In this episode of Security Guy Radio, Chuck Harold & guests discuss the evolution & future of access control technology.
Kurt Takahashi, SVP at AMAG Technology talks about how AMAG’s new applications, Symmetry CONNECT and Symmetry GUEST, extend the value of access control and take it to the next level by simplifying how companies manage their operations and ensure policies are met. AMAG Technology is one of the foremost innovators and suppliers within the Security Industry providing fully integrated security solutions throughout the world and is a leading manufacturer of access control systems, video management & alarm systems.
AMAG’s policy engine, Symmetry CONNECT allows companies to operationalize their business by automating processes to meet audit and compliance issues. Symmetry GUEST visitor management helps better manage the different identities in a facility.
Also, joining us, Paul Bristow & Cherise Gutierrez. Cherise, our Cyber Gal gives us an update on the iPhone San Bernardino case — does the FBI & government really hold the key to 16 million phones now? She also discusses the Trump hotel breaches.
Chuck Harold & Guests
Full text of radio show
Please forgive any typos, this podcast was transcribed by my typing pool comprised of volunteer stalkers.
Chuck Harold: There’s my voice okay. Welcome to operation … wait a minute, I got to say this right. Operationalized Version of Security Guy.
Paul Bristow: Well it’s the actual words.
Chuck: Well it’s like supercalifragilisticexpialidocious.
Paul: I can’t say that. Welcome to the show!
Chuck: Welcome back Mr. Bristow.
Paul: Yes, thanks.
Chuck: Wondering .. what you’re up to this weekend?
Paul: [unknown] because it was St. George’s Day
Chuck: Oh, good for you.
Chuck: Well I had quite a trying weekend. There happens to be a rabbit in my house. Did I tell you that story?
Paul: You did.
Paul: And I told you how to get rid of it?
Chuck: I have some plans.
Paul: Whether electrical.
Chuck: I’m surprised that the police did not shoot the rabbit when they came to my house because the rabbit chewed my panic alarm button and set off alarms. Silent alarm, and I was taken down by the Burbank Police Department at gunpoint wondering what I was doing in the house. And then they had to come in to the house and ask my daughter what she was doing, “Are you okay ma’am? Do you know this man?” “Unfortunately he is my dad” she says. That was nice thing to say…
Paul: So why would a Security Guy Radio have an alarm cord in a place where it could be chewed by a rabbit?
Chuck: No the question is why is the rabbit in a place that’s chewing my cord? Why is the rabbit living in the bedroom? It’s a rabbit… It’s very annoying.
Paul: I like rabbit stew, actually.
Chuck: It’s incredibly destructive. It’s unbelievable. But right now we want to see what’s going on with Cherise? Welcome Cherise, Cybergirl, what’s going on?
Cherise Gutierrez: Hi! Thanks for having me back.
Chuck: Are you dry?
Chuck: 16 inches of rain. Oh my gosh.
Cherise: Yes and you know we live in the Heights and it’s called the Heights for a reason because they build our homes up so high because we do live in a flooding range but thankfully we didn’t suffer any of the flooding. It was more North of Houston that got it unfortunately.
Chuck: Well I’m glad you’re safe, I heard sixteen inches where people could have been killed flooding away, it’s crazy.
Cherise: Horses, yeah, it’s traumatic down here when it rains.
Chuck: What’s the latest in the cyberworld? I know you have another good story to piss me off.
Cherise: Absolutely. Yes, so I don’t want to keep rehashing old topics but this is a pretty big one. Wanting to keep tabs on the San Bernardino iPhone case.
Chuck: OH, Yes!
Cherise: Feds recently disclosed that they actually paid an independent consultant to hack the phone and they were successful. But, what’s making more of the news rounds is not so much that they finally cracked it because we knew that was just a matter of time but it’s the amount that they paid to have it cracked. Can you guess?
Chuck: I think it was more than the FBI Director can make before he retires?
Paul: They did say how much it was but I can’t remember.
Cherise: Exactly, 1.3 million dollars.
Chuck: That seems cheap to me. Doesn’t it?
Paul: It does . . . I don’t know.
Cherise: Actually, it’s the highest bounty that has ever been paid for a cyber hack. Can you believe that?
Chuck: Well that kind of sounds like ransomware to me..
Paul: It’s reverse ransomware
Chuck: Yeah, that’s right.
Cherise: You know there’s definitely going to be some good and some bad that come out of this, you know. For me I think the unfortunate part is now the FBI holds the key to unlocking the iPhone version 5c on iOS9 for about sixteen million devices in use.
Chuck: Do you believe it? I’m skeptical. I’m almost thinking it’s a bluff to get Apple off the butt to do something in there. I don’t know, what do you think?
Paul: Well you know what I can’t believe. Feds didn’t have somebody to do this themselves and it doesn’t make sense right?
Chuck: Of course it makes sense. It’s the FBI. The Federal Bureau of Incompetence. Sorry fellas but you know it’s true if you work there.
Paul: Authority is famous but incompetent.
Chuck: Famous and incompetent that could be too.
Paul: The photo was famous but incompetent
Chuck: Oh, famous from incompetent that can we . . .
Paul: That was security guy….
Chuck: They really think they cracked it. I mean… let’s talk about that briefly. There are things that are encrypted.
Cherise: They are claiming that they cracked and they didn’t do any kind of integrity damage to the data.
Chuck: Now cracking meaning they broke the encryption code or somebody found the key and unlock it. Which one do you think it was?
Cherise: It was probably the combination of both. They have to create and crack the key and then use those techniques on to the code. And so you know in terms of how they did it I believe details will come out. It could only stay a secret for so long.
Paul: For sure is, I’m going to get back to… you mean you must notice stuff. Surely the Feds have got a whole team that work on that. So out of the business, right?
Cherise: They do, but in terms of having the in-house expertise for such a real low level understanding of encryption, the operating system. It takes a multi-talented individual to have these skills to not only come up with the hack and decrypt it but to safely do it and there are not that many believe it or not skilled resources out there with those capabilities.
Chuck: Oh they probably just went to the Federal Penitentiary and pulled out one of those guys.
Paul: I bet they did ask the British Secret Service or those somebody.
