<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2enclosuresfull.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:media="http://search.yahoo.com/mrss/" xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><title>Security Squared</title><link>http://www.securitysquared.com/</link><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://feeds.feedburner.com/SecuritySquared" /><language>en</language><lastBuildDate>Mon, 27 Dec 2010 12:42:43 PST</lastBuildDate><generator>Movable Type Pro 4.25 http://www.sixapart.com/movabletype/</generator><feedburner:info uri="securitysquared" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><description></description><media:category scheme="http://www.itunes.com/dtds/podcast-1.0.dtd">Technology/Tech News</media:category><itunes:explicit>no</itunes:explicit><itunes:subtitle></itunes:subtitle><itunes:category text="Technology"><itunes:category text="Tech News" /></itunes:category><item><title>Santa Spills On Security</title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/2Skauzh2uA8/santa-spills-on-security.html</link><category>Access Control Systems</category><category>Alarms and Sensors</category><category>Analytics</category><category>Biometrics</category><category>Business Continuity</category><category>Convergence</category><category>IP Video Surveillance</category><category>biometrics</category><category>businesscontinuity</category><category>convergence</category><category>psim</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sharon J. 
Watson</dc:creator><pubDate>Mon, 27 Dec 2010 12:42:43 PST</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.268</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        <b>St. Nicholas Reveals Converged Global Security Operations in Exclusive Interview with Security Squared</b><br />
<br />
It is a security operation to rival those of the Department of Defense, 
Homeland Security and Walmart, taken together. It spans the globe and 
literally thousands of endpoints ranging from family homes to a vast 
logistics network, overshadowing any nascent fusion center. It runs 24/7, 
365 days a year, capturing, sifting and storing vast quantities of data.
 Most people are familiar with its ability to "see you when you're 
sleeping" and "know when you're awake," to judge whether a person has been
"bad or good." <br />
<br />
Yet very few people, even within the security industry, have appreciated
 the sophistication of the Santa Total Oversight AKA Comprehensive 
Intel Gathering system, or STOCKING.&nbsp; In a spirit of giving, however, 
Santa Claus (a.k.a. Father Christmas, Kris Kringle, St. Nicholas, 
et al.) agreed to discuss the broad outlines of STOCKING and his security operations with   
        Security Squared. What emerges is a picture of a modern, converged security network applicable to many enterprises, even those not as time and mission sensitive as that of Old St. Nick.<br />******<br /><b><br />Security Squared:</b> First, sir, we wanted to say how much we appreciate you taking the time to chat with us so soon after Christmas. Also, how would you prefer we address you?<br /><b><br />Santa Claus</b>:&nbsp; Oh, Santa will do. I'm glad to talk about STOCKING. What can I tell you?<br /><br /><b>Security Squared</b>: Can you sketch out its dimensions for us? <br /><br /><b>Santa Claus</b>: Ho, ho, ho! Be glad to. But I'll leave out brand names. I wouldn't want to spoil anyone's holiday!<br /><br />Well, let's start close to home. Here at the Pole, we have a pretty extensive physical plant to protect. There's the reindeer barn, the home I share with Mrs. Claus, the Elven condos and our original toy workshop--we still create a fair amount of wooden toys by hand each year, mostly going to grandparents and collectors. <br /><br />We also have a massive data center here--with mirror sites all around the world, but I can't tell you where. We run our own analytics on that warehouse.<br /><br />To protect all that, we start with a good bit of perimeter security. We have the shaker fences--polar bears can be a real issue up here. They're hungry, and it's hard to find good Elf replacements. Limited supply pool, you know.<br /><br />We have surveillance indoors and out--we seem to irritate a lot of privacy advocates and there's always some half-frozen earnest type wandering around up here trying to sabotage STOCKING or a journalist trying to link taxpayer dollars to it. <br /><br />Our physical and logical access control is all linked up through our identity management system--we manage access rights based on job roles from there. We can also federate identities with some very trusted supply chain partners through cloud computing. 
<br /><br />We're big on biometrics: ear prints for the workshop Elves and for the few allowed into the data center; antlers on the reindeer. Some Asian firm actually tried to sneak a reindeer replicant in here but you can't copy the vein patterns in the antlers. Mrs. Claus and I settle for handprints. The only disappointment we had was with a facial recognition system, but I understand our experience there was far from unique.<br /><br /><b>Security Squared: </b>Tell us more about the challenges of video in your environment. <br />&nbsp;<br /><b>Santa Claus:</b> We have the cold and the lighting challenges for our outdoor set-up. We have to use a lot of hardened equipment. The megapixel stuff gives a great image for half the year. Then the light goes out for six months, and we have to rely on the infrared and thermals. <br /><br />Fortunately, the analytics can be pretty simple--<i>anything</i> relatively small moving in the snow and ice up here sets off an alarm. It gets a lot more complicated when you take all the other video feeds into consideration.<br /><b><br />Security Squared:</b> Please tell us more about that--how STOCKING transcends your enterprise boundaries.<br /><b><br />Santa Claus</b>: So one third of STOCKING is keeping an eye on things here. Another third watches our warehouse, logistics and distribution network. Time was the Elves and I used magic to deliver the goods, but what with globalization, Walmart and Amazon, we were in danger of being marginalized. As it is, what we call our "window of belief" amongst young children gets a little narrower every year.<br />&nbsp;<br />So we cut some deals with various toy makers. Again, I'm not naming names. But we go for quality--they produce, we fulfill. So we have a pretty quiet warehousing and distribution system we need to keep watch over throughout the year. On our Christmas Eve flight, the reindeer and I replenish at certain locations with regional specialties. 
<br /><br />STOCKING mainly makes sure we can track which companies delivered, when and what. And if we ever have a dispute over whether they shipped the whole allotment to us--we're always in competition with some of those big box stores--we have the digital images to match against our intake records.<br /><br /><b>Security Squared: </b>What about the most controversial part of STOCKING, that is, the home surveillance network? <br /><b><br />Santa Claus</b>: First of all, it's very much an opt-in system. The moment anyone in a household ever says "Santa Claus is watching!" we've got the green light. Our analytics can pick up dozens of variations on that phrase. That launches connections to our inventory and fulfillment systems. <br /><br />The second thing is, we do very little direct surveillance in homes anymore. Once upon a time, it was a much more mystical affair. Now, though, we find children and parents are always snapping pictures, taking videos, uploading them to YouTube and Facebook and tweeting and emailing about them. We have a custom video analytics program that scans for behaviors associated with temper tantrums, bad words, refusals to do chores--you know, general naughtiness. It's sensitive enough to weed out hissy fits caused by staying up past bedtimes versus true nasty behavior rooted in selfishness and entitlement complexes. <br /><br />It's pretty amazing what we can learn, all from data right there in the public domain. <br /><br /><b>Security Squared</b>: It seems like that puts a pretty big burden on you to protect that data once you've collected it.<br /><br /><b>Santa Claus</b>: Absolutely! Ho, ho! In the last three or four years, we've found most of the hacking and theft attempts against us have been to get into our Behavioral Assessment Database more so than any of our toy designs or trying to snag pictures of Rudolph. <br /><br />We've seen a real uptick in attacks from Eastern European nations and certain Asian locales. 
Very professional, scary stuff. I'm told they'd like to get the data on children of celebrities, politicians, potential Nobel prize winners for blackmail purposes.<br /><br />That Australian fellow is a worry, too--he has a talent for recruiting disgruntled souls who will load up a flash drive just so they can say they did. We try to keep the Elves content, but you know, some of them are really tired of following their family tradition and just want to get ear jobs and move somewhere warm.&nbsp; So much as it pains me to say, we have to be wary of the attack from within.<br /><br />To answer your question then, we have taken many steps to safeguard the BAD warehouse. A simple one was to change our data retention policy. We used to have records dating back to the Great Depression--that's depression with a D. Now when a child's window of belief closes, we dump the records, automatically wipe them from all the mirror sites. <br /><br />Only a couple of us have access to the data center, and everything we do in there is monitored visually and via a security event and information monitoring system. We've also got our SIEM tied into a physical security and information management system and have defined a bunch of potential correlated events.<br /><b><br />Security Squared</b>: Can you give us an example?<br /><b><br />Santa Claus</b>: Say there's a disturbance in the reindeer barns. Could be reindeer games run amuck--or it could be a set-up designed to distract us while someone steals a smartphone full of passwords into our apps or a bad Elf tries to alter a warehouse shipment and cover his tracks. <br /><br />Don't want to give too much away, but the SIEM and PSIM look for certain activities within STOCKING and set up a cascade of response triggers. 
You know, if our HVAC slips a couple degrees, that will set off triggers, too--losing our heat up here is a critical incident.<br /><b><br />Security Squared</b>: How is your security staff trained and organized?<br /><b><br />Santa Claus</b>: We are pretty much our own first responders around here, so we're all trained in a lot of emergency procedures. Beyond that, our security Elves don't make much distinction between what's physical security and what's logical. It's all security to them--and to me. I'm head security officer. Anything that jeopardizes my December 24 trip is a security issue to me. Children may not believe in me as they once did, but for those that do, I'm not going to let them down. <br /><b><br />Security Squared</b>: Thank you for your time, Santa. Merry Christmas, and happy 2011 to you.<br /><b><br />Santa Claus</b>: And to you and yours! Ho, ho, ho!<br /><br /><div align="center">###<br /></div><br />
    <img src="http://feeds.feedburner.com/~r/SecuritySquared/~4/2Skauzh2uA8" height="1" width="1"/>]]></content:encoded><description>In an exclusive interview, Santa Claus talks about his far-flung global security and surveillance network, how Facebook and YouTube have influenced his operations and what data the bad guys most want from him. Enjoy-- and Merry Christmas &amp;amp; Happy 2011!</description><feedburner:origLink>http://www.securitysquared.com/2010/12/santa-spills-on-security.html</feedburner:origLink></item><item><title>Identity, Access, Secure Collaboration Done the Aerospace Way</title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/X9OauWdl7w8/tscp-identity-federation-access-control-identity-management.html</link><category>Access Control Systems</category><category>Aerospace &amp; Defense</category><category>Cloud Computing</category><category>Converged credentials</category><category>Government</category><category>Identity Federation</category><category>Identity and Access Management</category><category>Strong Authentication</category><category>accesscontrol</category><category>aerospacedefense</category><category>convergedcredentials</category><category>identityfederation</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sharon J. Watson</dc:creator><pubDate>Wed, 08 Dec 2010 09:03:40 PST</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.267</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        <b>The Transglobal Secure Collaboration Program: Influencing identity, access and collaborative transaction security beyond industry boundaries<br /><br /></b>Competitors one day, partners the next. That's a business model edging 
its way into a variety of industries, from healthcare and life sciences 
to manufacturing and finance and even security. It's a model that will 
draw on the ubiquity of mobile computing and efficient cloud-based 
infrastructure. It will also require strong security measures to ensure 
greater protection of intellectual property and competitive data even as
 companies become more open.<br />
<br />
None of this is news to the aerospace &amp; defense industry. And that 
industry's model for managing collaborative transactions and data 
exchange securely is poised to influence other vertical industries. 
That's why Security Squared spent time this month talking to 
leaders and members of the <a href="http://www.tscp.org/">Transglobal Secure Collaboration Program</a>.<br />
<br />
<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://www.experteditorial.net/securitysquared/bigstock_Global_Technology_Mix_1213078.jpg"><img alt="" src="http://www.experteditorial.net/securitysquared/assets_c/2010/11/bigstock_Global_Technology_Mix_1213078-thumb-250x181-400.jpg" class="mt-image-left" style="float: left; margin: 0pt 20px 20px 0pt;" height="181" width="250" /></a></span>The TSCP is an international cooperative of leading A&amp;D companies 
and government agencies who work together to figure out how they will 
exchange data securely. The group's commercial user, or "platinum," 
members include BAE Systems, Boeing, EADS, Finmeccanica, Lockheed Martin,
 Northrop Grumman, Raytheon, and Rolls-Royce. Government members include
 the U.S. Department of Defense, the General Services Administration and
 the Secret Service as well as the defense ministries in the U.K. and 
Netherlands and the French government. <br /> 
        As DoD trading partners, the Platinum members already are subject to such mandates and formal specifications as Homeland Security Presidential Directive 12 (HSPD-12), many Federal Information Processing Standards (FIPS), the Federal Identity, Credential and Access Management (FICAM) roadmap and more. &nbsp;<br /><br />Further, the DoD and aerospace industry have invested about $1 billion collectively in just the last two or three years on identity and credentialing security, said Keith Ward, director of enterprise security and identity management for Northrop Grumman and chairman of the TSCP. <br /><br />Rather than create new standards that might compete with existing mandates, TSCP members figure out how to use their compliance and security investments more effectively, he said.<br /><br />"We're looking to mitigate the risk related to compliancy and complexity as well as to protect intellectual property in the commercial space against cyberthreats," Ward said. "It's going to take a collaborative effort to do that."<br /><br />To that end, the group creates what Ward calls "smaller 's' specifications" about how to apply the formal standards and policies coming out of government agencies to their shared business transactions. Further, he said the goal is for vendors to adjust their "product roadmaps" to incorporate these guidelines, further propagating their use. TSCP now focuses on three transaction spaces: secure documentation, secure email and secure identity federation. <br /><br />The TSCP's "how to guides" in these areas are platform and technology agnostic, said Ward. Its spec for how to implement secure email, for instance, was developed under Microsoft's Exchange server. 
