0:03

Hello, I'm Karen Quatromoni, the Director of Public Relations for Object Management Group, OMG.

0:10

Welcome to our OMG Podcast series. At OMG,

0:15

we're known for driving industry standards and building tech communities.

0:20

Today we're focusing on the augmented reality for Enterprise

0:25

Alliance area, which is an OMG program.

0:29

The area accelerates AR adoption by creating a comprehensive

0:33

ecosystem for enterprises, providers, and research institutions.

0:39

This q and a session will be led by Christine Perey from Perey Research and

0:44

Consulting. Hello and welcome back.

0:48

This is Christine Perey and I'm hosting this fireside

0:52

chat today with a colleague, James Cooper,

0:57

and we're going to be talking about security and the issues of

1:02

security around AR devices and AR content in the enterprise.

1:07

James, would you introduce yourself please? Yeah, thank you Christine. So as mentioned, I am James Cooper.

1:13

I am a chief technologist for Advanced Visualization Technologies at Raytheon,

1:17

which is part of RTX. So I've been doing this for a couple of years now,

1:21

really looking at different use cases, needs and opportunities where advanced visualization solutions,

1:26

including augmented reality, might help us meet our needs and stay ahead of the curve. I've also,

1:32

for the last, I think two, maybe three months now,

1:35

been the security committee chair for area.

1:38

So helping to serve on looking at the needs and opportunities really

1:43

focused on security and augmented reality applications across enterprise.

1:47

Perfect. Well, I wrote up a trend in that blog post in January

1:56

suggesting that maybe security would be something

2:00

that could be put into the network. What do I mean by that?

2:06

That the network servers or equipment would have

2:14

information about users

2:18

that would allow them to authenticate without

2:23

having to do a lot of inputs,

2:26

like a password and other things.

2:30

There are other approaches, but I think maybe this year there's going to be

2:38

some developments in that area, but it's just a rumor, it's just an idea,

2:43

and I wonder if you have any concerns about that or if you have any

2:48

opinions and professional opinions about that strategy.

2:54

Yeah, absolutely. So I mean, in my experience here at Raytheon and Aerospace and defense in general,

3:01

network-based security, it's something that we've done for a while.

3:03

It's not as advanced and streamlined as what you were proposing

3:08

there. So it isn't quite a simple matter of plug and play,

3:14

but if you're looking at something like say a standalone AR device and

3:19

versus a company mobile device,

3:21

something that we're really going to deploy as a device that can access

3:26

our company information, there's a lot that goes into how we're assessing both the hardware and the

3:33

software, even the chip sets themselves that are on these devices to make sure that we

3:38

understand the country and places of origin, factories of origin.

3:43

So for us, I don't know if we'll eventually get to the point where maybe we are able to

3:49

just plug it in and through some kind of simpler,

3:52

more straightforward authentication, it'll understand,

3:55

accept who we are. There have been advances made in that way,

3:58

like our company mobile devices where we can use things like facial recognition

4:03

or thumbprint recognition as part of that authentication.

4:06

But there's still a lot of other factors, VPN or single sign-on or other kinds of methodologies that really need to be

4:14

used to authenticate who we are.

4:17

So that's going to continue to be a lot of concern for us is what is that

4:22

sufficient adequate degree of authentication and user validation,

4:26

even role validation. So if I say that, okay, this is Christine,

4:30

I know this Christine, but what access does Christine?

4:34

What's appropriate for her to have? What systems should she be able to access?

4:37

What data, what capabilities?

4:40

So there's a lot that currently has to go into it and how we might approach

4:45

that in a secure sensible manner towards this future

4:49

state is definitely something that's going to require some thought.

4:54

And is that in scope?

4:56

Is that the discussion that you're having in the security committee?

5:01

What are the approaches that are under

5:05

consideration or that are recommended?

5:09

So under the security committee right now, a lot of our activities have been focused.

5:15

Ron Zaha has been leading this effort towards this augmented reality security

5:19

maturity model or SMM. And really we've been having a lot of discussions around what are the different

5:26

levels of maturity for augmented reality systems within an enterprise.

5:32

And there is a lot in there about security and the appropriate levels if you

5:37

have, how users authenticated, how the roles are defined,

5:41

what types of mobile device management or MDM are deployed, all these systems,

5:47

all sorts of factors like that. We're actually having a pretty thorough discussion around these and continue to

5:54

really iterate that on that because it is a really comprehensive and deep

5:59

discussion that warrants a lot of into consideration.