Chuck: They probably did not.
Cherise: Why not? So you know are we interested to see where this goes on from here. Now knowing that the government has access to be able to decrypt over sixty million devices essentially. So we’ll see how this plays out in terms of our privacy and protection.
Paul: Well I know when they look at mine anytime. It’s so boring.
Chuck: Well mine is not exactly boring maybe they should look at mine but
Paul: Well I know, I know what you’ve been up to.
Cherise: In other unrelated cyber news. Let’s talk about one of our Presidential Candidate hopefuls. One of his assets is in the spotlight and it’s Trump Hotels. Apparently they have been breached for the second time this year. It’s noted that it’s a credit card breach on their POS System that’s Point of Sales that do all the transactions where the hotel.
Chuck: That’s not good.
Cherise: Yeah, not good. A researcher has disclosed this week that they found out a pattern of fraud on multiple credit cards and the one thing in common was they were originating from the Trump Hotel Chain.
Chuck: Originally from there? How interesting.
Paul: They should have been using Hillary’s server. They’ve been thinking about, right?
Chuck: He’s not just the fund his campaign because he always spend like six grand in New York
Cherise: And you know they start asking him for comments. And you know he starts of course redirecting the comments and making it about the US and how Cyber Security is obsolete here instead of focusing on the issue at hand because hotel chains.
Chuck: It seems to me that the Trump Campaign and many others should operationalize their technology. Can you say it?
Chuck: There we go. And that’s why we just happen to have someone in the studio as we always do to help us with that challenge and that’s Mr. Kurt Takahashi, Senior VP of sales for AMAG. Welcome to the show.
Kurt Takahashi: Thank you. Appreciate you having me.
Chuck: Now I’m so happy to have AMAG on here. Big operation, part of G4S. Give us your introduction on what AMAG does and just a broad stroke on it.
Kurt: AMAG has traditionally been known as an access control company for about forty plus years we’ve been in the access control market. The last several years we’ve really changed the way that we do things and we’re really evolving our technology to do a lot more things than just access control.
Chuck: And such as?
Kurt: So some of the interesting things that we’re doing is we look at the client needs around a lot of their risks and compliance and cost issues is we find that there are a lot of challenges with once you install an access control system or a video system or any type of thing.
The biggest challenge that we find is once it’s installed, nobody’s really there to help them figure out what to do with it. For what reasons do they need it. How do they help operationalize what they do every day and so some of the things that we’re doing that’s very unique in the market is that we’re taking that next leap.
Alright, and that’s really what our big shift is in the last couple of years is introducing this concept to the market that we have this very powerful policy engine that sits behind the curtain of our technology. And we’ve also taken another step towards more of the managing that different types of identities in the facilities like a visitor, a contractor or an employee, right? We utilize our policy engine to help automate some of those manual processes that sit behind the curtain. Because most people with their security they tend to just put more people at it.
We talked earlier that a lot of companies are starting to see more requirements around audit, a lot more compliance. As we see companies expanding multi-nationally across the globe and consolidation, we see a lot more requirements that are being pushed down like in the utility market. We see a lot of compliance requirements around Merck or in the petrochem or financial. They are all related and in the cyber side you’re starting to see a lot more requirements from PCI background.
Things of how you store credit card data and things like that. A lot of times it focuses on who gets to go where, why they get to go there, reasons that they go there and lot of companies have to do this manually. You’ll be amazed that when you really start talking to people about what they do every day? How do you get access? How do you request it? How do you audit? How do you re-certify those things? All things that are required for this compliance requirement are all done manually.
So that’s where the big things we’re doing differently and AMAG is we’re introducing some new applications that extend the value of AMAG’s Access Control Platform. We really take to the next step to help automate all those manual processes that exist. All the emails, fax forms, the manual forms, all the reports and the manual transitions to get all these done, we’re automating a lot of that so that it totally simplifies how you do things. But more importantly what it does is that it helps ensure that all those policies are met. Primarily because we’re taking a lot of that manual intervention out of the way.
So when the auditors come in and internal audits are being performed, we’re able to prove how you do things because it’s all happening in a single location. Trying to consolidate all of those different features into a single user interface so that it makes it simple for the security team, it makes it simple for the end user, it satisfies all the different unique needs of all the different lines of business. So everybody’s policies and requirements seem to be changing on a daily basis. So security teams like yourself Paul are very difficult for you to maintain all that. It’s hard to keep everybody happy and stay in compliance.
So when you start having people get access that they don’t belong into right? It becomes very risky especially if you’re into utility, right? We have somebody standing on the substation or your financial institution and somebody’s getting in to your data center or your vault. Or you’re a healthcare organization and you have a heap of requirements that you have to deal with.
When you really start looking at it day to day, it’s very difficult for you to maintain all of that because it takes more and more people, it takes more email, it takes more reports, and it’s very difficult for a company to do that. So some of the key things that we are doing is we’re introducing some very interesting extension offers or Symmetry access control platform that allow people to do all of that in very simple way.
Paul: Do you have a special team that goes in and does act. Because when we were at Fox and we have a pretty good access control system but we would sit for hours just trying to work it out
Chuck: The permissions, the rules.
Paul: What are we going to do? Do you have a special team that understands peoples business? Because that’s part of… you’ve got to understand the business, right? Before you can go. I mean there’s a huge value at it. I haven’t heard that from other access control companies, nobody talks about that. They put the system in and they walk away. You know and it’s like what should we shall I do with it?
Kurt: That’s exactly what we are trying to do. We have a team of people that go in and we perform what we call like a workshop. Now this is where we really start asking some of those deeper questions about how do you do it today? What do you do today? Let’s talk about your technical infrastructure then let’s talk about the different users and what they have to do every day. The different policies and what are your audits and we take it down to that very granular level to say what do you do today? When Chuck needs to act request access from you? What does he have to do? How does it actually…
Paul: I wouldn’t give access at all anyway.
Kurt: He might be on that watch list. So we really peel it on your back and we try to detail it all out and we can create that as a state the future state then we can apply what we have from our technology base and we can say this is how we can automate it. And it’s not a lot of customization, it’s just a very simplistic way of approaching it but AMAG is the first company in the market to add this type of feature to their access control platform because traditionally you have to go buy another third party application in order to bolt on to your solution.
