Real Words or Buzzwords?: Enterprise Class - Part 3

June 20, 2017
A checklist of 24 criteria to evaluate solutions to determine if they truly measure up to the term

Editor’s note: This is the 10th article in the “Real Words or Buzzwords?” series from SecurityInfoWatch.com contributor Ray Bernard about how real words can become empty words and stifle technology progress.

The scope of the term “Enterprise Class” is of sufficient breadth and depth that it requires three articles to cover it. The first article looked at the technology trends having the greatest impact on what Enterprise Class means today. The second article looked at the requirements for Enterprise Class systems that specifically address the needs of applications with high user counts and wide geographic distribution.

This article provides a checklist that security systems integrators, specifiers and end-users can use to evaluate and compare offerings that are labeled "Enterprise Class." The checklist also includes Enterprise Class deployment factors. That’s because if you purchase Enterprise Class technology but don’t provide an Enterprise Class deployment, you won’t get Enterprise Class performance. To rate some of these items for a product under consideration, you may have to visit one or more deployments that are addressing similar requirements to your own. You can also use this checklist to comparatively rate technologies and deployments across multiple sites. This can be helpful for establishing upgrade priorities.

Advancing Technology

It is important to note that, due to the continually accelerating advancement of the information technologies on which electronic physical security systems are built, security systems technologies are also continually advancing. This means that the nature of deploying technology has changed. Gone are the 5- to 10-year rip-and-replace security system life cycles of the previous 40 years. In-place systems must be upgradeable deployments that customers can update and evolve according to their security and business operational needs, as relevant new technology advances become available.

The chief challenge for veteran security professionals (end-user customers) and for security industry veterans (manufacturers and service providers) is to change our thinking to take continual technology advancement into account. When you see super-computers that talk to you being advertised on TV as the “new employee” you can hire (IBM Watson), you know we’re in an entirely new era of computing technology. And it’s just beginning.

Technology advancement itself is just one of the reasons why Enterprise Class has become a moving target. Other reasons have to do with the fact that as technology evolves, so do organizations evolve, and so does the nature of doing business. It’s a changing landscape with rapidly changing risks, and keeping up with this evolving customer landscape is probably the greatest challenge the traditional physical security industry has ever faced.

About This Checklist

Many of these checklist items are not specific to Enterprise-Class applications and could be applied to any application. However, this checklist overall is focused on system attributes that are critical for enterprise-scale deployments. Human workarounds that are tolerable for small systems don’t scale up to larger systems, and this factor is not always considered when expanding from a small-scale deployment.

Note: Don’t excuse any operational shortcoming because “that’s the state of technology today.” Did you know that current-generation motion-detection video analytics automatically account for tree and shrubbery motion, flapping signs on fences, rain, clouds and other non-relevant motion? Regardless of whether a shortcoming could be resolved with current technology, it is important to identify all shortcomings as advancing technology is more than likely to address them.

Enterprise Class Application Checklist

1). High Availability. This applies to cloud data centers, as well as corporate internal data centers, and to servers operating within the data centers. (For example, the data center may have dual power, but does the server have dual power inputs so it can benefit from it? If not, does the UPS the server runs off have dual power inputs? Does the server itself have dual power supplies? These questions are what the Notes field is for.) 

  • Data Center Uptime Guarantee:

o   None
o   99.9%
o   99.99%
o   99.999%

  • Battery Backup:

o   4 hours
o   8 hours
o   24 hours
o   48 hours
o   72 hours

  • Emergency Power:

o   Yes
o   No

Notes: ____________________________________________________________________

2). Reliability. Security systems are complex and reliability must be considered for each aspect of the system. Add to the suggested items below, to include the aspects of the product or system that are operationally important to users, whether highly reliable or not. For items that are not 100 percent reliable, describe or rate the reliability shortcoming. This includes but is not limited to: Camera offline rates, false alarm rates, nuisance alarm rates, detection failure rates, and quality lapses such as jittery or jumpy video.

  • Detection rate:
  • Data capture rate (such as for vehicle plate recognition):
  • Response time to user actions:
  • PTZ tracking:
  • ______________________:
  • ______________________:
  • ______________________:
  • ______________________:
  • ______________________:

3). Data redundancy, backup and recovery. Cost may be a factor depending upon database size. In non-cloud on-premise applications, backups should be automatic, with full weekly backups and incremental daily backups. Cloud-based redundant databases in differing geographic locations can be superior to ongoing backup snapshots, although offline backups may be more affordable if temporary data outages are acceptable.