6:03

Are the standard MDM platforms,

6:08

I don't need to name any by name,

6:12

but are the ones that we used for managing laptops

6:17

and cell phones and other devices appropriate and

6:21

ready for managing AR devices as well?

6:27

Yeah, no, that's been part of the consideration here at Raytheon.

6:30

We're looking at more of these augmented or other XR devices

6:35

and saying for the ones that are tethered to your PC are less of a

6:40

concern because you're matched more on the computer.

6:43

But as we're increasingly looking at these standalone mobile devices,

6:47

we really do need to look at that MDM component.

6:51

And there are a number of companies that are the non-traditional.

6:54

They're emerging out in the last several years saying that they are around

6:58

really to manage these XR devices, but they're new players.

7:02

We would still have to go through and do a lot of vetting of their capabilities

7:06

and do deep dives. And there is, in our industry,

7:10

there's a lot of consideration about cloud architecture. Of course,

7:12

a lot of these tie back into the cloud and especially the commercial cloud,

7:16

and that can be a real showstopper for us.

7:19

I was thinking that exact, those were the words I was thinking. Yeah.

7:24

But I think that there's also a

7:28

edge that can be deployed on an enterprise

7:33

network and also, let's see,

7:39

5G, maybe there's some capabilities that are inherent to 5G

7:44

that could serve when you deploy a private 5G

7:49

network. Is that the case? Are there special services there or not?

7:56

So there is definitely some consideration about separate non-production

8:00

networks versus actual deployed come corporate networks.

8:04

We do have several of those kinds of paradigms here at the company,

8:08

and I know others out there have as well. Again,

8:11

a lot of discussions around these types of things in the security committee.

8:15

So sometimes it is through an MBM,

8:18

and there are some of the more traditional ones out there that you mentioned

8:22

that that exists now on some of these devices or deploy all the devices.

8:27

But even without that, notwithstanding,

8:30

there are times when you might look at it and say, okay,

8:33

it doesn't really make that much sense. It doesn't bring that much value to deploy it on our company factory network,

8:38

for example. So there is a secondary network that might be more secure.

8:42

Maybe it is an edge network like you're talking about,

8:45

or maybe it's just some logically separated other division of your company

8:49

network. But that's definitely another way that we are looking at enabling security for

8:55

these devices. It's more to manage.

9:00

It increases the complexity of the integration and the

9:04

management. I'm sure. It certainly does.

9:07

Yeah. Are there some other security trends that

9:15

you as a professional in this field really need to keep on top

9:20

of? And you feel that AR professionals would be,

9:25

well-served to know and understand what those trends are?

9:29

What else is happening? Is it, let me just preface this before you answer to say,

9:36

many of the devices that you might be

9:41

evaluating are really developer devices and not

9:45

production devices. They're created to help developers experiment,

9:53

explore all the capabilities. So there are things that are open that in a production device you wouldn't have.

9:59

There are of course the reverse some things that are closed where developers

10:04

would like them to be open access to different kinds of cameras,

10:07

different kinds of sensors from below the operating system itself.

10:12

But I'm wondering if there are security trends

10:17

that aren't AR specific, but that we can

10:22

apply or learn from.

10:26

Yeah, I think so. I had a couple of thoughts about this,

10:29

thinking about the questions ahead of time, and one of the things I think is interesting right now of course is that a lot

10:36

of the really prevalent AR or MR devices that are out there have

10:41

been developed with a little bit more of industry and focus enterprise and

10:44

focus. So people like yourself and myself who've been looking at this with an

10:49

enterprise eye for years,

10:52

we've seen these technologies and tried to understand what capabilities they

10:55

bring, and we've had our enthusiasm about 'em.

10:59

But of course nowadays with things like the MedQuest three or the Apple Vision

11:02

Pro, there is this significant renewed interest.

11:06

I dunno if it's going to be yet another hype bubble or if this is going to be

11:08

something more sustained. But I think part of what we need to look at too are these newer technologies

11:13

such as, say when smartphones came into the corporate environment,

11:17

there's going to be this influx of these devices of interest. A lot of people,

11:22

all different levels of the company are going to want to see how do we bring

11:25

these devices in? Where are they going to be usable?

11:29

How do we actually bring value to ourselves and our customers with them?

