Considerations for Seriously Secure Control Room Solutions
Creating the best possible control room or command center requires more than streamlining your solutions to generate a functional and comprehensive view of operations across the enterprise. Your organization will need to consider a number of factors beyond which video surveillance, emergency communications and alert system technologies it will support. In addition to all the inherently crucial aspects of mission-critical environments, we’ve identified a few additional security measures below that you may want to consider as you construct your company’s control room.
AV-over-IP solutions that use standard TCP/IP communication through standard switches and routers provide a broad variety of lock-down options for security-conscious customers. Because they run on a standard network, customers can lock down their own switches, routers and other network tools according to their own security policies, using the network monitoring tools they already know.
There are three ways to configure the network, with different levels of security and flexibility, all feasible with Userful’s solutions:
- Fully Air Gapped: Completely detached from the corporate network. The server drives the displays via its own air-gapped network with a dedicated router and switch.
- Partially Air Gapped: The server is either connected to the LAN but not the Internet (in the case of Userful, this gives access to internal sources and resources but not to Userful Cloud), or connected to the Internet but not to the LAN. In the latter case, the Userful server is reachable via Userful Cloud and can display web-based resources, but has no direct access to internal sources; any LAN sources that do need to be displayed can be brought in via an HDMI capture device.
- Fully Integrated: Though a fully integrated deployment provides the most flexibility, we recognize that some security-conscious organizations may prefer to begin with a full or partial air-gapped approach and work their way up (for example, while the organization becomes familiar with Userful’s software stack). For a Userful deployment, there are several ways to configure the Userful server and network so that its traffic is isolated from your main network. We suggest running the Userful server behind its own router; alternatively, customers can use a dual-NIC strategy in the server, with one NIC talking only to the zero-client receiver devices and the second NIC talking only to the corporate network. Both strategies fully isolate the video traffic and keep the setup flexible.
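A defender adopting the dual-NIC layout will want to verify that the server cannot become a bridge between the receiver network and the corporate network. The following check is an added example, not Userful's code: it inspects a host's routing table and forwarding flag against the isolation rules just described. The route records are a constructed stand-in for what `ip -j route` reports (keys `dst`, `dev`, `gateway`, `scope`), and the interface names and addresses are assumptions for illustration.

```python
"""Check a dual-NIC control-room server against the isolation rules described above.

Added example, not Userful's code. Route records are a constructed stand-in for
`ip -j route` output; interface names and subnets are assumptions for illustration.
"""
from ipaddress import ip_network

# Constructed sample: eth0 faces the zero-client receivers, eth1 faces the corporate LAN.
GOOD_HOST = {
    "ip_forward": 0,
    "routes": [
        {"dst": "10.10.0.0/24", "dev": "eth0", "scope": "link"},
        {"dst": "192.168.50.0/24", "dev": "eth1", "scope": "link"},
        {"dst": "default", "dev": "eth1", "gateway": "192.168.50.1"},
    ],
}

# Constructed sample that breaks the rules: forwarding on, receiver NIC has a default route.
BAD_HOST = {
    "ip_forward": 1,
    "routes": [
        {"dst": "10.10.0.0/24", "dev": "eth0", "scope": "link"},
        {"dst": "default", "dev": "eth0", "gateway": "10.10.0.254"},
        {"dst": "192.168.50.0/24", "dev": "eth1", "scope": "link"},
    ],
}


def check_dual_nic(host, receiver_nic="eth0", corp_nic="eth1"):
    """Return a list of findings; an empty list means the two NICs are isolated as described."""
    findings = []
    if host.get("ip_forward"):
        findings.append("ip_forward is enabled: the server could route between the two NICs")
    receiver_nets = []
    for r in host["routes"]:
        if r["dev"] == receiver_nic:
            # The receiver-side NIC should only know its directly connected subnet.
            if r["dst"] == "default" or r.get("gateway") or r.get("scope") != "link":
                findings.append(f"{receiver_nic} has a routed path ({r['dst']}); receivers must be link-local only")
            else:
                receiver_nets.append(ip_network(r["dst"]))
    for r in host["routes"]:
        if r["dev"] == corp_nic and r["dst"] != "default":
            corp_net = ip_network(r["dst"])
            # Overlapping subnets would let corporate traffic be answered on the receiver side.
            for net in receiver_nets:
                if net.overlaps(corp_net):
                    findings.append(f"receiver subnet {net} overlaps corporate subnet {corp_net}")
    return findings
```

On a live Linux host the same dictionary can be built from `ip -j route` and `/proc/sys/net/ipv4/ip_forward`.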
Role-Based Access Control
Control rooms within enterprises are the epicenter for managing both operational and physical security. Userful’s latest innovation, role-based access control (RBAC), addresses this critical function by enabling control room administrators to grant and restrict specific features and permission levels based on customizable teams.
With role-based access control, management can create permission structures that build accountability and reduce potential security gaps caused by human error. This is a crucial feature for large enterprise customers, as administrators can determine in advance what access role each user should have, providing an additional security measure that a modern work environment requires.
For additional information on Userful’s role-based access control feature, visit Userful Support.
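To make the team-to-role-to-permission structure concrete, here is an added example of deny-by-default RBAC for a control-room console with an audit trail for accountability. It is not Userful's implementation; the feature names (`wall.view`, `source.add`, ...), teams and users are constructed for illustration.

```python
"""Role-based access control for a control-room console.

Added example, not Userful's RBAC implementation. Feature names, teams
and users are constructed for illustration.
"""


class AccessControl:
    """Deny-by-default authorization: users get permissions only through team -> role."""

    def __init__(self, role_permissions, team_role, user_teams):
        self.role_permissions = role_permissions  # role -> set of feature permissions
        self.team_role = team_role                # customizable team -> role
        self.user_teams = user_teams              # user -> list of teams
        self.audit = []                           # every decision, for accountability

    def permissions_for(self, user):
        perms = set()
        for team in self.user_teams.get(user, []):
            role = self.team_role.get(team)
            perms |= self.role_permissions.get(role, set())
        return perms

    def authorize(self, user, permission):
        # Unknown users, teams or roles yield an empty set, so the answer is deny.
        allowed = permission in self.permissions_for(user)
        self.audit.append((user, permission, "allow" if allowed else "deny"))
        return allowed


# Constructed sample policy an administrator might define in advance.
ROLE_PERMISSIONS = {
    "viewer": {"wall.view"},
    "operator": {"wall.view", "wall.change_layout", "source.select"},
    "admin": {"wall.view", "wall.change_layout", "source.select", "source.add", "users.manage"},
}
TEAM_ROLE = {"night-shift": "viewer", "soc-operators": "operator", "av-admins": "admin"}
USER_TEAMS = {"alice": ["soc-operators"], "bob": ["night-shift"], "carol": ["av-admins", "night-shift"]}

if __name__ == "__main__":
    ac = AccessControl(ROLE_PERMISSIONS, TEAM_ROLE, USER_TEAMS)
    for user, perm in [("alice", "wall.change_layout"), ("bob", "source.add"), ("mallory", "wall.view")]:
        print(user, perm, "allow" if ac.authorize(user, perm) else "deny")
```

The audit list is what turns "who can do what" into accountability: a review of denied decisions shows where a team's role is too narrow, and a review of allowed ones shows where it is too broad.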
Industry Standard Hardware and Locked Down OS
Hardware-centric solutions require media players, thin clients or similar hardware to connect the solution to the display. Userful uses zero-client receivers, which enable a highly secure connection because the device is not exposed to the host network, including its zero-client discovery traffic. There is no viable path for launching an attack from this device: it has no operating system and no hard drive, just a few bytes of memory (enough to store a host name and a serial number).
Userful is a complete solution installed on bare metal, so you don’t need to manage the base OS yourself (unlike many video wall solutions that are essentially a software application layer running on top of a separately maintained and supported desktop operating system). The use of a locked-down operating system ensures an extraordinary level of security compliance. With unfamiliar proprietary hardware, by contrast, the IT team will need to perform rigorous testing to ensure that the embedded operating software is safe and trusted, which increases costs and delays the startup process.
A standard server and network allow customers to extend their existing best practices and firewall policies, from BIOS to network systems, to their displays. Because these software-centric solutions are 100% browser managed, they eliminate the vulnerabilities found in third-party apps.
Locking the Userful PC/Server in a secure, and ideally video-monitored, server room (or closet) significantly reduces the risk of unauthorized and undetected physical access to the server. In stark contrast, many commercial video wall solutions mount the controller directly behind or below the displays themselves, in a public and often unmonitored location. Such unfettered access to the controller increases susceptibility to a host of easy physical tampering, trojans, loggers, theft and other risks.
Threats to an organization are not limited to physical security, and command centers can process data from a wide range of sources, offering risk mitigation and safeguarding business processes throughout the enterprise. Security is paramount in the architectural approach. By providing the option to operate with no Internet connection, assign permission levels and run locked-down software, you can ensure security and peace of mind for your enterprise.