In the first part of this feature, we revealed how the industry is responding to emerging security concerns from end users. Here Ian McMurray looks at the increasing sway the IT department has in security matters with the manufacturers recognising this reality more likely to see success.
When it comes to customer security goals, Crestron’s Toine C Leerentveld, who is technology manager, control solutions is clear where their priorities lie.
“The security threats that most users are concerned about is getting access to management pages and controlling devices on the network,” he says. “But while this is important, users should also be concerned about how their devices are protected and hardened on the network so that they do not become an attack factor for people to get access to their other devices. Security is imperative; therefore, dealers and integrators should be invested in making sure network administrators can properly authenticate their devices and reduce the likelihood of an attack.”
Addressing at least some of that concern, Barco announced in February that its ClickShare wireless collaboration tool had received ISO 27001:2013 certification. However, Barco’s David Martens is quick to point out that ISO 27001:2013 is not a technical product security certification, but rather confirmation of the security of processes and the work environment in which the product was created – which is no less important (see boxout).
“Buyers can rely on security claims if they are supported by reports of independent parties or certifications,” he advises. “Otherwise, they have to be taken with a pinch of salt. Buyers can always ask for an independent technical penetration testing report, or ask a third party to execute a penetration test.”
There is, he goes on to explain, an EU-wide effort to define the EU Cybersecurity Certification Framework under the Cybersecurity Act Proposal. This will be based, he says, on agreement at the EU level on the evaluation of the security properties of a specific ICT-based product or service – but, he adds, it is still unclear how this will affect AV equipment where it converges with some ICT products. Given that the European Commission seldom moves fast, it’s perhaps unlikely that it will happen any time soon.
Identification and resolution
So, until then, how should those concerns be tackled? AVIXA is not the only organisation to have produced a guide.
“Crestron has several guides and tools that help harden the network to the level that the customer and their IT department requires,” notes Leerentveld. “In addition to our guides, Crestron has created a Security Audit Tool that integrators can run for our devices, and it will quickly tell them whether or not they are meeting their organisation’s requirements. If the devices do not meet these requirements, the tool will provide resolutions to these issues, securing their network quickly and easily.”
AVMI’s Stuart Davidson makes the interesting point that there is often a choice when it comes to whether or not a piece of equipment needs to be network-attached.
“The best mitigation is physical segregation,” he believes. “We have to consider the benefits of adding devices or services to a network against the risk. But, where there are sufficient operational or service benefits to be gained from integrating with customer networks, we must choose products that provide the best security.”
Davidson goes on to explain how his company considers very carefully the potential risks to customer data.
Basic measures
“We’ll always specify suitable equipment that includes security measures such as certificate-based authentication, integration with active directories and the capability to disable unwanted, insecure ports and protocols,” he explains. “We don’t overlook basic measures, of course, such as changing passwords from the factory default and ensuring security updates and patches are up to date.”
For Leerentveld, the responsibility must begin with the end user.
“AV buyers should first have a very good view of the solution that they want to build, how it will be deployed, who will use it and what are the usage purposes,” he says. “A risk assessment based both on this knowledge and on the security features of the AV equipment that will be deployed, should give a good view on the biggest risks and how to mitigate them. AV buyers or integrators could, for example, limit the physical access to equipment, implement LAN segregation, and so on. In this whole exercise, knowing the security features of the AV equipment is a very, very important step in the buying/deploying process.”
Increasingly, of course, it is the case that what the IT department says must happen is what must happen. As Davidson remarks: manufacturers seeing the most success in enterprise are those who recognise the needs of IT and incorporate them into product design. Learning more about those requirements is key to success.
“It’s all about skills and having the right mindset when creating and deploying a solution,” believes Martens. “There are relevant training and certification courses available in the IT/product development area from which AV installers/integrators could definitely benefit – and any AV installer/integrator should get those competences on board as soon as possible.”