The Federal Aviation Association used the same how-to guide with IBM's Lotus Notes.<br /><br />"TSCP is not done in a set way--it's a broad specification," said Dmitry Kagansky, chief technical officer, the Public Sector Group, Federal Division, of <a href="http://www.quest.com/">Quest Software</a>. For example, he noted organizations are free to handle authentication in different ways within the TSCP guidelines.<br /><br />At the same time, the group's guidelines ensure the solutions individual companies select are interoperable. Many A&amp;D projects often have to devote significant IT dollars and resources to overcoming proprietary technology used by project partners, said Jeff Nigriny, president and CEO of <a href="http://www.certipath.com/">CertiPath</a>, the A&amp;D industry's PKI bridge. <br /><br />"The industry has had enough of that," he said. "As long as we're standardizing, we can probably solve the security problems in a very real way while we're doing that."<br /><br /><b>Wide Influence</b><br /><br />TSCP's influence is strong within the A&amp;D industry and is poised to grow beyond it, said organization officials and members.<br /><br />The TSCP's Executive Forum is made up of C-level executives from A&amp;D companies and federal agencies. "These are key people who can create policy within their organizations," said Ward, noting they also often control budgets. <br /><br />TSCP also has a legal working group that looks at intellectual property issues. A government alignment committee evaluates international government security mandates and how these match with TSCP initiatives. Other groups include the Export/ITAR (International Traffic in Arms) working group; an architect board and the cyber working committee, of which the U.S. Secret Service is the forensic arm. <br /><br />Though the user member list may seem small, the TSCP platinum members are important customers of leading vendors. 
For instance, the group's members represent about 25% of Microsoft's global sales, said Ward. <br /><br />"We can touch a lot of customers at once," said Kagansky, of Quest Software, which joined TSCP as a vendor member at the urging of Lockheed, which had purchased a Quest tool for internal identity federation. <br /><br />Kagansky said another advantage to being a vendor member is the ability to influence the group's specifications. "We are involved earlier and can help end users understand what can and can't be done," he said. "Also, the specs that emerge are never a surprise." <br /><br />In addition to influencing product design, the TSCP provides models to other federal agencies about how to implement transaction security practices that meet federal standards. <br /><br />"TSCP is pretty far ahead on secure email implementation," said Kagansky. "They're a reference for how others should do this." He further noted that the finance and oil and gas industries also operate under some similar compliance mandates and could benefit from TSCP guidelines.<br /><br />Some of these guidelines could be propagated to other verticals via entities like <a href="http://www.exostar.com/">Exostar</a>, which offers secure collaboration and identity federation services to the A&amp;D space and is also cross-certified with the SAFE-Biopharma bridge certificate authority in the life sciences industry.<br />&nbsp;<br />In addition, some A&amp;D trading partners may make only a single component for an A&amp;D project, with the bulk of their business in other vertical markets. Yet as these companies adopt secure collaborative practices so they can exchange data with their A&amp;D customers, they could extend those practices to partners in other industries.<br /><br />Nigriny noted many of TSCP's specifications are relatively industry-neutral, particularly with secure email and documentation. 
While some federation specifications are more industry-centric, the TSCP wrote broader attribute and collaboration profiles useful to vendors who work across vertical industries. "The TSCP has done itself a pretty good service by keeping its industry-specific nuances fairly tightly cordoned off," he said. <br /><br />"A lot of our members keep us in check, in making sure that the value proposition TSCP brings to the table allows them to cross sectors," said JP Calderon, membership director for TSCP. "Federation, secure email, labeling--those are things starting to be leveraged in a lot of industries to protect intellectual property," he said.<br /><br />Yet TSCP is not trying to include everyone in its member base. "When we look at vendors, we have a process where we do a sanity check, to make sure there's a 50/50 benefit to the vendor and TSCP," said Calderon. He notes members supply a lot of input about what vendors to work with in terms of the challenges they're trying to solve. <br /><br />"Joint research and development and working where we have synergy together, is the attraction and appeal of TSCP. Some companies get it, some think they can create this themselves," said Ward. He expects membership will grow as synergies become apparent among the government, A&amp;D, and vendor members.<br /><br /><b>Identity Matters</b><br /><br />One of TSCP's focal points is identity federation, in which an identity trusted by one trading partner can then be trusted by other trading partners. <br /><br />"Before we can even begin to have an intelligent conversation about how to secure them, we need to be confident we know who the people are on each end of the transaction," said Nigriny. <br /><br />While most enterprises today manage physical and logical access control separately, TSCP follows the government HSPD-12 model that calls for converged access. 
So an identity could be physical, say, when a contractor visits a federal agency's or partner's facility. Or it could be digital, with a contractor or project co-designer requiring access to online documents. <br /><br />The work to secure cyber transactions naturally led the A&amp;D companies that had invested significant dollars in logical access credentials to ask why these credentials couldn't also work for physical access, internally and at trading partner facilities, Nigriny said.<br /><br />"If you look at physical access, it's the exact same problem we have with logical access," he said. "It's about protecting and controlling access to resources. This idea that I can use one credential and do both [physical and logical access control] is a very powerful thing. It's powerful because it means there's a unique identifier in that credential that I have access to and can track when someone's getting into a logical environment or physical environment." <br /><br />Further, Nigriny noted that use of PKI for physical identity federation means not only that an organization can use a visitor's own credentials but can check in real time to see whether they are still valid. <br /><b><br />Converged Credentials Emerge</b><br /><br />While conceding that truly converged access control is still fairly rare today, Nigriny said one DoD facility will soon allow physical card readers on its network so that physical and logical access can be correlated, enabling network nodes to contribute to situational awareness. Further, DoD contractors increasingly are showing interest in deploying similar systems at their own facilities, using PIV-I credentials, he said. <br /><br />Other TSCP members also are shaping the one-credential evolution.<br /><br />Ward, for instance, works at Northrop Grumman, which in October participated in the <a href="http://www.irconnect.com/noc/press/pages/news_releases.html?d=204238">DHS/FEMA "Autumn Blend" exercise</a>. 
That consisted of a live demonstration of physical and logical authentication in a simulated emergency at the company's Newport News, Va. shipyard. It included use of federal credentials like PIV and PIV-I authentication, including Northrop Grumman's own converged credential, as well as TSCP authentication specifications. <br /><br />"The TSCP's next steps are getting those specifications moved into other venues and forums," said Ward.<br /><br /><div align="center"># # #<br /></div><br />
    <img src="http://feeds.feedburner.com/~r/SecuritySquared/~4/X9OauWdl7w8" height="1" width="1"/>]]></content:encoded><description>A cooperative for the aerospace &amp;amp; defense industry is positioned to create models for secure collaboration, including identity management and converged access control, for other vertical markets. Find out here why you should know about the Transglobal Secure Collaboration Program. </description><feedburner:origLink>http://www.securitysquared.com/2010/11/tscp-identity-federation-access-control-identity-management.html</feedburner:origLink></item><item><title>Affordable Smart Credentials Delivered by Appliance</title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/Wsn37WizMPQ/affordable-smart-credentials-delivered-by-appliance.html</link><category>Access Control Systems</category><category>Converged credentials</category><category>Identity and Access Management</category><category>accesscontrol</category><category>convergedcredentials</category><category>identityandaccessmanagement</category><category>identityassurance</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sharon J. Watson</dc:creator><pubDate>Mon, 15 Nov 2010 16:00:45 PST</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.266</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        <b>ActivIdentity Aims for SMB Market with New Credentials Management Appliance</b><br /><br />Using smart credentials to achieve strong authentication is generally thought of as a solution for large companies with sensitive data assets and/or compliance issues along with deep pockets. With <a href="http://www.actividentity.com/company/news/details/?RID=632">its release earlier this month of the ActivID™ Credential Management System (CMS) Appliance</a>, ActivIdentity hopes to change that paradigm. <br /><br />"This appliance should open up the market for smart credentials," said Chris Harget, director of enterprise markets worldwide, for ActivIdentity. He cited medium-sized medical, finance, manufacturing businesses and state and local government agencies as potential customers. <br /><br />The CMS appliance enables deployment of smart cards and smart USB tokens for authentication into desktops, VPNs, applications and building access systems. To support these, the box also incorporates a full PKI infrastructure. <br /> 
        The appliance is available directly from ActivIdentity, from value-added
 resellers and through channel partners. The box with all its embedded 
features sells for $15,000; a $30 per user license includes the 
middleware residing on users' computing devices that communicates with 
the CMS appliance. The enterprise may choose a smart card or USB token 
for users; the card ActivIdentity would recommend runs about $12-$13 per
 user, Harget said. <br /><br /><b>Designed for Easy Deployment</b><br /><br />"The 
appliance really is a one-box solution," he said. Embedded in it are a full credentialing management system, database, PKI, including 
certificate authority, and best practices for credential management 
profiles drawn from ActivIdentity's professional services group. <br /><br />The
 CMS appliance database populates with user data from Active Directory or other directory 
software. In general, the built-in best practices profiles and software 
wizards enable most enterprises to set up the 
appliance within 30 minutes, Harget says. More complex integration 
environments or those lacking any sort of identity management practices 
could require more implementation time and/or services. <br /><br />Businesses
 that have shied away from the expense or perceived complexity of PKI should find the CMS 
appliance essentially makes deploying PKI a turnkey process. "We've made those capabilities as transparent to the
 user as possible," said Harget. <br /><br />While the appliance would not 
provide a full PIV solution for local government agencies, "they need to get 
started, and this would supply an infrastructure," Harget said.<br /><b><br />Supporting Converged Credentials</b><br /><br />The
 appliance can also enable users to carry fewer credentials because it 
can provision the same credential for physical access as well as logical
 access. "We've been thinking for some time now the PACS-LACS 
convergence should be happening," Harget said.<br /><br />Last month at ASIS 2010, <a href="http://www.hirschelectronics.com/Hirsch-PR--Hirsch-Delivers-Security-Industry-First--True-Convergence.asp">Hirsch Electronics announced an offering </a>in which Hirsch has put what Harget
 describes as "a shell" around the ActivID CMS appliance, making its 
features available through the interface of Velocity, Hirsch's security management platform. With a few keystrokes, then, it's possible for a
 user's credential to be provisioned for logical access at the same time it is configured for physical
 access. <br /><br />"It's a nice story," Harget said, noting that Hirsch has a sizable distribution network.<br /><br /><b>Enabling Stronger Cyber Security</b><br /><br />Harget
 expects the appliance will appeal to organizations with as few as 200 
users, provided they have intellectual property, customer data, and 
compliance issues to manage. <br /><br /><div align="left">Another selling point Harget cites 
is the ability to get more security from a single credential. Many 
security surveys have shown that cyber-crooks often steal credentials to break into networks, databases and applications. 
For example, <a href="http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf">Verizon's 2010 Data Breach Investigations Report</a>
 cited stolen log-in data as accounting for 38% of all hacks and 86% of 
the data compromised or stolen. Smart credentials can be a barrier to such identity theft through a variety of means, from cryptography to one-time password generation. <br /></div><br />"We're offering an identity 
assurance level that's streamlined, that insulates the enterprise from a
 variety of systems, that consolidates credentials and replaces varying 
levels of security with one strong layer," said Harget.<br /><br />Citing the obligatory "quiet period," Harget was not able to comment on how ActivIdentity's pending acquisition by HID Global might affect the CMS appliance. However, extrapolating from common knowledge and assuming shared marketing savvy, it seems likely HID/ActivIdentity could create some very price point-attractive credentials and identity assurance solutions for the SMB market, combining the appliance with HID's economies of scale. &nbsp; <br /><br /><div align="center"># # #<br /></div>
    <img src="http://feeds.feedburner.com/~r/SecuritySquared/~4/Wsn37WizMPQ" height="1" width="1"/>]]></content:encoded><description>Continuing the "security in a box" trend, ActivIdentity introduces a credentials management appliance that includes an embedded Public Key Infrastructure, aiming for the SMB market. The details are here.</description><enclosure url="http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf" length="2514877" type="application/pdf" /><media:content url="http://www.verizonbusiness.com/resources/reports/rp_2010-data-breach-report_en_xg.pdf" fileSize="2514877" type="application/pdf" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Continuing the "security in a box" trend, ActivIdentity introduces a credentials management appliance that includes an embedded Public Key Infrastructure, aiming for the SMB market. The details are here.</itunes:subtitle><itunes:summary>Continuing the "security in a box" trend, ActivIdentity introduces a credentials management appliance that includes an embedded Public Key Infrastructure, aiming for the SMB market. 
