Prepare for Identity Management in Physical Security to Change Drastically


Smartphones & Big Data

Many of our everyday online activities rely on authenticated digital identities, cloud data resources and mobile convenience. As all of us come to depend more on smartphone functionality (pay at the pump, ATMs, building access, network access, etc.), the digital credential and logical access via cloud apps will eventually replace the physical card.

It is easy to overlook the complexity that convenience may add to physical security planning. In the very near future, the C-Suite will demand that security professionals find strategies to allow the convenience of these new technologies, WHILE MANAGING THE SECURITY VULNERABILITY.

If you have not already begun the research into this new technology, start now:

https://www.hidglobal.com/solutions/mobile-access

Our Greatest Security Challenge

This will be the greatest challenge the security industry has faced in the last 20 years. Big Data and The Cloud will be our society’s future and the C-Suite will demand it. You think not? All of us will demand it. Whether it is employees, consumers, clients… we will all come to expect the convenience of managing/controlling both Internet-of-Things (IoT) connected devices and Cloud apps from our smartphone.

If you don’t think technology convergence is happening in the security space today, think again. Information Security (InfoSec), Network Security (IPSec) and Physical Security (PhySec) will all bleed together, because they must! In order to protect our assets (people, places, things) in this new emerging world, these disciplines will lean on each other to develop strategies that don’t exist today. I hope we are all up for the challenge and enough of us see the future to remain relevant in this changing landscape.

Why Ring the Bell Now?

After reading the article below, I decided it was time for me to emphasize this message. I didn’t think CIOs were ready to accept this technology yet and deal with the vulnerabilities it brings, but ATMs are too mainstream. The future is closer than I realized. Take a look…

https://www.yahoo.com/tech/smartphones-replace-cards-bank-machines-031358234.html

If you would like to discuss this, or other security topics, please contact Doug via LinkedIn. Also, take a look at his LinkedIn Discussion Board Security Convergence, or his Twitter feed @DLIPTech.

This site is maintained by Douglas Levin. It is intended to be a personal professional blog. The content reflects my personal opinions and observations regarding the Physical Security industry and Technology Sectors. The opinions expressed herein reflect my personal viewpoint/ideas and do not in any way represent the position of any other person, organization or company.


76 Percent of Organizations Breached in 2015


This figure was both a surprise… and not. The majority of cyber attacks are not reported, for good reason. It is embarrassing for private enterprise to publicly report a data security breach. There is an obvious negative impact on public opinion, shareholders, etc.

Most security directors are unaware of the pervasive cyber vulnerabilities inherent in many of the technologies they deploy. There are encryption and identity management solutions for physical security systems that can manage this risk. The need for more collaboration between Physical Security and InfoSec Consultants is very real. As related industries, we need to improve the quality of the overall solutions being offered to our end-user partners. I have listed a few important excerpts below:

From “SIA Update” dated February 22, 2016:

According to the 2016 Cyberthreat Defense Report, 76 percent of responding organizations were affected by a successful cyber attack in 2015 – up from 70 percent in 2014 and 62 percent in 2013.

Free copy of the Cyberthreat Defense Report at: Cyberthreat Report.

  • Endpoint protection revolution. For three consecutive years, respondents have expressed growing dissatisfaction with their current endpoint security defenses. This year, a whopping 86 percent have expressed their intention to replace (42 percent) or augment (44 percent) their current endpoint protections.
  • BYOD backpedaling. The percentage of organizations with active BYOD deployments has dropped for the third consecutive year – from 31 percent in 2014 to 26 percent in 2016.
  • Must-have network security investments. Next-generation firewalls are the top-ranked network security technology planned for acquisition in 2016, followed by threat intelligence services and user behavior analytics.
  • Mobile devices “still” in the crosshairs. For the second consecutive year, mobile devices are perceived as IT’s “weakest link.” In total, 65 percent of respondents witnessed an increase in mobile threats over the prior year.
  • Malware and spear-phishing continue to cause headaches. Malware and spear-phishing top the list of cyberthreats causing the greatest concern among respondents for the third-consecutive year.
  • Massive exposure to SSL blind spots. Only a third of responding organizations have the tools necessary to inspect SSL-encrypted traffic for cyberthreats, revealing a gaping hole in enterprise security defenses.
  • Employees are still to blame. For the third consecutive year, low security awareness among employees tops the list of barriers to establishing effective security defenses. Survey participants are also concerned with an overwhelming volume of security event data, lack of skilled personnel, and lack of available budget.

Complete SIA Update dated February 22, 2016 at: Feb SIA Update.


This site is maintained by Douglas Levin, PSP, AHC, LEED AP. It is intended to be my personal professional blog. The content reflects my personal opinions and observations regarding the Physical Security Systems industry and Technology Sectors. The opinions expressed herein reflect my personal viewpoint/ideas and do not in any way represent the position of any other person, organization or company.


The Most Basic Physical Security Vulnerability


Mechanical Key Override

I am so often amazed to see Security Integrators uninterested in the end-user/owner’s decision on how to manage a mechanical key override solution for electronic access control. This is the most severe, easily recognized vulnerability in the entire continuum of security applications. Every organization’s greatest fear and biggest dirty little secret is: Lost Masterkeys. Do security integrators factor in a client’s lost masterkeys in the system design? In a career of private conversations with facilities operations teams, I can emphatically say, no one has told me they have never lost a masterkey.

Must Have / Can’t Have Dilemma

As any honest consultant will tell you, failure rates with electro-mechanical and electronic equipment are very real. Two problems arise when access control solutions fail: doors allow unauthorized access, or doors do not allow authorized access. Each is equally problematic… one for security reasons, the other for the customer inconvenience. In my experience, at least a third of access controlled doors in the U.S. are not designed with fail-secure applications (mag locks) and if you install battery back-up, do the batteries get inspected regularly? The second scenario may be worse: Door Forced. So what does the industry do? Deploy the generally accepted emergency solution: mechanical key override. Here is the head-scratcher: when locksmiths are left on their own, these cylinders are KEYED INTO existing systems, rather than keyed differently – adding all the vulnerabilities that come with it.

How Old is Pin Tumbler Technology?

Pin tumbler cylinders were invented approximately 160 years ago. So, even when working with the most recent access control solutions, we are still depending on the performance of a 19th Century technology to deter unauthorized access. That vulnerability is not strictly defined as a professional criminal picking the cylinder. Today, any kid with two photos of a key (patented keyways too), a CAD program and a cheap 3D printer can duplicate a key.

Depending on 160 Year Old Tech, IS there an Answer?

There is a new generation of “key” technology today. The “key” here (pun intended) is an electronic format with a loaded credential carrying an authenticated “digital identity” within. This technology has been kicking around for about 10 years in the banking, retail and municipal sectors, but has only been introduced to the broader security market in the last few years. These electronic credentials are managed by self-hosted, or cloud-hosted software in a central server based environment. This IS the next generation in “key” control. A battery in the key is charged weekly and provides power to the credential (key) and electronic cylinder (when inserted). There is a mobile programming device that is capable of pairing via Bluetooth to your cell-connected smart phone, loading/updating credentials and user permissions real-time to/from the server. The solution includes audit trail capability for both key and cylinder, but also has more advanced features such as: expiration of keys and the ability to re-key entire buildings at no cost. Interestingly enough, discussions have begun to integrate these solutions with major access control software, so key management can be integrated into identity management. What a powerful combination!


This is NOT Traditional Electronic Access Control!

While there are features in common, the real value becomes clear as the next generation of key control. I have seen it used as an access control solution, but in that application it offers a limited feature set, primarily: electronic credential management, schedules and audit trail. Just as a quick measure, the solution is roughly 1/5 to 1/10 the cost of traditional card access control per opening.

Risk Mitigation

Traditional key management touches so many roles: property managers, facilities managers, security managers and yes, risk managers. Now that current technology options exist for key control, those responsible for risk management should be looking at this type of solution long and hard. If we stop sweeping under the rug the issue of lost master keys and the high probability of the associated vulnerability it represents, the ROI becomes VERY clear. At a minimum, this tech makes sense for all exterior doors. Common locksmith practice is to key exterior doors separately, because of the probability of lost key events. Instead of the mechanical interim solution, deploy something more permanent and eliminate recurring re-keying costs.


Reality Check: Critical Info Transmitted via Simple Bit Data?


What Information Should We Trust?

In business meetings recently, the issue of data encryption arose and it jolted me back to reality. Most physical security professionals seem to think Information Security (InfoSec) – IS ONLY – IP Security (IPSec). Everyone wants to discuss data security issues related to IP Infrastructure. That is the MORE secure data infrastructure associated with Physical Protection Systems today and needs only minor attention.

In Wiegand We Trust?

Too many professionals today think only in terms of secure data transmission from the controller to the server, but the greatest vulnerability is actually from the reader to the controller! Two copper conductors (+ground) carry bit format identity data (Wiegand) from the reader to the controller in what must be over 90% of the private sector systems currently installed. When I explain this to security engineers, they look at me like I am from another galaxy, far, far away (are the Star Wars references getting old?)… but then for some it dawns on them… and I get the question: what are my options?
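To make "simple bit data" concrete, the sketch below decodes a 26-bit Wiegand frame the way a controller does and shows what the frame does and does not carry. It is an added example, not code from the original post; it assumes the common 26-bit layout (leading even-parity bit, 8-bit facility code, 16-bit card number, trailing odd-parity bit), and the facility code and card number are constructed sample values.

```python
"""Decode a 26-bit Wiegand frame and show what protection it carries.

Added illustration. Assumes the common 26-bit layout:
  bit 0      even parity over bits 1-12
  bits 1-8   facility code
  bits 9-24  card number
  bit 25     odd parity over bits 13-24
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class WiegandFrame:
    facility_code: int
    card_number: int
    parity_ok: bool


def encode_26bit(facility_code: int, card_number: int) -> str:
    """Build the bit string a reader would clock out for this credential."""
    if not 0 <= facility_code <= 0xFF:
        raise ValueError("facility code must fit in 8 bits")
    if not 0 <= card_number <= 0xFFFF:
        raise ValueError("card number must fit in 16 bits")
    data = f"{facility_code:08b}{card_number:016b}"
    even = str(data[:12].count("1") % 2)        # first 13 bits end up even
    odd = str((data[12:].count("1") + 1) % 2)   # last 13 bits end up odd
    return even + data + odd


def decode_26bit(bits: str) -> WiegandFrame:
    """Recover the identity fields; no key or secret is needed to do so."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("expected 26 characters of '0'/'1'")
    even_ok = bits[:13].count("1") % 2 == 0
    odd_ok = bits[13:].count("1") % 2 == 1
    return WiegandFrame(
        facility_code=int(bits[1:9], 2),
        card_number=int(bits[9:25], 2),
        parity_ok=even_ok and odd_ok,
    )


def flip_bits(bits: str, *positions: int) -> str:
    """Return a copy of the frame with the given bit positions inverted."""
    out = list(bits)
    for pos in positions:
        out[pos] = "1" if out[pos] == "0" else "0"
    return "".join(out)


# Constructed sample credential (not a real card).
SAMPLE_FRAME = encode_26bit(facility_code=42, card_number=12345)


def audit_frame(bits: str) -> dict:
    """Summarise which protections the wire format provides."""
    frame = decode_26bit(bits)
    one_bit_error = decode_26bit(flip_bits(bits, 5))
    two_bit_error = decode_26bit(flip_bits(bits, 23, 24))
    return {
        # Identity fields are readable by anything connected to the wires.
        "identity_in_cleartext": (frame.facility_code, frame.card_number),
        # Parity notices a single flipped bit (line noise)...
        "single_bit_error_detected": not one_bit_error.parity_ok,
        # ...but a two-bit change in one half still passes, with a different
        # card number, so parity is not an integrity or authenticity check.
        "two_bit_error_detected": not two_bit_error.parity_ok,
        "card_number_after_two_bit_error": two_bit_error.card_number,
        # The same credential always produces the same frame: there is no
        # session key, counter or challenge that makes one read unique.
        "frame_identical_on_every_read": bits == encode_26bit(
            frame.facility_code, frame.card_number
        ),
    }


if __name__ == "__main__":
    print("frame on the wire:", SAMPLE_FRAME)
    for key, value in audit_frame(SAMPLE_FRAME).items():
        print(f"{key}: {value}")
```

The only check in the frame is parity, which is why the reader-to-controller link needs either physical protection of the cable run or an encrypted, supervised protocol.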

Encrypted IP Data from the Card Reader?

Several companies already have products offering IP Data solutions, but the breadth of the available product is limited. As a result, all the major security software developers are moving toward an encrypted serial data protocol that I have mentioned on this blog before: Open Supervised Device Protocol (OSDP). It definitely has its advantages over Wiegand… but I must ask, what the heck is the industry doing? 

Encrypted Serial Data Preferred Over Encrypted IP?

Do we in the security industry truly believe we are doing the end-user community a service by introducing a decades old technology that will need to be replaced in 5-10 years? Yes, I understand the idea of isolating data AWAY  from the vulnerabilities of the LAN/WAN infrastructure, but do we really believe system specific serial networks will be the future of security systems?

Information & Data Security FINALLY Addressed in Physical Security

OK, I am very happy to see Physical Security equipment manufacturers finally understanding the horror seen in an I.T. Director’s eyes when they are first told your IP Controllers will be installed on THEIR network. None of us can afford to be disengaged from this discussion. Card Access and Intrusion design must express as much concern for data security, as physical deterrence features. OSDP is being introduced to address this concern.

SMART  Technology Investment

Security Directors, consider this topic carefully, especially those of you collaborating with I.T. Directors… If we all agree that data vulnerabilities should be addressed and funding has been allocated to mitigate the risk, shouldn’t you be investing in the latest technologies? IP Data via LAN/WAN Infrastructure CAN be secure, if it is designed properly. If your technology partners do not offer solutions that can provide this, apply pressure for them to develop it. IP-Based Technology AND Solutions have been available for years now.


Maintaining Relevance in a Dynamic Landscape


Now, there’s the rub! Is the consultant addressing topics relevant to the client’s perceived need, or just addressing his/her area of expertise?

We live in a world where organizations face a diverse array of threats. The daunting task of the Security discipline is assessing the associated risk and prioritizing limited resources to address mitigation. During the discovery process, sometimes I can see clients running through the inventory in their heads… controlled access, monitored access/intrusion, forensic or active video surveillance, hardening networks, improving identity management, information security (etc.). The validity of such an assessment depends heavily on understanding the values and mission of an organization. Protecting assets can take many forms: human, equipment, financial and intellectual resources, even a company’s reputation.

How does a prospective client determine which potential partner can provide the greatest value in addressing their needs?

The key deciding factor should be a demonstrable understanding of the unique environment in which each organization operates and the challenges faced. As specific expertise seems to be required, the understanding narrows to smaller and smaller subsets of potential threats… and relevance slowly diminishes.

Maintaining Relevance

The majority of end-users depend on their partners (consultants/contractors) to help them understand their vulnerabilities and address them effectively. In a security continuum where there are so many competing messages, most value propositions tend to become garbled and difficult to evaluate. Let’s look at perceived value defined for a few different disciplines:

Physical Security

Dealing with theft, external and internal violence, unauthorized access to critical areas, vandalism (etc.), a physical security focus brings the tried and true principles of detect, delay and deter concepts. There tend to be numerous vulnerabilities in this category that require experience and training to address. The complexity of designing site, building perimeter and interior security solutions can be difficult to perform effectively, requiring years of experience with cameras, sensors, reader technologies and their integration.

Identity Management

In my opinion, this is a category unto itself. I have run into very few physical security professionals that understand this discipline well. Identity management is NOT printing a photo on an access control badge.  It represents using Active Directory Services to achieve authentication in BOTH LAN/WAN/Cloud data communication and Physical Protection System (PPS) environments.

Hardening Networks

Encryption, Encryption, Encryption. Why are IP networks fully encrypted, while access and intrusion monitoring data infrastructure is not? Food for thought, 128 bit AES encryption is not the highest order of encryption… Is physical access to switches and servers strictly controlled?

Information Security

I am now being asked, “do software apps managing access control use open source code?” Do IP Edge devices (controllers, cameras, etc.) have protection schemes for Denial of Service (DOS & DDOS) Attacks? Does all data communication utilize password protected encryption keys? Is dual authentication available? Can credential technology support network identity management? There is an answer for each of these questions in both network and application environments. Let’s get engaged and begin the discussion…

Relevance is TEAMWORK!

The most difficult transition I had to make in my long career, was moving from an individual to team performance focus (topic for another article). The complexity of leading technologies, latest software and evolving threats demand specialists able to address these areas both individually and together. Any one person working independently is unlikely to grasp the entire picture. The answer is to bring a team together with a basic understanding of these disciplines and capable of coordinating design and deployment to deliver the best solutions addressing the client’s broader needs.

So, which discipline offers the greatest security value? None individually… the best risk mitigation will always come from effective multi-discipline teams!


Security Automation: Responding to Disruptive Technology


Is this War, or an Opportunity?

After taking a short few weeks to investigate the InfoSec space and speak with several ISC2 certified CISSP’s… it would appear the convergence and overlap of Data and Physical Security is creating misconceptions regarding roles for effective protection of assets. A few gentlemen I spoke with felt Physical Security is merely a subset of the much broader Information Security category. The comment really had me thinking. This perception must certainly be caused by poor communication between the two disciplines.

How do we fix this?

Demand for convergence is so high with end-users, InfoSec needs are starting to drive Physical Security requirements. As Physical Security Professionals, if we don’t start embracing this trend, the new CISO executives will  become THE “C” suite security officers.

As I begin to engage both sides of this debate, I sense both curiosity and competitiveness emerging. On the ISC2 side, some have expressed the belief they are better prepared and uniquely qualified to handle BOTH Information AND Physical Security management, planning, design, etc… The InfoSec world is very aware of Physical Security, while I find the reverse is not necessarily true. On the ASIS (American Society for Industrial Security) side, InfoSec is being seen as a parallel industry, with little impact on our disciplines and trades. Neither of these viewpoints is close to the truth. