From XML to Fault Tolerant IP Video: AMAG Technologies on Convergence, Growth Areas

Pedestrian as they may seem, physical access control (PAC) platforms remain literal gatekeepers for many enterprises. So they can either be a big help or a major hindrance to convergence initiatives, such as sharing identity data with IT and using a single credential for physical and logical access.

AMAG Technologies often comes up as sources rattle through their lists of the PAC systems they routinely encounter. That's why we wanted to get to know AMAG a little better and find out its take on convergence. To that end, we recently spoke on the phone with AMAG's Matt Barnette, vice president of sales and marketing. Here's the transcription of our wide-ranging conversation, edited for clarity and length.

***********
Sharon J. Watson, Security Squared: Identity management is an area where I am perceiving convergence being talked about and that there is more interest from more companies in figuring out how to link identity data stored in the IT area with the identity data collected by access control platforms like yours.  I wanted to find out if you agree with that perception and talk a bit about your Directory Sync Manager, how that's received in the marketplace, how it works.

Matt Barnette, AMAG: Those are a couple of good areas. We are certainly seeing some movement in that direction. IT is involved in more and more of the projects. Honestly, during the last 18 months of this recession, that level of integration has tailed off a little bit, only because I think IT budgets are frozen and they are not taking on new projects as much as they were previously. We are really seeing it more now in the government sector, tying together the use of the physical access card for logical access.

SJW: That's pretty much mandated in that sector, is it not?

MB: Using the card as the mechanism to log on is becoming more and more of a standard. In the Department of Defense, there is definitely a mandate to do that but a lot of other agencies haven't rolled that out yet.

SJW: So when we are talking about using a credential for physical as well as logical access, it seems to me your Directory Sync Manager would fit into that picture. Can we talk about how that works?

MB: The Directory Sync Manager allows for that connection between Active Directory or an LDAP and the Symmetry system. It's a piece of software that we've written that allows for that integration so there is a bidirectional communication between the systems. Any changes in the IT system can be automatically updated within our system and vice versa. That's our piece of middleware that glues the two systems together.

SJW: Has that proven to be a popular piece of middleware? How has the market received that?

MB: Honestly it's something we see more and more in the specifications, but when it comes down to actual deployment it probably only happens 10% of the time. There is the decision-making process of what they want in the system and then there is the reality of what's going to get installed. The people involved in the decision-making process aren't involved after that process sometimes. So getting the different groups together--whether it's security and IT, or facilities and IT--on these things tends not to happen as much in the real world.

SJW: I need some clarification. If you don't have your physical access control database linked in some fashion to your LDAP or Active Directory, how can you achieve a single credential? Can you?

MB: Well, you can. You can use the card for more than one application. The HID Crescendo card can be used for both physical and logical access, and the two systems don't need to be linked. There is obviously dual data entry that would have to occur at that point but that's happening today anyway. The fact that they are using that extra level of security to log on to the PC is an immediate benefit. The fact that they have to enter data into two systems -- there is no savings there so they are basically implementing a process that is more secure but they haven't squeezed out all the efficiencies yet.

SJW: I heard at ISC West and a little bit at RSA that there are more companies interested in at least streamlining the actual credentialing process--not having to have a card programmed once in IT and then bringing it to another area to have physical access rights put on it, but trying to do it from one system. I'm wondering what AMAG offers in that area, if that's something you can do outside of necessarily having Directory Sync deployed. Can you take the data from Active Directory or an identity management system into your system to provision a card for both physical and logical access?

MB: Directory Sync is really only used when you're talking about connections to an Active Directory or an LDAP.... Five years ago when our engineers said they had built XML [eXtensible Markup Language] into our system, nobody knew what that meant. Now about 60 to 70% of the systems sold have that option turned on.

That XML enables integration into just about any third party application. It does require somebody to do some coding, unlike a middleware applet that you can just point between the directory and check a couple boxes. The XML is really a programming language that allows you to do just about anything. It still goes along your path of convergence.

It's more common to tie the HR system into security because they are the first people to know when somebody is fired, then the first to know when somebody is fired. From HR, data can then be sent down to the access control system or to the IT Active Directory and even downstream further to the IT phone system. That may be a serial connection that connects those downstream or it may be parallel going to two or three systems simultaneously.

You see that quite a bit because that's a logical flow from HR.

SJW: Any other trends or core issues that you are seeing in the area of identity management or single credentials, credential management, you'd like to touch on?

MB: We talked briefly about the government sector. That's something that's continuing to evolve and change. New card technologies have been coming out in the government. Every agency seems to do its own thing. There are standard outlines about how those things should be provisioned but there are different interpretations of that and there are oddities that occur that make it more complicated.

We didn't talk about single sign-on. There is a push in that direction as far as logical access single sign on... It's become an expensive task for IT departments to take on the password reset function. A lot of organizations, especially the banking organizations, have so many different systems they have glued together over the years that require their own set of log ons that we are seeing a lot more interest in a single sign-on type of application as well.

SJW: Have you seen any impact from the discussions of cloud computing on the kinds of access security people are looking at?

MB: The problem with that from your security function is that there are a lot of privacy laws in effect now. Even large entities like Google who have hundreds of millions of dollars in security infrastructure in place still can get hacked. Credit card companies have been hacked over the last couple of years.

