
 
 

Are You Ready for Convergence 2.0?

Ajay Jain

One word we are hearing more and more in the physical security space is convergence. Typically, however, the word convergence in physical security means that products that were historically analog-based, or digital but running on a self-contained network, are now being introduced in IP-based versions that can be run and controlled via a browser interface.

Still, these diverse systems have proprietary platforms and do not interoperate or communicate with other manufacturers’ (or even their own) systems in other areas of physical security, much less with IT security. The convergence they are referencing is only a part of the bigger picture that will have to be addressed in the long run.

Profound Events Change the Nature of Security
Analyzing how we got where we are today is useful for determining how we might get where we need to be in the future.

The history of physical security is as old as the history of civilization. As long as there have been people on earth, there has been a need for them to protect the goods, places and other people around them. Earliest history shows that societies built walls and armies, and people of means used guards and weapons to control access to their property and to protect what they had. 

In more modern times, the post-World War II era was the beginning of a technology revolution that spanned the globe and changed the paradigm of business. With the development of electronic capabilities and applications came the growth of physical security as an industry unto itself, with many providers rushing in to provide their own proprietary systems. 

As businesses grew from one to many physical locations, these providers continued to install the systems with which they were familiar, each as a standalone system.

The past decade has profoundly changed the way businesses look at physical security and the need for risk management at the corporate level. The emergence of the Internet, the events of 9/11, Hurricanes Katrina and Rita, and corporate fraud scandals have brought about the need for businesses to make fundamental changes in their operations.

These changes are aimed at maintaining best practices in the corporate environment, keeping their premises, personnel and property safe, and avoiding the possibility of personal or corporate liability from the government. Physical security is an important part of this new charter, from both the standpoint of corporate governance and for protection of assets and business continuity.

Haphazard Deployment Results in Too Many Silos
With the recognition of the increased importance of physical security came the growing recognition of the need for communication between the disparate systems that had been installed over time, along with the need to develop policies that would be adopted globally in real-time across all security systems.

When these systems, including computerized physical access control, video surveillance, sensors to detect fire, carbon monoxide, etc., were initially put into place, interoperability was not an issue that was fully considered. Corporate managers were focused on top-line growth of the companies, not foreseeing that their methodology of securing physical locations and their employee base could one day become a management challenge.

Unknowingly, these managers were creating a tremendous problem of disparate proprietary systems across enterprises with multiple business processes solving the same business issue at various locations. The deployment through time of these siloed systems opened the door for myriad security breaches. 

For example, a terminated employee in one access control location could easily walk to another location managed by a different access control system and gain illegal entry to corporate premises. Likewise, a forced door entry or a surveillance breach alarm would be handled locally and would not automatically be reported to corporate security in real-time. With no standardization, there was no centralized organizational control and management of disparate systems.

Explosive corporate growth, the Internet and Internet Protocol (IP)-based networking only exacerbated the issues.

4 Pain Points for Security, Business, IT to Address
While it is clear that action must be taken to remedy the situation, there has been no one solution that would solve the problem. Any processes implemented by management are manual in nature and dependent on individuals taking actions in response to physical security incidents.

As a result, there is no way to put global policies into place automatically, nor is there a holistic overview of incidents and events. The cost of maintaining continuity of operations across disparate systems and locations is immense, along with the exposure to risk and liability. 

The four pain points resulting from the divergence caused by the evolution of physical security, the need for corporate governance and the growth of IT are as follows:

1. Lack of integration of disparate physical security systems utilizing a single protocol that crosses platforms — This is true convergence as we define it. Businesses need to bring every physical security, fire, HVAC, lighting, video, access control, alarm and IT security system together such that the data set originating out of them is commonly understood by all systems seamlessly. The user should be able to monitor systems and set policies in real-time without worrying about underlying systems technology. 

2. Inability to standardize rules and policies within and across the physical security environment — Most corporations have very location-specific physical security applications and tools. A cardholder who works in a building in Topeka, Kan., cannot use his or her card to enter another corporate location in Madrid, because they have two separate access control systems. Terminated employees’ access may still be active in locations outside their home base. Policies need to be centrally determined, deployed and managed in real-time from a single Web-based dashboard. 

3. Lack of automation of processes across the enterprise — Since the physical security environment is both location specific and characterized by myriad noninteroperating technologies and vendors, business processes also become localized, not connected and manual in nature. As a result, the system is plagued by human error, higher cost of operation and maintenance with no way for corporate management to review and oversee what is actually happening across all its locations from one dashboard. 

Processes like new hires, terminations, changes in roles, security events, compliance management, etc., have sub processes in IT as well as physical security domains. These should be seamlessly connected and converged, with periodic reports summarizing events and offering the opportunity to make any needed policy changes.

4. Noncompliance with corporate governance standards — The government is watching corporations more closely than ever, and corporate heads are well aware of the new regulations requiring disclosure and transparency to prevent fraud. In addition, these standards require certain methodology to be followed in the design and deployment of physical security infrastructure. Any business can become a target of audits at any time, and data forensics will ultimately show every transaction and event that has occurred in a given period of time. 

In short, companies have to stay clean, and without complete control that is managed at a top executive level, this is practically impossible to accomplish. At the minimum, a policy-based system should provide an ability to conduct change/configuration management and infuse segregation of duties within physical security infrastructure.

Software Layer Is Key to Achieving True Convergence
There has been a growing involvement of IT management across all business operations, including communications, finance, sales, etc., and executive management has seen this as a means to achieving the interoperability to address the pain points above. 

While this would seem to be a natural evolution, as the IT backbone runs across all facilities and operations at an enterprise level, without the ability to communicate with dozens of disparate protocols across multiple platforms there is no way to implement this solution fully.

Furthermore, the challenge of creating the software to do this job is far beyond the scope or capabilities of a typical IT department. Particularly for growing corporations, the risk exposure increases exponentially each time a new satellite, office or system is put into place.

The solution? Big-picture convergence will ultimately be accomplished in the form of a software layer that covers every physical security event, operation and transaction across all locations of a corporation, in a unique policy-based paradigm. 

As it is clear that the need for compliance, risk management, interoperability and financial accountability will continue to grow, strategic security management systems that are policy-based will become essential to businesses of all sizes in the future. 

Substantial research and development is being expended in favor of this philosophy and figures to make true convergence, or Convergence 2.0, a reality sooner rather than later.


Ajay Jain has more than 20 years of experience in the IT and security industries, and is currently president and CEO of Milpitas, Calif.-based Quantum Secure Inc. In 2002, his start-up, Mokume Software, was acquired by Versant Corp. Jain can be reached at info@quantumsecure.com.

Read More at Security Sales & Integration
