Closer together but keeping their distance


by Michael Lawton

Everyone is talking about convergence, but what could it look like for the security industry a few years down the line? And how will physical security be managed in the IT environment? Future Lab spoke to someone who has views about The Future.

"CONVERGENCE"

That’s the word written in big letters above the desk of most people involved in security issues today. Every morning they look at it and they say, “Hm!  Good idea, but I don't quite trust it. All those hackers getting into our locks!”

But Ed Chandler of the Silicon Valley-based security consultancy Security by Design says, “In the last five years, I haven’t done any systems that haven’t been on a WAN or a LAN. It’s simply not a debate any longer.”

One breakthrough came with Virtual LANs—software solutions that allow sets of data to be separated within a single WAN/LAN. That allows, for example, a “security” network to be built inside a corporate network. But Ed warns: “You have to be very careful management-wise to integrate with the IT organization which maintains the VLAN, because it’s easy to break.”

That’s what went wrong when the Nimda virus struck five years ago. “Security was flying under the radar of the IT departments of the big corporations,” says Ed. “Security people had been going to the local IT guy and getting an IP address, and corporate IT didn't know what was going on. They thought they had the network under control, and were patching and updating according to the book. But the security equipment under the radar wasn’t being patched. The IT guys simply couldn’t clear the networks when Nimda struck. So they had to remove security from the networks altogether.”

Ed believes that wouldn’t happen now. “The most sensible approach seems to be to determine which devices need which level of care and feeding from the IT infrastructure,” he says. Devices built on a generalized OS platform require more care than Plug and Play Network Appliances, which have their own OS and get their own dynamic IP address.

But permissions and set-ups are the responsibility of the security division, not the IT people. “IT people don’t want to understand camera views and door hardware,” says Ed. “They’re far too time consuming, people-centric, and devoid of standards to them.”

They are also a bit more like building work. Cameras and door hardware are not like most IT stuff because you have to drill and screw in order to install them. But Ed has a request when it comes to the control products.

“We desperately need security manufacturers to make them look and feel more like IT,” he says.

And by that he means: “Off the walls and into the racks!” He also thinks you shouldn't need a screwdriver to install a security control panel.

With the increasing use of Ethernets for moving information around, the possibility exists for simultaneous convergence and separation. Ed has a vision.

“Routers with Network Address Translation would be priced so you could have one in every IDF closet in the corporation. The corporate network understands the IP to the router, but below the router everything is invisible to the network. Below the router, switches with Power over Ethernet would go to IP locks, cameras, doors etc. We’re going to be able to take integrity messages and move them through the routers directly to the security system and not via the network operation center. That way we could manage the security infrastructure in the security environment, and the information about integrity would be below the router, so that only the exceptions would be pushed through.”

Currently network intrusion detection is usually a big program which protects whole systems. Chandler would like to see a slimmed down version built into routers so that anomalies could be identified below the router.

“We manage exceptions, so it doesn’t make sense to send huge amounts of information through the network when most of it only shows that everything is working normally,” he says.

“I've had several conversations recently with folks looking at rules engines to discern anomalies. Security people are getting smart on that,” says Ed.
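The "manage exceptions" model Ed describes, as an added example that is not code from the article or from Security by Design: a small monitor sitting below the router consumes integrity messages from IP locks and cameras, keeps the routine "all is well" traffic local, and forwards only exceptions. Device names, the message layout, and the heartbeat interval are constructed assumptions.

```python
from dataclasses import dataclass, field

# Added example, not the article's code: a monitor below the router that
# consumes device integrity messages and forwards only exceptions.
HEARTBEAT_INTERVAL = 30  # seconds between expected reports (assumed value)


@dataclass
class IntegrityMonitor:
    expected: set                 # device ids provisioned below this router
    last_seen: dict = field(default_factory=dict)

    def ingest(self, msg: dict) -> list:
        """Process one integrity message; return the exceptions it raises."""
        dev, ts, status = msg["device"], msg["ts"], msg["status"]
        exceptions = []
        if dev not in self.expected:
            # A device nobody provisioned is itself an exception.
            exceptions.append(f"{dev}: unknown device reporting at t={ts}")
        self.last_seen[dev] = ts
        if status != "ok":
            # Tamper, forced door, failed self-test: pushed through the router.
            exceptions.append(f"{dev}: {status} at t={ts}")
        return exceptions                 # normally empty: "all is well" stays below

    def check_silence(self, now: int) -> list:
        """Silence is an exception too: a device that stops reporting is flagged."""
        return [f"{dev}: no heartbeat since t={self.last_seen.get(dev, 'never')}"
                for dev in sorted(self.expected)
                if now - self.last_seen.get(dev, -10**9) > 2 * HEARTBEAT_INTERVAL]


# Constructed sample stream: routine heartbeats, one tamper, one unknown device.
SAMPLE = [
    {"device": "lock-101", "ts": 0, "status": "ok"},
    {"device": "cam-7", "ts": 5, "status": "ok"},
    {"device": "lock-101", "ts": 30, "status": "ok"},
    {"device": "cam-7", "ts": 35, "status": "tamper"},
    {"device": "cam-99", "ts": 40, "status": "ok"},
]


def run_sample(now: int = 60) -> list:
    """Feed SAMPLE through a monitor; lock-102 is provisioned but never reports."""
    mon = IntegrityMonitor(expected={"lock-101", "cam-7", "lock-102"})
    out = []
    for m in SAMPLE:
        out.extend(mon.ingest(m))
    out.extend(mon.check_silence(now))
    return out
```

Five messages plus a silent device produce three exceptions; the three routine heartbeats never leave the router.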

All this means, on one level, less contact between the security network and everything else. Where the bandwidth requires, Ed suggests running dedicated cables from the routers to the main distribution frame. But the whole system will still be working on standard network protocols and using standard ports. And at some point, the security system and the rest of IT will be running along the same wires, even if security is on a VLAN.

In addition, the two systems will have to talk to each other at the database level. Security wants to be sure that its information about who can enter which parts of which buildings is up to date with the Human Resources’ list of staff and functions, and the purchasing department’s list of contractors. This can be done by spoking the various databases around a skeletal central database hub with strict controls as to what information is passed between them on a need-to-know basis.

Ed describes it as “publishing and subscribing.” HR publishes the fact that John Doe has left the company; the central database subscribes, and in turn publishes. The Access database has a subscription to that kind of information and reacts accordingly, but the purchasing department’s database doesn’t get to see it. In addition, Access doesn’t have to know that John Doe was suffering from depression, and HR doesn’t have to know which doors he was allowed to open. “All communication goes through the hub,” says Ed, “there are no sidelines and the minimum amount of information gets moved around.”

Such structures already exist, but Ed is currently working on a rules engine that uses company roles to automatically assign a clearance level, so that, when someone is hired, their card is pre-programmed with just the appropriate access rights.
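The hub-and-spoke "publishing and subscribing" structure from the previous paragraphs, together with the role-to-clearance rules engine, as an added example (not the article's or Security by Design's code): each subscriber declares the topics it needs and the fields it may see, the hub strips everything else, and the Access side derives the card's door groups from the company role. Topic names, record fields, roles, and clearance levels are constructed for illustration.

```python
from collections import defaultdict

# Added example, not code from the article or from Security by Design. Topics,
# record fields, roles and clearance levels are constructed for illustration.
# Each subscriber declares the topics it needs and the fields it may see;
# the hub strips everything else before forwarding.
SUBSCRIPTIONS = {
    "access":     {"hr.hired": {"employee_id", "role"},
                   "hr.left":  {"employee_id"}},
    "purchasing": {"hr.hired": {"employee_id", "cost_centre"}},
}

# Rules engine: company role -> clearance level -> door groups on the card.
ROLE_CLEARANCE = {"engineer": 2, "facilities": 3, "contractor": 1}
CLEARANCE_DOORS = {1: ["lobby"], 2: ["lobby", "office"],
                   3: ["lobby", "office", "plant"]}


class Hub:
    """Central hub: every message goes through here, nothing goes sideways."""

    def __init__(self):
        self.delivered = defaultdict(list)   # subscriber -> (topic, record)

    def publish(self, topic: str, record: dict) -> None:
        for sub, topics in SUBSCRIPTIONS.items():
            if topic in topics:
                allowed = topics[topic]
                # Only the fields this subscriber is entitled to leave the hub.
                self.delivered[sub].append(
                    (topic, {k: v for k, v in record.items() if k in allowed}))


def provision_card(record: dict) -> list:
    """Access system's reaction to an hr.hired record: door groups for the card."""
    level = ROLE_CLEARANCE.get(record["role"], 0)   # unknown role -> no doors
    return CLEARANCE_DOORS.get(level, [])


def demo() -> dict:
    hub = Hub()
    # Constructed HR records; the medical note must never reach Access or Purchasing.
    hub.publish("hr.hired", {"employee_id": "E1001", "role": "engineer",
                             "cost_centre": "CC-42", "medical_note": "depression"})
    hub.publish("hr.left", {"employee_id": "E0999", "reason": "resigned"})
    cards = {rec["employee_id"]: provision_card(rec)
             for topic, rec in hub.delivered["access"] if topic == "hr.hired"}
    return {"access": hub.delivered["access"],
            "purchasing": hub.delivered["purchasing"], "cards": cards}
```

Access learns that E1001 was hired as an engineer and that E0999 left, Purchasing learns only the cost centre, and the medical note reaches neither.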

So convergence is no pipe dream—the cutting edge is already shaping convergence for the future. Ed Chandler believes that the people who carry out physical security and those who look after IT systems will be moving closer.

He sees the CSO getting more into IT, because of new legal data protection requirements which companies have to fulfill.

“The CSO understands liability, culpability, investigation, tort, criminal and administrative law. The CIO understands quality of service, bandwidth, resiliency, and process integrity. But privacy laws like Sarbanes-Oxley in the US or the European Privacy Initiative are putting a big strain on organizations which cross physical and logical boundaries. The CSO and the CIO are better able to package solutions for today’s environments when they each bring their respective strengths to the converged environments,” he says.
