One of the reasons that IP video systems are becoming increasingly popular for security video surveillance is the flexibility that a networked solution can provide. System components and video display workstations can be located at any point on the network. This allows users to access live and recorded video from anywhere on the network, whether it is in a security control room or on a manager’s desk.

The implementation of identity authentication management (IAM) is therefore fundamental to ensure the integrity of IP video systems. IAM is implemented in the system’s video management software. This software is at the heart of an IP video system and manages the display of live camera feeds from the network, handles the recording to networked video recorders (NVRs) and provides a suite of tools for analyzing recorded video. Video clips can be exported from the software for evidential purposes. The issues of IAM also extend to the authentication and protection of these exported clips.



User Management

IAM is supported in IP video systems through the use of sophisticated user accountfeatures that allow a system administrator to customize user accounts accordingto the role of the user, thus preventing them from accessing unauthorized functionalityand sensitive video feeds not appropriate to their role or position. IndigoVision’sControl Center video and alarm management software, for example, implements useraccounts and is typical of high-end IP video systems.

When Control Center is first installed, a single user group is automaticallycreated, containing the initial system administrator account. The administratorcan then create other users and user groups. Each user must be a member of auser group and this group governs the level of the user’s access to administratorfunctionality.

The three levels of user groups are full administrators, restricted administratorsand operators. Full administrators have access to all the management softwarefunctionality. Restricted administrators have access to all functionality, exceptfor the creation, deletion and modification of user accounts and groups. Operatorsdo not have access to administrator functionality and cannot change the sitedatabase. Each group can have multiple members, and multiple groups can havethe same level of access, thus allowing multiple, full and restricted administratorsin the same site database.

User access permissions enable the administrator to specify restrictions on howeach user interacts with objects in the site database (camera, monitor, relay,etc.). The administrator can grant or deny access permissions for operator usersand user groups. For example, a camera has the following access permissions thatcan be granted or denied, which allows the user to:
  • List – see this object in the site explorer
  • View – view live video from the camera
  • Playback – playback recorded footage from the camera
  • Record – start and stop on-demand recording jobs from thecamera
  • Control – control PTZ cameras
  • Transmit – transmit audio to camera
  • Export – export recordings and take snapshots from camera
By having feature-based permissions, the administrator can tailor access to asite object based on the actions a user will be performing. For example, a userwhose sole job is to review recorded video would need list, playback and possiblyexport permissions, but would not need view, record, control or transmit. Ifa user tries to view a camera without view permission, control center would informthem that they do not have permission to do this. Full and restricted administratorshave all access permissions to all site objects by default and this cannot bechanged.

User access permissions are set up in a similar manner to setting permissionson files and folders in a Windows-based system. Access permissions are hierarchicaland can be inherited from the object’s site. In this case the administrator specifiesthe access permissions for the site and then all objects in the site inheritthese permissions.

User groups speed up configuration because access permissions for site objectscan be applied to user groups. All users in the group then inherit the same accesspermissions, eliminating the need to set up permissions for each user account.




User Authentication

When an administrator creates a user, login authentication is chosen. The system supports two methods of authentication: password authentication and Windows account authentication.

Password authentication requires the user to enter an individual password at each login. For Windows account authentication, the administrator selects a Windows account that authenticates the user. This can be an account on the local PC or on a Windows Active Directory domain. When the user tries to log on, the system checks whether the account of the currently logged on Windows user matches the one that authenticates the selected account. If yes, the user is granted access.



Video Lockout

Video lockout allows an authorized user to prevent all other users from viewing live or recorded video from one or more cameras while an incident is taking place. This means that all video being viewed is stopped immediately and can only be viewed by the authorized user.

When a “lockout” occurs, the system suspends scheduled recording and immediately starts recording to a designated “lockout” NVR. Users who can no longer view video are informed that a “lockout” has taken place.



IP video surveillance systems can provide the user with unparalleled levels of flexibility and access to live and recorded video. Oliver Vellacott, CEO of IndigoVision, explains how today’s IP video systems implement IAM

Audit Log

Such a design provides an audit logging function that enables certain actions to be logged. User actions, such as login, log off and view recorded video can be logged in an open database connectivity (ODBC) compliant, for example, SQL Server or MS Access, or in a text file. This can help administrators track the actions users were performing and when they were performed.


Public Key Encryption

Public key encryption is a modern, standard method for encrypting digital data and is used in a wide range of applications, such as protecting bank details, Internet transactions and ensuring secure computer communication, not just for protecting video content.

A key is basically a very long string of binary digits typically containing over 1,000 bits. Public key encryption uses two such related keys: a private key and a public key. The private key is used to encrypt the data to be protected and is kept totally secret. The second half of the key pair, the public key, can be used to unlock the data. With the public key it is possible to see the data but it is not possible to modify the encrypted data without the private key.

There is a dual layer encryption system comprising of both digital signature and watermarking technology. The use of a digital signature offers strong cryptography using industry-standard public key encryption techniques, to secure the video data. The digital signature is then “hidden” within the video itself using a watermarking technique making it invisible when viewing the video in a standard video player or when the actual raw bytes of data are directly examined.



Watermarking

Watermarking is the process of adding information to the actual video content itself. A watermark may be designed to be visible, for example for copyrighting, or invisible, for content protection or secret communication.

Watermarking is the more traditional approach to protecting video content and has been used extensively in analog video systems. However, its suitability for the protection of digital video is less justifiable as digital techniques, such as public key encryption, are far more powerful, secure, faster to compute and simply more suited.

In one design, watermarking is used to hide the digital signature of a file within the video itself, in order that the hidden signature is totally imperceptible to the human eye. This adds a further level of security and confidence that the video cannot be compromised.



About the Source

Security Magazine thanks Oliver Vellacott of Indigo Vision. He was previously a manager with a background in intelligent camera products.


IP video software offers instant playback to those with the proper authorization.

SIDEBAR: Exporting Video

Protection of exported video is important to ensure that vital information, suchas the time and date of an incident, the duration of video clip, the identityof an intruder, a license plate or any other vital information is accuratelypreserved for evidential purposes. There are many ways and reasons, maliciousand accidental, that an exported clip can be modified in an insecure environment,for example:
  • A file can be shortened in duration to remove incriminatingevidence.
  • A file may be imported into a third party editor and videomodified.
  • The internal time associated with the video in the file maybe altered to give the impression that the video was recorded at a differenttime.
  • Frames, or segments, of video may be removed or re-ordered.
  • Individual video pixels may be altered in the file.
  • Video corruption can occur through faulty file storage.
An authentication process can detect all of the above scenarios.By using separate software, it is possible to authenticate the exported clipat any time to determine whether any such tampering has occurred.