It has been about a year and a half since a new security regulation — GDPR — was implemented. Effective in the EU, this regulation has also affected many international companies and provided an excellent example of a high-level security standard for other countries. Among other areas, the security industry was shaken by GDPR implementation.
In spite of many talks on the subject, some common misconceptions reveal that not everyone fully understands how it works. We are sometimes asked: is your software GDPR compliant? But this does not make sense! The software itself is not the data processor; instead, the end customer’s company is. Our developers wear their fingers to the bone, creating instruments that will help your customers achieve GDPR compliance. But storing a sandwich in the fridge does not satisfy your hunger. Installing the software, no matter how dandy, does not automatically guarantee 100% compliance with a security standard.
Is there something else in our power to assist? At this point, we would like to highlight the existing security features and remind you how they are related to GDPR, helping you build the most secure CCTV system ever.
Feature : Elaborate user permissions and resource grouping.
Granting permissions one by one for a long list of resources is enormously time-consuming. To speed things up, we have added grouping for all resources in CORTROL Console. With just a few clicks, you can create suitable access profiles (permission sets). When adding a new user, put him/her into the necessary groups and then grant individual permissions on top. Detailed permissions include temporary access to the video archive (e.g., user can only access the last N days), and stream access selection (video/audio/data/VCA) for both live and archive mode. For your convenience, CORTROL VMS supports both internal and AD/LDAP users.
Why: Convenient, flexible access management with a high degree of detail.
On top of that: CORTROL Monitor features automatic logoff after a specified inactivity period. Also, you can prompt users for a login reason every time they connect to the server.
If not used: Using a single administrative user account on all occasions is convenient yet insecure. If you employ automatic client login, better use dedicated accounts with limited permissions to prevent data breaches.
What: Detailed audit log.
CORTROL VMS records every user action, and stores action history in a separate database. It also keeps track of all essential server events, like restarts and configuration backup. Using E&A, you can add other events triggered by different resources to audited as well. The audit information is textual: it does not require extra terabytes for storage. Furthermore, CORTROL allows extracting any part of the log into a CSV file.
Every step you take, I’ll be watching you, © Gordon Sumner.
Why it matters: auditing is an efficient way to track all changes in the system configuration. It is also the tool you will need to handle the consequences of a data leak (I hope you will never have to!).
What if you do not: you may have to handle mysterious configuration changes or discover uploaded video clips from the archive to Youtube without a chance to learn who did it. But yes, you can disable auditing via Console from under the administrative account.
The Crypto Bit
What: Encryption on all levels.
All CORTROL databases are encrypted by default. The data flow — server-to-server and server-to-client connections, both TCP and HTTP — can be encrypted at will. A recent software update also introduces HTTPS for the server-camera connections. For the video archive: you can protect every storage item with a different password. In-software archive access is shielded by user passwords. Therefore, clients decrypt the archive automatically. Anyone accessing the proprietary archive format (unreadable by third party software) with our Portable Player will have to enter the password. One more precaution: several databases instead of one add extra resistance against corruption.
What for: Help enforce integrity and confidentiality, protecting you from accidental data loss or damage. Unauthorized parties with malicious intent cannot gain access to your data.
Do you need it: Imagine anyone breaking into the system with hassle-free access to all resources. Unencrypted passwords pose even more threat: there is a chance the same user accounts are applied elsewhere within the establishment.
Privacy MaskingIn case you missed it: Motion filter upon video export.
The logic: If the video information leaves the data collector’s jurisdiction, they need to make sure the unnecessary details are not revealed to the third party. This data appertains to the confidentiality principle of GDPR, providing anonymization to protect the identity of personal data. Upon extracting any video clip and before converting it into a standard file format, you can choose to blur certain scene areas. The masking may be either permanent or motion-based.
Can you live without it: quite, as long as the video is not exported. Or, as long as you are under no [legal] obligation to use masking.
The news: An option to remove archive and protect it from deletion.
All CORTROL servers now offer a possibility to delete selected parts of the video archive at will. Consequently, there is a “counterpower” to protect any part of the archive from being deleted.
This one is rated “The TOP 1 Contradictory CORTROL Feature”, allegedly being a potential threat to the archive integrity. Hence, this feature is disabled by default and can only be activated by the system administrator explicitly. To stay on the safe side, keep this setting disabled, and prevent even users with elevated rights from having the “delete” button in CORTROL Client (Monitor).
After enabling this setting, you can remove the parts of the archive, which are no longer required — without having to wait until quotas are applied. This step improves your compliance with the data minimization principle of GDPR. You can delete a specific part of the footage, should you be requested to do so. Per-server and per-channel recording quotas and event-driven recording also complement to the storage limitation principle.
Pros: only collect and store the data you need, and get rid of the rest. As GDPR obliges data processors to be able to remove personal data upon request, CORTROL provides a perfect tool for this.
Cons: maybe a bit too powerful of a tool, so grant this permission with extra care. Practice shows, you can spend years living happily without it. However, if its usage is inevitable, it is just one click away.
CORTROL VMS presents many components aimed at improving your current and future installations. Whether its GDPR compliance, other security principles, or merely common sense.
All CORTROL footage has a watermark on it. For the native archive format, the watermark is added and verified automatically upon playback. If any frame does not have it — e.g., being broken or modified — the software will notify you. For the video clips exported in common formats, and snapshots, watermarks are appended as well. A tiny validation tool comes along, allowing watermark verification with a single click.
Speaking of fulfilling the information accuracy principle of GDPR: this one seems to be natural in the security industry, as the video information is quite unambiguous. However, if the video is stored in low quality, there may be doubts. It cannot serve as evidence; it may not be enough to prove the location or identity. CORTROL allows storing video of virtually unlimited frame resolution, accompanied by audio and other supplementary data. Thus, you gain a more precise identification of the objects of interest.
CORTROL Global, amongst its enterprise features, also offers archive replication. If you have used it already, you probably remember that replicas are copies of the original archive tracks. Stored in different physical locations, they serve as additional protection from data loss.
And, should someone wish to execute their rights to access to the information you store about them, CORTROL has all the tools to ensure a fast and effective process:
- rapid motion-based search and video sequencing
- event-based recording and bookmarks
- video export in standard formats with watermark validation
- own portable player to ensure data readability without CORTROL installation
Do you think we have missed something? Let us know!