Interview: The compliance challenge

14 Oct Interview: The compliance challenge

Security Middle East editor, Claire Mahoney talks to Jamil Al-Asfar, senior sales manager, IDIS Middle East & Africa about the challenges involved in supplying one of the biggest bank security systems upgrade in the region

The Middle East has some of the most stringent video storage requirements in the world and nowhere is this more true than in Saudi Arabian banking sector where SAMA (The Saudi Arabian Monetary Authority) most recent standards require that video footage be stored for an entire year.

Earlier in 2019 Saudi Arabia’s National Commercial Bank, the second largest bank in the Arab world, announced one of the biggest financial surveillance system upgrades ever seen in the region, involving at least 1000 NVRs and over 2500 IP cameras which was fully compliant with the new standards.

The technology behind the upgrade came from Korean surveillance giant – IDIS and was the first IDIS solution to achieve full compliance with the new SAMA standards. The project involved a switch-over from analogue to HD IP technology across 400 branches and more than 2580 ATMs with a deadline of 2021. IDIS is working with systems integrator Almajal G4S on the project which has now become a SAMA reference site for other financial institutions

How are the region’s stringent regulations impacting security manufacturers looking to supply the market?

As manufacturers we need the resources to meet compliance requirements. Often, it’s a detailed and lengthy process and that can be a significant overhead. But once you’re there it positions you well to capitalise on opportunities – especially when you think of the large-scale upgrades and infrastructure investments taking place in the region. And of course, you’re competing with fewer vendors because ensuring and maintaining compliance isn’t cheap. Here in Dubai we are lucky in that we have a dedicated technical team and a larger multi-lingual team at our headquarters in South Korea to support us.

Compliances vary for each market sector and country and they are constantly evolving so you need to keep on top of that and be ready to evolve with them. Because IDIS re-invests more than 10% of its annual turnover in R&D we’re well-positioned to keep ahead. New technologies and features needed to meet compliance requirements are systematically added to our product roadmap.

Authorities in the region are rightly proud of the regulations they have put in place as they give organisations and government departments the surveillance capability to prevent crime, quickly identify suspects, and help preserve security and public order. And that’s a benefit to society, as well as to tourists and business travellers who want the assurance of visiting safe and secure destinations.

Why do you think you were successful with this particular tender?

Since IDIS opened its MEA office in Dubai we have focussed on building strong and mutually successful partnerships with the region’s leading systems integrators, such as Almajal G4S. Almajal G4S already had experience of working with NCB and had proven their capabilities in the KSA banking sector. By 2017, together we’d already delivered a significant number of surveillance upgrades for corporate enterprises and financial institutions in the Middle East, albeit on a smaller scale.

The full requirements, set out in the NCB’s tender documents, showed that the bank was determined to maintain its lead in the KSA financial industry.

The project priorities, identified by NCB:

• affordable yet high performance, full-HD surveillance technology
• a smooth migration path from the existing analogue system eliminating downtime
• centralised command and control and distributed management at each branch
• cost-effective ability to store large amounts of video data from 1000s of cameras, cost-effectively, for up to a year (for current and future standards compliance)
• hardware resilience and protection against a range of fault conditions
• high quality recorded footage in all lighting conditions
• a mix and match of cameras and recorders that would meet the needs of corporate offices, branches and ATMs
• competitive installation costs and reduced maintenance burden compared to the bank’s existing system
• faster and easier retrieval of footage.

We responded quickly, identifying that that first challenge to overcome was to minimise upfront costs by proposing an NVR-based and hybrid solution. With our simple plug-and-play approach to installation, we were confident that IDIS would be well-positioned.

Joining forces with Almajal G4S, which had the resources and nationwide deployment capability, we embarked on extensive proof of concept testing. And we beat the competition on all metrics: performance, initial price, and lifecycle costs, and by taking a totally new approach to meeting all NCB’s requirements around hardened cybersecurity, resilience and failover and a full year of cost-effective data retention.

Long retention times are just one of a number of government requirements for security technology. What other compliance challenges specific to the region do end-users and manufacturers face?