Paul: What I thought we got to do?
Chuck: There’s a lot of manual program. In other words I get to sit there and flip switches to decide what areas you could go into and how. And you did get there right on time. It was problematic. So this really goes back to the word that I can’t pronounce. It is operationalizing the technology to make it function.
So here is the challenge I always on tell me if you think I’m right or wrong this. So I put a system in and we have 200% turnover on the guard force so I can track them within my building. So the guy I taught to how to use the system and spent a bunch of training on, he’s gone now. And now I got to come back and say, “Okay, let’s train the next guy.” In the old days at the north because of that turnover had to be… the new guard had to be retrained. So you’re optimizing this by using some automatic features taking people out of the system based on rules and things like, is that a good description?
Kurt: Yeah, so we take it from the personnel level, right? So, how you request it? How you approve it, right? How do you audit? It’s all automated on a single user interface, a single platform. The policy engine on the back side of things is what does that if then statement. If this happens to this send an email to this person and then they can approve it and automatically push that down into the access control system or take it out.
On the flip side what we’re also doing is when you take your video surveillance feed and pull that into the access control system that’s also another compelling piece because from a training perspective the guard has to know, what do I do when something happens? An event happens that you see in video it triggers something that has to happen in the access control system and then that guard or that operator then has to figure out, okay what am I supposed to do today? How am I supposed to handle this instance? What am I supposed to do next? So again the policy engine that sits behind the curtain allows to then say, when this happens? Do this.
Check the video. Okay it’s good make a comment. Next do this then email this, then do this. So in ensuring that all those steps are met and that’s what we call our workflow alright. Our workflow engine that sits within our access control platform that helps. Again, take the video feeds and help you decide what to do. That way from a training perspective it’s very automated. You don’t have to you know hopefully that person remembers to make the right decision. We help them guide them through those right decisions and then that becomes completely automated in the back-end.
Chuck: So it’s presenting commands to the guards to do this and do that, that kind of thing.
Kurt: And again historically, you have to go buy another third party piece of software overlay that onto your system and that what’s help you. The nice thing about Symmetry is this all this is built-in to the product.
Chuck: How do you handle temporary visitors? Is this a challenge I just assume it was and found a great product out there that all they do is to visit the management. It plug-ins to other systems and I asked the guy, I don’t get it. I’m glad you exist. But why don’t the big access control companies have it? They focus on who’s cleared and not focus on temporary people because it’s harder to get them in and out of your database. How do you guys handle that at AMAG?
Kurt: So again, we look at the different types of identities. We look at the visitor, we look at the contractor, we look at the employee. So from a visitor perspective a lot of challenge is that visitors brand management systems have is that it’s participation. I’ve talked to a lot of different end users every day and they say, Oh we have a visitor management system and we have a registration form that we do on our portal. You just go then it’s really simple and then you go in there. When you dig deeper you find out that that’s the biggest problem is nobody goes in and does it. So all your visitors just show up to the lobby every day because people are just too lazy to take that next step.
Paul: Oh and they manually be cleared in real time.
Kurt: What we have within our application. We have a visitor management portal and what we do is we made it that much easier. So most people schedule their meetings in Outlook or Google Calendar right so what we’ll do is everybody that you invite to that meeting we will immediately take every invite and we’ll automatically preregister them into the visitor management system but we’ll go again through the policy checks and we’ll say, “hey, are they cleared? Did they sign their NDA? Do we have to notify them of an NDA?” Things like that and then we’ll automatically then send you an email saying, “Paul and Chuck, we look forward to you coming to our facility on Monday. Just park here when you come. Here’s your confirmation number.
Here’s your barcode or you know bring your license.” And then when you come in the whole experience is seamless. And so what we’ve done is we’ve taken that one piece out of the equation of participation so most people again always schedule a meeting in Outlook or Google and then we’ll consume it automatically to make it pretty simple.
Chuck: Even if the guy doesn’t show up, he’s not coming to the place. But he’s got a pass and anyways he does show up so then we don’t have to think about it really.
Kurt: So he shows up, here’s my confirmation code, here’s my barcode, scan them in and it says, oh here’s Chuck. Where’s your ID? Okay, sign here and you’re in.
Chuck: So talk about the rules. So you mentioned NDA Non Disclosure Agreement. And you can actually put something through that invite through Outlook. So I’m, you’re going to send me a pass Paul and you’re going to invite me and I’m going to receive… if it’s the rule or the policy for the company I’m going to receive a Non Disclosure Agreement. And I’m going to electronically sign and say, okay I agree. That’s fabulous!
Kurt: You’ll either acknowledge it or when you come to check-in.
Chuck: Or say, piss off – I’m not going to sign that.
Kurt: Or you’ll sign it on a tablet right when we get there and then we’ll print your badge. But the nice thing is that you’ll be surprised at how many compliance requirements are around at how you manage visitors.
Chuck: Give us some other ideas on compliance issues for that kind of stuff.
Kurt: Yeah, so we’ve talked a lot of aerospace. If you have a lot of foreign nationals that come visit your facilities, a lot of times you have to acknowledge that. You have to deal with the… you have to manage that in different ways.
Chuck: Because it’s a government reporting requirement.
Kurt: The International Trade Compliance requires you to manage your visitors a little differently. And so if you’re a Petrochem type facility you have to have a special type of safety training. So you got to take a safety video when you get there. Those are auditable things. Depending upon where you’re going everybody has a different compliance requirement that’s why the tool become so important because it’s got to be flexible. It’s got to deal with all these different things but the premise is still the same. You invite somebody, you check, make sure they pass and when they get in you have to acknowledge something or do something and we automate the whole process.
Chuck: We should add some copyright disclosures for Fox… You have to look at that. Right?
Chuck: This also makes me extremely nervous. So Kurt what was everybody doing fifteen years ago and we didn’t have this? Pencil and a piece of paper and guards that are just, “you look good to me pal, come on in.” “But I’m a foreign national and I want to steal your stuff.” “That’s okay, come on in anyway.” I mean, I don’t know how we do it, this is really, I’m surprised, I’m happy you have this product, I’m surprised it hasn’t been around longer. Right?
