Considering Convergence

Oct. 27, 2008

Convergence. It is the term now being applied to myriad changes in the security industry. Is it a buzzword or a paradigm shift? Security has evolved into an enterprise concern that affects the way most institutions view their business. Basic access control and surveillance operations that may have seemed mundane prior to 9-11 are now viewed as mission critical. And with advancing technology moving us rapidly from analog to digital and now onto IP-addressable solutions, physical security professionals are being asked to forge new alliances with IT counterparts formerly ignored. This emerging security protocol has led not only to a convergence of technology, physical and logical, but a convergence of security cultures and priorities. For the last two years the editors of ST&D have been leading the way in covering the drivers behind convergence in the security field. This issue we interviewed some of the major security manufacturers and systems integrators in our industry to get their take on what is driving convergence and how it is affecting how we do business.

Steve Lasky, editor-in-chief

ST&D: The number-one convergence impact on our industry has been IP-based products and systems. How has this affected you?

John Moss, president/CEO of S2 Security Corporation: It is our reason for being. Our company was founded to help usher IP-based products into the security industry. Virtually everything we do as a company is IP-based, from the products we make to the Web site we use as our major marketing tool. Our demos are online as well. We definitely eat the IP dog food!

Isac Tabib, CTO of Antar-Com Inc.: IP-based solutions, both for access control and CCTV, are the driving force behind the need to elevate security integrators' level of delivery. That is, we are no longer in the business of installing the card reader, but rather in the integration and delivery of a comprehensive, integrated solution. Since we (at Antar-Com) have a full-time in-house IT department, we feel that we are somewhat ahead of the curve, and as such encountered little or no negative effect. In contrast, we are drawn into, and requested to participate in, large-profile projects, based on our in-house IT capabilities. The convergence needs also put pressure on manufacturers to offer software that is easily integrable, and that allows easy, yet secure data exchanges. Manufacturers that are slow to react or adapt would be largely affected over time.

Pete Lockhart, VP Technology, Anixter International: IP-based products are just now becoming specified by our customers, primarily as networked devices for remote access or storage. The use of IP-only cameras is increasing exponentially but still represents only a fraction of all cameras being installed. The real convergence impact is in the digital transformation of data, replacing VCRs with DVRs. The next phase is the direct conversion of the analog image through compressors or video servers and sending the images out for viewing by use of virtual video matrix switching software. Once these images are digitized this way, they can be stored, transported and mined just like any other data file. Because it is data, standard IT-based servers are used with all of the possible storage technologies in play from local hard drives, SANs and NAS.

Rob Zivney, VP Marketing, Hirsch Electronics: We had to invest heavily in building competency in our organization and in our distribution channels. We brought IT competence into our Learning Center and our documentation team and into our technical support staff. Yet there has been a significant payoff. Our systems now readily reside on the IT infrastructure, the corporate network. This allows us to offer larger systems with greater value to the customer at a reduced total installed cost. We grow and the customer wins.

With the video industry following the access control industry into client/server architectures and PC-based components, the two are becoming more similar architecturally. Our core business was access control. Now it's security management.

Rudy Prokupets, CTO/EVP of R&D, Lenel Systems International: It hasn't really affected us, because Lenel's entire system architecture has been IP-based from the beginning. The concept of a Total Security Knowledge Management Solution, which we introduced in 1998, has a distributed IP-based architecture. Thousands of corporations and institutions around the world have been using our IP products since then. They've experienced the benefits of implementing IP-based security systems: ease of installation, lower total cost of ownership, and the ability to use the existing corporate infrastructure.

Fredrik Nilsson, general manager, Axis Communications: Convergence affects Axis very positively. The company entered the market because of convergence, offering IP-based print servers since 1992 and the world's first IP-enabled network camera in 1996. Since then, Axis has fully focused on true IP-based solutions like the network camera and video server. In the last quarter, 70 percent of Axis' revenue came from network video products, making it our largest and fastest-growing product group.

Anthony Hanseder, VP Product Marketing, HID Corporation: Thus far, the demand for IP-based HID products has been relatively small. We have encountered chatter in the industry about IP-based products and we've seen a number of companies make product announcements, but have not witnessed any mainstream adoption from the major OEM players. The smaller hardware and software startups are doing development; however, it is not clear they will be able to significantly impact adoption. Significant impact in our industry generally comes from the larger OEMs. At HID we always evaluate market trends and review our product and technology development mix to ensure we're aligned with market dynamics.