The details are here.</itunes:summary><itunes:keywords>Access Control Systems, Converged credentials, Identity and Access Management, accesscontrol, convergedcredentials, identityandaccessmanagement, identityassurance</itunes:keywords><feedburner:origLink>http://www.securitysquared.com/2010/11/affordable-smart-credentials-delivered-by-appliance.html</feedburner:origLink></item><item><title>ASIS 2010 Video: PSIM and CAD</title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/o137sjhQkic/asis-2010-video-psim-and-cad.html</link><category>ASIS 2010</category><category>Alarms and Sensors</category><category>Government</category><category>PSIM</category><category>Ports/Infrastructure</category><category>Public Safety</category><category>Situation Management</category><category>Videos</category><category>asis2010</category><category>cad</category><category>computeraideddispatch</category><category>emergencycommunications</category><category>emergencyresponse</category><category>psim</category><category>situationmanagement</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Steven Titch</dc:creator><pubDate>Mon, 15 Nov 2010 05:59:24 PST</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.265</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        Because physical security information management (PSIM) systems serve as a central point for incident information and communications, they add significant value to computer-aided dispatch, or CAD, systems. Users such as the Port of Long Beach, a Proximex customer, and New York City's Joint Transportation Management Center, a Vidsys customer, are using PSIM and CAD together to manage incoming calls and alarms--by phone, panic button or sensor--and determine and notify nearby responders. PSIM and CAD can be particularly effective in managing and documenting interagency communications during an emergency.<br /><br />At the 2010 ASIS International Seminar and Exhibits last month, we asked PSIM vendors such as Cisco, Vidsys, Proximex and Intergraph about the complementary relationship between PSIM and CAD. <br /><br />&nbsp; <br /><br /><object height="344" width="425"><param name="movie" value="http://www.youtube.com/v/TI_u_z4-5Zk?hl=en&amp;fs=1" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><embed src="http://www.youtube.com/v/TI_u_z4-5Zk?hl=en&amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" height="344" width="425"></object><br /> 
        
    <img src="http://feeds.feedburner.com/~r/SecuritySquared/~4/o137sjhQkic" height="1" width="1"/>]]></content:encoded><description>Because physical security information management (PSIM) systems serve as a central point for incident information and communications, they add significant value to computer-aided dispatch, or CAD, systems.</description><enclosure url="http://www.youtube.com/v/TI_u_z4-5Zk?hl=en&amp;amp;fs=1" length="1052" type="application/x-shockwave-flash" /><media:content url="http://www.youtube.com/v/TI_u_z4-5Zk?hl=en&amp;amp;fs=1" fileSize="1052" type="application/x-shockwave-flash" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Because physical security information management (PSIM) systems serve as a central point for incident information and communications, they add significant value to computer-aided dispatch, or CAD, systems.</itunes:subtitle><itunes:summary>Because physical security information management (PSIM) systems serve as a central point for incident information and communications, they add significant value to computer-aided dispatch, or CAD, systems.</itunes:summary><itunes:keywords>ASIS 2010, Alarms and Sensors, Government, PSIM, Ports/Infrastructure, Public Safety, Situation Management, Videos, asis2010, cad, computeraideddispatch, emergencycommunications, emergencyresponse, psim, situationmanagement</itunes:keywords><feedburner:origLink>http://www.securitysquared.com/2010/11/asis-2010-video-psim-and-cad.html</feedburner:origLink></item><item><title>VMS Vendors Shore Up Their Flank</title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/zIHi1WRJiCc/vms-vendors-shore-up-their-flank.html</link><category>ASIS 2010</category><category>Convergence</category><category>IP Networking</category><category>IP Video Surveillance</category><category>Video Management 
Software</category><category>ipnetworking</category><category>ipvideosurveillance</category><category>videomanagementsoftware</category><category>videomanagementsystems</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Steven Titch</dc:creator><pubDate>Thu, 11 Nov 2010 08:07:18 PST</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.264</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        Established video management software vendors, fighting pricing pressure from a new crop of low-end suppliers, are realigning their product lines into scalable tiers in hopes of offering small- to mid-size enterprises more robust and scalable products that might cost more out of the box, but promise a lower total cost of ownership over the long term.<br /><br />For vendors of any software built on open standards and designed to work across multiple platforms, the principal competitive threat has always been commoditization. This has proved no less so for software that manages surveillance systems. Indeed, small companies such as Nuuo (Taiwan), Argus Surveillance (Canada), Digifort (Brazil) and Luxriot (Latvia), offering DVR, NVR and VMS software for PCs that can be purchased and downloaded off the Internet, are peeling off customers at the low end. They can offer operations, which typically use 20 cameras or less, price points at about $50 to $100 per camera, according to research by <a href="http://ipvideomarket.info/report/vms_by_segment_small_medium_large_camera_counts">IP Video Market</a>.<br /><br />In response, major North American, European and Israeli companies are adopting a three-pronged approach:<br /><br />* Use of a single core software engine as a common foundation for a line of tiered VMS offerings targeted at different levels of the market;<br />* Accommodation of multiple inputs, such as analog and digital, and video formats, such as VGA, H.264, MPEG and HDTV;&nbsp; <br />* Support of emerging industry specifications such as <a href="http://www.onvif.org/">ONVIF</a> and <a href="http://www.psialliance.org/">PSIA</a>, which not only promise greater interoperability among other video equipment, but are likely to extend into the broader ecosystem of IP-based security technology.<br /><br />
        In general, these companies see the low-end competitors as a particular threat to sales to customers who have decentralized, dispersed operations under semi-autonomous management. These can be retail and restaurant chains, state university systems, large corporations, and state and city governments. Through new scalable, tiered product lines, the larger vendors hope to pre-empt onesy-twosy buys of low-end software by local management at smaller operations, and instead present corporate or regional security directors with a solution that offers a better cost equation when it is applied across the organization. This not only serves to solidify a long-term relationship between vendor, integrator and user, it provides a way for vendors to protect their distribution channel from Web-based competitors.&nbsp;&nbsp; &nbsp;<br /><br />At the 2010 ASIS International Seminar and Exhibits last month, vendors such as <a href="http://www.avigilon.com/">Avigilon</a>, <a href="http://www.marchnetworks.com/">March Networks</a>, <a href="http://www.nice.com/">NICE Systems</a>, <a href="http://www.milestonesys.com/">Milestone Systems</a> and <a href="http://www.genetec.com/">Genetec</a> discussed their responses to the more competitive low-end, and showcased new or recently-introduced products that aligned with their new strategy.<br /><br /><b>Avigilon's New Edition</b><br /><br />Avigilon, for example, unveiled a smaller version of its Control Center VMS, essentially creating two tiers, the Enterprise Edition and the new Standard Edition, both designated Version 4.6. <br /><br />The Standard Edition is designed as a cost-effective solution to users with limited requirements now but who expect to grow, said Dave Tynan, vice president of global sales and marketing at Avigilon. 
Like the Enterprise Edition, the Standard Edition incorporates Avigilon's core software engine, known as High Definition Stream Management, supports ONVIF, third-party IP cameras, and Avigilon's HD, H.264 and panoramic cameras, and analog encoders. It can be more cost-effective because users can opt for an initial install with fewer features than the Enterprise Edition, then add those features as they need them, Tynan said. "The ability is there," he said. "You don't enable it until you need it." <br /><br />The Standard Edition is aimed at installations between 20 and 50 cameras. The price is 40 percent less than the Enterprise Edition, Tynan said. It is also easier to install. Tynan acknowledges that low-end players are commoditizing the market, and he believes those vendors will be successful when it comes to small, stand-alone installations--storefronts and small offices that need fewer than 10 cameras. However, for users who see video surveillance as a component of overall risk mitigation, "expectations have changed," he said. Low-cost VMSs will not meet the performance or compliance requirements needed. "They are not addressing the needs of the user who asks, 'how can I use [video management] to keep my business thriving.'" <br /><br /><b>March Networks' Command </b><br /><br />Meanwhile, March Networks introduced an end-to-end video management system that brings together its existing NVR and VMS line under a single umbrella, from both a marketing and operational standpoint. For its current customers, its new Command software unifies management of all March Networks NVRs they are currently using under a single interface. 
For new installations, Command offers an enterprise VMS solution without the need for immediate rip-and-replace of analog or VGA cameras and their management systems.<br /><br />"If you are an existing March Networks NVR customer, we are giving you an evolution path forward, as Command Enterprise will manage not only our VMS solution as well as our existing NVR line," said Net Payne, chief marketing officer for March Networks. "Over time all the features and functions that our customers have come to know as well as the applications that run on top of our NVR platforms will be part of Command Enterprise."&nbsp; <br /><br />Here, again, the strategy is to provide a common framework on which users can grow a video surveillance system. "We took the same things we are known for and made sure they are in there," Payne said. "You can migrate at the pace you want to." <br /><br />At the same time, with Command, March Networks, which has a strong presence in retail, banking and transportation, aims to offer a lower total cost of ownership through the software's mass configuration and management capabilities. Command supports ONVIF-compliant cameras and devices and open SQL database standards. It enables users to access video from a variety of operating systems, including Windows XP, Windows 7 and Mac OSX, via the browser, which incorporates the Microsoft Silverlight framework for supporting rich media applications. 
<br /><br /><b>Play the embedded video for more of Net Payne's comments on Command's migration strategy.</b><br /><br /><br /><br />&nbsp;<br /><object height="340" width="560"><param name="movie" value="http://www.youtube.com/v/S4PacDcJwlI?fs=1&amp;hl=en_US" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><embed src="http://www.youtube.com/v/S4PacDcJwlI?fs=1&amp;hl=en_US" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" height="340" width="560"></object><br /><br /><b>NiceVision Net 2.0</b><br /><br />NICE Systems coins the term "entry-to-enterprise" to describe the single scalable architecture concept. At ASIS, the company introduced NiceVision Net 2.0, which is designed to deliver more of the core features of NICE's higher end Smart Video Recorder (SVR) software to NiceVision eXpress, the company's bundled package of VMS software for small and medium-sized video surveillance systems.<br /><br /><a href="http://www.experteditorial.net/securitysquared/2010/10/nice-vms-upgrade-boosts-express.html">As reported the week of the show</a>, the eXpress system is a hybrid platform and up to 64 of its 128 ports can be analog inputs. These inputs can then be gradually switched to digital as the organization changes out cameras. <br /><br />As with the other VMS suppliers, the goal is to provide users with a VMS line with an underlying architecture on which they can build. "Use the same platform of your high-end packaging and licensing, but keep it priced for the low level," said Pat Kiernan, director of marketing for NICE Systems. "As their requirements grow, you supply additional licenses." <br /><br />Although the per-channel price for NICE software is higher, Kiernan points to cost risks that organizations face if too many of their local operations opt for low-cost PC software--it ends up isolated at their respective sites. "It's a danger zone," he said. 
"These are small offerings on different platforms. In the end, to move up [to an enterprise-wide system] you're going to end up doing a rip-and-replace." Only then, the systems being replaced will be relatively new IP-based systems, not fully-depreciated analog gear.<br /><br /><b>Milestone Broadens XProtect Line<br /></b><br />While NICE is positioning a high-end product for the mid-sized market, Milestone is taking its highly successful XProtect Enterprise VMS, the market share leader in the mid-size segment, and attacking the high-end. Milestone Corporate 4.0, introduced at ASIS, will scale to handle thousands of cameras, using a federated architecture similar to an approach used by Genetec, its principal competitor at the high end.<br /><br />Federated architecture unifies the management of "islands" of video systems dispersed throughout an organization, said Christian Bohn, vice president of marketing and product management for Milestone. <br /><br />"The benefit of the Milestone Federated Architecture [is that] we now have the ability to interconnect all these islands into a huge federated hierarchy," Bohn said. 
"That means a system administrator will have the ability to go off and create federated hierarchies that can encompass different retail outlets, or it could be a Fortune 100 customer which is creating federated sites covering different countries, different campuses and so forth."<br /><b><br />More from Bohn on federated architecture in the embedded video below.</b><br /><br /><object height="340" width="560"><param name="movie" value="http://www.youtube.com/v/Ps0bkc6XW-c?fs=1&amp;hl=en_US" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><embed src="http://www.youtube.com/v/Ps0bkc6XW-c?fs=1&amp;hl=en_US" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" height="340" width="560"></object><br /><br />At the same time as it is pursuing the high-end, Milestone is packaging XProtect for the low-end. This summer, the company unveiled XProtect Essential 1.0 and XProtect Go. Essential is designed for small businesses and supports up to 26 cameras. The license fee is $99 for the first two cameras, $49 per channel after that. A single server configuration--something of an out-of-the-box VMS--runs on Windows 7 and can support a variety of camera formats, including MPEG-4, H.264 and megapixel. <br /><br />XProtect Go is a free downloadable package, although registration is required after 30 days. The package supports a maximum of eight cameras, limits recording storage to five days and will not send video to thin clients such as smartphones.&nbsp; <br /><br />So nominally, at least, Milestone offers the broadest range of configurations under its XProtect platform, although its smallest-scale offering can be more accurately viewed as a demo system. 
Nonetheless, the company is attempting to provide a low-cost entry into IP video while hoping to tie that sale into a viable user migration path.<br /><b><br />'Powered by Genetec'</b><br /><br />Not to be outdone, Genetec, the high-end market leader, was showcasing its Omnicast SV-16 version for small installations, which it introduced in September. Described by the company as "a network security appliance powered by Genetec's software," the product is essentially a version of Omnicast targeted for installations of under 16 cameras. <br /><br />The SV-16 is a component of the so-called "Powered by Genetec" initiative designed to create a migration path to higher-end versions of Omnicast. The small version supports all
 compression formats available on the Omnicast platform, including H.264, MPEG-4 and 
MJPEG. The SV-16 also supports wireless 
connectivity and offers up to 500 GB of internal storage.<br /><br />The per-camera software 
license allows customers to purchase the number of licenses they need 
initially and grow their system over time. SV-16 deployments can also be tied into a larger corporate VMS system through Genetec's federated architecture, said Francis Lachance, product manager for Genetec. "It's a good value for small-scale installations, but also for multisite operations," he said.<br /><br />
    <img src="http://feeds.feedburner.com/~r/SecuritySquared/~4/zIHi1WRJiCc" height="1" width="1"/>]]></content:encoded><description>Established video management software vendors, fighting pricing pressure from a new crop of low-end suppliers, are realigning their product lines into scalable tiers in hopes of offering small- to mid-size enterprises more robust and scalable products that might cost more out of the box, but promise a lower total cost of ownership over the long term.