Kurt: Yeah, absolutely.
Chuck: How long has this been around by the way?
Kurt: So it’s been around for a couple of years and we actually re-launched it at ASIS this past year. Because we rewrote it, we kind of give it a new look and feel. Made it a lot more user friendly. And so we just re-launched it and we’ve got great attention to it.
Paul: How do you check the ID’s to make sure that person is, the person who says he is now. Is that presented to a person or is that or we got some way of…
Chuck: Oh yeah they just swipe them. The magnetic strip.
Kurt: You can use a passport scanner, you could use a driver’s license scanner. You can do that verification, validation, face to face things like that. We also partner with some unique technologies out there that do like facial identity and things like that that validate it that way too. And then we just consume that information into our own base technology so it works well both ways.
Chuck: I mean Cherise are you still with us, underwater, are you still there?
Cherise: Hi, I’m still here.
Chuck: If you have any stories about you know hacking access control systems. Is that anything that’s attacking lately because it seems to me if you want to get in you’d hack and put your own pass and then you’re inside and nobody knows you’re there.
Cherise: Yes, not necessarily hacking the access control but there are definitely always stories about breaches done by an insider, a malicious insider. Most recently one of the law firms in Dallas sentenced a former employee to nine years in prison and over a million dollars in fees and payback costs because he was a disgruntled employee who was actually the IT Engineer.
So he knew his way around the network, took controls it had and when he basically the environment, the network that was unauthorized at the time because he was already let go of the company. He caused a lot of disruption, he turned off services, he deleted a bunch of files, he disabled lot of accounts, he didn’t specify which system he used and broke into but I’ve got to imagine an access control system was probably one of them.
He was caught actually by the company that he worked for is a pretty big company called Locke Lord here in Dallas. And he got caught and now he’s being sentenced to nine years in prison. So this stuff does happen where they do access at the place, mostly from an insider perspective.
Chuck: So Kurt I’m mostly worried about this because this is where we get hit the most is from inside. I’m not worried about a terrorist getting a pass and come into the building. May happen someday but really before it happens your IT department going to get you. How does AMAG handle internal security? Talked about two ways, three way authentications or biometrics you can put on top of this so you really want to make sure that somebody is not a single source or single point of failure, right? Like the one IT guy is the only guy that can work the system and if he’s out everything fails. How does AMAG handle that?
Kurt: I think there are a lot of different layers of authentication from an identity record, right? But again it goes down to one of the key things that you said was. This person was no longer an employee of the company and came back. A lot of times what you see with those types of identity is that they get terminated but there’s a step that gets missed. Their access doesn’t get taken out.
There is a recent case that was on the news at Logan Airport where… I don’t know if you remember this but there is a gentleman that got terminated from one of the contractors and he ended up getting on the airplane and started getting pictures and post a bunch of them on Facebook. The issue usually comes in somebody didn’t take them out of the system. Right again, it’s a manual process.
Paul: And it should be automatic.
Kurt: It should be automatic. It should be policy based.
Paul: How could it be automatic? If he…
Chuck: But if I fire you right now, in theory, I still need to manually go in and say, “Okay, he’s fired.” And I have to take him out.
Paul: Well no, if you take… if you are firing somebody you going to do a salary due. You get paying the check. So as soon as you press that button that produce that check.
Chuck: Because you’re tied to the HR
Paul: HR don’t want to be tied into it effect.
Kurt: There’s two ways to do it right. As soon as your record changes in HR, should automatically take you out in the system. It could also if it’s an urgent termination you should be able to click one button and take them out on all of your systems. So again it’s based on how that identity changes within the environment.
Then the other thing too is one of the things that we’re starting to look at as well is we know where you’re supposed to go. So a lot of times what you start seeing is abnormal behavior. What happens when I start coming in at 2 in the morning. That should be a red flag. What happens when I start trying to access restricted areas that I’m not supposed to have access to? These are all red flags that we should be looking at. So because we have all this data, it doesn’t mean we’re not really using it that well. That’s the thing that we’re looking out for the future is how do we make sure that we’re looking at all the data all the time because it’s all there.
Paul: Why don’t? Because we used to actually use a lot of data.
Chuck: Remember our famous case. So there’s your famous case Kurt. We had the Fox Network Center live broadcasts facility we’re very serious about people coming and going because it’s on the air, Fox Sports and lots of stuff and so we had a, you know fought with checkpoint or some kind of system. We either manually configure peoples ID’s but one day we had a wallet theft and then over a course of three months we had about thirteen wallets stolen. And we’re scratching our heads going, how is this guy getting on stealing all these wallets? Right cubicles, briefcases. So we took the data, we crunched it and we wrote some queries because this had to be done manually. All the marks with access.
Paul: This was in the day, by the way.
Chuck: This was in 99 right? And I said, “Okay, I got thirty thousand access, control records, coming and going. I have five thousand employees. Tell me which employee out of five thousand was here for all thirteen thefts? And what Paul and I would find was we’ll find twenty or thirty and we’ll narrow it down – it was just one guy. Only one guy that appeared in all these different time frames which were weekends, dayshifts all kind of stuff.
The next closest appearance of somebody showing up was seven of the thirteen times and it went down to one appearance and ten appearances. And then what we did… well that must be the guy, we put a wallet up and camera and sure enough here he comes. That was the guy we caught him, right? Very labor intensive, cost a lot of money to get a programmer in there and do a lot of stuff.
Do the AMAG systems have some automatic maybe it’s not a great word but automated analytics? Listen I need, here’s five queries I need. I need everybody who came in late, I need everybody that came on a weekend and in the old days we used to call that a hall pass, remember? If you’re walking around the studio and you’re not supposed to be here on a Saturday. We say what are you doing here? Your ID’s not authorized right?
Kurt: So I would really go as far as calling it analytics because I think sometimes analytics has some kind of widely used name. It really goes back to a fundamental change. We’re not focusing so much on the door and the card reader, the panel or the door. The focus on you, you’re the identity. So if you’re an employee, you’re a contractor, you’re a visitor. We want to try to consume as much information about who you are? What department you’re in? What building you go to? What trainings do you have? Where do you belong? All of those different actions it’s about you because instead of managing the door, we’re managing you.
