Managing and migrating aged legacy systems

You have just finished reading another article (just a few short pages from here), or maybe you just attended a webinar and had your appetite whetted for a high-level video analytics software package equipped with the magic of algorithms and new metadata capabilities. Perhaps, during a recent trade show, you saw a demonstration where the latest in ID technology - image capture, live comparisons and other data gymnastics - was performed.

"Integration" has come to mean the ability to seamlessly manage disparate databases and elements of your control system in one big, happy, easy-to-use, intuitive desktop application. That's what you have, isn't it?

Now, let's get back from the future to your current control systems - a mostly reliable patchwork of systems and subsystems that were installed over the course of perhaps decades. During that time, your organization has grown, moved, merged and now has a cornucopia of security control products and providers - all designed and installed by many dealers and integrators. The many systems include different ideas of what constitutes a standard installation technique, a mish-mash of different components and separate means of interacting with the functions of each "sub-system."

So a bit of the technology boom blasted right by you? Are your security control systems limiting your ability to deter, detect and respond to security threats? Does the current hardware and software you employ limit your ability to perform accurate forensic analysis of events and perform investigations?

Advances in the consumer electronics market and in electronic security control hardware and software offerings leave many a consumer and security purveyor wondering, "Can I catch up?" - or worse, feeling left behind. End-users must be able to respond affirmatively when asked: "Will you have the data needed for an investigation when called on to produce it?"

The technology boom is facing a lackluster marketplace. Limited budgets are facing off against pent-up needs and the relentless need to mitigate risks or perhaps the need to meet compliance or insurance requirements. Many companies are struggling to understand their options during these challenging economic times.

The market is responding - albeit slowly - to these changes in fortune, and its responses do not require the wholesale removal and replacement of the old with the new. Challenges are being met with hybrid products designed to use older technologies and provide a bridge to newer features and data management capabilities.

My friend Ray Bernard and I have presented at many seminars, and topics surrounding both emerging technologies and convergence have been hot for some time now. When we have discussed the changes in technologies and the desire for migration, his comment is that in the IT space, convergence is more than a decade old and they have summed it up as the management and distribution of voice, data and video using common IT and network equipment (wired or wireless) and over a common IP data network infrastructure.

With the development of many other IP-centric devices, we must now think of security systems as "IT Systems" and understand the full spectrum of convergence. The security space is playing catch-up.

How Do I Prepare?

As the late Dean Ralston said when I attended undergraduate school, "Plan your work and work your plan." It is the best advice that both a freshman and a migration strategy can have.

There have been many seminars and sessions and volumes of reference materials on methods to aid those tasked with a migration project. Regardless of the methods, it is universally understood that a clear understanding of your current circumstances requires some form of cataloging.

The plan should start with identifying your project team. Not only security but perhaps also facilities/engineering, your IT department and operations need to be drawn together. Your goal is to ensure you have not only mitigated risks, but also integrated the overall organization's needs. Woven into the fabric of your assessment are those things often in the purview of CPTED (Crime Prevention through Environmental Design).

So what should be done about this migration of aged legacy systems? It is not something you should try by yourself.

Your job does not typically include just managing a security control system - it also includes ongoing examination of your enterprise's risks and vulnerability assessments. Are you addressing both day-to-day operational issues along with situations which may be emergencies or disaster scenarios? Is there willingness in the C Suite to confront the brutal facts of the current situation? Without a will, there may be little or no way. Getting this message delivered may require early involvement with a trusted advisor - which means having the right group vetted to arm and assist you.

Organize by looking at how things are interconnected - you may see how you can redirect or use alternate pathways and devices. Take advantage of existing resources to ensure you are developing a testable specification that is concise, unambiguous and easy for others to read. Your specification should define functional requirements in verifiable terms; it should not specify how requirements are to be implemented and met.


Documenting your existing systems' infrastructure as it relates to wiring types and their location is critical. Some, but not all, of this may have been provided when the original systems were installed. Unless you had someone managing this piece of data, it is likely to be incomplete or out-of-date at best. This forensic assessment may require the acquisition of a third-party provider, trusted advisor and/or the current provider of your security controls.

This documentation should include all of your systems - intrusion detection, access controls, video surveillance, critical process/condition monitoring, infrastructure, power cabling and any other security applications you may have deployed for asset tracking, package delivery management, visitor management, ID management, audio systems and perimeter control devices and systems.

If you are verifying the operation of your systems on a regular basis, you are likely to have developed an internal checklist of components. The verification of system operation and functionality is one of the tenets of system management. Hopefully, some scheduled process is in place now and reports and materials used to document operations are available for your use.

The chart on page one of this article, which I call a Security Component Location Chart (SCLC), is one I have used for years. Regardless of what form you use to illustrate this type of information, the end-result will enable verification of location(s) and components installed.

This chart should be created with IT's assistance regarding the location of and availability of network drops and current locations of communications. Additionally, you should engage facilities management to ensure you have identified the locations and availability of power, how it is managed at the facility, back-up, and availability of dedicated circuits for your control system.

