Access Control Meets Intrusion Detection

We've been wondering when U.S. government security mandates would start influencing enterprise/commercial deployments. The latest version of AMAG Technology's flagship Symmetry access control platform offers one path.

At Security Squared, we don't typically get too excited about iterations of products unless they signal a major technological or strategic shift. What intrigued us about the Symmetry Version 7.0 announcement at ASIS 2010 was that this version is currently available only in limited release to government customers. So we spent a few minutes recently talking with Matt Barnette, senior vice president, marketing, for AMAG Technology. He discussed the features developed for federal users and how those will find their way into enterprise versions of Symmetry 7.0, due at ISC West next spring.

Here are some of the highlights of our conversation, edited for clarity and length:


*****

Sharon J. Watson, Security Squared: Tell me a bit about what's in the latest version of Symmetry previewed at ASIS 2010 and why you're initially targeting government customers with it.

Barnette: What we found over the last four or five years is there were a few product lines in that space where those companies maybe hadn't been investing in current technology and for one reason or another, with the changes in the economy and buyouts, mergers and acquisitions, those product lines are really kind of stagnant.
 
There have been lots of inquiries from end users of those products about potential upgrades to new systems. We decided to develop our version 7 with the new features specific to that government customer and what those customers really use--quite a bit of which is a little bit outside of the norm of the commercial-industrial business we would typically do. They are very heavily reliant on intrusion detection. It could be a top-secret office environment where they have SCIF [Sensitive Compartmented Information Facility] rooms, and there are regulations about the data that's stored inside of those rooms and who has access to those rooms. So you need to have a product that has that specific feature set in order to compete in that arena.
 
We added this functionality, it's a module that's been added to our Version 7.0 software that allows for this intrusion detection aspect. That's on the software side. There's hardware that goes along with that. We've changed and updated the firmware in our panel so that we have a unified solution that can do both access control and alarm monitoring and intrusion detection all on the same panel. You don't have to worry about buying separate parts and pieces. Fewer parts means more efficiency, it's easier to service and maintain. There's a lot of value in being able to do this with our core product line, not having to change out. For existing customers, they can also migrate to this new product, this intrusion management, and not have to change anything they've already installed. It will work on their existing infrastructure as well.

In summary, it's a software and hardware solution. It includes our Javelin series of readers. It has a four-line liquid crystal display on it so the user can get feedback from the system. It's like when you go into your house and you have an alarm system, you can see what the status is, you can arm it and disarm it. That Javelin card reader will provide the users of the system real-time feedback on the status of the system.

As an example, when I walk up to that card reader, I can enter my PIN code or my card number, and it will show me whether that zone is armed or disarmed or if there's a point in a forced situation or has been overridden by somebody.  I can see that real-time information on the keypad. I can also enter commands on that keypad so I can lock down an area or unlock an area, all from that user interface on the keypad.

SJW: The intrusion detection modules--will your enterprise customers eventually be interested in those or are there additional features in version 7 that may originally have been conceived for the government and federal market that you're thinking will also have appeal across the private sector?

Barnette: The intrusion management will have a wide variety of applications. In the K-12 education market, intrusion management is a big deal. The smart classrooms now have a lot of expensive computer equipment and audiovisual equipment in them.

We've seen many other applications for this type of functionality in the private sector, everything from education to health care.  There's a lot of expensive equipment in hospitals. Typically they're locking down those operating rooms. Now you'd have the ability to go in and enter a number on the keypad, unlock the door, turn off the alarm system, allow access to that operating room and do what you need to do. At the end of that, you can lock it back down or have the system automatically lock it down at a specific time.

SJW: So, Matt, the extra flexibility there is actually being able to do that from the keypad? With access control systems, you have a lot of control depending on where you place your card readers and how you program your software. I'm just trying to understand the subtleties between controlling access and intrusion detection.

Barnette: Right. In a lot of access control systems, you have that functionality but only at the head end where the software is, so the operators have to do that. Traditionally you would have to call the operations center or security officer from that classroom or operating room, and they would have to log in to the software to do that for you manually.

A lot of organizations want to decentralize that type of routine task and really push it out to the users. A traditional access control system is a one-way street. You hold up a card to the card reader, it sends data to the panel, the panel needs to communicate to the server. You don't send anything back to the card reader--it's either a "go" or "no go" decision. There's no information that is displayed, there's nothing the user has any ability to do on a traditional card reader.

Keep in mind the [Javelin] card reader is the same unit you're using for access control [and now] intrusion detection, it's not two separate pieces. When you add the intrusion aspect, you're really introducing the ability for the user to have that flexibility of being able to make decisions right there at the card reader, [using it] as your console into the system as opposed to having to go to a computer and do it through your software.

SJW: Were there any generic deployments you're able to talk about or some way your federal government customers have been using this that you can share with me? Or some of the issues and challenges that it solved for them?

Barnette: That's where it gets a little tricky. We've installed a very, very large system in the Aberdeen Proving Grounds [in Maryland]. That's about all I can say about that.

We currently have test systems installed for several different departments, including the Marine Corps, Army and are under evaluation by the Navy. The first step for any of these deployments is they have to go through very thorough tests in the lab environment before they can be deployed in the real world environment. We are already in that process now with three very large departments of the military.

SJW: Were there other points you had wanted to emphasize or something I should be asking that I'm not?

Barnette: What we really didn't talk about is the standards or compliance requirements in the government sector, things like FIPS-201, HSPD-12. Our product has been and continues to be capable of meeting those requirements. In the government sector, information assurance as well is becoming more and more important.

The product not only needs to do what you say it can do, it also has to meet these very stringent certifications that are being implemented mostly by the information assurance groups within these agencies. They are looking for vulnerabilities in products. All of these systems are now running on networks so they have to test and make sure it's not going to cause issues on the network, and that there are no vulnerabilities that would allow hackers to get into your security system.

We talk a lot about features and functions and benefits.  Compliance and certification are also things that are important to the US government--the information assurance testing as well as the FIPS requirements, including the FIPS 140-2 encryption. We have to go through all of that. Certainly our Version 7 software will continue our legacy of having that certification.

SJW: Matt, will those levels of security meeting federal compliance be woven into the fabric of the product so that enterprise clients will also get that level? Or will those be things that you turn up or turn off depending on the enterprise needs and their budget?

Barnette: They will be sewn into the fabric of the product. Some of these government standards are really irrelevant to the private sector but by and large, most of the enhancements that are made to meet these requirements only make the product more robust for the commercial sector.

# # #