11:32

And so studying those trends about how to onboard these devices and do it in a

11:37

way that makes sense and is secured,

11:39

I think that's going to be a big thing really starting this year.

11:44

The other thing that I really thought about,

11:46

I've been given a lot of thought about is of course there is a tremendous amount

11:49

of talk these last couple of years about ai.

11:53

It's been there for years and years, for decades and decades, of course,

11:55

but these last couple of years with generative ai,

11:59

with chat GPT and midjourney and whatnot,

12:03

there's been a ton of discourse around that,

12:06

and I have been seeing a number of talks,

12:08

and I've even given talks at Raytheon about the intersection of AI

12:13

and xr, and there are a lot of security concerns around ai,

12:22

about the kind of information you're putting into it and training it with about

12:26

the accuracy of the information that's providing you. Of course,

12:29

we've seen cases where it provides inaccurate or fabricated information.

12:33

Exactly. Hallucinations. Yeah, yeah, absolutely. So now,

12:38

if this information is right in front of you,

12:40

right in front of your eyes and it is affecting how you perceive the world

12:45

itself, that's going to be a whole different consideration about our interaction with

12:50

this artificial intelligence. So on the one hand,

12:54

having gen AI might reduce the costs and the time necessary to

12:59

make AR experiences, but on the other hand,

13:03

the risks associated with introducing

13:08

information that has not been canned and previously

13:14

vetted and examined everything, that risk is so high.

13:19

Maybe that's prohibitive. So it's a

13:25

compromised and maybe we can't live with that compromise.

13:29

The costs are too great compared to the benefits or proposed benefits.

13:34

Right? Yeah, agreed. Yes. Yeah. Yeah, that's a really interesting point.

13:41

And it's not been years, it's just been months.

13:48

We're still at the beginning of this cycle.

13:54

So do you think that there are people in your company who

13:59

just are focused on AI and they're going to come to you,

14:03

or maybe they already have and said, you're in visualization, James,

14:10

how are we going to work together? Is there that kind of crossover or collaboration potential with

14:17

you? Oh, absolutely. Yeah.

14:21

We company's made pretty significant investments in AI research and development,

14:26

so we actually announced a product, I think it was just last year,

14:29

maybe a couple of years ago, talking about our first actual commercially released product that has AI

14:34

integrated into it. And so we're always looking at what is the next way that's going to bring

14:39

capability, efficiency, safety,

14:43

all these other considerations to our business and to our customers as well.

14:46

Yeah, yeah, yeah, exactly. Yeah. This not, it sounds so new,

14:51

but you're right that machine learning and

14:57

related fields have been around. Well,

15:02

this is very exciting. I hope to see the results of the

15:08

security committees, the maturity model very soon.

15:12

I think that'll be exciting and hopefully

15:17

open a lot of people's eyes about how to approach these delicate

15:21

subjects, and I hope that having

15:27

some solutions maybe will be appropriate in the network,

15:31

and we'll just have to take it on a case by case basis.

15:36

Yeah, yeah, absolutely. It is going to be a good time.

15:41

We're definitely going to be looking at where security is currently a big

15:45

concern and where we might take it in the future.

15:47

So there's going to be a lot of good discussions coming up.

15:50

Yeah, I think security in the past has been sort of a

15:55

headache, but now I think it's

16:01

addressing the security issues.

16:05

Like you had privacy by design and now

16:10

perhaps more and more people proposing solutions are going to have security by design built in from

16:18

the ground up. And that's an important shift for the enterprise, especially the,

16:24

I mean, I don't want to say, especially for highly sensitive,

16:27

all companies are sensitive about their intellectual properties.

16:32

I've never run into a company that said, oh, it doesn't matter.

16:35

Just let 'em have whatever's on our network

16:40

doesn't exist. It's just not realistic.

16:45

I mean, looking at network security,

16:48

but even we've talked before about the last summer's research project,

16:53

which had to do with really building in using the development tools

16:58

to build in security the right settings and the right library

17:02

calls to be able to build insecurity from the application, from the start.

17:05

Looking at that full spectrum across the board of how we can better secure our

17:10

information and our systems and our end users. Exactly as you said,

17:14

it applies across the board. It is not just from my industry or any other secure industry, so to speak.

17:20

It really applies across the board. Right.

17:23

That's a great place to summarize and

17:28

to conclude today's fireside chat. Thank you so much for your time and making this possible.

17:33

I appreciate your insights, James.

17:37

Alright, thank you Christine. Thank you.