Donald Taylor, VP Marketing, Dedicated Micros: We see much more interest and demand for managing video over networks. We view this as a significant opportunity for Dedicated Micros.

ST&D: Putting the physical access control system on the business network introduces network security issues for both the access control system and the business network and raises the availability requirements of the business network. Have you encountered any issues or learned any lessons in this?

Moss: This is a real concern in some cases. In many applications for larger companies it's not a problem. They have advanced network gear that can isolate the security equipment from the rest of the network and protect the communications in a way that's transparent to the security system. At S2, though, the products we make are consumed by small companies as well as larger ones. To accommodate the needs of these smaller system users, we are incorporating SSL (secure sockets layer) encryption for our user interface, and SHA-1 authentication for device-to-device communications.

Lockhart: The current enterprise-level networks are some of the most robust and stable transports available, especially when compared to most currently installed proprietary access control systems. If proper IT/IS cyber security policies are included in the original design of the IP-based access systems, there should be no major problems in the implementation. Good working knowledge of these IT cyber security requirements and their use is mandatory for it to succeed.

Prokupets: From the beginning, Lenel's OnGuard security solution was built for use with existing business infrastructures. Of course, we regularly have discussions with IT groups and our customers to ensure that the system is designed for optimal performance and offers the functionality that customers need. A physical access control system's impact on the business network was a relevant issue five or six years ago, but it isn't now. I published a white paper in ST&D back in 1998 in which I noted that properly designed, network-aware security applications should consume only a fraction of the corporate bandwidth. The bandwidth requirement of a security system is negligible with respect to the business network as a whole and has very little impact on performance of business applications. A well-designed security system can function reliably without interfering in mission-critical business applications.

Zivney: Independent of the network path, the security industry has increased the requirements for encryption. AES Rijndael encryption standards, which exceed triple DES, are being required between client and server, and between server and controller. We are seeing similar DESFire requirements between the card and reader for smart cards. Soon everything will be encrypted. If the IT department is involved early, they can be a good partner.

ST&D: Have you made security video available on the corporate network or used the corporate backbone for video transport? Do you have any advice to give to anyone considering this in the near future?

Lockhart: Video is currently being deployed across corporate LANs and WANs all of the time. The only real constraint is bandwidth allocation and utilization. On the LAN side, any well-designed, 100 Mps switched infrastructure should handle video. The issue is what well-designed means, and that is why the IT people must be an integral part of any video surveillance system design. For remote access and transport over WANs or Internet connections, pipe size is the only real problem. The newer codecs of MPEG-4 and H236/264 allow for allocating bandwidth utilization by controlling frame sizes and rates to available throughput. This along with internal QoS software of most edge devices can make this work quite well. But as in the LAN design, the IT/WAN folks must be part of the design team.

Moss: We both make products that make video available on networks and we have video available on our own network. If you're not careful, video can soak up a lot of bandwidth needlessly. We've done several things to address video in a bandwidth-conserving way. First, our products implement something called video proxy, a technique for reducing the number of connections required to each individual camera. Second, we cache images and only transmit them when they have changed, and then only at the size of image being requested.

Even with all of that, however, we have increased the outbound network capacity. Typically you'll find that network bandwidth is sold as so much outbound and so much inbound. Usually the inbound value is much higher because the scheme is set up to support people who surf Web sites and thus require a lot more data in than they send out. With video, this balance can reverse: you're sending more out than you get in. As a result, when increasing bandwidth, be sure to increase it in the right direction (namely, outbound) if you're transmitting video.

Zivney: IP cameras, such as those made by Axis, are intranet and Internet optimized. They work well with our systems. Fortunately, we built a browser into our front end and added a Web server to support IP cameras embedded into our graphics package. However, it came together easily for us and our customers because both Hirsch and Axis followed IT and Microsoft standards. We have also interfaced to AD digital video recorders using the AD API. The interface for both video and control is via TCP/IP, so the DVR, or DVRs, can be located next to our server or connected via the Web anywhere in the world.

Prokupets: Yes, we have done both extensively. In fact, we deployed the largest IP video installation in the world at Cisco Systems. To date, it has more than 2,600 cameras in operation around the globe. My advice for anyone considering using the corporate backbone for video is to balance customer requirements with available network bandwidth. Understand your system architecture, frame rate, compression rate, and the priority of business applications versus digital video needs based on quality of service, the number of video streams and available bandwidth. With proper design and careful consideration of the bandwidth required for the video stream and the customer's surveillance needs, video applications can utilize the corporate network without interfering with day-to-day critical business applications.