</description><enclosure url="http://www.youtube.com/v/S4PacDcJwlI?fs=1&amp;amp;hl=en_US" length="1013" type="application/x-shockwave-flash" /><media:content url="http://www.youtube.com/v/S4PacDcJwlI?fs=1&amp;amp;hl=en_US" fileSize="1013" type="application/x-shockwave-flash" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>Established video management software vendors, fighting pricing pressure from a new crop of low-end suppliers, are realigning their product lines into scalable tiers in hopes of offering small- to mid-size enterprises more robust and scalable products at </itunes:subtitle><itunes:summary>Established video management software vendors, fighting pricing pressure from a new crop of low-end suppliers, are realigning their product lines into scalable tiers in hopes of offering small- to mid-size enterprises more robust and scalable products that might cost more out of the box, but promise a lower total cost of ownership over the long term. </itunes:summary><itunes:keywords>ASIS 2010, Convergence, IP Networking, IP Video Surveillance, Video Management Software, ipnetworking, ipvideosurveillance, videomanagementsoftware, videomanagementsystems</itunes:keywords><feedburner:origLink>http://www.securitysquared.com/2010/11/vms-vendors-shore-up-their-flank.html</feedburner:origLink></item><item><title>Access Control Meets Intrusion Detection</title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/9X5SnKqDjoY/access-control-meets-intrusion-detection.html</link><category>Access Control Systems</category><category>Alarms and Sensors</category><category>Endpoint Security</category><category>Government</category><category>accesscontrol</category><category>alarmsandsensors</category><category>government</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sharon J. 
Watson</dc:creator><pubDate>Wed, 10 Nov 2010 10:13:33 PST</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.263</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        <i>We've been wondering when U.S. government security mandates would start 
influencing enterprise/commercial deployments. The latest version of AMAG Technology's flagship Symmetry access control platform offers one path.<br /><br />At Security Squared, we don't typically get too
 excited about iterations of products unless they signal a major 
technological or strategic shift. What intrigued us about the Symmetry 
Version 7.0 announcement at ASIS 2010 was that this version is currently available only 
in limited release to government customers.  So we spent a few minutes recently 
talking with Matt Barnette, senior vice president, marketing, for AMAG 
Technology. He discussed the features developed for federal users and how those will find their way into enterprise versions of Symmetry 7.0, due at ISC West next spring. <br /><br />
Here are some of the highlights of our conversation, edited for clarity and length: </i>
<br />
<b><br />*****<br /><br />Sharon J. Watson, Security Squared:</b>
 Tell me a bit about what's in the latest version of Symmetry previewed at ASIS 2010 and why you're initially targeting government customers with it.<br /><br /><b>Barnette</b>: What we 
found over the last four or five years is there were a few product lines
 in that space where those companies maybe hadn't been investing in 
current technology and for one reason or another, with the changes in 
the economy and buyouts, mergers and acquisitions, those product lines 
are really kind of stagnant.<br />&nbsp;<br />
 
        There have been lots of inquiries from end users of those products about potential upgrades to new systems. We decided to develop our version 7 with the new features specific to that government customer and what those customers really use-- quite a bit of which is a little bit outside of the norm of the commercial-industrial business we would typically do. They are very heavily reliant on intrusion detection. It could be a top-secret office environment where they have SCIF [Sensitive Compartmented Information Facility] rooms, and there are regulations about the data that's stored inside of those rooms and who has access to those rooms. So you need to have a product that has that specific feature set in order to compete in that arena.<br />&nbsp;<br />We added this functionality, it's a module that's been added to our Version 7.0 software that allows for this intrusion detection aspect. That's on the software side. There's hardware that goes along with that. We've changed and updated the firmware in our panel so that we have a unified solution that can do both access control and alarm monitoring and intrusion detection all on the same panel. You don't have to worry about buying separate parts and pieces. Fewer parts means more efficiency, it's easier to service and maintain. There's a lot of value in being able to do this with our core product line, not having to change out. For existing customers, they can also migrate to this new product, this intrusion management, and not have to change anything they've already installed. It will work on their existing infrastructure as well. <br /><br />In summary, it's a software and hardware solution. It includes our Javelin series of readers. It has a four-line liquid crystal display on it so the user can get feedback from the system. It's like when you go into your house and you have an alarm system, you can see what the status is, you can arm it and disarm it. 
That Javelin card reader will provide the users of the system real-time feedback on the status of the system. <br /><br />As an example, when I walk up to that card reader, I can enter my PIN code or my card number, and it will show me whether that zone is armed or disarmed or if there's a point in a forced situation or has been overridden by somebody.&nbsp; I can see that real-time information on the keypad. I can also enter commands on that keypad so I can lock down an area or unlock an area, all from that user interface on the keypad. <br /><b><br />SJW:</b> The intrusion detection modules--will your enterprise customers eventually be interested in those or are there additional features in version 7 that may originally have been conceived for the government and federal market that you're thinking will also have appeal across the private sector?<br /><br /><b>Barnette</b>: The intrusion management will have a wide variety of applications. In the K-12 education market, intrusion management is a big deal. The smart classrooms now have a lot of expensive computer equipment and audiovisual equipment in them. <br /><br />We've seen many other applications for this type of functionality in the private sector, everything from education to health care.&nbsp; There's a lot of expensive equipment in hospitals. Typically they're locking down those operating rooms. Now you'd have the ability to go in and enter a number on the keypad, unlock the door, turn off the alarm system, allow access to that operating room and do what you need to do. At the end of that, you can lock it back down or have the system automatically lock it down at a specific time.<br /><b><br />SJW</b>: So, Matt, the extra flexibility there is actually being able to do that from the keypad?&nbsp; With access control systems, you have a lot of control depending on where you place your card readers and how you program your software. 
I'm just trying to understand the subtleties between controlling access and intrusion detection. <br /><b><br />Barnette</b>: Right. In a lot of access control systems, you have that functionality but only at the head end where the software is, so the operators have to do that. Traditionally you would have to call the operations center or security officer from that classroom or operating room, and they would have to log in to the software to do that for you manually. <br /><br />A lot of organizations want to decentralize that type of routine task and really push it out to the users. A traditional access control system is a one-way street. You hold up a card to the card reader, it sends data to the panel, the panel needs to communicate to the server. You don't send anything back to the card reader--it's either a "go" or "no go" decision. There's no information that is displayed, there's nothing the user has any ability to do on a traditional card reader. <br /><br />Keep in mind the [Javelin] card reader is the same unit you're using for access control [and now] intrusion detection, it's not two separate pieces. When you add the intrusion aspect, you're really introducing the ability for the user to have that flexibility of being able to make decisions right there at the card reader, [using it] as your console into the system as opposed to having to go to a computer and do it through your software. <br /><br /><b>SJW:</b> Were there any generic deployments you're able to talk about or some way your federal government customers have been using this that you can share with me? Or some of the issues and challenges that solved for them?<br /><br /><b>Barnette</b>: That's where it gets a little tricky. We've installed a very, very large system in the Aberdeen Proving Grounds [in Maryland]. That's about all I can say about that. 
<br /><br />We currently have test systems installed for several different departments, including the Marine Corps, Army and are under evaluation by the Navy. The first step for any of these deployments is they have to go through very thorough tests in the lab environment before they can be deployed in the real world environment. We are already in that process now with three very large departments of the military. <br /><br /><b>SJW:</b> Were there other points you had wanted to emphasize or something I should be asking that I'm not?<br /><b><br />Barnette</b>: What we really didn't talk about is the standards or compliance requirements in the government sector, things like FIPS-201, HSPD-12. Our product has been and continues to be capable of meeting those requirements. In the government sector, information assurance as well is becoming more and more important. <br /><br />The product not only needs to do what you say it can do, it also has to meet these very stringent certifications that are being implemented mostly by the information assurance groups within these agencies. They are looking for vulnerabilities in products. All of these systems are now running on networks so they have to test and make sure it's not going to cause issues on the network, and that there are no vulnerabilities that would allow hackers to get into your security system.<br /><br />We talk a lot about features and functions and benefits.&nbsp; Compliance and certification are also things that are important to the US government--the information assurance testing as well as the FIPS requirements, including the FIPS 140-2 encryption. We have to go through all of that. Certainly our Version 7 software will continue our legacy of having that certification.<br /><br /><b>SJW</b>: Matt, will those levels of security meeting federal compliance be woven into the fabric of the product so that enterprise clients will also get that level? 
Or will those be things that you turn up or turn off depending on the enterprise needs and their budget?<br /><b><br />Barnette:</b> They will be sewn into the fabric of the product. Some of these government standards are really irrelevant to the private sector but by and large, most of the enhancements that are made to meet these requirements only make the product more robust for the commercial sector. <br /><br /><div align="center"># # #<br /></div><br />
    <img src="http://feeds.feedburner.com/~r/SecuritySquared/~4/9X5SnKqDjoY" height="1" width="1"/>]]></content:encoded><description>Features designed initially for government users will eventually offer enterprise users increased functionality from AMAG Technology's flagship Symmetry access control system. More ASIS round-up coverage, this one featuring Matt Barnette, senior vice president, marketing, for AMAG Technology.</description><feedburner:origLink>http://www.securitysquared.com/2010/11/access-control-meets-intrusion-detection.html</feedburner:origLink></item><item><title>ASIS 2010 Video: Analytics and Video Management</title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/sHzSzFClipM/asis-2010-video-analytics-and-video-management.html</link><category>ASIS 2010</category><category>Analytics</category><category>Business Processes</category><category>Convergence</category><category>IP Video Surveillance</category><category>Video Management Software</category><category>Videos</category><category>asisinternational</category><category>securityconvergence</category><category>videoanalytics</category><category>videomanagementsystems</category><category>videosurveillance</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Steven Titch</dc:creator><pubDate>Fri, 05 Nov 2010 09:45:06 PDT</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.262</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        Video analytics is still trying to get over its reputation for overhype. Most vendors are trying to manage expectations, and it's pretty much established that analytics perform well when designed to detect trespassing, loitering or attempts at unauthorized entry. Still questionable are applications such as facial recognition and bag-left-behind. Also low light, foliage and background movement can create problems.&nbsp; <br /><br />Some vendors are trying a new tack, however, steering away from hype and talking instead about how analytics add value in a networked security environment. When integrated with a video management platform, analytics can be used in searches of stored video without pre-set rules. Third-party software and applications, such as Google Earth, can be overlaid on the system. Analytics are even finding applications beyond security. The technology can be used in people counting and other business performance metrics, examples of which surfaced last month at ASIS International in Dallas.<br /><br />During the show, <i>Security Squared </i>visited with several analytics companies to look at the ways analytics, when combined with video management, create a strong value proposition. 
Our video report showcases interviews with <a href="http://www.videoiq.com/">VideoIQ</a>, <a href="http://www.agentvi.com/">AgentVI</a>, <a href="http://www.dvtel.com/">DVTel/ioimage</a>, <a href="http://www.objectvideo.com/">ObjectVideo</a> (via Cisco Systems) and France-based start-up <a href="http://www.keeneo.com/">Keeneo</a>, along with several demonstrations.<br /><br /><br /><object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/EYYqgK7eauY?hl=en&amp;fs=1" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><embed src="http://www.youtube.com/v/EYYqgK7eauY?hl=en&amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></object>  
        
    <img src="http://feeds.feedburner.com/~r/SecuritySquared/~4/sHzSzFClipM" height="1" width="1"/>]]></content:encoded><description>At ASIS International in Dallas, Security Squared visited with several analytics companies to look at the ways analytics, when combined with video management, create a strong value proposition. Our video report showcases interviews with VideoIQ, AgentVI, DVTel/ioimage, ObjectVideo (via Cisco Systems) and France-based start-up Keeneo, along with several demonstrations. </description><enclosure url="http://www.youtube.com/v/EYYqgK7eauY?hl=en&amp;amp;fs=1" length="974" type="application/x-shockwave-flash" /><media:content url="http://www.youtube.com/v/EYYqgK7eauY?hl=en&amp;amp;fs=1" fileSize="974" type="application/x-shockwave-flash" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>At ASIS International in Dallas, Security Squared visited with several analytics companies to look at the ways analytics, when combined with video management, create a strong value proposition. Our video report showcases interviews with VideoIQ, AgentVI, </itunes:subtitle><itunes:summary>At ASIS International in Dallas, Security Squared visited with several analytics companies to look at the ways analytics, when combined with video management, create a strong value proposition. Our video report showcases interviews with VideoIQ, AgentVI, DVTel/ioimage, ObjectVideo (via Cisco Systems) and France-based start-up Keeneo, along with several demonstrations. 
