In the coming years, we can expect to see systems based on several new architectures that provide integrated security management across the enterprise. These new systems will bring enterprise-class control to organizations for which it has not previously been cost-effective.
Enterprise-level systems are different from their nonenterprise cousins because of their potential for immense scale, distributed architecture, level of integration and the implementation of global policies they require. Traditionally, the cost of these systems reflected their scale and level of integration, putting them economically out of reach for all but the largest organizations. That too is changing.
Enterprise Systems Unify Security Measures, Maximize Resources
The goal of implementing an enterprise system is twofold. First, it provides a unified framework around which a set of security policies can be implemented for better security. Second, it offers economic benefits that derive from sharing resources at a lower cost. Consider this example that shows both of these factors at work: An organization of 5,000 people loses one of its members. It could be a terminated employee, a graduated student or a retiree. In any case, it means the privileges that individual once enjoyed must now be revoked.
The typical organizational workflow involved in ridding an enterprise of one of its members touches many systems and can potentially cross a lot of geography. Not only must the departed member no longer be granted access to the physical facilities, he or she must also no longer be granted access to the information facilities and systems.
Oh, yes, and let’s not continue to pay someone who isn’t there. The human resources (HR) and payroll systems must also be updated. If the departure is unexpected, then there is a premium on the ability to coordinate all of these systems quickly.
You might be surprised to learn that in the vast majority of corporations, schools and other large institutions, the workflow involved in terminating a member (or to be more positive, adding a new member) is not usually integrated. Multiple sets of hands — often in multiple facilities — process the request to add or remove a person. One system handles physical access, another handles logical (data) access, and so on.
It stands to reason that the larger the organization, the more hands are involved (at a greater expense) and the more likely something will fall through the cracks (with less security).
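The workflow just described, as an added example that is not part of the original article: one script drives the revocation across every system a departed member touched and then reconciles what each system still grants. The four systems are constructed in-memory stand-ins for the physical access, directory, HR and payroll systems named above (no real vendor API is used), and the remote access panel is deliberately unreachable during the run so that the "fell through the cracks" case shows up in the report instead of being silently skipped.

```python
"""Added example (not from the article): a single offboarding workflow that
revokes one departed member's privileges across several systems and then
verifies that nothing was left behind.  All systems here are constructed
in-memory stand-ins for the physical access, IT, HR and payroll systems the
article names; no real vendor API is used."""
from dataclasses import dataclass, field


class SystemUnavailable(Exception):
    """Raised by a simulated system that cannot be reached (e.g. a remote site)."""


@dataclass
class AccessSystem:
    name: str
    # person_id -> set of privileges the system currently grants (constructed data)
    grants: dict = field(default_factory=dict)
    reachable: bool = True

    def revoke(self, person_id: str) -> None:
        if not self.reachable:
            raise SystemUnavailable(self.name)
        self.grants.pop(person_id, None)

    def active_privileges(self, person_id: str) -> set:
        if not self.reachable:
            raise SystemUnavailable(self.name)
        return set(self.grants.get(person_id, ()))


def offboard(person_id: str, systems: list) -> dict:
    """Attempt revocation on every system and never stop at the first failure:
    a departed member must lose access everywhere, not just on the systems
    that happened to answer."""
    outcome = {}
    for system in systems:
        try:
            system.revoke(person_id)
            outcome[system.name] = "revoked"
        except SystemUnavailable:
            outcome[system.name] = "unreachable"
    return outcome


def residual_access(person_id: str, systems: list) -> dict:
    """Reconciliation step: what does each system still grant the person?
    An unreachable system is reported as unknown rather than omitted, because
    'unknown' is exactly where privileges fall through the cracks."""
    report = {}
    for system in systems:
        try:
            privs = system.active_privileges(person_id)
        except SystemUnavailable:
            report[system.name] = {"UNKNOWN: system unreachable"}
            continue
        if privs:
            report[system.name] = privs
    return report


def build_sample_enterprise() -> list:
    """Constructed sample: four systems across two sites; the remote-site
    access panel is offline while the offboarding runs."""
    return [
        AccessSystem("hq-access-control", {"e1234": {"front-door", "lab-3"}}),
        AccessSystem("remote-site-access-control", {"e1234": {"warehouse"}}, reachable=False),
        AccessSystem("directory", {"e1234": {"vpn", "email"}}),
        AccessSystem("payroll", {"e1234": {"direct-deposit"}}),
    ]


def run_offboarding(person_id: str = "e1234"):
    """Run revocation and reconciliation; returns (per-system outcome, leftovers)."""
    systems = build_sample_enterprise()
    outcome = offboard(person_id, systems)
    leftovers = residual_access(person_id, systems)
    return outcome, leftovers


if __name__ == "__main__":
    outcome, leftovers = run_offboarding()
    for name, status in outcome.items():
        print(f"{name:28s} {status}")
    print("still needs attention:", leftovers or "nothing")
```

The design point is the second pass: revocation alone tells you what you asked for, while the reconciliation tells you what is still true, and a site that could not be reached is a finding to be retried, not a step to be crossed off.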
New Generation of Technology Allows Greater System Complexity
It’s convenient to think about the scale (or “bigness” if you prefer) in two dimensions. Vertical scale is the number of objects in a system, such as card readers or cameras. Horizontal scale, on the other hand, refers to the complexity of a system, or how many functions or other systems are integrated by it.
An example of horizontal scaling would be the integration of an HR or data security system with a physical security system. Much of the buzz about “convergence” in recent years speaks to the depth of horizontal integration with previously unrelated systems.
Implementing security for a large corporation or college campus often means hundreds or thousands of access control points, cameras and alarm points. This immense vertical scale is often a characteristic of enterprise systems, although not always.
Most large companies, for example, have many more small facilities than large ones. Those smaller facilities may have a relatively small number of alarm, access control and video points, while the system as a whole has to support a relatively large number of sites.
Achieving scale is one of two major issues in implementing enterprise-wide systems. Designing policies that work is the other.
First-generation, host-based systems reached their scale in a brute-force manner. If a small system worked using a small computer, then a large one could be made to work by using a large computer. This was the scaling philosophy behind many of the early enterprise systems, such as Lexington, Mass.-based Software House’s CCURESystem 1 Plus — one of the most popular systems of its day.
Second-generation client server systems, such as CCURE Central or Pittsford, N.Y.-based Lenel’s OnGuard, can achieve greater scale by using a system of networked regional servers. Each of these servers is responsible for a given geography and connected to a master system that maintains a consolidated database.
These systems utilize network infrastructure to provide connectivity, and users can be located anywhere the network reaches. Clients communicate directly with the master or regional servers through the wide area network (WAN) for monitoring and administration.
There is a third generation of architecture that is making its way from the IT and telecommunications world into the physical security industry: thin client, Web-based network appliances.
Network Appliances Facilitate Almost Boundless Scalability
As the name implies, third-generation systems are thin client systems, using Web browsers to deliver their user interfaces. (“Thinness” refers to the lack of need for specially installed — or fat — client software.) All of their components are network-connected, and integration among multiple systems occurs over the network that connects them.
They are called “appliances” because they are special purpose computers with embedded software that handles a particular application, such as physical security or voice over Internet protocol (VoIP) telephony.
Scale among third-generation systems is created in one of two ways. The network appliances may communicate with one another (called peer-to-peer networking) or the network appliances may coordinate through an enterprise server.
The peer-to-peer method has the advantage of not requiring additional computers beyond those inside the network appliances themselves. But peer-to-peer scaling still has limits. The largest systems coordinate through an enterprise server that keeps a copy of the global configuration database and distributes or collects data from the network appliances it manages.
Third-generation, server-based systems have significant advantages when it comes to scale because both the data and the workload are fully distributed to the network appliance end-points. The amount of work the enterprise server then has to do is reduced compared with second-generation systems.
As a result, third-generation systems are considered infinitely scalable. Since the network appliances are generally inexpensive and self-contained with embedded software, they require little maintenance and can be placed at each remote site in the network.
This makes it possible for system users at a remote site to perform local monitoring and management functions without having to connect back through a WAN to an enterprise server. In fact, a network appliance deployed to a remote site in the enterprise can operate completely on its own, if needed.
This lack of dependence on a central server for data input and monitoring makes the third-generation architecture more robust than its predecessors. The loss of any site on the network, remote or central, does not affect any other site. Complexity is reduced and single points of failure are not present in this architecture.
Systems Can Be Configured for Smaller Enterprises as Well
Usually, when one speaks of scalability, the question is raised whether a system can be stretched to fit larger applications. But scalability swings both ways. Smaller sites requiring advanced capabilities need large system functionality but small system scale. These applications demand a system that scales down rather than up.
While traditional large systems can often be deployed on smaller computers, their complexity usually means an expensive deployment and constant supervision — hardly an optimal situation for a small remote site.
Third-generation network appliances, on the other hand, are naturals for scaled-down applications. Their network appliance form factor hides their complexity and makes them very straightforward to deploy. Also, because they are intended for use in remote facilities, they can be completely remotely controlled, right down to system level functions such as backup and reboot.
Of course, network appliances do have limitations of scale.
A DS-2 or DV-IP DVR from Dedicated Micros of Chantilly, Va., for example, is a network appliance that performs digital video recording. It’s limited to 16 cameras per device, but the company’s NetVue ObserVer software package (a free download from its Web site) overcomes this limitation by allowing control of multiple remote DVRs. While ObserVer is a PC-installed, fat client application, the DVRs themselves offer a Web interface that requires only a browser for use.
Broadening the Application Via Horizontal Scaling Capabilities
So far, much of the discussion has concerned vertical scaling — making systems with lots of points of control. But what about horizontal scale — making systems that are more complex?
First-generation systems achieved horizontal scale by connecting multiple systems to a single master management system, often by a serial data connection. This usually meant the systems were collocated, had proprietary communications formats and were reliant on the master system (which became a single point of failure).
The second-generation systems in use today have improved on this situation by connecting components on a single network, thus eliminating the need for collocation and often reducing dependence on the master system.
The third-generation approach to adding complexity places Web-based network appliances from multiple manufacturers on the same network. Each is responsible for its own application and communicates with related appliances by means of an application programming interface (API).
The most current APIs are based on XML, an IT standard for exchanging structured data (a text format like ASCII, but built for complex, networked data). Santa Ana, Calif.’s Hirsch Electronics and AMAG of Torrance, Calif., among others, have announced XML-based interfaces to their products.
As an example of horizontal scale, take a look at the diagram above, which shows an S2 NetBox, a Dedicated Micros DS-2 and a Milestone XProtect system connected to a network. To make it more interesting, there are two sites, each with a local area network (LAN), and each LAN has an Internet connection.
The NetBox is a network appliance that handles access control and alarms and provides an integrated user interface for video management as well. The DS-2 is a network appliance that connects analog cameras, and the XProtect system is a PC-based network appliance that operates a network video recorder (NVR) for IP cameras (many of which have their own embedded Web interfaces and qualify as network appliances themselves).
An interesting thing about this system is that it is not a “large” system by conventional (read “vertical scale”) standards because it does not support many points. But it is complex (read “horizontal scale”) because it integrates multiple complex functions. To the buyer, though, the best thing about it may well be that its cost reflects its vertical scale (relatively small) more than its horizontal scale (relatively large).
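Horizontal integration of the kind just described lives or dies on how each appliance treats messages arriving from its peers. The following added example, which is not code from the article or from any of the vendors it names, is a minimal receiver for an XML event message from a peer appliance: it validates the message and normalises it into a common alarm record. The `<event>` schema, the appliance and site names, and the accepted event types are all constructed for this example, not any vendor's real interface. The size and DTD checks run on the raw bytes before the XML parser sees the message, so an oversized message or one that references a DTD is dropped rather than parsed.

```python
"""Added example (not from the article or any vendor): a minimal receiver
that accepts an XML event message from a peer appliance, validates it and
normalises it into a common alarm record.  The <event> schema, appliance
names and site identifiers are constructed for this example."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

ALLOWED_SITES = {"site-a", "site-b"}          # constructed site identifiers
ALLOWED_TYPES = {"motion", "door-forced", "door-held", "tamper"}
MAX_MESSAGE_BYTES = 64 * 1024                # a single event is never this large


class BadEvent(ValueError):
    """Raised for any message that does not pass validation."""


def parse_event(raw: bytes) -> dict:
    """Validate one XML event and return a normalised record."""
    # Checks on the raw bytes come first, before any XML parsing happens.
    if len(raw) > MAX_MESSAGE_BYTES:
        raise BadEvent("message too large")
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise BadEvent("DTD/entity declarations are not accepted")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise BadEvent(f"malformed XML: {exc}") from None
    if root.tag != "event":
        raise BadEvent(f"unexpected root element {root.tag!r}")

    source = root.find("source")
    if source is None or "appliance" not in source.attrib or "site" not in source.attrib:
        raise BadEvent("missing <source appliance=... site=...>")
    if source.attrib["site"] not in ALLOWED_SITES:
        raise BadEvent(f"unknown site {source.attrib['site']!r}")

    etype = (root.findtext("type") or "").strip()
    if etype not in ALLOWED_TYPES:
        raise BadEvent(f"unknown event type {etype!r}")

    try:
        when = datetime.strptime((root.findtext("time") or "").strip(),
                                 "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        raise BadEvent("time must be UTC in YYYY-MM-DDTHH:MM:SSZ form") from None

    point = (root.findtext("point") or "").strip()
    if not point.isdigit():
        raise BadEvent("point must be a non-negative integer")

    return {
        "site": source.attrib["site"],
        "appliance": source.attrib["appliance"],
        "type": etype,
        "time": when,
        "point": int(point),
    }


# Constructed sample messages (not captured from any real device).
GOOD_EVENT = b"""<event>
  <source appliance="dvr-01" site="site-b"/>
  <type>motion</type>
  <time>2007-03-01T14:22:05Z</time>
  <point>7</point>
</event>"""

DTD_EVENT = b"""<!DOCTYPE event SYSTEM "http://example.invalid/event.dtd">
<event><source appliance="dvr-01" site="site-a"/><type>motion</type>
<time>2007-03-01T14:22:05Z</time><point>1</point></event>"""

BAD_SITE_EVENT = b"""<event><source appliance="panel-9" site="site-z"/>
<type>door-forced</type><time>2007-03-01T14:22:05Z</time><point>3</point></event>"""


def demo() -> dict:
    """Run every sample through the receiver; rejected ones become strings."""
    results = {}
    for label, raw in (("good", GOOD_EVENT), ("dtd", DTD_EVENT), ("bad-site", BAD_SITE_EVENT)):
        try:
            results[label] = parse_event(raw)
        except BadEvent as exc:
            results[label] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for label, result in demo().items():
        print(label, "->", result)
```

Each appliance on the shared network would carry a receiver like this for the formats it agrees to accept; the allow-lists for sites and event types are what keep a message from an unexpected peer from turning into an alarm or, worse, a command.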
How to Deal With the Legacy Problem and Keep Current
So, now you’re sold on the idea of scalable, reliable and flexible third-generation systems, but what about the systems you currently have? While the lack of standards in our industry hampers easy replacement of legacy systems, there are options.
In the access control world, many card readers support the Byzantine but popular Wiegand data interface and will connect to new, third-generation devices. The more advanced card access solutions easily support existing card formats so credentials won’t have to be exchanged. In addition, electric locking hardware and alarm points are generally compatible across systems, so these can remain.
Similarly, most analog video cameras have interfaces that are supported by common video servers. These video servers from Taiwan’s Vivotek and others support analog camera inputs and put IP video streams out. Network video recorder systems such as XProtect will then treat the old analog cameras like new IP cameras.
In the final analysis, third-generation systems are still young but growing rapidly. They offer the advantages of lower lifetime cost of ownership, scalability and ease of deployment. And there are often relatively easy migration paths away from older equipment. Check out network appliance-based systems at the next trade show. Small is big when it comes to this approach.
John Moss is CEO of S2 Security Corp., a developer of network appliances that capitalize on the convergence of IP networks and physical security systems. A 25-year veteran in the security industry, Moss is the founder and former CEO of Software House, now a unit of Tyco Int’l, and a member of the SSI Hall of Fame.