Needless to say, building and construction changes which may have occurred during the life of your system may have already made some device locations and their connection infrastructure obsolete and less than useful. Other challenges may emerge like how you and your facility management deal with abandoned communications wiring and devices, or abatement issues as they relate to disturbing areas where asbestos or other hazardous materials may have been used in years past.

All of this information will give you and your organization a realistic view of the existing "infrastructure" and conditions, giving you and your selected provider a reasonable starting point for determining how best to perform any migration strategy.

Naturally, once this information is developed, it must be managed like any other proprietary information - safeguarded and distributed only as your risk management plan provides.

Project Management Skills

Your selected vendor's project management expertise will be put to the test. They should be required to provide a detailed project plan that establishes timelines and provides the detail associated with all tasks. Prior to beginning any migration, the vendor must ensure that risks and down times, if proposed, are agreed to in advance. Staffing may be affected or additional resources may be needed - without a detailed implementation plan as to what may be affected and whether additional resources are required, you may never know about those requirements until you are blindsided by them. Be mindful of contingency planning as it relates to potential temporary staffing which may be needed to ensure ongoing operation.

It is not my intent to make a mountain out of a mole hill. Some migrations of aged legacy systems are straightforward due to the limited size and scope of the migration. You may only be planning on migrating several devices or moving to a new platform, such as a new network video recorder and the programming of some alarm inputs. However, if you contemplate doing it on a nationwide basis over hundreds or even thousands of locations, the task becomes complicated and complex by virtue of size and logistics.

In either case, whatever the size and scope, a plan must be formulated and presented. This is generally not a task for two men with blow torches and a pickup truck, but for an organized, trained group able to anticipate and address the many items, large, small and, in some instances, minute.

Project responsibilities are most effectively executed through a highly structured Project Management process. Find out if your provider's project managers have centralized responsibility for all aspects of assigned projects - including the authority to task engineering resources, procure materials and allocate installation resources as required. They should have direct access to senior management through regularly scheduled weekly project review meetings and unscheduled meetings as required.

Project oversight is best when maintained with a Project Management software program, which manages all key/critical milestones of the project including construction schedule, material delivery schedules, manpower loading requirements, etc.

What are your New Functional Requirements?

The top view of where you would like to take your security controls will also provide you with a vetting process for vendors. Your migration plan should also include determining which integrators and technology organizations can and have demonstrated their ability to perform the many tasks associated with migrations like yours.

Your contracts team leader should help shepherd a thorough qualification process for vetting providers. Naturally, this would include verifiable references which demonstrate that they have successfully met the challenges of performing migrations to newer technologies, and that their organizations are focused on network-centric solutions and have the resources to invest in the training and infrastructure needed to ensure the innovative use of technology for their clients both now and in the future.

A willingness to offer innovative methods and a solutions approach vs. a product presentation and response will prove very telling of your advisor's capabilities and their point of view. Often, budgetary constraints test a provider's ability to propose a design and implementation process which may be phased in. Providers with an eye on demonstrating and maintaining a long-term relationship will be most likely to offer a logical phased approach to migration.

Any phased approach still requires a trusted advisor to help map out and identify immediate short- and long-term objectives and options. Providers who are in touch with emerging trends and technologies and whose organizations have product and solution testing procedures in place are good bets and help minimize risks associated with new technology adoption. An ongoing dialog between you and your provider will ensure a successful migration.

The challenge remains one of solution alignment, attention to details (the plan) and engaging a provider who has the processes and people committed to a successful migration from your aged legacy system to one which provides the results you require - not just removal and replacement for the sake of being new.

Howard J. Belfor, CPP, is director of training for ADT Security Inc.

Finding a Guide for the Hybrid World

It goes without saying that the industry has brought forth many "products" aimed at bridging the old to the new. Product sets include database migration services intended to move your current application(s) to the newer, faster, better system. This typically does not occur without a thorough audit of the database to ensure accuracy - and in some instances, database migration is as painful as just reprogramming new parameters, definitions, naming conventions and the like.

Integration where quality and reliability are foremost in your selection process will require verification and testing. Many systems exist in the market that provide encryption, back-up utilities, e-mail and text messaging, elevator controls, video integration, integrated photo ID badging, smart card and biometric device integration and alarm panel integration.

Hybrid devices abound with Digital Video Recorders. Your advisor will need to help you understand not only compression issues and data capturing techniques and storage capacities, but also how this serves the solution vs. a product need.

On the list of provider must-haves are:

1. A thorough understanding of the interaction between design and the challenges which must be met to satisfy all codes - local and federal - for life safety, etc.

2. Robust knowledge and verifiable network-centric certifications, as well as manufacturer product certifications, ensuring that expectations can be met or at least can be aligned to product realities and limitations.

Migration provides an opportunity to explore virtual security operations center potential available with new technologies. Lastly, your exploration of system migration strategies and solutions provides an opportunity to take stock of all of your risk assessment assumptions and ensure you and your team are in alignment.