ST&D: What role has IT been taking in the procurement process for security systems?

Prokupets: IT has been taking a very active role, even a proactive one. IT people are principally leading the discussions surrounding security system purchases. They are defining the standards and rules regarding which technologies can be introduced into the corporate infrastructure. The IT department is demanding that security systems be open architecture and corporate standards-compliant, so that such systems can be integrated with existing IT applications and properly supported.

Zivney: Generally, they provide the infrastructure and leave the application expertise to the facilities or security department. They can be friend or foe based on how well we follow their rules and how early we bring them into the process. Obviously, they can reduce the total installed cost because they have a pipe already installed between point A and point B. They also have access to incremental budget dollars, which can be pooled with the security budget to do more with less.

Nilsson: In most cases, IT departments are very active in the procurement process, and in many cases the IT department is driving the process. The main driving factor for making the move to a full IP-based surveillance system is the benefit of having several systems running on the same infrastructure, using the same IP switches and PC servers for video storage and management as for all other IT functions such as e-mail, Web and file servers. Most companies centralize the procurement of IT equipment and standardize on certain brands to keep service costs down.

Lockhart: Depending on the overall impact of the transport and data storage requirements of the system, IT will take a bigger role in the system design and funding. In the case of heavily dispersed remote monitoring and in all cases of IP device purchase and installation, IT will probably take direct control of the project.

Tabib: IT is rapidly replacing the security department in the process of overall design and implementation. One of the main reasons is the fact that security systems are becoming more sophisticated, riding the corporate WAN, and thus necessitate more IT involvement.

ST&D: How commonplace is physical access control systems integration with HR and IS systems provisioning? What factors will accelerate or hinder that trend?

Moss: It's reasonably common in the largest corporations, but not so much elsewhere. Part of the problem is that the enterprise software systems that these corporations rely on are customized during their implementation cycles, so there is no easy way to make an interface that works for all customers. We approach the task of making it easier to exchange data with our systems by supporting open standards such as ODBC and XML. We also export data as CSV files that can be read in Excel or other programs.

Zivney: It is reasonably common now and growing. We see this more frequently when someone is upgrading their existing system and wants to do a one-time import of the existing person and credential databases or reuse existing cards. It is not just HR, but also includes administration as is found on college and university campuses where student enrollment changes perhaps three times a year and involves the dorm, cafeteria management, the student union, computer rooms and labs.

The most significant factor accelerating the trend towards interoperability between the business and building systems in the enterprise is the emergence of standards based on XML and Web services. oBIX (OASIS) is a leader in that effort. BACnet is also developing XML interface standards while simultaneously developing access control protocols to interoperate with HVAC and fire. The DHS is dictating interoperability and demanding standards. SIA is responding aggressively and is now developing new industry standards for interoperability.

Prokupets: For Lenel, it's not a trend; it's a fact of life. In every one of Lenel's mid-size or larger enterprise installations, there is integration with HR and IS systems. Any change in an employee's status, such as hiring, termination or access privilege change, must be immediately reflected in the access control system. There must be automated real-time synchronization of the cardholder data between the security system and the HR system. Without that, there is an information gap, which means that the data exchange must be done manually. That's why such a level of integration is essential if a security system is to be beneficial and effective, if it is to achieve its full potential.

Nilsson: Several of Axis' customers have installed applications with integrated physical access control and IS access control. Other functions that are commonly integrated are network video and HVAC. Typically, only larger corporations with thousands of employees are interested in these fully integrated systems. However, we estimate this to be a growing trend also for mid-size corporations in the near future, further fueling the convergence trend. An improved economy will accelerate the pace in which companies install integrated systems, which will save them money in the long term.

Lockhart: The next paradigm shift will be in how access control is and must be integrated into and with the HR and IT functions. The main drivers are 1. common database with HR/payroll, 2. time and attendance with biometrics and common database, 3. IT cyber and biometric interfaces to control access to input devices, and 4. bi-directional, smart card technologies to update the card, kill it, or perform other transaction-level requirements. Drivers here include HIPAA and Sarbanes-Oxley compliance.

