’s always a red flag, and a vulnerability that no CSO will choose if there is an alternative.
But beyond the usual cloud security provisions, there are a number of additional requirements for secure BYOD apps, especially those with the power of physical security control:
• If the service uses a native application, make sure it doesn’t cache data on your device. While this is often done for performance reasons, it presents a vulnerability if your tablet falls into the wrong hands.
• For both mobile web and native applications, make sure that password information is not stored on the device through one of those “remember me” features. The perils of stored passwords should be obvious, especially for security applications.
• Mobile logins should be governed by the same best practices you would use for any other enterprise application, expiring them when employees leave or change roles, tying them back to your corporate SSO resources, and enforcing the same complexity and change rules for mobile passwords that you do for any others.
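One concrete way to check the “remember me” point above is to look at what the mobile web application actually sends in its Set-Cookie headers. The following is an added example, not code from the original post or from any vendor: it parses a Set-Cookie header and flags persistence (Max-Age or a future Expires) and missing Secure/HttpOnly flags. The two header strings are constructed samples, not captured traffic.

```python
# Added example, not code from the original post: audit a mobile web
# application's Set-Cookie headers for the persistent "remember me"
# behaviour the post warns against. All header strings are constructed.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers. The first keeps the user logged in for 30 days
# even if the tablet is lost; the second is a session cookie that is gone
# once the browser closes and is only ever sent over TLS.
REMEMBER_ME_HEADER = "Set-Cookie: auth_token=abc123; Path=/; Max-Age=2592000"
HARDENED_HEADER = "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"


def parse_set_cookie(header):
    """Split a Set-Cookie header into (cookie_name, attributes).

    Attribute names are lower-cased; bare flags (Secure, HttpOnly) map to True.
    """
    value = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def audit_set_cookie(header, now=None):
    """Return a list of findings for an authentication cookie header.

    Max-Age or a future Expires makes the cookie persistent (the "remember me"
    problem); a missing Secure or HttpOnly flag widens exposure if the device
    or the network it is on is hostile.
    """
    now = now or datetime.now(timezone.utc)
    name, attrs = parse_set_cookie(header)
    findings = []
    if "max-age" in attrs and attrs["max-age"].lstrip("-").isdigit():
        seconds = int(attrs["max-age"])
        if seconds > 0:
            findings.append(f"{name}: persistent cookie (Max-Age={seconds}s, about {seconds // 86400} days)")
    if "expires" in attrs:
        try:
            if parsedate_to_datetime(attrs["expires"]) > now:
                findings.append(f"{name}: persistent cookie (Expires={attrs['expires']})")
        except (TypeError, ValueError):
            findings.append(f"{name}: unparseable Expires attribute")
    if "secure" not in attrs:
        findings.append(f"{name}: missing Secure flag")
    if "httponly" not in attrs:
        findings.append(f"{name}: missing HttpOnly flag")
    return findings


if __name__ == "__main__":
    for header in (REMEMBER_ME_HEADER, HARDENED_HEADER):
        print(header)
        for finding in audit_set_cookie(header) or ["no findings"]:
            print("  -", finding)
```

Run it against the headers your own provider returns after login; a clean result for the authentication cookie means the login does not outlive the browser session on a lost device, which is the property the post is asking for.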
The other great peril of BYOD applications is the threat posed by all the other applications that reside on your phone, and whether they’ve been vetted for security. Mobile malware can steal data from other applications just like good old desktop malware. A few safeguards for these risks include:
• Only use applications authorized by your service provider. There is currently a proliferation of “side-loading” apps that you can add to your phone, especially for video, that may not have been vetted.
• Don’t jailbreak your phone (or let employees use jailbroken BYODs) because they are more open to malware.
• Only allow installation from reputable sources, and in the case of “open” platforms, make sure employees do not add applications from random web sites.
• Consider using mobile web applications that run in a browser rather than a native app.
Enforcing all of these considerations will be a challenge. But many in the physical security industry view the convenience of mobile applications to be a big productivity enhancer, so it looks like something we need to collectively figure out.
In any case, don’t leave your iPad on the plane. Unless I’ve got your seat next.
- Steve Van Till
*image credit: blog.damballa.com
Posted on Thu, Mar 22, 2012 @ 09:38 AM
For at least the last decade, it seems, not a year has gone by when American manufacturing wasn’t the topic of frequent news stories. Unfortunately, much of the narrative has been a lament that all the American manufacturing jobs were being outsourced overseas, never to return home. But there are signs that this trend is changing, at least in some sectors, and at Brivo we’re proud to be a part of that turn-around.
The fact that there was an observable shift toward domestic production first came to my attention last year in an excellent article in Wired magazine. The original impetus for moving production overseas (off-shoring) was (and still is, in many cases) cheap labor and lower production costs. Recently, however, increases in foreign wages and transportation costs have offset much of the original economic advantages for certain product segments, as noted in the Financial Times. In addition, there are even more important drivers for many businesses moving production back home. Quality, quick turnaround, lower inventory requirements, and protection of intellectual property are all major considerations for many companies seeking contract manufacturing partners in the US. For those who wish to sell to the federal government, “Made in USA” requirements are an absolute.
At Brivo, we saw all of these advantages when we began moving more of our production back to the US several years ago. And we’re not alone. Forbes has documented the shift, highlighting quick turn-around times as an important consideration for many manufacturers. Naked Capitalism finds that producers place a high value on the ability to more quickly respond to changes in market demand. For our business, we see producing products domestically as facilitating a greater variety of product line variations, such as OEM relationships with unique branding requirements, or specialty configurations such as high-security FIPS 140-2 versions of our products, to name a few.
At the end of the day, we’re glad to see this trend toward on-shoring, and we believe it’s an important one for our industry. It may be fine if all of our game consoles come from somewhere else, but it’s good to know we can manufacture our own security products.
- Steve Van Till
Posted on Thu, Dec 22, 2011 @ 01:27 PM
Right on the heels of last week’s fake story about Russian hackers comes a real story about Chinese hackers. As reported in the Wall Street Journal, the US Chamber of Commerce was compromised by a spearphishing attack that apparently originated in China. The findings suggest that the attack began with one or more employee email accounts, then spread to infect other servers and resources on the network. An indeterminate amount of data was stolen or compromised.
Spearphishing and other email-borne attacks illustrate the dangers of allowing end users to operate on the same local area network as production server systems. In this setting, a malware infection that originates on one laptop or PC can easily spread to mission critical application servers that run physical security and other building management services. When local security servers share a network with email, one careless mistake by an employee can compromise access control and video systems long before anyone detects the breach. In the case of the US Chamber of Commerce, researchers estimate that the hackers had access to the network for more than a year.
Cloud computing guards against this type of attack by keeping production systems on completely separate networks from end user computers. Software as a Service (SaaS), for example, is an outsourced solution that needs no computing infrastructure on the user’s local area network. Malware and other infections that occur within a corporate LAN therefore have no easy path to the cloud services provider. True SaaS providers operate isolated production networks at dedicated facilities that contain no personal laptops or PCs for just that reason. Administrative personnel access these systems through secure channels that don’t readily propagate malware.
In the ongoing discussion of the relative cyber security of cloud versus enterprise, we think that this immunity to email-borne malware is a clear win for the cloud computing argument.
- Steve Van Till
Posted on Fri, Dec 16, 2011 @ 02:22 PM
It's widely reported that the initial reports of Russians hacking into an Illinois municipal water system are entirely false. The allegation was that they had compromised the SCADA system that controls the infrastructure, and caused a pump to malfunction, thereby depriving the good people of Illinois of drinking water, if not actually invading their bodily fluids. As it turns out, it was just a contractor logging into the system while on vacation in Russia.
The fact that this story was false makes it no less interesting from the perspective of trying to understand the vulnerabilities of the information systems that manage our infrastructure, including physical security.
The first set of questions concern prevention. Have you actually done anything to prevent hackers from being able to gain access to your security systems? If so, when was the last time those measures were validated or audited? Have you ever had any professional “white hat” hackers actually test the information security around your access or video system? If not, what makes you so sure they are safe?
A second set of questions concerns detection. How would you know if a spy or hacker logged onto your security system? Does your system keep any evidence of who logged in, or where they were when they did so? Or would they be able to cover their tracks? Does your staff regularly monitor access to your control systems?
Finally, what’s the extent of damage that someone could cause by hacking into your security system? Could they get into your building? Could they lock people out? Could they cause a life hazard? How quickly would you be able to recover? Do you have backup systems?
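The detection questions above (who logged in, from where, and would anyone notice) come down to whether the system keeps a login record and whether someone actually reviews it. As an added example, not code from the original post or from any product, here is a small check over a constructed login log for an access-control system: it flags successful logins from outside an allowed country list, outside business hours, from a source address not previously seen for that user, or immediately after repeated failures. The log lines, the allowed-country set and the business-hours window are all assumptions made for the example.

```python
# Added example, not from the original post: turn the "would you know if
# someone logged in" question into a check over a login log. The log,
# the allowed countries and the business-hours window are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed sample log: timestamp, user, source IP (documentation ranges),
# GeoIP country and outcome, one login attempt per line.
SAMPLE_LOG = """\
2011-11-08T09:12:03 user=jdoe ip=10.1.4.22 country=US result=ok
2011-11-08T09:40:51 user=msmith ip=10.1.4.31 country=US result=ok
2011-11-08T23:55:10 user=jdoe ip=203.0.113.7 country=RU result=ok
2011-11-09T02:14:44 user=svc_video ip=198.51.100.9 country=CN result=fail
2011-11-09T02:15:02 user=svc_video ip=198.51.100.9 country=CN result=fail
2011-11-09T02:15:20 user=svc_video ip=198.51.100.9 country=CN result=ok
"""

ALLOWED_COUNTRIES = {"US"}      # assumption: where this organisation's staff log in from
BUSINESS_HOURS = range(7, 20)   # assumption: 07:00 to 19:59 local time
FAILS_BEFORE_SUCCESS = 2        # failures that make the following success worth a look


def parse_login_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        record = dict(pair.split("=", 1) for pair in pairs)
        record["ts"] = datetime.fromisoformat(ts)
        events.append(record)
    return events


def find_suspicious_logins(events):
    """Return (event, reasons) for each successful login that warrants review."""
    seen_ips = defaultdict(set)     # source addresses already used by each user
    recent_fails = defaultdict(int)  # consecutive failures since the last success
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        if ev["result"] != "ok":
            recent_fails[user] += 1
            continue
        reasons = []
        if ev["country"] not in ALLOWED_COUNTRIES:
            reasons.append(f"login from {ev['country']}")
        if ev["ts"].hour not in BUSINESS_HOURS:
            reasons.append(f"outside business hours ({ev['ts'].strftime('%H:%M')})")
        if seen_ips[user] and ev["ip"] not in seen_ips[user]:
            reasons.append(f"new source IP {ev['ip']}")
        if recent_fails[user] >= FAILS_BEFORE_SUCCESS:
            reasons.append(f"success after {recent_fails[user]} failures")
        seen_ips[user].add(ev["ip"])
        recent_fails[user] = 0
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in find_suspicious_logins(parse_login_log(SAMPLE_LOG)):
        print(ev["ts"], ev["user"], ev["ip"], "->", "; ".join(reasons))
```

The point is less the specific rules than the prerequisite: none of this is possible unless the system records who logged in, when, and from which address, and keeps those records somewhere the intruder cannot edit. The Illinois case in the post is exactly this check done by hand.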
We’ve written before in this space of the need for auditing, geographic redundancy, continuous penetration testing, and avoiding any system architecture that requires you to increase your network exposure by opening ports in your firewall. The potential threat illustrated by foreign hackers has been discussed extensively in connection with our utility grid, but I’m not sure we’ve really taken stock of it in the physical security industry. It’s probably time we did.
The amazing thing about the alleged case in Illinois is that the organization actually detected access to the system from a Russian IP address, and was able to react to it as quickly as they did. My hat’s off to them. It’s a good lesson for us all.
- Steve Van Till
Posted on Thu, Nov 10, 2011 @ 12:32 PM
Is your security infrastructure prepared for the worst?
It’s a distressing feeling when you’re in the middle of an unfolding disaster, and suddenly it hits you—your plans and resources are being overwhelmed by the event. At this point, you’ll need to ask yourself: How and when will we re-establish services for customers and employees? What will this disaster cost us in terms of revenue, reputation, and recovery expenses? How can we avoid being in this position again?
As a SaaS provider of security management systems, our business is based on the availability of our services around the clock. Failure of a disaster backup or recovery plan has a direct, immediate impact on our ability to deliver the services our customers depend on. We are continuously evaluating and upgrading our contingency plans, but there is nothing like a real emergency to put those theoretical plans to the test.
Earthquakes and Hurricanes
In August, we were presented with the unusual opportunity to test our plans against two very different types of emergencies: the kind you can only anticipate and the kind you know is coming. The earthquake of August 23rd was an example of the former. Other such examples are technological failures, terrorist incidents, hacking events, fires, and loss of key personnel. These events occur without warning and test your processes as they exist. Hurricane Irene, by contrast, falls into the second category, where we have some advance warning; blizzards, tornadoes, work stoppages, planned technical work, and large disruptive public gatherings are other examples.
Both types of disasters can have significant, even disastrous, impacts on providers who have the responsibility to deliver their services around the clock. Let’s examine some factors we have found important in managing each type of event:
Unannounced events: These events are a demanding test of your plans, and advance planning is critical. Your contingency plan should consider the following:
- Who is responsible for what aspects of ensuring continuity and recovery?
- How will the team communicate internally and with customers?
- What happens if normal communication paths are disrupted?
- Who takes over if we lose access to key personnel?
- What happens if you lose key assets expected to be available for recovery (people, facilities, communication methods, etc.)?
Forecast events: These disasters should be simpler to manage, since you have a reasonable amount of information ahead of time. In addition to the key elements in place for unannounced events, you can now focus on additional elements such as:
- Ensuring availability of key employees by staggering shifts and dispersing locations
- Planning for accommodations, food, and communication in case of extended events
- Checking with partners on the status of their preparation
- Communicating what is expected of your employees and customers to assist with the preparation, and what communication to expect during and after the event
Getting Ready for Our Disaster Close-up
Both events this past August necessitated activation of our emergency response plans. For the earthquake, we were forced to evacuate our building and re-establish essential services from alternate locations. Our plan had anticipated this occurrence, so we had the infrastructure and procedures in place. Our biggest challenge was communication. Phones, cell phones, and some Internet providers were down, so access to multiple, redundant communications paths was essential.
Our data centers remained operational after the earthquake, but we prepared for a full switch-over to our disaster recovery center in case aftershocks affected the primary sites. Our data center personnel assisted the decision-making by immediate proactive communication on their operational status directly following the earthquake and until normal operations resumed.
As Hurricane Irene barreled up the east coast, we were afforded the opportunity to coordinate back-up plans in advance of the event. Our operations team staged technical support and data center resources and prepared to switch operations to our data center across the country, if necessary. Fortunately, Irene passed over and our operations were not impacted at all.
These events provided valuable, live tests of our emergency preparedness and disaster recovery plans. Continuous upgrading and evaluation of these plans are essential in helping you avoid that queasy feeling that an unfolding disaster just got the better of you.
- John Szczygiel
Posted on Thu, Oct 27, 2011 @ 11:36 AM
Kudos to Brad Nieman of Aol Government for writing the pithiest catch-phrase for the Amazon Gov Cloud Summit, held on October 18 in Washington, DC, which I’ve paraphrased as the title of this blog entry. I attended the event virtually, from my desktop, and thought that he captured the spirit of the event just right.
The central idea is that federal buyers no longer need to procure massive systems for every IT need. Instead, they can simply provision the pieces they require—they can “pay by the drink” rather than “ buy the whole enchilada” (if you’ll pardon the mixed metaphor).
Among other things, provisioning is much easier and less expensive than procurement. With today’s cloud services, provisioning usually means nothing more than an e-commerce transaction where you select the services you want from a Web storefront, and just order them. In a mature cloud environment, they should be available immediately.
At Brivo we’ve believed for many years that this is the right way to provide physical security services as well as general IT services. Our customers understand that they do not need to purchase an expensive computer system for every building they wish to secure. All they need to do is provision an online account with the services they need, and it’s available immediately.
And the business model follows suit. If you want access control for three doors or surveillance video from three cameras, then that’s all you pay for—by the drink, and by the month or by the year, depending on how your budgets work.
That’s provisioning, not procurement.
- Steve Van Till
Posted on Tue, Oct 18, 2011 @ 12:19 PM
We’re all familiar with that one scene in practically every crime show these days that makes anyone remotely familiar with the security industry roll their eyes - the classic “Zoom and Enhance.” The typical scene starts with surveillance footage shot from 500 feet in the air and a couple detectives determined to solve a heinous crime with less than 15 seconds of grainy black and white footage. One detective catches a reflection in the corner of a pedestrian’s sunglasses and instructs his “video” team to “enhance” the frame, leading to an image clear as day, and effortlessly solving the crime. You may have asked yourself, can this really be done?
Zoom
Today’s PTZ cameras are indeed capable of “CSI” style optical zoom with cameras ranging from 1x to 32x zoom and beyond. The demand for higher resolution video has caught up to the security industry (for the most part) with many manufacturers offering “HD” and megapixel video images. In the video link below, we have an AXIS P553 PTZ Camera in operation – look what it can do zooming in at only 18x!
The optical zoom function is only available live, so there isn’t much you can do if your hardware wasn’t at your intended zoom level. If you want to “zoom” in on a still picture or frame, you’re still limited to your hardware specifications. In the picture below, there is an example of the “zoom” capabilities available today. With the higher resolutions available on cameras, you can capture video of a larger area (16:9) without compromising detail.

Enhance
We can enhance… kind of. Enhancement of a still picture can be accomplished using compressed sensing (CS). It’s a mathematical tool capable of creating high-resolution photos from low-resolution shots. At the very basic level, it works by repeatedly layering colored shapes into the areas where there are missing pixels to achieve what’s called sparsity, a measure of image simplicity. In the far right part of the image below, 10% of the pixels exist and CS is used to make a sensible image. Currently, this technology is being researched for medical (MRI) and military (radar) applications.

Fortunately, if you just have noisy or grainy video (not incomplete, like the example above), there is help available today. Thanks to products like Adobe Photoshop and Adobe Premiere, with plug-ins like Neat Video and Topaz Enhance, we can easily remove the noise and produce a usable clip. Many ways to remove or reduce noise exist; the most common is to apply noise reduction to each frame on its own. If you have more than one image of the same item (as you do with video frames), you can layer the two, apply image de-noising to both images, and then combine them. The more technical names for these methods are Spatial (noise reduction within each frame), Temporal (noise reduction between frames), and Spatial-Temporal (a combination of both).
Topaz Enhance is a plug-in that uses Temporal video de-noising. Watch the whole video, or skip to 3:55 to watch it process each frame and then produce a before-and-after clip.
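To make the Spatial / Temporal / Spatial-Temporal distinction concrete, here is an added example (not code from the original post or from any of the products named) that implements the three strategies in their simplest form, a 3x3 mean filter within a frame and a per-pixel average across frames, and measures each against a clean synthetic scene. Frame size, the two scenes, the noise level and the number of frames are assumptions made for the example; the constructed data stands in for real footage. It deliberately uses two scenes, a smooth ramp and a sharp-edged square, to show the trade-off the post hints at: spatial smoothing blurs edges, while temporal averaging only works where the scene is static.

```python
# Added example, not from the original post: the three noise-reduction
# strategies named above (Spatial, Temporal, Spatial-Temporal), applied to
# constructed synthetic frames so the trade-offs can be measured. Pure Python,
# no image library required.
import random

W, H = 24, 24  # frame size, an assumption for the example


def ramp_scene():
    """Smooth left-to-right gradient: no sharp edges for a spatial filter to blur."""
    return [[40 + (x * 160) // (W - 1) for x in range(W)] for y in range(H)]


def edge_scene():
    """Bright square on a dark background: sharp edges, as on a plate or a sign."""
    return [[200 if 6 <= x < 18 and 6 <= y < 18 else 40 for x in range(W)] for y in range(H)]


def add_noise(frame, sigma, rng):
    """Simulate sensor noise: Gaussian noise per pixel, clipped to the 8-bit range."""
    return [[min(255, max(0, round(p + rng.gauss(0, sigma)))) for p in row] for row in frame]


def spatial_denoise(frame):
    """3x3 mean filter inside a single frame (border pixels use available neighbours)."""
    out = []
    for y in range(H):
        row = []
        for x in range(W):
            neigh = [frame[j][i]
                     for j in range(max(0, y - 1), min(H, y + 2))
                     for i in range(max(0, x - 1), min(W, x + 2))]
            row.append(sum(neigh) / len(neigh))
        out.append(row)
    return out


def temporal_denoise(frames):
    """Average each pixel position across frames; assumes a static scene."""
    n = len(frames)
    return [[sum(f[y][x] for f in frames) / n for x in range(W)] for y in range(H)]


def spatio_temporal_denoise(frames):
    """Temporal averaging first, then spatial smoothing of the result."""
    return spatial_denoise(temporal_denoise(frames))


def mse(a, b):
    """Mean squared error between two frames; lower means closer to the clean scene."""
    return sum((a[y][x] - b[y][x]) ** 2 for y in range(H) for x in range(W)) / (W * H)


def compare_methods(scene, n_frames=8, sigma=25.0, seed=1):
    """Return the MSE against the clean scene for the raw frame and each strategy."""
    rng = random.Random(seed)
    clean = scene()
    noisy = [add_noise(clean, sigma, rng) for _ in range(n_frames)]
    return {
        "noisy": mse(clean, noisy[0]),
        "spatial": mse(clean, spatial_denoise(noisy[0])),
        "temporal": mse(clean, temporal_denoise(noisy)),
        "spatio_temporal": mse(clean, spatio_temporal_denoise(noisy)),
    }


if __name__ == "__main__":
    for name, scene in (("smooth ramp", ramp_scene), ("sharp square", edge_scene)):
        print(name, {k: round(v, 1) for k, v in compare_methods(scene).items()})
```

On the smooth scene both strategies cut the error by roughly the number of samples averaged (nine neighbours, or eight frames) and combining them does better still. On the sharp-edged scene the 3x3 mean smears the square's boundary, so spatial filtering alone lands well above temporal averaging; that edge blur is why real tools use edge-aware spatial filters and motion-compensated temporal ones rather than plain means.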
So, yes, we are able to zoom, and we’re able to enhance. But, as you’ve seen above, don’t count on CSI’s pseudo-scientific enhancement to be available any time soon.
- Joelle Katz
Posted on Thu, Sep 08, 2011 @ 10:24 AM
How tight markets can be good for those who are savvy in services
So let’s continue the investigation of where to find opportunities in the market by looking at another potential indicator … employment growth.
While Moody’s Economy.com projects an overall growth rate of just 1.5% in employment for 2011, there are sectors that are projected to form the leading edge of the upward curve.

The hottest sectors are Mining, Professional Services, Leisure & Lodging, Healthcare, and Education. You’ll notice here that Lodging tops the list of largest construction decline and yet is high on the list for job growth. In this case you won’t find new construction, but you may find more security opportunities generated by a growing work-force.
The moral of the story is simply that as times change, your targets move and you must adjust your tactics to match the opportunities that exist. This probably includes adjusting your sales targets and even the way that you sell. In a down economy, cash is king and customers are probably less interested in capital expenditures. What a great time to be providing leased systems, managed services, and any product that helps your customer avoid capital expenses or lower their overall cost of doing business.
It reminds me of the final scene in the movie “Tin Men” about two guys selling aluminum siding during 1963 in Baltimore. As the two lead characters walk off into the sunset lamenting the lack of economic opportunities, you see a VW bug pass by and a McDonald’s sign being hoisted in the air.
To quote Winston Churchill:
“A pessimist sees the difficulty in every opportunity. An optimist sees the opportunity in every difficulty.”
For me this economy looks like an opportunity.
- John Szczygiel
Posted on Wed, Aug 24, 2011 @ 09:05 AM
How tight markets can be good for those who are savvy in services
It’s no secret that the US economy has been stumbling along for most of the past three years. The road to recovery has been bumpy at best. However, if you can clear away the fog of bad news you will discover sectors of the economy that are actually performing quite well.

Since much of the growth in the security industry is tied to new construction, the current situation represents a distinct challenge. According to statistics from the US Census Bureau (see first chart below) construction spending today is roughly equal to the levels we observed in the year 2000. We ascended the mountain of growth from 2003 to 2008 only to now have been hurled back onto the valley floor.
So where do you look for new business when there are few construction cranes in the air?
For Integrators looking to sustain or increase relative growth rates (which I hope is everyone) this represents a large obstacle that requires real thought to overcome. One way to sustain growth in this low construction environment is to focus on those industries that are in fact growing. Yes, some industries are actually still growing. To find them let’s look at two indicators of potential opportunity.
Construction & employment as indicators of potential opportunity
Organizations that are building new facilities or moving into new office space in completed facilities are usually growing and probably have new needs for physical security. According to the US Department of Commerce, overall construction in the first half of 2011 was 5.4% below the same period in 2010. So, we’re not off to a good start. However, if we peel back the data and check individual industry sectors we see a slightly more attractive environment. Take a look at the data below which was extracted from the June 2011 Department of Commerce report on construction.
You can see here that some traditional hot targets for security spending like Public Education and Manufacturing are showing rapidly slowing construction rates in the first half of 2011. Meanwhile, Commercial, Healthcare, and Utilities are all generating substantial new construction projects. If you haven’t changed your vertical marketing focus from three or four years ago, you may be targeting markets that represent very thin opportunities.
One great resource to slice through this data is the USA Today's money page where you can sort the data by industry, state and even by major metro area. This is a good place to start if you are interested in understanding your local market conditions a bit better.
But new construction is not the only measure of growth or indicator of potential opportunity. Many organizations have plenty of space and don’t need to make large investments in new construction.
In part two of this blog I’ll take a look at another potential indicator of opportunity, namely, the growth in employment.
- John Szczygiel
Posted on Thu, Jul 14, 2011 @ 08:25 AM
Every so often you have a real-life experience that perfectly encapsulates a much bigger theme. Last week was such a week, and the theme was cloud computing and the reliability of our nation’s security infrastructure.
It all started when I went to my local airport to board a flight to Chicago. As usual, I had used my airline’s option to have an electronic boarding pass sent to my mobile phone, rather than using the traditional paper boarding pass. This spares me the trouble of printing one out, and it’s actually a more secure document than its paper equivalent. I win, the environment wins, and the traveling public wins.
The trouble began when I presented my phone to the TSA agent at the security checkpoint. “Sorry,” he said, “our whole system is down and we can’t scan electronic passes. You’re going to have to go back and get paper.”
I had never seen this happen before, so I was a bit surprised and had to ask why. The TSA agent was very helpful: “It’s because they upgraded the operating system on the local servers. It took the whole network down. They’re hoping to have it fixed later today.”
I got my paper pass easily enough and went back through security, but the thought that a local server upgrade could take down a critical national security function was deeply troubling. I wondered if the software vendor had done enough testing, or if perhaps the local server environment was just different than what they had tested on. I wondered if the technicians who installed it had made a mistake, or if the application software just wasn’t compatible with that new operating system patch.
And, of course, I wondered if this whole unfortunate episode could have been avoided with a cloud solution. In that case, there would have been no local server that needed upgrading. There would have been no waiting for technicians to come back and fix the problem. There would have been no need to roll back to older software. And there would have been no breach in security.
I made it to Chicago just fine, but only because there was a paper alternative. Unfortunately, for most security systems, there is no such thing as a paper backup solution. When local systems fail, bad things happen.
In the larger discussion about how reliant we’ve become on the cloud and the Internet, this whole traditional systems failure—due to nothing more technically challenging than upgrading an operating system on a local server—is a reminder of just how far the cloud has taken us.
Up, up, and away, friends.
- Steve Van Till