If you are collecting biometric information like fingerprints and iris scans, having that information reside out in the cloud can certainly open up an organization to potentially very expensive [risk]. In California, if your data has been put at risk, you have to send notification of that to everybody who's potentially been compromised in that database. That process alone can be very expensive. Then you're subject to all sorts of lawsuits as well.

Certainly there are products like Brivo: you pop it on the network, and it allows for what most people would consider cloud computing, with servers behind a wall in a data center. We offer similar capabilities. Our group for technology has a data center up in Boston, it's a UL-rated central station, to manage the head-end for the customer. It allows them to attach the panels to the network. It is more of a controlled environment, with security precautions, it's not just going out to the wild wild West.

SJW: Matt, as you see your customers embracing cloud computing for other functions, like Salesforce.com, or putting their data in the cloud for whatever reason, is that having any influence on how they are letting people authenticate to networks or how they make sure they know where they are physically as they get to that data?

MB: I haven't seen as far as the security world much of that happening at this point. Certainly they have to be authenticated into their local machine if nothing else. This stuff is so new I don't think a lot of organizations have come up with IT policies surrounding what information you should be putting up there as opposed to keeping it more under lock and key or on your local hard drive or network servers.

In the security world, there is somebody actively monitoring real-time alarms in most of the applications we're involved in. The web doesn't lend itself well to that because browsers by default were not built to be dynamic so you have to do all kinds of tricks to make them actually refresh and update the display of graphics and things. It's not really what the browser world was built for--having a graphical map of your facility and floor plans and having icons on there blink and change color based on the status. It's becoming more and more viable but it's still not perfect.

SJW: There is a question in the industry about using device management versus physical security information management platforms [for situation management]. There can be a number of systems wired into the access control platform or the video management platform and that becomes the event management platform. Then there are the PSIM platforms from CNL, Mer, Proximex, etc. Can you talk about what you see as the fundamental difference between the two, the device management platform and PSIM, and how they complement each other?

MB: There is always going to be a need at the high end of the market for [companies like] CNL or Orsus or Proximex because they are doing something that's very specific, tying together systems that are out on the forefront of technology.

I don't think you're going to see those products used in 80% of the customer base; it's probably really only 1% of the customer base. Those are typically government, military, municipalities, utility districts, high end commercial applications.

We are continuing to add more and more features to our product over time, and it's becoming more like a command and control interface, although we're not calling it that. There's still going to be a need for these high-end overlay products that tie in multiple subsystems from various manufacturers. That is such a specialty item that I don't think any of the core access control companies or VMS companies are going to be able to provide that level of integration. There are just too many subsystems to possibly stay on top of all of them.

SJW: With your system becoming more sophisticated, why do you not want to call yourself a command and control platform?

MB: At some point in the future, we may have enough functionality in there where it makes sense to do that. But our goal is not to be an overlay, to take over competing systems from our major competitors. That model hasn't ever really worked well. If you look back at the history of the access control world, if the customer isn't interested in eventually moving from their current platform to the new platform, talking to panels that were made by various manufacturers and writing integration to those panels typically hasn't really gone well.

We tie into all these different video manufacturers, and we partner with companies like CNL and what they are providing is the integration to those other subsystems that we would really never get into.

SJW: Matt, what else had you come prepared to talk about that we haven't?

MB: What we didn't talk about much was IP video. It wasn't that long ago that we were saying IP video is a new horizon, and now it's become the de facto standard. We're obviously investing heavily in that area, that's one of the core pieces of the product that we believe will be a growth driver for the next five years.

It's not only being able to manage IP video but actually engineering our own IP video products. A lot of [products on the market] are taking it for granted that networks are robust and stable and have enough bandwidth available. In reality, in a lot of cases that's not true. We don't see a lot of people putting redundancy into these systems.

When you're implementing a security system, it's got to be reliable and it seems on the video side, the security director is at the mercy of their network infrastructure. If there are outages for whatever reason or bottlenecks because of too much data, they are just being stuck with the consequences. That's not really an approach you can have long-term. So we're developing products to minimize bandwidth as much as possible on the network, to minimize storage requirements. Although storage is getting cheaper, the amount of storage people want is getting much larger. How do you get that equilibrium between enough storage and keeping costs under control and providing that fault tolerance on the video side?

That [fault tolerance] seems to be an issue that very few people are really grappling with right now.

SJW: I saw interest at RSA about the actual security of video management systems and devices on the corporate IT network. A lot of IT professionals were there to hear that presentation expressing concern about whether the cameras and video management platforms could be a point of entry for hackers, malware, viruses and so forth.

MB: That is an issue that needs to be looked at more, the IT security of these things. Because of the work we do for the government, we are going through FIPS 140-2 certification and [military testing] so there's quite a bit of hardening that has to go into the system to meet these different standards. Certainly there are all kinds of devices connected to that [IT] network, and each one has to be evaluated.

SJW: Any other thoughts you care to share today?

MB: We're investing in our technology for our core access control business, we're investing in technology for video and the tight coupling of access control and alarm monitoring and video management. The trend is doing more with less so having a very tight coupling is key for an operator to take action upon [an alarm] and not have to spend time figuring out what happened.

Right now there's a big surge on the government side in intrusion detection systems. In a lot of high security areas, you need to use a card or PIN, you have to be able to turn the alarm system on and off, there are certain regulations with how the data is transmitted from that closed-circuit system back to a command center for monitoring. We're seeing a lot of movement in that direction. There doesn't seem to be a real great product handling that, so we're investing heavily to add that functionality and go after that market.