  • Database redundancy:

o   The set of disks or other media that contain the redundancy set are separate from the disks that contain the datafiles, online redo logs, and control files (Yes / No)
o   The redundancy set is separate from the primary files in every way possible: on separate volumes, separate file systems, and separate RAID devices (Yes / No)

  • Database backups:

o   Backups can be made in real time, without requiring database use to be shut down (Yes / No)
o   Partial recoveries can be made, for cases where data has been accidentally deleted or mistakenly replaced (Yes / No)
o   Both backup and recovery have been tested with your own data (Yes / No)
o   Backup and recovery times are known based upon the nature of your data (Yes / No)

4). Cloud Computing Characteristics. Many capabilities, including anytime/anywhere application access, require cloud computing. Some applications are hosted in the cloud, and are web-based, but are not designed as true cloud computing applications. By this I mean that they don’t support the five essential characteristics of cloud computing as defined by NIST: on-demand self-service, broad network access, resource pooling, rapid elasticity or expansion, and measured service. The application attributes below go beyond what NIST defines for cloud computing, but that’s because we’re considering qualifications for the Enterprise Class label. Cloud systems provide many high-value capabilities that are only available via a cloud-based service. Thus, the capabilities of cloud-based applications are on an accelerating growth trajectory, while those of client-server based systems are not.

  • Cloud-based Application:

o   Fully-cloud based
o   Some features available via cloud-application
o   Cloud application is on the manufacturer’s roadmap
o   No plans for cloud application

5). On-demand self-service/measured service. This essentially is self-service provision of application features: activating the service is the same as placing an order for it, and you can add and remove features from the cloud application according to the basis of your subscription (often monthly). What’s great about this is that you get to try out a feature for a nominal cost, without jumping through hoops to do so. No emailing of license files, no reseller or manufacturer participation needed.

  • Feature activation:

o   Instant self-service activation (Yes / No)
o   Instant self-service de-activation (Yes / No)
o   Billing is done upon completion of each month’s usage - pay only for what you use (Yes / No)
o   Subscription scales with actual system use, by users and by feature selection (Yes / No)

6). Broad network access. This is an availability characteristic – not by time like 24/7 but by location based upon availability of Internet access: 

  • Feature availability via computer (PC, laptop, large tablet):

o   All desired features
o   A subset of desired features
o   Some important features are not available

  • Internet-connection based feature availability via mobile devices (smartphone, tablet):

o   All desired features
o   A subset of desired features
o   Some important features are not available

Notes: ____________________________________________________________________

7). Rapid elasticity or expansion. For example, adding new cameras automatically adds the appropriate storage to the subscription, based upon the length of the video retention period selected.

  • Rapid elasticity or expansion is provided for:

o   All appropriate features.
o   All features we need to be elastic.
o   For some features, but not according to our desires.

Notes: ____________________________________________________________________

8). Application Updates. Cloud-based applications are typically built using a continuous development/continuous delivery approach. Application updates are usually performed monthly or every two weeks, sometimes weekly. System performance is monitored closely in real time, so that any potential bottlenecks or other performance decreases can be identified and quickly remedied. Testing and deployment are mostly automatic processes, utilizing cloud-based tools designed to eliminate human errors and speed up incremental rollouts while reducing the risk of problems being introduced.

  • Updates are performed:

o   Every two weeks
o   Monthly
o   Quarterly
o   Per published schedule
o   At the discretion of the manufacturer

9). Application Roadmap. Executing continuous delivery requires a roadmap. Failure to have a published roadmap for a cloud-based application usually means that development is not predictable, or that the application is new enough that prioritization is based upon the needs of the expanding subscriber base, and thus changes over time.

  • Application Feature Roadmap is:

o   Published to one year out.
o   Published to six months out.
o   Published to three months out.
o   Not published but sharable under NDA.
o   Not published or sharable.

Notes: ____________________________________________________________________

10). Operator Permissions. The larger the deployment, the more important these features become.

  • Manage by operator classes or categories or roles:

o   Yes
o   No

  • Do roles support inheritance (such as Supervisor inherits Operator permissions):

o   Yes
o   No         

  • Manage by user-defined operator groups across categories (e.g. areas, regions, shifts, facility type):

o   Yes
o   No

  • Granularity of permission settings matches operator job roles and responsibilities:

o   Good match
o   Poor match

  • Permissions settings can be cloned or copied when creating new categories

o   Yes
o   No

  • Authorization to define operator permissions can be delegated by region or other criteria:

o   Yes
o   No

  • Reporting for operator permissions is highly useful:

o   Yes
o   No

11). Audit Trails. This capability traditionally has varied widely between otherwise similar products.

  • All operator control actions are logged.

o   Yes
o   No

  • All operator individual edit actions are logged (such as changed name, changed address).

o   Yes
o   No

  • Audit trail change record includes “before” and “after” data record snapshots?

o   Yes
o   No

  • Audit trail timestamps include operator’s time zone.

o   Yes
o   No

12). Manageability. Rate the ease with which the system can be managed.

  • Administering the system is quick and easy.

o   Yes
o   Mostly
o   Partly
o   No

  • Administrative human errors are:

o   Rare
o   Occasional
o   Frequent

  • Reports are easily customizable.

o   Yes
o   No
o   Only using third-party tools like Crystal Reports

  • Using 3rd Party reporting tools is well-documented

o   Yes
o   No

  • Using 3rd Party tools does not require non-secure access to databases

o   Yes
o   No

  • Are workflows supported by wizards or forward/back functionality?

o   Yes
o   No

  • Are mistakes easily undone?

o   Yes
o   No

  • Is it easy to “get lost” in the application:

o   Hard to lose your place
o   Easy to lose your place

13). Operability. Rate the ease with which the system can be operated.

