How Mobotix and Genetec Combine Their Efforts to Improve Integration and Cybersecurity
"The big question is how you store your data"
Under the leadership of its new CEO Thomas Lausten, Mobotix has taken measures to restructure the company’s operational units, its organization and to transform the company to be more open for partners and integration. One of its main integration partners is Genetec. At IFSEC in London, GIT SECURITY had the opportunity to talk to Mobotix CEO Thomas Lausten and Pierre Racz, CEO of Genetec, about their cooperation and the cybersecurity threats our industry is facing.
GIT SECURITY: During the last year, Mobotix has developed a new more open approach. Can you explain what this means regarding cooperation and third-party integration?
Thomas Lausten: The strategy means that we move from a closed Mobotix product universe to opening up our systems. This will enable us to enter new markets and our partners can react more flexibly to specific needs and cover a wider range of projects with our systems. We now include the H.264/ONVIF industry standard in our products, so they can fulfil customer needs and it is possible to use our cameras within third-party video management systems (VMS) and integrate them more easily in projects. In the future as part of our product development we will develop interfaces together with our integration partners to make integration projects easier and to unlock the possibilities artificial intelligence offers. Genetec is a major partner for us and we are working very together very closely to get a deeper integration.
What does the integration work look like?
Thomas Lausten: We have met at CTO level before to discuss and develop the plans for a deeper integration that goes beyond standards. Our teams are now working on the integration and have produced the first results. We are more and more involved in bigger projects where some of our customers ask us for a bigger VMS that goes beyond our own VMS offering but offers the same security standards.
Pierre Racz: Our motivation in general is that we find hardware beautiful and our Security Center software makes that beautiful hardware sexy. We have combined some of the unique features of Mobotix with unique control features on our side so that we can deliver a deeper level of integration to our joint customers.
Can you give us examples where users benefit from this integration work?
Pierre Racz: On the control side of our software you can go into Mobotix high resolution systems and zoom around in the pictures and get sub-streams out of the complete picture. You can manage these streams individually and you can apply the Genetec Privacy Protector for privacy requirements and for GDPR compliance. On the storage side, customers can either store the big stream out of the camera or only sub-streams. What we are bringing to the table is our hybrid storage architecture where we can move data simultaneously to the cloud. Our next joint development is to blur both the pictures displayed on the premises and the pictures stored in the cloud if you choose this option. Our architecture of choice allows customers to optimize costs and to store data on their own systems or in the cloud or both.
Thomas Lausten: The features that help our customers to be GDPR compliant are very important for us as there is a focus on this topic at the moment. The big question is how you store your data. GDPR has brought some interesting new aspects and it is as important as cybersecurity for us. One of the reasons we are partnering with Genetec is that they are true experts here and they have raised this topic years before others started to look at it. We know that privacy and cybersecurity is hardwired into the Genetec approach to software development and it is in our DNA as a technology company with German roots to have a strong offering here.
You mentioned cybersecurity and GDPR. What advantage do you think your products have here compared to others?
Thomas Lausten: Cybersecurity has become a concern changing the market’s approach to video technology. Customers are asking: Where are the pictures going? Who has access to them? Mobotix cameras are very well prepared in this respect and we have developed the Cactus Concept that includes our measures to increase cybersecurity. One part is our Cyber Protection Guide, a guideline that describes how administrators can implement secure system configurations. It explains what you need to do to protect your entire video infrastructure against third-party access. Opening-up our proprietary technology towards other companies’ systems doesn’t mean that there aren’t any boundaries necessary. Our proprietary software and chips remain important and where we open-up our systems we take a very careful look at potential partners and if we can trust them. On the technical side, to have control of our own Security Operation Center (SoC) gives us an advantage when it comes to cybersecurity but also when we work on interface development. It is not only easier for us to develop interfaces for our own software and for the integration with third-party software and VMS partners like Genetec, but also helps us to create artificial intelligence solutions.
Pierre Racz: I could not be happier with GDPR. We are on a mission to demonstrate that liberal democracies do security in a different way than authoritarian countries – especially in how we protect an individual’s right to privacy. One can look at security cameras as a type of robot, and these robots must not do harm to us by being overly intrusive or violating our rights to privacy. In a sense, we are implementing the “Three Laws of Robotics” and, if you want, GDPR is in a sense inspired by Isaac Asimov‘s „Three Laws of Robotics“.
How do you guarantee privacy within your systems?
Pierre Racz: Inside the system we either get rid of all personal identifying data or put it into secret vaults. Names of cameras and badge holders go into this secret vault so that a system administrator sees only numbers and not what they correspond to. In other words, we are separating the roles of system operators from that of system administrators. We give clear rules and for most scenarios you are either one role or the other. To have access to all data you need two persons to agree to look at the data together. For example, when our Genetec Privacy Protector blurs the video you need the chief security and the chief privacy officer to insert their smart cards to watch the unblurred video. Other protections we deploy include certificates that make sure that systems do not get tampered with and that no unauthorized equipment appears on the network. We encrypt video at the source or as close as possible to the source. From this moment all stored data is encrypted. Our system has the option to use chipcards to gain access to the stored video. With this system every action is recorded, giving the customer a full audit trail of who accessed what files, on which date and of any changes made to the video.
At the moment everybody is talking about GDPR. Do you see the same level of awareness for Cybersecurity?
Pierre Racz: Not really. We need more regulations that make technology providers responsible for what they offer, especially if their equipment can negatively influence the security of our democracies. We’re only now starting to see some governments take a proactive role in implementing rules and regulations around technology providers in our industry.
Thomas Lausten: Within our industry we definitively need to raise the awareness if we are to appropriately restrict access to security data. There are huge risks and there is a big gap between the risks and the behavior. Some say “Yes, we take it seriously”, but they don’t follow through with the necessary actions to ensure this.
Pierre Racz: I am not getting the sense that governments take cybersecurity seriously enough. We need to empower the end-users that they make their providers of technology accountable by taking out cyber malpractice insurance. We can’t wait for the governments to solve this, but we can make sure that the free market solves it by making providers accountable for the damage that is caused by their unsecure products. Big organizations that store data for their clients simply cannot afford to have security gaps as they would be heavily fined if they make faults. These organizations invest heavily in security while IT departments in other companies only just get enough money to “keep the lights on”. Like with the Sarbanes Oxley act, there should be no excuse for companies or managers to neglect cybersecurity, no matter how big or small the organization may be. Sharing data creates value in our society but it needs to be done in a responsible way. The technology to protect data is there with authentication and encryption technology at hand, and secure cloud technology is available to help us efficiently manage, store and share this data. We need to raise the awareness around authentication, encryption and the cloud so that end users use it and invest in it. From my point of view, it is a societal choice like the decision to invest money in environmental protection.