So the more information we have about you, it’s easier to report on who you are? Where you’ve been? Why you’ve been there? Who’s approved it? So it makes reporting much simpler. So I wouldn’t go so much to say it’s analytics whereas it’s just smarter reporting because we’re trying to get more information about you by attributes whether it’s where you park? What building you’re in? What department you’re in? What training? All of those, the more things that we could tie to your identity record the easier it is to report on you.
Paul: Do you find there are still very few companies that sort of work that way from a security department. I used to find it was sort of lack of imagination almost. Because you just did have that . . . You think outside the box
Kurt: I think it’s just you don’t know what you don’t know. For the last, for years people solve this problem with people. And we come and talk to people about this solution, or this way of thinking. You really always get that aha moment. We do this manually, yeah we do this, you talk to the person that’s doing the audits and they just, they cringed because like, “Oh my gosh, I have these ten reports that I have to do and it takes me this many weeks to like compare all the data and it’s just a very time consuming process. So it’s really more about just not knowing what you don’t know and so not many people have taken this type of discussion now neither.
Paul: A very good friend of ours Mike O’Brien always bring saying that if you can think of it with a computer or access control you can do it. But nobody thinks he’s got the imagination of thinking this stuff.
Chuck: Computer Consultant guy’s a genius, right, so he would say, look Chuck, I can program what you tell me to program but you’re the guy who thinks about how to catch a bad guy. Give two different topics together. We had a guy that worked there at the network center. I set up a rule that said that every time that somebody goes to a door that they are not authorized to go to I want to get a report, and we found a pattern with this. One guy kept going around hit and try to get into the network center. Remember that guy?
And we pulled him aside saying, what are you doing? I didn’t try to get in there. Oh, there’s a camera, there’s the door. I didn’t do it, you know.
Kurt: Fishy, that’s fishy.
Chuck: Fortunately we were very tight on programmer doors. Once we made a mistake but these are the type of things I would call an analytic that would say can I by the way can I set up your amexes that would say there is a rule when people hit a door they are not supposed to go to more than twice a day I want to email this right.
So that’s how you solve the problem and then when people know that’s what happens they stop
Paul: There you go .You use your imagination. Yes, think about it
Kurt: Yes, you got a think about it. What it is
Paul: Which is the fun part of access control
Kurt: It gives a fundamental change in thinking because most people think of access control as the door and the card
Paul: No that’s not what they think of access control don’t they fifteen twenty years ago.
Chuck: Now my parents haven’t raised any dumb children but I am not the brightest bulb either right and I am thinking. We were thinking about this in 1996 it’s just logical to us but I think it takes somebody thinking about data and databases as a different way to analyze thing right. So we talked about this before the show and my question to you is. Is Security catching up? Because at one point I thought that it was exponentially behind technology.
The technology is there somebody develops it they built it and then they say go plug this into that company and make it work there you go. Well I don’t have a staff to work it and when I get back from I see watched this a couple of weeks ago. Boy there’s some good products out there and I go they will never work at fox I will never work at Disney because the staff isn’t going to be able to sustain that. Speak to me about what you think the trend of the industry is in our People getting this stuff or they saying I need to, do they force themselves at it. What’s the attitude?
Kurt: I think they are forced to looking at options right because as we see a lot of companies growing through consolidation or global growth rate right. You just don’t have the large teams that you used to and everybody is forced to do more with less right so you’re forced to look at technology known. At Security Space, the concepts that I am talking about are not necessarily new to the industry.
Kurt: And the problem is that the third party software applications that existed out there for last this say ten year or eight year are just have been too expensive so the barrier of entry becomes almost you know it’s very difficult for everybody to take advantage of it so that’s where AMAG and Symmetry is our brand has taken that on to make it more affordable for people solve this challenge so to answer your question, I definitely think technology is moving in the right direction.
It’s getting there it’s getting the users to really understand by compelling you know the benefits of it and why and once they do they’re all in the problem is just now how it’s gonna be affordable so I think you have that technology evolution curve that’s going on right now and it’s really climbing in the right direction and as it gets more affordable people are going to be able to take better advantage of it that’s one of the things we are trying to lead with.
Chuck: So Cherise, at your buzz we have the cyber attacks and there’s always that curve of how to invest in protecting my network and what’s it going to cost me and you know what if China wants to look at my restaurant menu on my server I don’t care and worry about it but they don’t understand that getting to that server may get you into something more confidential right. So, what do you think people are going with this this price benefit analysis of people catch on your side of it that’s a lesson? If I do spend a hundred grand on this I’m going to save a billion on lawsuit. We talked about it several weeks ago. I am not sure people are still getting that part.
Cherise: So you’ve got to put them in different categories of the haves and have-nots, that’s what I like to call ’em, and those that have are typically the enterprise companies with the largest budget. They can afford, you know, six-figure installations of security controls. And then you go down to the have-nots, which are your small to medium businesses that do not have the budget to satisfy the cost of these controls. And so, you know, because of that demand you’re starting to see a lot of companies figure out a way to produce security controls at an affordable cost, whether that’s a SaaS model, you know, a service model that’s in the cloud, or whether it’s a managed service. But companies are starting to get a little bit smarter and try to figure out how to provide solutions at a lower cost point, but right now it is very much a challenge in the industry.
Chuck: Has AMAG ever thought of this idea? We take five companies to research with medium sized businesses. You got Me, Paul Fox & Disney here you got some cigars and we are all buddies and we know each other we have lunch we say you know what .What if we got AMAG and we all pitched in about one system because networks are networks but you know the network doesn’t restrict Fox and Disney as far as connectivity once you are connected right has anybody come to you and said, hey can we build a consortium of two or three smaller businesses to pay for this and we just bifurcate the servers and databases and say that’s Disney’s data and that’s Fox’s data and let’s make it work.