</itunes:summary><itunes:keywords>ASIS 2010, Analytics, Business Processes, Convergence, IP Video Surveillance, Video Management Software, Videos, asisinternational, securityconvergence, videoanalytics, videomanagementsystems, videosurveillance</itunes:keywords><feedburner:origLink>http://www.securitysquared.com/2010/11/asis-2010-video-analytics-and-video-management.html</feedburner:origLink></item><item><title>Keeping Clouds Tethered to Enterprise Security Policies</title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/hlDt_QefAu0/cloud-security-ibm-solutions.html</link><category>Cloud Computing</category><category>cloudcomputing</category><category>hostedservices</category><category>hostedvideo</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sharon J. Watson</dc:creator><pubDate>Mon, 01 Nov 2010 11:56:42 PDT</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.261</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        <b>Don't Let That Hosted Security Service Float On Its Own</b><br /><br /><i>At the recent ASIS 2010 conference, several presentations focused on 
using cloud-based security applications. Instead of installing servers 
and infrastructure to support access control, video surveillance, 
storage, analytics and more, security professionals can now contract for
 these services from third parties who deliver them via the Internet. <br /><br />
It's the "third party" aspect that gives some people pause about the 
cloud. According to IBM's <a href="http://www.ibm.com/services/riskstudy">Institute for Business Value 2010 Global IT 
Risk Study,</a> the security of computing in the cloud is still prohibiting 
wider adoption of hosted solutions: 77 percent of respondents believed 
that adopting cloud computing makes protecting privacy more difficult, 
50 percent are concerned about a data breach or loss and 23 percent 
indicated that weakening of corporate network security is a concern. <br /><br />
Earlier this month,<a href="http://www.ibm.com/security"> IBM introduced a suite of services</a> designed to help 
enterprises develop strategies to ensure their use of cloud applications
 is secure. To learn more about what physical security professionals 
should consider when evaluating cloud-based solutions for their needs, 
Security Squared spoke with Jason Hilling (photo below right)<br /></i><span class="mt-enclosure mt-enclosure-image" style="display: inline;"><img alt="" src="http://www.experteditorial.net/securitysquared/JasonHilling.jpg" class="mt-image-right" style="float: right; margin: 0pt 0pt 20px 20px;" width="172" height="250" /></span><i>managed security services 
portfolio manager, IBM Global Technology Services. <br /><br />
What follows is a transcript of our conversation, edited for clarity and length.</i>


<br />
<br />
************<br />
<b><br />
Sharon J. Watson, Security Squared:</b> I'm trying to help our audience 
understand what some of the criteria are they could use to evaluate the 
security of cloud offerings. Are there checklists or particular 
certifications out there today they can look for? <br />
<b><br />
Jason Hilling, IBM</b>: What people need to think about is that securing the
 cloud is all about securing the data that's within it. That's a common 
IT practice that we've all been comfortable and familiar with, 
developing and refining over the many years we've been supporting 
enterprise networks inside of our own data centers as well as in hosted 
data center environments. <br />
<br />
When you think about putting data in the cloud, like digital video data,
 you need to look at it from a methodology perspective. You need to 
assess the types of data or types of workloads that are going to work 
for your organization in the cloud, because security isn't a 
one-size-fits-all endeavor. Every individual vertical industry has 
different requirements and different regulations it needs to adhere to. 
There really isn't a single silver bullet recommendation that says, go 
watch for XYZ. You need to strategically look at the workloads and 
understand, from a risk tolerance perspective, which are the ones that 
can be moved outside of your organization. <br />
 
        Then you need to look at the appropriate governance model to wrap around that data: know what regulations your organization is susceptible to, know what types of governance frameworks your IT security policy is mandating you use to ensure data remains secure. Those are the security measures that need to apply to that cloud environment where that data is being stored. That applies whether it's the public cloud, private cloud or even a hybrid cloud. <br /><br />From that point, you then work on enabling the cloud. That means actually getting the data out there. Once you do that, you need to monitor that environment to ensure the security protocols identified when you established that governance model are actually effective. &nbsp;<br /><br />Sometimes they're inherent in the actual cloud platform itself. Sometimes they're built in. At times they won't be, because cloud providers struggle to build a single cloud that is secure for every individual tenant moving data into the cloud. Then you have to periodically assess whether that cloud remains secure. <br /><br />A lot of this work is very similar to what we do in IT management in our own data centers but the cloud, being a relatively new concept, is something that people tend to struggle to wrap their arms around in terms of how their existing IT processes are aligned with taking advantage of the benefits of cloud. That's part of the reason why IBM launched facilities planning and assessment offerings recently.<br /><br />We recognize the cloud can absolutely be secure if there's planning and forethought and strategy put into taking advantage of it. In the meantime it's important that organizations understand the methodologies they can use to take advantage of cloud. We put out some professional services offerings that focus on helping customers understand cloud security, a strategic roadmap actually looking at how they could securely take advantage of the cloud. 
<br /><b><br />SJW</b>: One of the things I had understood about how the cloud is being used by various companies is that the cloud application is not necessarily always under the IT department's control. Someone put it to me once that a business unit with a credit card can set up some cloud applications. <br /><b><br />Hilling</b>: I think you raise a really important point. In recent IT risk surveys that IBM released this year, one of the things we've learned is in about 47% of organizations, their risk management processes are [in] silos between individual business units. When you have different approaches toward risk management being taken by different departments, that is significantly problematic. What's the common message being communicated to the end users about how to manage risk and how to apply IT controls across the environment?<br /><br />It really speaks to a need for overall risk management and IT security policy to be more closely attached to how the business is actually being run--at ensuring that procedures and policies and decisions being made are actually factoring in IT risk and IT related issues. <br /><br />That's really a fundamental change in methodology for many organizations. As compliance becomes a more important and dominant aspect of how we run our businesses, things are certainly trending in that direction. 
Your comment about the ease with which new cloud applications can be turned up, that someone with a credit card can just roll something out into a department, speaks to the level of urgency that organizations need to apply toward beginning to standardize their risk management frameworks for their organizations; beginning to de-centralize their risk management function; consider establishing a dedicated risk management capability in the organization; and then ensuring there is uniform application of risk management policy across the business with suitable education of all users at all levels of the organization to back up and enforce those changes in policy.<br /><b><br />SJW</b>: So Jason, from your perspective, it would not be a good idea for any particular department to launch a cloud app without sitting down with the IT department and working through it together.<br /><b><br />Hilling</b>: I think it's important that when a company decides to introduce new risks into the organization, driven from any business unit, that those risks be effectively looked at and assessed against the overall business's tolerance for risk and its overall IT policy structure and governance. So when it comes to taking advantage of services outside of the organization that require moving sensitive information into a third party's hands, that absolutely becomes something that affects the organization's risk posture. It essentially affects their compliance posture. That's not just internal IT policy, that's also potentially external regulatory requirements that the business might need to adhere to for legal reasons or because they're in a particular vertical market. <br /><br />Today's environment is a little bit more tightly controlled or needs to be more tightly controlled than perhaps the environment of 5 to 8 years ago. 
That means we are probably beyond the days in which individual groups selectively make their own IT decisions without validating how those decisions affect the larger organization if we're trying to operate from a risk tolerance and security-minded decision framework.<br /><br /><b>SJW</b>: If I am one of these departments and I'm interested in an application, are there specific certifications or guidelines that would help me know that I'm at least bringing a quality cloud vendor to their attention?<br /><br /><b>Hilling</b>: There are governance frameworks that help to provide the core principles under which these cloud implementations should be designed, built and secured, like ISO standards. These represent security best practices. Customers should look for providers who have taken those design principles into consideration. They should also look at service provider certifications such as SAS 70. That's a potential example of a given service provider's commitment to confidentiality, integrity and availability of the information that goes into the cloud.<br /><br />Various functional areas should be looked at from a security perspective when a particular cloud provider is considered. IBM has actually built its entire security portfolio around what we call the Security Framework, and the Security Framework identifies all of the major domains in security for which organizations need to direct attention.<br /><br />Each one of those framework areas provides interesting insight into the types of security protocols and measures that the cloud provider might need to consider. 
The framework includes <u>governance and compliance</u>; <u>people and identity</u>--how are we systematically and programmatically controlling access in the cloud environment; <u>data and information</u>--how we actually secure the underlying data that's residing there, keeping it separated from other tenants of the cloud environment; <u>applications and processes</u>--do we have the right controls in place to ensure the applications are running in a secure environment and the environment itself is properly locked down from one customer to another; <u>network, server and endpoint controls</u>--how is the fabric of the cloud itself being protected to ensure that the entire cloud is always available; all the way down to <u>physical infrastructure</u>--whether through video cameras, key cards, armed guards at the front desk, how do we ensure the actual facility that houses the infrastructure remains secure as well.<br /><br />All of those domains really need to be considered. Most of those domains feed into the various governance frameworks we mentioned earlier. That's the starting point of that assessment process. So as we talked earlier about creating a governance model and understanding what regulations and requirements apply to the workload you selected, that provides a framework for the types of things that need to be considered in that process. <br /><b><br />SJW</b>: I'm glad you mentioned the SAS 70. I was going to ask about the type I and type II certifications and if those were designations that people should look for. It sounds like they are. <br /><br /><b>Hilling</b>: They are. The type II certification is a service provider-focused certification. When you look at the cloud, you are really contracting with a service provider, especially if you're going to a public cloud. 
In that type of environment, you want to make sure that service provider has mastered the process of administering customers--turning customers up, turning customers down--and keeping data segregated, making sure their systems are properly patched and secured, with all the availability standards in place. The SAS 70 does a good job of helping to provide a basic starting point for that level of assurance.<br /><br /><b>SJW</b>: Jason, one other thing I wanted to touch base with you on.&nbsp; This fits into that security framework you just ticked off for me. You'd mentioned one of the key areas is people and identity and how do we actually control access to the cloud. One of my personal points of interest is whether there is something in the [physical security professional's] toolbox they can use to help the overall enterprise with that particular security task of controlling identity and access to the cloud. From your position, is the kind of access that physical security professionals deal with just completely different from what's happening in terms of controlling virtual identities getting into the cloud or do you see any natural touch points between the two?<br /><br /><b>Hilling</b>: As time goes on, we look toward this intersection point of physical and logical security as being one of the key advancements we'd all like to see from a security perspective-- that intelligent understanding of 'user John just badged in in our Atlanta, Georgia, office but an IP address in China is logging in as John to this application.' Being able to put those two pieces together intelligently is absolutely where the customers and the market and the technology want to get to. 
<br /><br />Now that we are all attached to the network in some way, shape or form, whether through local devices or laptops or sitting in our offices...and data is now sufficiently being stored in the cloud in massive volumes in real time and our computing power has become advanced enough that we can, in real time, process billions of these data entries all at once and be able to actually make intelligent decisions and analyses off of that data, we are arriving at a point where the technology is maturing enough to allow us to begin to make those intersections happen, to [turn] those intersections into commercially available tools. <br /><br />The next thing that has to happen before you can begin to see that take widespread hold is to see buying centers start to come closer together. Today we're still selling to two very distinct groups in the organization that are generally responsible for physical security and IT security. Certainly some more progressive organizations may have begun to build stronger linkages but they do remain largely separate. <br /><br />As regulatory mandates begin to get more proscriptive and start to require more stringent controls over data from the physical as well as the logical perspective, we'll probably start to see some of those integrations begin to take place. Most likely we'll see them in particular verticals, some of the more highly regulated areas like financial services and possibly government. <br /><br />I do think there is logical sense to join those together. The technology has matured to enable that to happen. Now we need to see some organizational change to further enable it.<br /><b><br />SJW:</b> Is the rise of cloud computing itself driving any of the convergence between physical and logical IT? Do you need that level of security more often when you're thinking about putting more of your infrastructure, data and apps into the cloud?<br /><b><br />Hilling</b>: I think it makes logical sense to think about it. 
But I can't say at this point in time I could build a distinct connection between the adoption of cloud and the integration of physical and logical security. I wouldn't say I have the data to support making that kind of leap at this stage.<br /><b><br />SJW</b>: Were there other points you wanted to make?<br /><b><br />Hilling</b>: From our perspective, the message we really wanted to communicate when we did our cloud launch was that the cloud can be a secure environment for customers if it's leveraged strategically. In general, the IBM perspective is that the cloud can go beyond just being secure. It can actually in some cases be more secure than the traditional legacy network environment. <br /><br />Part of the reason for that is cloud delivers many of its benefits in terms of reducing costs and improving efficiencies by leveraging purpose-built environments built from the ground up to perform a very specific function. Because of that intelligent design, it's sometimes easier to actually engineer security into that type of environment.&nbsp; Most of us are familiar with legacy network environments where they grow based on business need, which is unpredictable and changes frequently, and you may end up with this kind of a hodgepodge, heterogeneous environment of all sorts of technologies that don't necessarily natively interact, and you have to figure out how to lock them all down. <br /><br />So our message to customers is really they need to not be afraid of the cloud. They need to take active measures to understand how that cloud can be used effectively in their environment, and they need to be comfortable with taking advantage of it. Some of those services we've launched are actually security services delivered from the cloud --log and event management and vulnerability assessment. 