The increased storage requirements in the region are almost legendary in the industry. Organisations face either a costly upgrade or the expense of additional storage hardware when compliances came into play a few years ago. In some countries and sectors compliances were rolled back to more realistic level to give technology time to catch up. Today 120 days is pretty standard across most countries and sectors, but customers will often want to retain footage from cameras for longer where they cover higher risk areas such as entrances, check outs or cash desks.

Most reputable video management software (VMS) will allow users to configure retention by camera or by site, depending on their needs. The industry has seen a steady reduction in costs for storage hardware, but still there’s more burden on end-users than manufacturers.

In the Saudi banking installation the requirement to retain a year of full-HD footage presents a significant challenge, particularly in remote desert locations. An NVR approach is a more cost-effective way of meeting this challenge than a server-based solution. A shared cloud is rarely an option for mission critical surveillance and is prohibited as an option in some regions. Cloud storage has prohibitive cost due to the scale of most implementations and the retention periods.

For a manufacturer, adapting to evolving compliance requirements, especially those concerning storage, shouldn’t be an issue, particularly for vendors that have been quick to adopt H.265 and those that have developed their own advanced compression technologies such as IDIS Intelligent Codec.

So that’s what users need to check for. Dual codec lets them view in H.264 whilst eliminating the need for hardware upgrades and still reaping the storage benefits. Traditional industry approaches have meant jerkier images as the trade-off for bandwidth savings. But advanced compression technologies alleviate this frustration, delivering faster, smoother searching with clearer images, and up to 90% savings on bandwidth and storage when combined with Motion Adaptive Technology (MAT).

I’d say the need for a centralised monitoring capability across such a vast area is probably more of a challenge because control room operators need stable UHD quality video transmission to give them high-performance real-time monitoring and recording without any degradation of image quality. And with an NVR-based system you’re really going need server-crushing throughput, the best compression technologies and dynamic multi-stream control.

And then there’s the challenge of varying light conditions. In the Middle East you always have to allow for a wide variation of light intensity, and so unsurprisingly wide dynamic range (WDR) is a compliance specification in many countries. Therefore manufacturers need to be constantly testing light handling performance as they develop new camera models for various applications. And while almost all manufacturers claim WDR, results can vary and there’s often no correlation performance and price. So even an expensive camera from a reputable brand can fail the stringent compliance testing in the region.

Is there a drive to unify compliance requirements across the region? And which countries do you feel are leading the way?

SIRA in Dubai is certainly setting the standards in the UAE, across several market sectors, especially when it comes to high performance image capture in all lighting conditions, system specification, assessment and inspection requiring close attention to detail at each stage to ensure a robust level of protection. And SIRA demonstrated forward-thinking when you remember the millions of visitors who will attend Dubai Expo 2020, for whom safety and security will be paramount.

In Qatar there are rigorous security policies, which are implemented by the Security Systems Department of the Ministry of the Interior (SSD-MOI). Businesses such as gold retailers are required to install advanced measures including IP-CCTV systems.

SAMA is definitely leading the way in the competitive Arab banking sector. KSA is determined to maintain its lead the world in Islamic banking, and ensuring security is critical to that success. The new regulations signal that intention and other Arab banks are now taking SAMA’s lead and looking towards the authority for best practice advice. And in doing so SAMA is unifying the compliance requirements in banking across the entire region. The IDIS project at NCB is used as a reference for other financial institutions looking to comply with higher security standards. NCB hosts other banks, along with representatives from SAMA, demonstrating how the IDIS solution offers a new way forward.

Having to upgrade systems to meet regulations is obviously a huge cost to the banking sector how are manufacturers such as yourself able to ease that burden and soften the blow for end-users?

The failover and resilience requirements can be a challenge. A standard industry approach to providing failover is to engineer devices into the system at each facility or ATM – but this is both complex and expensive, with additional hardware and services typically adding costs of between $200 and $500 per site, depending on the nature of the set-up and, of course, regional labour rates.

To avoid this, users should look for in-built, pre-configured solutions that have no additional cost. For example, temporary failover functionality means that if there’s instability on the network the camera will save to an internal recording buffer to avoid a break in data. Look for cameras that come with a built-in SD card. With IDIS Smart Failover, once network stability is restored, the SD card will automatically transfer footage back to the NVR.

