This is the 53rd article in the award-winning “Real Words or Buzzwords?” series about how real words become empty words and stifle technology progress, also published on SecurityInfoWatch.com.
By Ray Bernard, PSP, CHS-III
The exponential advance of information technologies requires an exponential advance in the application of data protection.
★ ★ ★ GET NOTIFIED! ★ ★ ★
SIGN UP to be notified by email the day a new Real Words or Buzzwords? article is posted!
Real Words or Buzzwords?
The Award-Winning Article Series
#1 Proof of the buzzword that killed tech advances in the security industry—but not other industries.
#2 Next Generation (NextGen): A sure way to tell hype from reality.
#3 Customer Centric: Why all security industry companies aren't customer centric.
#4 Best of Breed: What it should mean to companies and their customers.
#5 Open: An openness scale to rate platforms and systems
#6 Network-friendly: It's much more than network connectivity.
#7 Mobile first: Not what it sounds like.
#8 Enterprise Class (Part One): To qualify as Enterprise Class system today is world's beyond what it was yesterday.
#9 Enterprise Class (Part Two): Enterprise Class must be more than just a top-level label.
#10 Enterprise Class (Part Three): Enterprise Class must be 21st century technology.
#11 Intuitive: It’s about time that we had a real-world testable definition for “intuitive”.
#12 State of the Art: A perspective for right-setting our own thinking about technologies.
#13 True Cloud (Part One): Fully evaluating cloud product offerings.
#14 True Cloud (Part Two): Examining the characteristics of 'native-cloud' applications.
#15 True Cloud (Part Three): Due diligence in testing cloud systems.
#16 IP-based, IP-enabled, IP-capable, or IP-connectable?: A perspective for right-setting our own thinking about technologies.
#17 Five Nines: Many people equate high availability with good user experience, yet many more factors are critically important.
#18 Robust: Words like “robust” must be followed by design specifics to be meaningful.
#19 Serverless Computing – Part 1: Why "serverless computing" is critical for some cloud offerings.
#20 Serverless Computing – Part 2: Why full virtualization is the future of cloud computing.
#21 Situational Awareness – Part 1: What products provide situational awareness?
#22 Situational Awareness – Part 2: Why system designs are incomplete without situational awareness?
#23 Situational Awareness – Part 3: How mobile devices change the situational awareness landscape?
#24 Situational Awareness – Part 4: Why situational awareness is a must for security system maintenance and acceptable uptime.
#25 Situational Awareness – Part 5: We are now entering the era of smart buildings and facilities. We must design integrated security systems that are much smarter than those we have designed in the past.
#26 Situational Awareness – Part 6: Developing modern day situational awareness solutions requires moving beyond 20th century thinking.
#27 Situational Awareness – Part 7: Modern day incident response deserves the help that modern technology can provide but doesn’t yet. Filling this void is one of the great security industry opportunities of our time.
#28 Unicity: Security solutions providers can spur innovation by envisioning how the Unicity concept can extend and strengthen physical access into real-time presence management.
#29 The API Economy: Why The API Economy will have a significant impact on the physical security industry moving forward.
#31 The Built Environment: In the 21st century, “the built environment” means so much more than it did just two decades ago.
#32 Hyper-Converged Infrastructure: Hyper-Converged Infrastructure has been a hot phrase in IT for several years, but do its promises hold true for the physical security industry?
#33 Software-Defined: Cloud-computing technology, with its many software-defined elements, is bringing self-scaling real-time performance capabilities to physical security system technology.
#34 High-Performance: How the right use of "high-performance" can accelerate the adoption of truly high-performing emerging technologies.
#35 Erasure Coding: Why RAID drive arrays don’t work anymore for video storage, and why Erasure Coding does.
#36 Presence Control: Anyone responsible for access control management or smart building experience must understand and apply presence control.
#37 Internet+: The Internet has evolved into much more than the information superhighway it was originally conceived to be.
#38 Digital Twin: Though few in physical security are familiar with the concept, it holds enormous potential for the industry.
#39 Fog Computing: Though commonly misunderstood, the concept of fog computing has become critically important to physical security systems.
#40 Scale - Part 1: Although many security-industry thought leaders have advocated that we should be “learning from IT,” there is still insufficient emphasis on learning about IT practices, especially for large-scale deployments.
#41 Scale - Part 2: Why the industry has yet to fully grasp what the ‘Internet of Things’ means for scaling physical security devices and systems.
#42 Cyberspace - Part 1: Thought to be an outdated term by some, understanding ‘Cyberspace’ and how it differs from ‘Cyber’ is paramount for security practitioners.
#43 Cyber-Physical Systems - Part 1: We must understand what it means that electronic physical security systems are cyber-physical systems.