  • Most commonly performed actions are available on a single screen or page:

o   Yes
o   No

  • Most commonly performed actions require minimal selections or clicks:

o   Yes
o   No

  • Sequences of actions can be defined using a “macro” capability:

o   Yes
o   No

14). Integration. This covers built-in and custom integration.

  • All needed integrations are built-in and user-configurable

o   Yes
o   No – custom programming is required

  • Built-in integration capabilities are sufficient

o   Yes – all needs covered
o   No – functionality is only partly implemented

  • An API is available for custom integrations

o   Yes
o   No

  • API is well-documented

o   Yes
o   No

  • API is usable by our in-house IT capability

o   Yes
o   No

  • API Security is implemented

o   Yes
o   No

  • API Availability

o   Free to all
o   Free to integration partners
o   Reasonable license fee applies
o   Integration license is costly

15). Suitability. Enterprise Class applications are often feature-rich, and that can sometimes result in a feature-overload experience. Some applications provide a selectable list of configurations, to provide a good starting point based upon your size and type of organization. Some applications have different “editions” of the application, which provide a single pre-configured starting point. Others provide software wizards to guide users through initial configuration, or configuration by sections of the application. Sometimes the application is designed with just a single type of business in mind, but allows delegation of feature use for central, regional and local use.

  • Suitability:

o   A special edition fits our organization type and size
o   Configuration for organization type is selectable
o   Documentation and help provide acceptable guidance for configuration and use
o   Global configuration allows inapplicable areas of the application to be hidden for all
o   User permissions enable hiding inapplicable portions of the application based upon roles and responsibilities
o   Application is not configurable, we will have to ignore what doesn’t fit

16). Localization.

  • All needed languages are:

o   Fully supported
o   Supported only in operations functions
o   Supported only in administrative functions

  • Localization support:

o   Users can implement localization.
o   Localization is factory-only

17). Time Zones.

  • Event, alarm, log, comment, activity and audit records are timestamped including time zone.

o   All
o   Most
o   Some
o   None

  • Time zones are shown in real-time multi-site information displays.

o   All
o   Most
o   Some
o   None  

18). System Compatibility. Integrates or interacts with existing deployed technology.

  • Fulfills all requirements
  • Fulfills some requirements
  • Not compatible 

19). Data Compatibility.

  • Data sharing or integration with IT systems.

o   Out-of-the-box compatible.
o   Custom programming required.
o   Not compatible.

  • Transaction rates.

o   Proven to handle anticipated volume
o   Volume capacity unknown

  • Reported error/problem rates. Reference sites report:

o   No data sharing/integration problems.
o   Problems were overcome.
o   Minor tolerable problems.
o   Significant ongoing problems. 

20). Training. The technology trends are for self-evident system use, miniature help links, instantly available online help, and no training required.

  • Formal training is required:

o   Days
o   Hours
o   None

  • Formal training is available:

o   Online
o   By Integrator
o   By factory

21). Force Multiplier Rating. Applications should enable users to get more done in less time, compared to working without the application or with legacy or earlier generation applications. Automation can be a big factor in the force multiplier effect.

  • Productivity:

o   More than triples individual productivity
o   Doubles individual productivity
o   No time-related productivity increase, but reduces errors and stress.

  • Enablement

o   Can accomplish things not possible otherwise
o   Requires less experience/skill than other applications
o   Provides reports, dashboards, etc. not otherwise available to stakeholders

22). Dashboards. Dashboards are important for quickly assessing status.

  • Dashboard real-time operational value

o   High – meets all needs and wants
o   Medium – saves time but could include more information
o   Low – don’t contain needed data

  • Dashboard customization

o   Easily customizable
o   Slightly customizable
o   Not customizable

23). Cyber Security. An often overlooked but critically important factor.

  • Built-in cyber security capabilities are documented

o   Well
o   Poorly
o   Not at all

  • Out-of-the-box security profile

o   Defaults to most secure profile
o   Defaults to least secure profile

  • Conformance to standards

o   Appropriate
o   Easily Configurable
o   Less than desired
o   No standard followed or applied

  • Penetration Testing

o   Ongoing
o   Periodic
o   Occasional
o   None

  • Third-Party Cyber Security Certifications

o   All applicable
o   Some applicable
o   None

24). Scalability. Technology is evolving, so this rating accounts for that. Scalability is:

  • Proven to fit our specific current and future needs
  • Proven to fit our current needs, future needs are on manufacturer’s roadmap
  • Documented by 3rd-party testing
  • Asserted but unproven
  • Unknown

For your convenience, download a Microsoft Word version of this worksheet so that you can:

  • Have an editable electronic copy
  • More easily make notes
  • Edit it for your specific purposes

If you know of an Enterprise Class attribute that you think should be on this checklist, please tell me about it.

About the Author:

Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC), an active member of the ASIS International member councils for Physical Security and IT Security, and a regular technology columnist for Security Technology Executive magazine.