Kurt: So a friend of mine that is up in the Bay Area, they did that. But from our perspective we have our main product line, which is AMAG Symmetry access control, right, and then we also have a video platform which is called Symmetry CompleteView, where our Symmetry Connect and Symmetry Guest, which is the identity management application, it is a hosted solution, it’s a SaaS model. So we have made it so that you don’t pay this big cap-ex upfront for licenses and software. We have made it to be a hosted solution that anybody could take advantage of. So it’s again, it goes into, you have a great technology but if nobody can afford it and nobody can use it then it doesn’t really do anybody good.
So we have really tried to get rid of this having to force people to get outside and go buy another third party software to tie into it. We try to make it as simple as possible for people to take what they have, or look down the road from an enabling perspective, to say here’s our access control platform, here’s our video platform, let’s integrate those two together for better total cost of ownership in the workflow, the policy, and then how do we take it to Guest and Connect to operationalize even bigger areas of risk, where it’s audit was how people get places. So those services from our Symmetry Guest and Symmetry Connect perspective are hosted solutions, so it makes it easy for people to participate in it.
Paul: I think I was reading in the news the end users sees almost the Microsoft appearing product. Is that wrong?
Kurt: Absolutely, you know if you look at our user interface it looks exactly like Word. Right. So it’s for the users simple
Paul: So how did you get it pass Microsoft?
Kurt: We are Microsoft co partner.
Paul: Right right.
Kurt: So that’s the nice thing, it’s not the bunch of custom docs up. It’s off-the-shelf technology that we have brought into, is not difficult to maintain
Chuck: G4S is in lot of government spaces with guarding. Correct?
Kurt: Insight…Ahhmm I am not sure that they’re in government as much as they are in commercial
Chuck: Okay, I thought they–
Kurt: They are in government but mostly clear facilities I believe
Chuck: Okay. So let’s take a giant G4S client, we are finding your client saying, hey, listen I got a guard here, want to put an AMAG connection to it. Does it work better? Is it better for client if they did that integration?
Kurt: Yes. Absolutely because we get incredible insight from our partner company right sister company what we call G4S secure solutions right so they were the largest guarding companies in the world and I don’t think people realize how big they are and it affords us a lot of great insight from those users because they are the ones doing that day to day work. So getting the feedback from them and then really building our technology so that it helps make their job easier that that’s the best feedback we can get so we do a lot of partnering with our secure solutions company because you know they are in there every day fighting that battle and they are the ones that are seeing you know if we could have only done this differently or how do we do this or how do we bring more value that client that where AMAG from a technology perspective we could really leverage that together.
So I was kind of look at it from an AMAG perspective if I am just going out there to sell an access control system you know the values not as great but as I tie together my video platform I tie my guest in my Symmetry Connect as I build those all together the value proposition changes dramatically like just like on the G4S side right we have a consulting risk consulting firm we have a guarding team we have an integration team but we are very much separate in that regard but from a guarding perspective it brings a lot of value to bring technology to the operation.
Paul: So the figure has always been a problem with gold companies. They never bring the technology wise solution together with the guards.
Chuck: It’s a turnover problem. It’s another company it’s a computation alone. One way, you know getting the guard too.
Paul: I think. Several companies try
Kurt: So that’s the nice thing about, you know, our technology is we can be as small as a two reader system to a twenty thousand reader, you know, fifteen thousand camera system with hundreds and thousands of identities all managing through the whole process. We can scale from super small to the largest in the world. You know, we do business with Bank of America, we do with IBM, we have some of the largest companies in the world and our system scales, right. We also have, you know, we could be doing this office, right, so it doesn’t really matter what we do with it once we install it
Chuck: We may have to do this. I have a new stalker. Yes I have a new stalker on LinkedIn Yes. It’s Litty from the Northern Iles. You know, what it is right the Northern Coast of Ireland England
Paul: Wait, what are you talking about? Northern England.
Chuck: It’s called Northern Isle England – it’s a beach down in … it’s a LinkedIn stalker – we need some access control to watch.
Paul: England or Scotland.
Chuck: So here’s a question I have, so we are Bank of America, we used that as a client as an example, and I’m assuming if somebody opens a door in Italy and whosoever was in charge of the GSOC knows, is that a good description?
Chuck: How do you handle globalized compliance? Because maybe you’re not allowed to use your access control system the way we use it in America in Italy, maybe there is privacy laws, maybe there’s all kinds of things, right. So how do you handle it?
Kurt: Depends on the client situation. We could reach the servers to keep the data localized for their country, so everybody’s different, everybody has different sets of requirements, and so that really boils down to architecture of how do you segregate the data, how you keep it safe and secure, and so it’s really not a problem
Chuck: Not a problem may be that’s because these big companies coming into. We plugged it in and turned it on for you and then the guy disappears and they have no sustainability or workability on it
Kurt: I think it’s around the approach of how you design the architecture right both from the physical architecture to the data architecture and that’s what our team does really well
Chuck: Tell me about some different compliance challenges you guys have had and what you can plug in this. I mean to my head let’s talk about what I used to think about. I thought about OSHA all the time, right?
Chuck: HIPAA! People don’t think about that even in a studding wine because you had this studio nursing office
Paul: or more
Chuck: Right! What’s another one?
Chuck: That’s a big one
Kurt: So all of those have, when you think about all those compliances except HIPAA, CFATS, SOX, PCI, right, all of those compliance have the same core element: how did somebody get access? How did they request it? Who approved it? Did they get down in the system appropriately? How did you, and how did you audit the report on it, right? And so what you find is that, in a traditional model, and you probably even saw this at Fox, right, if I needed a request access from you, Paul, I would just send you an email, right, then you had to find out who’s the owner of the area that you are trying to get access to.
Then you have to send an email with Chuck, and then Chuck reviews based on whatever the policies are. Chuck’s got to review that and say okay, is Kurt ok? Does he have the right training, does he have this? Okay, he’s good. Then he has to send you an email back and then you have to send it to somebody to go and manually type that into the access control system, right
Kurt: So what our Symmetry Connect does is it says let’s get rid of all that, because when I report on that I get all those emails, I get all those reports, I got to do all that. What we will do is we give you a single place to request. It’s a self service portal. You’re going to say, I need to go to Burbank. Well, what building do you need to go? I need to go to, you know, 4000 Boulevard street, let’s say, right, and it says okay, I need to request this building, this store, click, click. Why do you need to go there? I need to go there for these reasons. The system, because of the policy, and you automatically know it needs to go to Chuck.