#44 Cyberspace - Part 2: Thought to be an outdated term by some, understanding ‘Cyberspace’ and how it differs from ‘Cyber’ is paramount for security practitioners.
#45 Artificial Intelligence, Machine Learning and Deep Learning: Examining the differences in these technologies and their respective benefits for the security industry.
#46 VDI – Virtual Desktop Infrastructure: At first glance, VDI doesn’t seem to have much application to a SOC deployment. But a closer look reveals why it is actually of critical importance.
#47 Hybrid Cloud: The definition of hybrid cloud has evolved, and it’s important to understand the implications for physical security system deployments.
#48 Legacy: How you define ‘legacy technology’ may determine whether you get to update or replace critical systems.
#49 H.264 - Part 1: Examining the terms involved in camera stream configuration settings and why they are important.
#50 H.264 - Part 2: A look at the different H.264 video frame types and how they relate to intended uses of video.
#51 H.264 - Part 3: Once seen as just a marketing term, ‘smart codecs’ have revolutionized video compression.
#52 Presence Technologies: The proliferation of IoT sensors and devices, plus the current impacts of the COVID-19 pandemic, have elevated the capabilities and the importance of presence technologies.
#53 Anonymization, Encryption and Governance: The exponential advance of information technologies requires an exponential advance in the application of data protection.
#54 Computer Vision: Why a good understanding of the computer vision concept is important for evaluating today’s security video analytics products.
#55 55 Exponential Technology Advancement: The next 10 years of security technology will bring more change than in the entire history of the industry to now.
More to come about every other week.
Data is just data. It resides somewhere (including human memory) until someone decides to do something with it. Then, the possibilities for good and bad are seemingly endless. Four decades ago, electronic physical security systems involved very little data. Few people had an interest in that data, and life within the physical security industry was simpler, as were its products.
Exponential Growth of Security Data Use
As readers already know, in the past four decades information technology has advanced at an exponential rate and keeps on advancing – now at a steep upward climb. That exponential advancement also applies to the types of data being generated, and its sharing and use. Sharing data is a big part of what makes the data valuable. It’s also what expands the data attack surface, and complicates the privacy issues.
IT’s continuing convergence with electronic physical security products and systems means that the amount, use and value of data from devices and security systems is also growing exponentially. The problem is that the explosive growth of data generation and use in security devices and systems continues to outdistance the secure data handling capabilities being provided by manufacturers and service providers, with currently only a few exceptions.
Privacy as a Critical Issue
Privacy concerns over the use of personally identifiable information (PII) grow greater every year, as do the needs for strong privacy protection. This prompted the European Union to issue its General Data Privacy Regulation, which declared location information to be a type of PII, thus bringing physical access control and surveillance video content into the fold of data needing special protection. Many non-EU countries have adopted regulations with similar requirements, and so have some states in the U.S.
In Austria, one of the first three GDPR fines that country issued (a $5,400 USD fine) was for a small business’s failure to provide a warning sign to passersby that the sidewalk in front of its front window was subject to capture by an indoor video surveillance camera. A Danish taxi service was fined about $187,000 for not sufficiently anonymizing the taxi ride information that it stores for five years.
COVID-19 Has Data Impacts
Now, complex health-related information data privacy issues have come into play via facility security-related pandemic preventive and protective measures. COVID-19 is driving significant changes to facility occupancy and use. The previous Real Words or Buzzwords article, Presence Technologies, delves very specifically into the details of data privacy and data governance. It touches on performing contract tracing with privacy, providing an example contract tracing technology that has been thoroughly vetted for its information security including privacy. Readers dealing with COVID-19 employment issues, or who are not familiar with data privacy or data governance, should read the Presence Technology article if they haven’t already.
Anonymization, Encryption and Data Governance
A recent look at the landscape of physical security industry products shows that most are still far behind business information system current technology designs, particularly regarding:
- anonymization of reported and shared data
- utilization of certificate-based encryption
- enterprise data governance support for device and system data
These capabilities should be implemented in a general and flexible way that satisfies the spectrum of use case requirements of customers, rather than as one-off customizations on an individual customer basis.
Many vendors have told me that they only implement “advanced IT capabilities” at the request of specific paying customers. First of all, such capabilities only seem “advanced” to such vendors because they are not current in their product development practices. These practices are the norm in the IT world and in many business and manufacturing sectors.
I doubt such vendors have explained to their boards of directors that they have adopted a technology strategy of not staying current with technology advances, which puts them at a competitive disadvantage – especially for large customers. Companies who are already ahead of their competitors in such product capabilities are likely to have no trouble staying ahead simply by paralleling the pace of competitor product advancement. Typically, however, companies in the lead work to widen the competitive gap. It’s a winning long-term strategy.
Data governance assures the availability, visibility, usability, integrity and security of the data employed in an enterprise. Visibility means knowing what data is available where, and ensuring that business functions for whom the data has value are aware of that data and can obtain appropriate access to it.