From our perspective, that emphasizes our point that we believe in the cloud and the efficacy of the security so much so we're developing and delivering security solutions from the cloud itself.<br /><br /><div align="center">###<br /></div><br />
    <img src="http://feeds.feedburner.com/~r/SecuritySquared/~4/hlDt_QefAu0" height="1" width="1"/>]]></content:encoded><description>No department should cloud compute alone, says IBM Global Technology Services consultant Jason Hilling. If you're thinking about using hosted access control, video, storage, identity management or other cloud-based apps, this one's for you.</description><feedburner:origLink>http://www.securitysquared.com/2010/10/cloud-security-ibm-solutions.html</feedburner:origLink></item><item><title>ASIS 2010 Video: Inside Dallas P.D.'s Video Surveillance Operations Center</title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/eLgOt8E-5_0/asis-2010-video-inside-dallas-pds-video-surveillance-operations-center.html</link><category>ASIS 2010</category><category>IP Networking</category><category>IP Video Surveillance</category><category>Public Safety</category><category>Video Management Software</category><category>Videos</category><category>Wireless Networking</category><category>publicsafetyvideosurveillance</category><category>urbansecurity</category><category>videomanagementsystems</category><category>wirelessmesh</category><category>wirelessnetworks</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Steven Titch</dc:creator><pubDate>Fri, 29 Oct 2010 11:58:02 PDT</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.260</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        The Dallas Police Department's outdoor video surveillance system is considered one of the most successful deployments of an IP-based mesh wireless network for urban security. Its vendor, <a href="http://www.firetide.com/">Firetide</a>, claims it is the largest all-wireless city surveillance network in the U.S. <i>Security Squared</i> accompanied attendees on their visit to the department's video surveillance operations center at Dallas City Hall, part of the program at the 2010 ASIS International Seminar and Exhibits. <br /><br />Sony and Panasonic digital pan-tilt-zoom cameras, along with power units and antennas, are mounted on streetlight and traffic signal poles. The cameras cover downtown and the outlying areas of Uptown, Jubilee Park and Jefferson Boulevard. The mesh wireless system permits both redundancy and efficient use of radio bandwidth by balancing load intelligently among the many routers and nodes of the network. Video is managed by an <a href="http://www.onssi.com/">OnSSI</a> Ocularis system.<br /><br />The DPD credits the network as instrumental in reducing street crime, vandalism, street-corner drug dealing, loitering and prostitution. In addition to comments from DPD Capt. J.R. Bragge and Sgt. Rosalind Perry, our video shows examples of the Dallas cameras catching a car break-in and mugging. In both cases the video led to arrests. Our video also includes a look at how <a href="http://www.lextechlabs.com/">Lextech Labs</a> technology is pushing surveillance video to iPads and iPhones.<br /><br />The DPD says the surveillance cameras have resulted in more than 2,100 arrests in 2010 alone. 
Overall crime has dropped 35 percent in the downtown area, and 59 percent in the Jubilee Park neighborhood since 2007, the year the first cameras came on line.<br /><br /><object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/65oiPWA7lBg?hl=en&amp;fs=1" /><param name="allowFullScreen" value="true" /><param name="allowscriptaccess" value="always" /><embed src="http://www.youtube.com/v/65oiPWA7lBg?hl=en&amp;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="425" height="344"></object><br /> 
        
    <img src="http://feeds.feedburner.com/~r/SecuritySquared/~4/eLgOt8E-5_0" height="1" width="1"/>]]></content:encoded><description>The Dallas Police Department's outdoor video surveillance system is considered one of the most successful deployments of an IP-based mesh wireless network for urban security. Its vendor, Firetide, claims it is the largest all-wireless city surveillance network in the U.S. Security Squared accompanied attendees on their visit to the department's video surveillance operations center at Dallas City Hall, part of the program at the recent ASIS International conference.
</description><enclosure url="http://www.youtube.com/v/65oiPWA7lBg?hl=en&amp;amp;fs=1" length="1096" type="application/x-shockwave-flash" /><media:content url="http://www.youtube.com/v/65oiPWA7lBg?hl=en&amp;amp;fs=1" fileSize="1096" type="application/x-shockwave-flash" /><itunes:explicit>no</itunes:explicit><itunes:subtitle>The Dallas Police Department's outdoor video surveillance system is considered one of the most successful deployments of an IP-based mesh wireless network for urban security. Its vendor, Security Squared accompanied attendees on their visit to the departm</itunes:subtitle><itunes:summary>The Dallas Police Department's outdoor video surveillance system is considered one of the most successful deployments of an IP-based mesh wireless network for urban security. Its vendor, Security Squared accompanied attendees on their visit to the department's video surveillance operations center at Dallas City Hall, part of the program at the recent ASIS International conference. </itunes:summary><itunes:keywords>ASIS 2010, IP Networking, IP Video Surveillance, Public Safety, Video Management Software, Videos, Wireless Networking, publicsafetyvideosurveillance, urbansecurity, videomanagementsystems, wirelessmesh, wirelessnetworks</itunes:keywords><feedburner:origLink>http://www.securitysquared.com/2010/10/asis-2010-video-inside-dallas-pds-video-surveillance-operations-center.html</feedburner:origLink></item><item><title>ASIS Notebook: Smart Cities Begin With Security Systems</title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/ZWi6PsiufnI/reporters-notebook.html</link><category>ASIS 2010</category><category>Business Processes</category><category>Convergence</category><category>Government</category><category>IP Networking</category><category>IP Video Surveillance</category><category>IT Integration</category><category>Mass Notification</category><category>Megapixel cameras</category><category>PSIM</category><category>Public 
Safety</category><category>Storage</category><category>Video Management Software</category><category>Wireless Networking</category><category>asis2010</category><category>convergence</category><category>ipvideo</category><category>itintegration</category><category>megapixelcameras</category><category>psim</category><category>publicsafety</category><category>videomanagementsoftware</category><category>wirelessnetworks</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Steven Titch</dc:creator><pubDate>Wed, 27 Oct 2010 10:07:36 PDT</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.259</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        <b>Vendors see security as key component of "smart city" plans. Also, Raytheon's Clear View, megapixel on the march, and more. </b><br /><br />Among the most notable patterns at the 2010 ASIS International Seminar and Exhibits two weeks ago was the emphasis on public sector applications, both in exhibitor booth demos and in press interviews.<br /><br />That is not so surprising, since security purchasing has remained strong from federal to local government levels, and despite budget constraints, it's an area that cities and states are still regularly funding. <a href="http://www.firetide.com/">Firetide</a>, <a href="http://www.onssi.com/">OnSSI</a> and systems integrator <a href="http://www.bearcom.com/">Bearcom</a>, for example, hosted a tour of the Dallas Police Department's operations center that's supported by the mesh wireless video surveillance network of some 150 cameras covering parts of downtown.&nbsp; <br /><br />But beyond the tours and demos, more vendors say they see urban security as a critical element of "smart city" initiatives that are gaining attention worldwide. These plans, spearheaded by major computing and networking companies like IBM, Hewlett-Packard and <a href="http://www.cisco.com/">Cisco Systems</a>, envision large but flexible IT infrastructures supporting intelligent traffic systems, smart energy grids and seamless connectivity with IP-enabled consumer platforms, such as smartphones and tablet PCs. Security, nonetheless, is the initial application that opens the door to a large-scale smart city project, executives at Cisco, Firetide and <a href="http://www.marchnetworks.com/">March Networks</a> all said. <br /><br /><br /><br /> 
        Cisco, for example, <a href="http://www.experteditorial.net/securitysquared/2010/10/cisco-launches-psim-solutions.html">paired the introduction of its Physical Security 
Operations Manager</a>
 (PSOM) with its announcement of a smart-city pilot program in 
Holyoke, Mass.<br />
<br />Cisco's Smart+Connected Communities initiative is positioned as transformative in terms of re-inventing a broad cross-section of city services, yet its first phase will use Cisco IP Interoperability and Collaboration System (IPICS) to provide an integrated radio interoperability system for police and fire departments to support the effective deployment of first-responder services. <br /><br />For its part, PSOM, a physical security information management-like tool, provides a unified interface to manage IPICS, Cisco Video Surveillance Manager and Cisco Physical Access Manager from one console.&nbsp; <br /><br />Cisco, however, tends to shy away from the PSIM label, pointing out that its PSOM incorporates technology from Proximex, Vidsys and Intergraph, all considered PSIM players in their own right. Cisco positions PSOM as an integration platform that lets users better exploit Cisco's own network IP hardware and software in security applications, a market strategy on which it has settled after several fits and starts.<br /><br />When it first entered the physical security sector in 2007 after its acquisitions of BroadWare and Ipixx, Cisco's initial bent seemed to be toward IP cameras and video management software. That shifted <a href="http://www.experteditorial.net/securitysquared/2009/09/cisco-systems-on-pelco-agreement.html">when it announced an alliance with Pelco</a> at last year's ASIS. Now, with a product strategy more conducive to security interoperability, Cisco seems to be relying heavily on its networking clout and brand awareness to offer smaller and lower-capitalized vendors of IP-based security gear a path to the truly large government business managed by major IT contractors. As Craig Cotton, senior director, product marketing for Cisco's Physical Security Business Unit, put it, Cisco seeks to be an "integrator for the integrators."<br /><br />Cisco is not alone. 
A month before ASIS, March Networks, along with seven other Canadian telecom and networking companies, <a href="http://www.experteditorial.net/securitysquared/2010/09/secure-city-technology-alliance-the-latest-example-of-the-security-convergence-trend.html">announced formation of the Secure City Technology Alliance</a> (SCTA). The group brings together suppliers of equipment ranging from intelligent mass notification systems to backhaul microwave systems to high-capacity sensor message routers, all of which easily fit into large-scale urban emergency operations centers.<br /><br />In its own version of integrating for the integrators, the alliance allows individual SCTA members to offer users pre-certified interoperable equipment out-of-the-box from other SCTA partners. March Networks, for example, can offer its video management systems with BelAir Networks' wireless network systems and Benbria's mass notification system. Users always have the option of choosing other vendors, but SCTA sees more to be gained through a broad partnership based on interoperability.<br /><br />Like Cisco, Robert Wu, SCTA managing director and vice president of alliances and corporate development at March Networks, sees urban security networks ultimately fitting into a larger IT and telecom infrastructure. Cities and towns are no longer configuring their IT networks and applications in isolation from each other because it is too expensive and inefficient to do it that way. "Wireless networks cannot be built for a single function," he said, using one example. "There are applications for security, smart grids, meter reading and WiFi hotspots." All of these can contribute to a return on investment while securing the environment and making local government more IT-friendly for citizens. <br /><br />Established integrators are also responding closely to this trend. <a href="http://www.adt.com/">ADT</a> is raising its profile on the IT side. 
"Enterprise risk strategies, PCI [payment card industry], Sarbox [the Sarbanes-Oxley bill] all tie back to IT," said Bruce Sachetti, director, information technology, new product introduction and convergence at ADT Security Services. "The security function is rolling under the CIO."<br /><br />In the public sector, IT organizations see security centers as equivalent to any other network operations center, and view PSIM as a tool for unifying management, Sachetti said. But that's not to say they view PSIM as a simple appliance. In fact, he said, IT managers are more likely to appreciate the complexity and sophistication of the software. "For the IT guys, [PSIM] is much like an ERP [enterprise resource planning] or CRM [customer relationship management] system," Sachetti said. "They think IT should install it and provide support." <br /><br /><b>Raytheon's Command and Control Entry</b><br /><br />Although tucked away on the far end of the exhibit hall, <a href="http://www.raytheon.com/capabilities/homeland/">Raytheon's</a> introduction of Clear View, a platform for integrating sensors with video management, attracted significant attention. &nbsp;<br /><br />When
 a sensor is triggered, the system automatically focuses video on the 
source and begins tracking. Raytheon was demonstrating a border 
protection application that could turn cameras on a suspected illegal 
entry if the individual tripped a ground sensor. Cameras would then zoom
 in and track the suspect. At the same time, once a person or object 
triggers one alarm and draws video attention, the system will not repeat
 the alarm if the same person or object triggers another sensor. This 
keeps the number of alarms down while focusing the attention of security
 operators on the immediate problem, said Kevin Stevens, strategy and 
planning consultant for border security at Raytheon Homeland Security 
and a retired deputy chief of the U.S. Border Patrol.<br /><br />The 
suspect's location and movement could also be projected onto an aerial view of the area, which also could show his or her relative distance from the 
camera, Stevens said. Should the suspect disappear behind foliage or 
rocks or another obstruction to visibility, onboard algorithms would 
calculate the suspect's movement and direction while out of sight and 
pick up surveillance upon re-emergence. Raytheon demonstrated the system
 with individuals on foot and with vehicles.<br /><br />The system can be 
"configured on the ground," added Curt Powell, director of 
transportation and border security for Raytheon Homeland Security, and 
adapted to a user's current requirements. Clear View 
provides command and control functions via a single interface that can 
be overlaid on top of existing applications, using a service-oriented 
architecture, and will work with existing sensors and cameras, Powell said. Changes can be easily made. The system is available now, he said, with pricing based 
on configuration. While the company was demonstrating a wide area border
 protection application, the system is also designed to work in smaller 
installations at single sites. "We're all getting sensory overload," 
Powell said. "This is the glue that brings it together."<br /><br /><b>Megapixel Poised to Dominate</b><br /><br />Large users, in particular, have discovered that megapixel cameras have "non-traditional applications," said Raul Calderon, vice president of business development for <a href="http://www.arecontvision.com/">Arecont Vision</a>. In Asia, cameras are being used for freeway traffic monitoring, T-Mobile is using them in retail stores to generate information about shopping patterns, and Google is using them worldwide to monitor data centers, he said.<br /><br />Arecont Vision was just one of many camera manufacturers introducing new megapixel models at ASIS; 
Axis Communications, March Networks and FLIR were among the others. But the
 greater significance lay in how the new cameras are accelerating the 
evolution of network-centric security.<br /><br />Users are discovering that megapixel cameras, even when compared to standard digital cameras, yield more image data that can be applied to data processing functions above and beyond security. Megapixel, for example, improves video analytics simply because there is more image detail for the software to work with. People-counting applications can be more accurate. <br /><br />Meanwhile, prices continue to fall. <a href="http://ipvideomarket.info/report/surveillance_market_manufacturer_trends_2010">In a post-ASIS report</a>, IPVideoMarket declared declining megapixel prices as one of four major market trends. New megapixel cameras were priced 10 to 15 percent lower on average than preceding models, IPVM found. <br /><br />Citing IMS Research findings that forecast that by 2014 50 percent of IP cameras will be megapixel or HD, Calderon sees megapixel cameras fast becoming the norm. In addition, he said, the consumer market is setting user expectations for image quality, be it on HDTV screens at home or cameras on smartphones, which, on some models, are now as sharp as 8 megapixels. "There's no reason for standard definition," Calderon said.<br /><br /><b>Quick Hits</b><br /><br /><a href="http://www.nlss.com/">Next Level Security Systems</a> (NLSS) will begin shipping its flagship NLSS Gateway appliance after the show, said Jumbi Edulbehram, vice president of business development. Gateway is a platform that unifies management of video, access control, two-way audio, analytics and intrusion detection through a browser-based interface. <br /><br />The Gateway, announced last March, is concluding beta-testing, Edulbehram said. With the product, NLSS hopes to reduce the cost and complexity of IP security integration.&nbsp; "We've bundled a lot of functionality into the appliance: video, analytics, remote management and provide it cost-effectively," he said.<br /><br />Gateway will be available in two versions. 