In NCB’s case not only does that give peace of mind, it saves the cost of calling out engineers to retrieve the SD card, which can save up to $150 per visit depending on the location.

Where video capture is non-negotiable, users will also need to consider another level of redundancy that will automatically step in to ensure continued recording across an entire system in the event of a critical incident such as a flood, fire or a complete power outage.

The NCB install was a huge undertaking – especially as the bank was moving from an analogue based system – how did the installation team ensure this was as smooth as possible?

Finding a smooth migration path from the existing analogue system, without downtime, was paramount. If there was an incident that couldn’t be investigated using video footage this could have resulted in SAMA penalties.

Almajal G4S started with a complete control room upgrade, implementing IDIS Solution Suite video management software to link in the existing analogue system, using IDIS Encoders connected to legacy DVRs, establishing centralised management and control across all NCB facilities.

That meant that as we upgraded 100s of branches and ATMs, NCB were still able to centrally manage both IDIS IP surveillance and the old analogue system from the same user interface. No facility was ever left without CCTV protection. The IDIS solution also delivered a cost and work advantage at every stage.

The IDIS complete one-stop-shop solution means that all devices and software seamlessly connect through simple IDIS DirectIP® plug-and-play technology, for faster installation. In fact connecting an IDIS camera to an NVR takes just three minutes. This degree of labour saving was significant on such a large-scale implementation, cutting costs and avoiding project overruns.

IDIS’s For Every Network (FEN) capability, which uses peer-to-peer technology, also allowed Almajal engineers to quickly name the branch or ATM and connect the system to IDIS Solution Suite, eliminating the complexity usually associated with multi-site surveillance. Not only did this further speed up deployment, Almajal G4S engineers didn’t need expert knowledge of routers or specialist networking skills.

DirectIP also standardises cybersecurity because it acts as a mutual authentication system so that when cameras are connected to IDIS NVRs, both devices authenticate each other automatically. This meant Almajal G4S engineers didn’t need to manage 1000s of IP addresses and associated passwords during implementation – eliminating the risk of human error.

What are some of the technical issues that you have to overcome specific to the locations and the size of the network?

SAMA requires an unprecedented level of resilience and redundancy to be built into surveillance systems to ensure stable and continuous image capture, particularly since surveillance equipment needs to operate 365/24/7 in often dusty environments and extreme heat.

NCB were also impressed with the resilience of IDIS NVRs and eSATA devices. Not only did IDIS have the lowest industry hard disk drive failure (HDD) rate, its IDIS iBank is a proprietary file structure with in-built RAID 1 and RAID 5. This gave assurance that, even in extreme cases of damage, video data could be automatically restored and restructured, making it possible for IDIS NVRs and external storage to run high-performance playback. So, that challenge was overcome, and industry norms far exceeded.

The other big challenge was latency and bandwidth via satellite connections. Many of NCB’s ATMs are in remote areas that lack readily available Wi-Fi or cabling. Instead, they rely on satellite connection to the NCB network, so signal strength and stability can be affected by weather conditions such as the strong winds common in desert environments. Satellite internet comes with speed limitations and is around 25 times more expensive than cable internet. This lack of bandwidth and speed results in a higher latency, which was a challenge because NCB wanted high quality recording that would provide a visual audit trail of transactions and the ability to easily and quickly retrieve footage.

And once again, in the event of network instability and failure, it could result in a loss of recorded footage and SAMA penalties. One way around this would have been to increase bandwidth by paying more to the satellite company, but NCB were determined to keep running costs low.

IDIS were able to solve this problem with optimized network bandwidth through dynamic multi-stream control, an important feature of IDIS Solution Suite. It detects overloads and helps prevent network strain. And, importantly, it improves the control room operator’s quality of experience in the face of varying network bandwidth.

Further, IDIS cameras all use temporary failover, recognise when the network is unstable, and save to an internal recording session buffer (NLTSrec, up to 60MB). Once the network connection is restored data is automatically transferred to the NVRs. So, there is no data to break and importantly no need for Almajal engineers to make a maintenance visit.

Pull quote: “The new regulations signal that intention and other Arab banks are now taking SAMA’s lead and looking towards the authority for best practice advice. And in doing so SAMA is unifying the compliance requirements in banking across the entire region.”