Chuck gets an email request. Quietly goes in, looks at it, use it in the portal, ok, good, click. As soon as he hits ok it goes right down to the access control system. It removes all those emails, all those steps. It even ensures that the information gets into the access system so that when I have to go on auditing it, let’s say it is a SOX audit, I don’t have to pull all those reports. I just go into my page and say okay, who has access to my area? While these five people are good, these five people are not – Yes Yes Yes no no no, click ok, automatically goes into the access system.
It removes all those steps in between, automates the whole process, but then more importantly when the auditors want to look at it you’re able to prove your levels of enforcement because you show how all this works within the self service portal and the audit takes care of it. Because it’s all there in the place, I don’t have to pull reports and emails from all these different places to try to prove that I did it right. It’s done right every time.
Chuck: Now let’s talk about fraud and authentication there’s always somebody they think they are smarter than the system right Ah we had something similar at Fox you get an access number it went to your desk and you put in the past and had to come to me to prove it
Paul: I always remember one of the issues and it’s some sort of interesting part of finger bowl access control that one day we found that we were in a circle of authorization and there wasn’t anybody actually at the top that was authorized to actually authorize the circle. Remember that? And I have always been with that one issue do we aid do we say we went way too many there’s nobody that’s actually authorized
Chuck: Well Kurt says that the rule authorizes it but for full authentication and accountability Paul’s right somebody has to be the guy that says here it’s my policy it’s my rule so something does screw you can come back and do something with that. We have things like dongles and biometric things to log into these systems that the high administrative levels to approve these policies to get those things in there and to prevent somebody from you know being on the inside and hack in the systems
Kurt: So that’s what we leverage, you know, the best tools, so that a single sign-on is a perfect application for that. We integrate into Active Directory, so the moment you log into your workstation, right, you are authenticated to the networks as you can get your email
Chuck: Yeah but I don’t you don’t know that’s me that could be my secretary.
Chuck: So you give your secretary your password because you want it to
Kurt: so that would be more on the cyber side right because you would have some type of authentication tool to get in that’s not something that we do we don’t go into that side because that’s logging into the actual workstation itself
Chuck: So, Cherise, people would have to come on in work on that
Kurt: That’s right
Kurt: We are behind the curtain of IT login they’re the experts we are not going to get into that space much but once you log into your workstation you have access to your applications you are authenticated into the system so now we are trusted person using the system
Chuck: Here’s what you need. You need a do a little of this on this show, it’s a little embarrassing, sometimes a good idea, sometimes a bad idea. You guys could do this easily because every monitor has a camera, so you could use facial recognition so to know that I am sitting at my terminal, to know that I am putting in that pass, and it takes a picture of my face and go, yup, that’s Chuck in there typing at that end. Because at the C-level you have given your password to your secretary, to your vice-president levels, to go and do that shit I don’t want to bother with, and that’s not actual authentication, right?
Kurt: That’s true
Chuck: that’s a free video by the way
Kurt: I will make up a note of that one
Chuck: Cherise what would you recommend to do some authentication on top of that system what would you put in front of a biometrics of fingerprint
Cherise: You could do the biometrics you could do aahaa..
Chuck: Some raster scans are pretty fast now out there I’m just worried that I mean that it’s only human error the buzz is
Paul: So actually that brings up a question I will be doing is biometric taken off the wider everybody for ten fifteen years ago I mean everybody was talking about fingerprints and you know with the facial recognition I mean is it all people still use in a majority of people still use in what we call
Kurt: I think a lot of people still using the traditional method I think they are very interested in the biometrics and we start to see a lot of interests so you are at ISC West you see a lot of stuff
Paul: It’s been in for years but you never get to see it operational.
Kurt: It started to get closer, and then we have a good partner of ours that does in motion identity work. You just walk up to the door and you are the identity record, so it looks like your face, your gait, everything
Chuck: Oh I don’t know that partner we could just say it’s all right
Kurt: FST is one. But there–
Chuck: I think that’s right
Kurt: So, there’s FST there are couple of them out there that we have integrated into our platform because we do think that it’s gonna move in that direction because people want to validate and verify
Chuck: But that’s still on your end of it that’s a terminal ending point for your system we plug into it for work and that’s not what you are manufacturing
Kurt: That’s not what we are manufacturing.
Kurt: I think the next thing you are going to see is a lot of Bluetooth readers, right because people want to use their smartphone as credential
Chuck: Yes I know I have seen that.
Kurt: That’s one area but that’s problematic right
Chuck: We had a show few weeks ago that said brought your own you got that one remember that bring your own device it’s a new thing that saves money and Cherise you can jump on this one I know you know about this but 90% of all breaches are because people don’t care what’s running on the phones
Paul: All I see in Starbucks is they are having a problem swiping his figures because it won’t accept it
Kurt: I do think that’s something people are interested in but it hasn’t hit something, it’s still something into development. I mean HID has done a really good job, by the way we’ve actually been manufacturing our own Bluetooth readers welted to help with that effort, but again majority of people still use their plastic card
Paul: Cherise if you got a Bluetooth reader can you actually steal someone’s identity through you can right?
Cherise: It depends on what data is being transferred through the Bluetooth communication, absolutely.
Kurt: I would say to that tough I don’t think that they are any less. They are more secure than the card.
Chuck: Well! If I had that pairing thing put on a phone let say I work with you I don’t want to screw up my phone lets say can I use something for your phone and I put that pairing device that Samsung uses to transfer data and turn that thing on I could be taking stuff off your phone you didn’t even know nor that you would know.
Kurt: I think there’s a lot of investment in that technology but again I think by and large people are still using plastic cards
Chuck: So what’s AMAG working on? I know you must have some secret pro lab stuff going on for this, you want to preview anything?