The GW3000, priced at $4,995 to end-users, is aimed at larger enterprise users. A GW500, or Mini-Gateway model, is priced at $2,495 and is targeted at smaller installations. The equipment, however, is scalable. The number of channels supported depends on configuration, choice of video resolution and whether certain features, such as analytics, are selected. Both models incorporate ONVIF and PSIA specifications. Multiple Gateways can be combined for collaborative distributive processing. Digital video formats supported include H.264, VC-, M-JPEG, MPEG-2 and MPEG-4 for HD and SD video, and it supports access control panels and readers from one door to hundreds, Edulbehram said.<br /><br />****<br /><br /><a href="http://www.pivot3.com/">Pivot3</a> is looking to leverage its scalable networked storage technology to attack the growing market for hosted security. Pivot3's technology permits large video files to be stored across numerous servers, boosting overall efficiency of the server farm by using space where it is available.<br /><br />Efficiency and economy, combined with the necessary reliability and uptime needed for video, have been Pivot3's main selling point for end-users, but the company is finding the same sales pitch can be attractive to independent software vendors and hosting companies looking to broaden their base. <br /><br />Thus far, Pivot3 <u>has won a contract from DIT Beveiliging, a Netherlands company, which is using Pivot3's Scale-out Application Platform</u><u> to host video surveillance.</u> <u>Pivot3 also has contracts with</u> <strike>deals from</strike> Ciphaus and DeviceLogix, ISVs in Seattle and Texas respectively, <u>that use Pivot3's Scale-out platform for hosted data storage.</u> <strike>and Digi Systems, an Oklahoma-based system integrator. &nbsp;</strike><br /><br />Right now, the hosting model appeals more to ISVs, who have more experience with it. 
But Caswell agrees with many who say that hosted security can replace revenues security integrators are losing to tighter margins. The fact that these revenues recur makes it doubly attractive. The only barrier is wariness brought on by unfamiliarity with the new after-sale model that some smaller integrators have trouble getting past. Caswell urges reluctant integrators to view matters from the user perspective. For a small store, with two to four cameras, a hosted solution means better quality video without the high bandwidth requirements. When intelligence, transmission and storage are outsourced, Caswell said, video surveillance moves "from a capital cost to an operational expense."<br /><br />
    <img src="http://feeds.feedburner.com/~r/SecuritySquared/~4/ZWi6PsiufnI" height="1" width="1"/>]]></content:encoded><description>Vendors say they see urban security as a critical element of "smart city" initiatives that are gaining attention worldwide. These plans, spearheaded by major computing and networking companies like IBM, Hewlett-Packard and Cisco Systems, envision large but flexible IT infrastructures supporting intelligent traffic systems, smart energy grids and seamless connectivity with IP-enabled consumer platforms, such as smartphones and tablet PCs. Security, nonetheless, is the initial application that opens the door to a large-scale smart city project.</description><feedburner:origLink>http://www.securitysquared.com/2010/10/reporters-notebook.html</feedburner:origLink></item><item><title>ActivIdentity Extends Potential Reach of Two-Factor Authentication</title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/4J9Ulv9PVQM/actividentity-extends-potential-reach-of-two-factor-authentication.html</link><category>Access Control Systems</category><category>Banking and Financial</category><category>Converged credentials</category><category>Identity and Access Management</category><category>bankingandfinancial</category><category>convergedcredentials</category><category>identityandaccessmanagement</category><category>logicalaccesscontrol</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sharon J. Watson</dc:creator><pubDate>Wed, 20 Oct 2010 12:35:23 PDT</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.258</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        In a move that makes two-factor authentication more affordable through greater support of soft tokens and mobile devices, ActivIdentity 
Corporation today released 4TRESS Authentication Server 7.0. The 
platform is being marketed heavily to banks to protect their online 
customers and supports 15 two-factor authentication methods designed to 
thwart increasingly common cyber-attacks by strengthening proof of 
the physical identity of the person initiating a transaction.<br />
<b><br />
How It Works</b><br />
<br />
4TRESS sits in the background, its work largely transparent to the end 
user, who continues to interact with the "channel management system," 
such as an Internet banking site, said Julian Lovelock, director, 
commerce markets worldwide, for ActivIdentity, in an interview with 
Security Squared.<br />
 
        The Internet banking system prompts the user to authenticate; the user could enter, say, a password created by a one-time-password (OTP) token. The Internet banking system then queries 4TRESS through an authentication policy code that basically asks if the user may be given access to a specific application or service, such as retail banking.<br /><br />In turn, 4TRESS checks the policy set up for that channel and specifically what kind of credential is valid for the user, such as password or token, then validates it using the correct algorithms. It then records the transaction in the audit log and sends a message back to the Internet banking system authenticating the individual.<br /><b><br />Great Online Appeal</b><br /><br />Lovelock said that while this 4TRESS release is initially being marketed to the banking/financial services industry, its features are applicable to many other customer-facing enterprises trying to protect high-value transactions and/or data. Those could include online gaming sites, airline mileage redemption sites, healthcare providers, online retailers storing credit card data and more.<br /><br />"One of the things we've done in this release is to provide two-factor authentication models that don't require a user to be issued a separate device," said Lovelock. 4TRESS 7.0 supports authentication methods like soft tokens, essentially applications downloaded to a mobile phone, PC or within a browser, as well as "out of band" authentication, including SMS. 
In out of band authentication, an individual may receive a phone call, text message or email over a separate channel, such as a second phone or mobile phone, to authenticate a transaction under way online or in a store.<br /><br />"It's much more cost effective for an organization to deploy two-factor authentication now that it does not have the cost of issuing physical tokens associated with it," he said.<br /><br />ActivIdentity sees mobile and smart phones becoming increasingly integral to authentication processes, both as authentication devices and as platforms in need of secure authentication, said Lovelock. "We are looking at how to better secure the phone and putting credentials on the phone to allow it to vouch for identity and secure transactions from the phone and also how we're enabling the phone to be used as part of the authentication process even when that's happening on a different channel."<br /><b><br />The Path to Physical Access Control</b><br /><br />4TRESS 7.0 also offers enterprise and government entities significant features, Lovelock said.&nbsp; "This release in fact has a reasonably sophisticated directory integration that will let 4TRESS be deployed in an environment with five or six different directories. <br /><br />"It's almost got a virtual directory capability and references multiple different directories as user master references," he said. "So you can still have a single authentication infrastructure even though your users are spread over multiple different directories."<br /><br />4TRESS 7.0 also supports authentication of users to cloud-based applications through protocols like SAML and RADIUS. 
<br /><br />Future releases of 4TRESS will work toward the more grounded endeavor of converging physical and logical access control, beginning in the federally mandated FIPS 201 Personal Identity Verification (PIV) credential space, according to Lovelock.<br /><br />In those next generation releases, 4TRESS "essentially will act as an identity provider that recognizes the PIV card as a valid authentication mechanism. It will be able to assert identity based on the PIV card to other relying party systems or to service providers that might be within the infrastructure or might be in the cloud," he said. "They might not understand the identity as defined by the PIV cards but 4TRESS would be able to assert the identity in terms they did understand using a protocol such as SAML.<br /><br />"That gives a very good model for an organization that's deploying PIV C or PIV I cards or in government spaces that have deployed PIV cards and want employees to be able to use multiple different applications and authenticate to them using the PIV card," Lovelock said. <br /><br /><b>The Acquisition by Assa Abloy/HID Global<br /></b><br />Last week during ASIS 2010, Assa Abloy, parent of HID Global, announced its intent to acquire ActivIdentity. HID has physical/logical access control strategies in place, and ActivIdentity's current efforts in similar work should be complementary to those.<br /><br />"Our understanding is the acquisition is driven by HID's desire to push this physical-logical convergence story," said Lovelock. <br /><br />"If you think about how 4TRESS plays within that world, we're going to have to support a number of different authentication models," he said. "That's where 4TRESS is actually really powerful, because it gives you that flexibility to support a number of different logical access authentication models. 
Then there are a number of ways you can tie that in to physical access so it's converged around a single device."<br /><br /><div align="center"># # #<br /></div><br />
    <img src="http://feeds.feedburner.com/~r/SecuritySquared/~4/4J9Ulv9PVQM" height="1" width="1"/>]]></content:encoded><description>ActivIdentity's latest version of its 4TRESS Authentication Server offers glimpses into the evolving and converging worlds of logical, physical and mobile access for enterprises and individuals--as well as why HID Global has designs on the company.</description><feedburner:origLink>http://www.securitysquared.com/2010/10/actividentity-extends-potential-reach-of-two-factor-authentication.html</feedburner:origLink></item><item><title>ASIS 2010: Some Initial Impressions</title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/LzDn_igI7K8/asis-2010-some-initial-impressions.html</link><category>ASIS 2010</category><category>Analytics</category><category>Cameras</category><category>Convergence</category><category>General</category><category>IP Networking</category><category>IP Video Surveillance</category><category>IT Integration</category><category>PSIM</category><category>Video Management Software</category><category>Wireless Networking</category><category>analytics</category><category>asis2010</category><category>ipvideosurveillance</category><category>psim</category><category>securityconvergence</category><category>videomanagementsoftware</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Steven Titch</dc:creator><pubDate>Tue, 19 Oct 2010 05:50:08 PDT</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.257</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        <b>The article below appeared in yesterday's e-newsletter, Convergence 
Callouts. Subscribers have a jump on the material, but we opted to make 
it available to all readers.</b>&nbsp; <b>Look for more ASIS coverage this week.</b><br /><br />I've been writing about the transition to digital and IP video for several years, and after spending three-and-a-half days at ASIS International in Dallas last week, I'm happy to say that the market is at last truly grasping the significance of this shift. This is largely due to the fact that the industry now has something more than sizzle to sell.<br /><br />Up to last year, when it came to communicating the benefits of digital, vendors had little more than concepts and the occasional prototype to offer. Like any disruptive technology, appreciation comes through actual use. Users who have deployed megapixel cameras certainly knew they would see the difference in image quality. They also knew that digital video could be transmitted and managed across multiple platforms. The value proposition of the benefits, though, remained elusive until they had product in their hands. <br /><br />In short, jargon about pixel counts and lines of resolution takes a back seat when you can view and manipulate real time surveillance video on an iPad. <br /><br /> 
        The rapid and energetic convergence of wireless, networking and HD video consumer electronics is a sub-story to the digital video revolution in surveillance. CSOs and CISOs now know what HD looks like. They go home to 16 x 9 plasma HD flat screens that can provide indisputable visual proof of an umpire's blown call. Meanwhile, Apple's iPhone and Google's Droid finally have delivered on the promise of mobile broadband. Usually it's business that leads the applications curve, but in video security, it's the other way around. <br /><br />I'm not saying that these systems are easy to engineer. Significant back-end integration is still necessary (and poses both technical and competitive challenges for physical security integrators). Users are learning, however, that the investment is worth it because they can get digital video--and its inherent information--to more people faster. What's more, the information is delivered via platforms that are familiar - smartphones, text messages, social networking, to name three. <br /><br /><b>Not if, but when</b><br /><br />That's why the question today for most organizations about digital video is not if, but when. One of the major product trends at ASIS from established VMS companies was their introduction of IP video and video management for the medium- to low-end. As Eric Fullerton, chief sales and marketing officer for Milestone Systems, <a href="http://www.experteditorial.net/securitysquared/2010/10/milestones-xprotect-40-attacks-high-end.html">told me,</a> "We don't want people to choose analog over IP simply because they don't have the budget." Milestone, Avigilon, Genetec, March Networks, NICE Systems and Timesight all in some way announced versions of their high-end video management software for small and medium-sized systems. 