Tabib: For most large accounts, the integration with HR platforms is very common. Using the Software House C Cure 800 product, we achieve that via the use of an ODBC connector. The lack of any standards prevents more sophisticated connections for data exchanges. Recent establishment of the Open Security Exchange Committee will hopefully create a common guideline for all manufacturers to follow.

ST&D: Do you expect to see security solution middleware coming more from the security systems integrator's side or the IT side?

Moss: I'd expect to see it come from the IT side, because the level of complexity of the IT-side products is much higher. Consider an interface between your security system and something like SAP or PeopleSoft. You can bet that PeopleSoft is a lot more complicated than the security system, and the special knowledge to operate PeopleSoft is usually only found in big IT departments.

Tabib: Most large corporations have already shifted a large portion of the security design and implementation to their IT departments. We witness a growing shift from the security manager to the IT manager. Furthermore, most security integrators are not yet equipped to design and deliver a networked solution that is on the caliber expected by the experienced IT department. As such, corporate IT is for the most part charting the way.

Zivney: Neither. The standards mentioned for the previous question will significantly eliminate or reduce the need for middleware. To support the standards and the intent of the standards, the manufacturers will have to step up and ensure the interoperability. If testing labs emerge as they have for BACnet, then third parties such as NIST may step up and validate fundamental interoperability.

Taylor: We are seeing security IT focusing on this presently, but we expect more traditional IT vendors to become influential.

Prokupets: I don't expect security solution middleware to come from either side, but rather from the security system manufacturer. This new software will be available as a security system middleware platform, allowing other manufacturers of security systems, IT partners and independent software developers to build their own security applications on top of the platform. This is really the essence of security middleware.

Nilsson: We see a lot of new companies, many with an IT background, popping up with software solutions for video management applications that can store and manage network video. For the large systems, most middleware applications today come from the large security companies, while the IT companies haven't attacked this higher-end market yet.

ST&D: What are the most confusing (or frustrating) elements or impacts of convergence for customers, integrators and manufacturers?

Tabib: True convergence of physical and IT security is in its infancy. For the most part, within the corporate structure, security and IT are still miles apart; typically reporting to different managers, using different budgets, and utilizing radically different skill sets. As such, a "marriage" or convergence of the information available/needed by each entity is yet to take place. The technology is here. Additionally, the skill set needed to integrate and configure such convergence is yet to be developed by most integrators. Lacking this knowledge makes it difficult for the average integrator to mention, suggest or discuss the benefits of convergence to the end user. A major education process has to continue to take place, through platforms such as this, in order to propagate the needs and benefits of convergence to both the IT and security departments.

Moss: I'd have to say that understanding networks is probably where I see things break down most. Today's IP networks require a lot of special knowledge (although better products reduce the need for that as much as possible). Much of what one has to know about routers, port forwarding, transports, and so on comes from experience. There's no one book that you can just read and figure it all out. I expect to see professional organizations in the industry begin to offer more network training over time. Security installers have to learn about networking or the IT network installers will learn about security equipment first.

Nilsson: As a manufacturer, the most frustrating thing is the time it takes to educate the market, a market which was just recently educated on DVRs being the latest and greatest. It is hard to make them all realize that the DVRs already use yesterday's technology. As with all new technologies, there are a lot of myths that are created because of misunderstandings, rumors and even falsehoods being spread by end users, vendors and channels not benefiting new technologies, or being afraid of change.

Lockhart: The old world analogers do not want to admit that digitization is both inevitable and required. The fact that once in digital format the transport over IP networks becomes natural means a complete shift in skill sets.

Prokupets: Two things come to mind. The first is a lack of understanding of what the word "convergence" implies. Convergence can occur on many different levels: on the physical level, the data level, the middleware level. A point of confusion is that there's no clear definition of what people mean when they refer to convergence.

Zivney: As PC technology moves to the controller level, new architectures will bring new features and benefits. Existing systems can quickly become legacy systems, and manufacturers move rapidly to offer the new technologies. As the new products appear on the market to comply with the new standards and bring more value to the enterprise, there will be significant upgrading of systems not seen since the Y2K gold rush. Of course, once again everyone will have to invest in building competence in the new technologies, especially XML.

Hanseder: Even though the industry is moving towards an IT environment where open standards should become the norm, it does not appear that mainstream products and systems are moving in that direction and adopting an open standard approach as quickly as the market demands. If existing systems remain proprietary, resistance to adoption will force both software and hardware manufacturers to rethink their product strategies.