Until recently, the worlds of IT and AV have mostly maintained a polite distance. IT received word of an issue only when a customer purchased an AV solution that needed a server to host a service, or that had to integrate with calendaring or conferencing systems linked to a corporate directory.
That has started to change with the introduction of AV over IP and other technologies that have begun to take advantage of the existing IT infrastructure to link AV resources together. Where before there was dedicated infrastructure between these resources that remained isolated, now newer AV devices can ride over the IT backbone, access the Internet for cloud services, connect to internal services/resources, and use multicast technologies.
There still seems to be a polite distance between AV and IT, which is the problem. IT might not even be invited to the table until the product is purchased and installation is underway. This is the wrong time to start discussions with IT and security.
I joined my company, an AV integrator, last year, and have observed less-than-efficient interactions between local AV teams and corporate IT/security. Not always, but enough that mentioning it seemed necessary.
Why is this important and a concern of security? Because many AV integrators/vendors do not have the IT expertise to integrate into an enterprise IT environment. Is it a concern? Most companies want video conferencing, room or seating reservation systems, digital signage, and other AV-related solutions. So chances are you will be told to make it work. If so, it is better to help find the answer than to be told to work with an already purchased one.
AV systems over the IT network are bandwidth hogs (some video transport methods require 10Gb links per source) that can have many endpoints located around the network. Some of these services also require multicast, corporate mail/calendaring access, or internet access. As you can imagine, there is an excellent chance that the AV integrator will not have the IT knowledge required to secure these services properly. They might not consider the risks to the network or services.
This scenario also describes some AV vendors that are new to enterprise IT programming and security standards. Some of these vendors have chosen practices or methods that lean toward ease of use rather than accounting for modern security practices.
The goal of this article is not to single out any particular vendor, integrator, or customer but to give IT security practitioners a ‘heads-up’ on the AV world and the continuing drive to leverage IT infrastructure and services. Better to get to know your corporate AV team and have them come to you early in the discovery process than to find out after a high-risk but really cool tool has been purchased and senior management is eager to use it.