Even in cases where these vendors may have had an existing package targeting the SME segment, that offering is being replaced by a version that contains or adapts the core software in the higher end system.<br /><br />The idea is to offer users an easy way to shift incrementally from analog to digital, then set an upgrade path as users grow their installations. Additional features and functions, such as storage and analytics, can be purchased a la carte as needed.<br /><br />Speaking of analytics, digital video is also giving users a better handle on the capabilities and limitations of the technology, while sparking vendors to develop better algorithms and interfaces. Digital and megapixel images can boost the performance of analytics, and, since the digital video is data, it can be processed into information that can be presented graphically, such as a bar chart showing foot traffic by hour. <br /><br />Finally, the networking benefits of digital video may help larger users navigate the often confusing terrain of physical security information management (PSIM). Again, once agencies begin to integrate and manipulate video data through geophysical databases like Google Earth and route them through computer-aided dispatch and mass notification systems, the increased value and utility immediately become tangible. <br /><br /><b>Integrated security, illustrated</b><br /><br />In fact, the whole value proposition of convergence and integration got a practical demonstration during ASIS. One night during the show, several laptops were stolen from the Moog booth, which was in the field of view of live IP cameras mounted in the adjacent Milestone booth. 
Using Milestone's XProtect software equipped with an archiving system from Rimage and BriefCam's Synopsis viewer, which allows users to search hours of video to find key events within minutes, the Dallas Convention Center security staff was able to get a high-resolution picture that could positively identify the thief as an employee of the nighttime service staff. When confronted with the video, the employee confessed and implicated at least two other employees as part of his ring. He returned the stolen Moog equipment, along with products stolen from another recent trade show. He and his confederates were fired and will likely be prosecuted.<br /><br />
    <img src="http://feeds.feedburner.com/~r/SecuritySquared/~4/LzDn_igI7K8" height="1" width="1"/>]]></content:encoded><description>I've been writing about the transition to digital and IP video for several years, and after spending three-and-a-half days at ASIS International in Dallas last week, I'm happy to say that the market is at last truly grasping the significance of this shift. This is largely due to the fact that the industry now has something more than sizzle to sell.</description><feedburner:origLink>http://www.securitysquared.com/2010/10/asis-2010-some-initial-impressions.html</feedburner:origLink></item><item><title>NICE VMS Upgrade Boosts eXpress</title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/_JG4y__DMTg/nice-vms-upgrade-boosts-express.html</link><category>ASIS 2010</category><category>IP Video Surveillance</category><category>NVRs</category><category>Video Management Software</category><category>ipsecurity</category><category>ipvideosurveillance</category><category>videomanagementsoftware</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Steven Titch</dc:creator><pubDate>Wed, 13 Oct 2010 06:23:57 PDT</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.256</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        <a href="http://www.nice.com/">NICE Systems</a> has introduced a new version of its video management software, upgrading and enhancing its existing line of IP-based VMS systems and streamlining them into a three-tiered solution targeting installations from low-to-high end.<br /><br />NiceVision Net 2.0, introduced Tuesday in Dallas at the 2010 ASIS International Seminar and Exhibits, is designed to deliver more of the core features of NICE's higher end Smart Video Recorder (SVR) software to NiceVision eXpress, a bundled package of VMS software for small and medium-sized video surveillance systems that NICE introduced at last year's ASIS.<br /><br /> 
        "Users can enjoy a very large set of features that were originally enabled in [NiceVision] Enterprise when they start with the eXpress package," said Nir Hayzler, vice president of product marketing at NICE Systems. These features include analytics and multi-site recording, he said. "It's the same core of software as Enterprise," Hayzler said. "Upgrade is easy."<br /><br />NICE's so-called entry-to-enterprise strategy is designed to counter competition from an influx of new Asian suppliers with low-priced low-end systems. Like <a href="http://www.experteditorial.net/securitysquared/2010/10/milestones-xprotect-40-attacks-high-end.html">Milestone Systems</a> and Avigilon, which also have organized their VMS lines in scalable tiers, NICE hopes to offer a low total cost of ownership to small but growing enterprises which they can later upsell to larger, more robust VMS offerings that new entrants at the low-end lack.<br /><br />The eXpress system is a hybrid platform and up to 64 of its 128 ports can be analog inputs. These inputs can then be gradually switched to digital as the organization changes out cameras. "It's not all or nothing," said Pat Kiernan, director of marketing for NICE Systems. "Users don't have to throw out an initial investment when moving from analog to digital." <br /><br />After eXpress, the line then expands to NetVision Professional as the user elects to purchase licenses for the additional features and functions. The top-of-the-line NetVision Enterprise is priced according to configuration. <br /><br />Hayzler emphasized that NICE is not positioning eXpress directly against low-end VMS suppliers such as Nuuo, and is instead targeting customers who today may have a requirement for a low number of cameras, but who plan to grow to the point that they will ultimately need the features of NICE's larger-scale systems. 
Although the NICE pricing is higher than Asian competitors, both Hayzler and Kiernan say eXpress, with its SVR core, offers a lower total cost of ownership over the medium- and long-term in terms of performance, features, power requirements and space.<br /><br />
    <img src="http://feeds.feedburner.com/~r/SecuritySquared/~4/_JG4y__DMTg" height="1" width="1"/>]]></content:encoded><description>NICE Systems has introduced a new version of its video management software, upgrading and enhancing its existing line of IP-based VMS systems and streamlining them into a three-tiered solution targeting installations from low-to-high end.</description><feedburner:origLink>http://www.securitysquared.com/2010/10/nice-vms-upgrade-boosts-express.html</feedburner:origLink></item><item><title>Eye on Access Control at ASIS 2010</title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/PI3id9IWqyc/eye-on-access-control-at-asis-2010.html</link><category>ASIS 2010</category><category>Access Control Systems</category><category>accesscontrol</category><category>asis2010</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Sharon J. Watson</dc:creator><pubDate>Wed, 13 Oct 2010 05:45:52 PDT</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.255</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        <b>News from AMAG, HID Global, Johnson Controls, PlaSec, Quantum Secure, and S2 Security</b><br />
<br />
Access control-related announcements are getting their share of attention as day one of ASIS 2010 wraps up. <br />
<br />
The day's breaking news was that Assa Abloy, parent of HID Global, is to
 acquire ActivIdentity (NASDAQ: ACTI). <a href="http://www.hidglobal.com/pr.php?id=397">Purchase price was not mentioned 
in the release</a>, but the company's market value is about $152 million, with
 FY2009 revenues of $62 million. At RSA this past spring, ActivIdentity 
told us the next big thing in physical access control would be the use 
of digital certificates on smart cards. <br />
<br />
It'll be interesting to see how HID Global digests ActivIdentity, <a href="http://www.hidglobal.com/pr.php?id=398">
especially in light of its other announcement of interest</a>: its intent to
 partner with Sony to create embedded contactless smart card readers for
 laptop PC manufacturers. The reader platform would support Sony's 
FeliCa contactless card technology, deployed now in 67 million mobile 
phones in Japan, along with HID's iCLASS credentials. Details in the 
release were sketchy, though it would seem logical such a platform would
 enable a company to get more utility from its iCLASS investment. <br />
<br />
<b>AMAG Technology Unveils Government Version of Symmetry<br /><br />
</b>
For a preview of future enterprise <a href="http://www.amag.com/news/symmetryhomelandv7.aspx">versions of AMAG's Symmetry access 
control system, check out its new Symmetry Homeland V7 system</a>, available
 in limited release only to government users.&nbsp; The system, described as a "complete overhaul" of Symmetry and incorporating the Windows 7 look and feel, is evidence of 
AMAG's focus on helping government and military agencies meet FIPS and other federal security requirements, according to Kim Rahfaldt, public relations manager, who 
spoke with Security Squared last week about the release. The new system is compliant with a range of federal standards and will support PIV-compliant credentials as well as TWIC.<br />
 
        The system also incorporates intrusion detection and management alongside access control features, an integration that Rahfaldt said AMAG customers and government prospects have been demanding. "It's not a common integration in a single system," she noted. <br /><b><br />More on Intrusion Detection</b><br /><br /><a href="http://www.s2sys.com/">S2 Security</a> is demonstrating its integration of DMP's XR500 Command Processor Panel with its NetBox line of appliance-based access control and security management. The DMP panels are IP-based, as are the NetBox appliances, so there's no need for hardwire connections between the intrusion detection panels and the access appliances. S2 also says it's been seeing demand for intrusion detection services. <br /><b><br />Johnson Controls Upgrades P2000</b><br /><br />The international systems integrator is <a href="http://johnsoncontrols.mediaroom.com/index.php?s=113&amp;item=2384">showing off a variety of upgrades</a> to its security management system, including new integrations with IP-based reader/controllers, popular digital video recording systems and Fujitsu's PalmSecure vein recognition scanner. <br />"The new features came out of listening to our customers. They wanted increased flexibility and the ability to leverage IP-based technologies," said Kathy Roberts, senior product marketing manager, security solutions, for Johnson in a pre-show interview with Security Squared.<br /><br />Roberts said the company is emphasizing the P2000's integration capabilities and is featuring two interactive scenarios demonstrating integration with fire and building automation systems at its ASIS booth.<br /><b><br />PlaSec Gets Into Video</b><br /><a href="http://www.plasecinc.com/"><br />PlaSec</a>, which delivers access control via an open source-based appliance, is touting Version 2.5 of the same, which features a new "tight integration" with the Exacq line of digital video servers. 
That lets PlaSec associate video clips with access events and alarms, plus users can control PTZ cameras and view live or recorded images from within the appliance's monitor.<br /><br />The company's appliances draw identity data directly from "authoritative sources," usually an enterprise directory. Further, PlaSec is an ArcSight Common Event Format (CEF) partner, so it can share physical access event data with the IT security industry's leading monitoring tool. <br /><br /><b>Quantum Secure's Quad Version and San Francisco Airport Deployment</b><br /><br />Quantum Secure, which specializes in physical identity management, is demonstrating SAFE 4.0 at the show and <a href="http://www.quantumsecure.com/News-Details/10-10-12/Quantum_Secure_Deploys_SAFE_for_Airports_Solution_for_San_Francisco_International_Airport.aspx">formally announced its deployment of that solution at San Francisco International Airport</a>.&nbsp; Airport security professionals there use SAFE to manage more than 18,000 identities, two disparate physical access control systems and smart card technology.<br /><br />Highlights of the latest SAFE version include stronger compliance and risk management modules; enhancements to its visitor identity management capabilities; and more self-service request support. <br /><br /><div align="center"># # #<br /><br /><div align="left"><i>Be sure to check out the links below for recent in-depth coverage on many of the companies above.</i><br /></div></div><br /><div align="center"><br /></div>
    ]]></content:encoded><description>Access control news round-up from ASIS 2010, including acquisitions, upgrades and more from AMAG, HID Global, Johnson Controls, PlaSec, Quantum Secure, S2 Security</description><feedburner:origLink>http://www.securitysquared.com/2010/10/eye-on-access-control-at-asis-2010.html</feedburner:origLink></item><item><title>Inovonics Combines Sensors, Location and Mass Notification</title><link>http://feedproxy.google.com/~r/SecuritySquared/~3/a7ez57LFIz4/inovonics-combines-sensors-location-and-mass-notification.html</link><category>ASIS 2010</category><category>Alarms and Sensors</category><category>Convergence</category><category>IP Networking</category><category>Mass Notification</category><category>Situation Management</category><category>Wireless Networking</category><category>massnotification</category><category>sensors</category><category>situationmanagement</category><category>wirelessnetworking</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">Steven Titch</dc:creator><pubDate>Tue, 12 Oct 2010 07:20:56 PDT</pubDate><guid isPermaLink="false">tag:www.experteditorial.net,2010:/securitysquared//1.251</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[
        <a href="http://www.inovonics.com/">Inovonics Wireless Corp.</a> has introduced a situation awareness system that weds the company's wireless sensor networks with advanced positioning technology and mass notification. <br /><br />Inovonics' Radius, announced today in Dallas at the 2010 ASIS International Seminar and Exhibits, is an end-to-end IP-based wireless monitoring solution that pinpoints the location of mobile alarms and responds via text message or voice call, said Mark Jarman, president of Inovonics. <br /><br />Radius monitors any Inovonics security and sensor end devices and "interfaces with fire, access control, building management systems and then channels data into a mass notification system with a text-to-speech engine," Jarman said.<br /><br />The Radius system is built on Inovonics' EchoStream repeater technology, which Jarman described as an "intelligent repeater network" that can work well in hostile RF environments. But key to the wireless system's value proposition is that it is designed to work with pendants, chips and tokens carried by employees and other personnel, Jarman stated. The mobile feature builds on RF pendant and mobile sensor systems that Inovonics has developed for the senior care industry.<br /><br />When a potentially life-threatening event occurs, it is automatically transmitted to Radius. The system then processes and locates the position where the event is taking place and alerts the appropriate authorities immediately so they can get help and move affected people to a safe location.<br /><br />The system will work with standard off-the-shelf servers, Jarman said. The company will sell through distributors, value-added resellers and systems integrators. Pricing varies by network configuration, but a system designed for a 500,000-square-foot facility, supplying ten executives with two RF pendants each, plus five more for a human resources department, would range from $12,000 to $17,000 for integrators, Jarman said. 
Radius will be available in production quantities by the close of ASIS, he added. <br /><br /><br /><br /> 
        
    ]]></content:encoded><description>Inovonics Wireless Corp. has introduced a situation awareness system that weds the company's wireless sensor networks with advanced positioning technology and mass notification.
</description><feedburner:origLink>http://www.securitysquared.com/2010/10/inovonics-combines-sensors-location-and-mass-notification.html</feedburner:origLink></item><media:rating>nonadult</media:rating></channel></rss>