Kurt: Yes the biggest thing is we are still really moving down the road of our Symmetry Connect and Symmetry Guest platform because we really think that’s a game changer there isn’t another access control company in the space that does all that we do so that’s a huge different thing for us. There’s other great companies out there that provide the solution that’s just very expensive and it is third party software so for us this is really where we are pushing and I think when we look forward to the future we are going to continuously evolve into the biometric space we’re going to go into the Bluetooth space just because industry is going to require it so but for now for the next year or so this is really what we are focused on we will try to push this forward because the need is gigantic
Paul: Let’s take a look at industry what are you looking at you are going to break into it you haven’t get into it yet
Kurt: So when you think about it, I think we have over thirty five thousand installs across the world, right. So it’s the key for us in this industry is perfect for it because anybody that has a compliance requirement or even an internal audit requirement can utilize this service, because it’s so difficult to manage that data, it’s a process, and it’s a huge game changer. Again, nobody else can do it and, you know, we really are ahead of the game and from a cost perspective we’re enabling people to take advantage of it.
Chuck: I am not sure break in is the right term to use for that But just saying . . . So well really I’m rethinking this now I am not thinking of calling this access control but I am thinking of calling this compliance control that brings in everything risk control I mean there’s so many things that I can keep track off it’s just not necessarily an access issue or it’s an internal access issue
Paul: Oh well is that a compliance?
Chuck: But Yes it’s a kind of compliance control
Kurt: We all say that there’s three main compelling reasons that nobody does anything, right. It’s going to be based on risk, it’s going to be based on compliance and it’s going to be based on cost. Either one or all three of those business drivers are going to be present and that’s what’s going to drive people to do something about the problem. That’s what our system addresses all through
Chuck: Now see the operationalized… (sound muted)…it’s a technical process to integrate it into day to day operation that’s what best describe it. What level do you think you need to operate this? I understand the admin level but there could be some that gets database management and like kind of thing it feels and I guess but can the average guard now that you know basically an apple iPhone or android I mean these are people that can now utilize this technology
Paul: But there’s Microsoft
Chuck: But there’s lot of people the garbage can’s we are little behind the curve on that level right so you think its
Kurt: Absolutely. That’s the beauty of it, that we can put it to a mobile device, we could do it on a work station, right. Again, like from a visitor management perspective we made it so easy that you have to do it schedule a meeting in the network. I like that part
Paul: It’s pretty
Kurt: So the idea is to take this very complex problem and simplify it.
Chuck: We do think we did that.
Paul: Oh we probably did.
Chuck: No, we did something similar like that.
Paul: We stole another idea.
Chuck: We should put that in a box there and we would be billionaires right now. We were the first people to know. We are too far right as though access control is it says come on in
Kurt: Think about how long it’s taken to you know get to this point
Chuck: No, we were doing this in 1996. Hiring people to program a program access and it kind of bunch of people said that we can start solving crimes with it and then how would you do that?
Paul: But we did what you were talking about we are a third party and we are sucking it all technology down doing that thing and then push it back in an hour.
Chuck: There are other cases there where somebody has stolen two tape decks worth seventy five thousand dollars each. So I took all the phone records at the studio and then ran them in a database against ads in the recycler. Out of fifteen hundred recycler one guy has same number at the studio and he was selling the thing. So we knew that it was our bad guy.
Kurt: How long did it take you?
Chuck: It took us around a week because we had to get the problem. Is getting the data from the phone switch I don’t know how to do that. We just had to do an export command I don’t understand what you are talking about. It really took a button pushing to do it but getting the data from the people and now the data is already in your system and that’s a way of pushing a button to get some queries.
Paul: I mean it was do some. Really!
Chuck: Yes But we caught the guy. He is very surprised looks to me that easier
Chuck: Right Anything else you want to tell us about AMAG I’m really happy about this I was a little worried that this technology was too far for people to grab but its seems like a match matching some rows and getting people understand why it’s important and may be they are not completely driven by cost now but by a need that’s going to give internally the investment
Paul: I just think that the fact that you are saying that is they are sucking the information now that’s it
Chuck: I have I think I got to ask I touched down earlier Are you still finding the resistance from HR to integrate into their systems?
Chuck: Really? Because HR never really wants you in their system
Paul: I think they have come round.
Kurt: Yes they are pretty common now. So they say you are consuming it you are not pushing anything back. You are just you know and it helps them a lot it helps them in their processes too
Chuck: Oh you mean they can say I am not going to give you this
Kurt: Oh Yes certain data you can have certain data you cannot have
Chuck: Are you guys worried about how do you encrypt the data that is the last thing we want to talk about is? How is it encrypted? How is it protected you know. Because you have a lot of data moving in between lot of servers inside a company may be a big enterprise company how do you handle that? I mean if one guy gets it can he get everything or you bifurcate the fields in the databases to…
Kurt: So you know that all of our services are behind the IT’s firewall so it’s always very protective of their own ways of protecting the data. But then you know data-center have our hosted solutions and we go through rigorous penetration tests and different third party tests for all of our different clients already so to me it’s really I don’t think its its
Paul: You run your own data-center or do you
Kurt: We do, we have our own data-center in Burlington where we do all of our Symmetry Guest and Symmetry Connect services out of there.
Chuck: Do you think most people are reluctant to do the cloud stuff or they wanna keep stuff on their in house
Kurt: It’s interesting because there are certain protocols where we can do host we cannot. Like if you go to utility space they’re just, there’s no way, right, but then you know in the financial sector they are willing to do this, so it just depends. So I think you think that will be difficult but you’re starting to see more likelihood of people going to that because it’s just cheaper, they time it to that it takes something to get up and running, the amount of infrastructure required to support it, maintain it. As IT teams are getting smaller, you know, the hosted environment is becoming much more popular, so services are always easier to get approved because it’s an op-ex versus a cap-ex.
Paul: Services are rolled in it as well which is you know which doesn’t have any delay
Chuck: Kurt Takahashi VP Sales AMAG thanks for coming up this has been a fascinating discussion. Miss Cherise from CyberThreatBeGone.com. Thanks for joining us again in this great discussion
Cherise: Thank you
Chuck: Give us your website Kurt
Chuck: That’s very easy
Kurt: Yes. Thank you very much
Chuck: Thanks for coming in and thanks Cherise, thanks for joining us in Security Guy Radio. We will see you next week.