Cybersecurity: balancing security and accessibility
10 January 2018
Having previously considered the challenges presented by the proliferation of networked AV systems, before revealing the practical implications, Ian McMurray concludes by looking at what is achievable in terms of levels of security without accessibility suffering.
It would, of course, be reassuring to believe that, given the appropriate attention, the security of an installation could be guaranteed. Realistically, however, that’s unachievable – but that’s not to say that the effort shouldn’t be undertaken.
“While 100% security is the goal, the target is constantly moving,” Rainer Stiehl, Extron VP of marketing for Europe, points out. “However much time, effort, and expertise you put in, nothing will be 100% secure. For example, we have seen acceptable cryptographic key length increase as computing power has increased. The best strategy is to minimise the risk vectors and acknowledge that the best installations used a layered approach to secure important resources.”
Paul Zielie, manager, enterprise solutions, Harman Professional Solutions, sees things similarly.
“Security is a balancing act,” he says. “The need for systems to be accessed, combined with evolving threats, means that no system can ever be considered 100% secure. In general, even systems which are very secure tend to become less secure over time. This is because vulnerabilities which were previously unknown are discovered and published and that knowledge can be used to attack a system which has not corrected the vulnerability. That’s why patches and periodic risk assessments are required to make sure the system continues to meet the required security posture.”
And then there’s the users…
“100% security is never achievable as you always need to take into consideration human error,” says Keren Lipshitz, director, head of control and solutions division at Kramer Electronics. “You should take all necessary measures to secure the installation – first, by utilising the existing technology and second, by training users how to use the system correctly to minimise those errors.”
The complete security of an installation may, then, be an impossible dream – but there are mitigating factors. Foremost among these are accessibility and ease of use. All data, for example, could theoretically be made wholly inaccessible. Similarly, a complex signing-on process could be implemented that would maximise the chances of only authorised users being permitted on the system – but with a consequent loss of productivity. A balancing act needs to be performed – a balancing act that also recognises, for example, the differing security requirements of a bank and a sports bar, as Zielie points out.
“While it’s important to have established best practices and base security settings, security is always in support of business goals,” he explains. “The amount of effort, time, and cost that is spent on security depends on what the business goals are and the assets they need to protect, which varies between organisations – and often between applications within an organisation. There is no one size fits all security profile.”
Stiehl has a good analogy.
“It’s important to consider that the relationship between security, accessibility and ease of use is elastic, with each occupying one side of a triangle,” he explains. “If you only focus on one area, you will limit the effectiveness of the remaining two, effectively changing the shape of what is implemented.”
“Understanding where to draw the line is more about understanding the needs and risk tolerance of the customer more so than picking an arbitrary demarcation point between security and accessibility,” he goes on. “Each installation and site governance has unique requirements.”
“There’s always a balance between security and ease of use needed in AV installations,” says Kenneth Noyens, advanced technical support manager at Crestron EMEA. “When thinking about security, it’s important to understand the impact when the system is compromised. If people need to enter a 15-character password that needs to contain special characters to be able to start presenting in a closed room, you’re making your system too complex to be used. The impact of someone starting a presentation in that room with only a four-digit password should be evaluated to see whether it is acceptable.
“You have the ability to specify your target security level in our Crestron security audit tool,” he continues. “This way, we advise you, from a manufacturing point of view, about the minimum security settings for your devices. At any time, you should evaluate together with the end-user to set a decent level of security – but still make sure that people can easily use their systems.”
In the same week that the BBC reported the Huddle security issue, it also reported on a study by Which? – a consumer advice magazine – that ‘connected toys’ including the Furby Connect, i-Que robot and Cloudpets were fundamentally insecure, with a recommendation that they should be withdrawn from sale. The moral of the story? No matter what it is, or how insignificant or trivial it may seem: any connected device represents a potential security risk that needs to be identified and eliminated. It’s better, as the saying goes, to be safe rather than sorry.