Data governance is a strategic function that does not directly deal with data, but sees that the people, policies (including technology policies and strategies) and processes are in place and functioning as they should be to manage the data assets.
Data stewardship is the direct management and oversight of an organization’s data assets to help provide business users with high-quality data that is easily accessible in a consistent manner. Data stewardship ensures the integrity, usability, and security of the organization’s data.
Data stewardship is tactical in that each data steward’s focus is on a particular set of data being used by or generated by a particular business function. It is typically a role assigned to someone who already has data handling responsibilities, expanding them to assure that the data is handled in the way that the organization intends.
The definitions above are based on those in a whitepaper I wrote for the Security Industry Association titled, “Big Data and Privacy for Physical Security,” which you can read online or download.
Both data governance and data stewardship have a role in assuring that data anonymization and data encryption are fully in use as appropriate for the protected data in all its uses.
Anonymization is the process of removing personally identifiable information from raw data, resulting in anonymized data that cannot be associated with any one individual. This includes assuring that differing sets of anonymized data can’t be correlated in a way that can achieve individual identification.
Data anonymization has been a GDPR requirement for over two years. With one exception (explained later) that covers many video product manufacturers, I have not yet encountered a security industry manufacturer who has researched the uses of anonymization and the advantages that it would provide their customers regarding data sharing.
For one thing, anonymized data can be shared freely outside of security, such as for marketing and business operations purposes. I have seen data being shared in specific deployments that is anonymized data, but that anonymization has generally occurred by happenstance rather than by design forethought. The exception is with systems integrations developed by security integrators that have intentionally anonymized the data after collaborating with customers about their data security and privacy requirements and practices.
Video masking, whereby faces of individuals may be optionally blurred for exported video, is a type of anonymization. I have been told that at least one video management system accounts for that in operator privilege assignments, whereby some operators who are allowed to export video may only export video with faces and vehicle number plates masked.
I have seen video manually exported and then edited by investigators to achieve masking of other aspects of the video, such as school logos on outerwear, jewelry, hats with insignias and other person or small-group identifying information. Masking of a face may not be enough if, for example, the only a blond-haired individual in a group is wearing the group’s logo jacket. In such a case the individual is still identifiable, and that data was not truly anonymized.
Hopefully machine learning will be applied to video export masking, so that a rules-based approach can be taken that eliminates the need to manually edit exported video, which is a time-consuming process.
Vendors please note: I’d like to hear about such capabilities and I’m happy to update this article upon learning of them.
The physical security industry has made good strides in the encryption of data in motion and at rest.
Encryption is the best technology we have to protect information from bad actors, governments, and service providers, and it has developed to the point that it is virtually impossible to break—when used correctly. —Electronic Frontier Foundation
However, some manufacturers still use outdated and vulnerable encryption methods and practices. Standards-conformant certificate-based encryption is the strongest – as long as certificate vulnerabilities can be addressed in a timely manner via revocation and replacement of compromised or expired certificates. Shorter expiration dates provide a higher level of assurance.
Device and System Authentication
Digital certificates are also used for the authentication of devices and systems within and across networks. This enables a high degree of trust for allowing devices and systems to both give and receive data in a trusted environment context, such as can be found in smart building and smart city applications. See the recently released white paper on smart city technologies and applications from Eagle Eye Networks.
User Control Over Methods of User Data Protection
It should be no surprise that large enterprises want to be in control of the methods used to protect their corporate data. This is what data governance and data stewardship establish.
There can be widespread variations on the use of digital certificates and encryption in third-party products – as opposed to applications and systems developed in-house. For large enterprises, this can be a data governance nightmare. Thus, some enterprise customers have established a policy to require a certificate-based encryption capability that allows the customer to specify or provide the digital certificate used for encryption, also replace – individually and en masse – certificates that are in use.
This enables the customer to quickly re-secure its data and communications when a certificate’s issuing authority is reported to be compromised. Essentially, it allows the customers to control the security of their own data.
Bud Broomhead, CEO of Viakoo, a company who specializes in management of IoT security hygiene at very large scales, explains, “Our enterprise customers have focused on automated management of certificate and firmware updates, as well as device passwords, as their top priorities for reducing cyber risk. Distributed IoT devices such as IP cameras, access systems, lifesaving medical equipment and point-of-sale systems need automated cyber hygiene processes to be effective at scale; manual methods are too slow and costly to stay ahead of new vulnerabilities.”
Defaulting to Current Secure Technology Practices
Physical security industry manufactures should default to building standards-based security capabilities that are preferred by leading customers into their products, not simply what’s acceptable to average prospects or the existing customers base. To do otherwise is to deliver products and systems that don’t protect customers and their assets as well as we know we could and should.
Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and an active member of ASIS International.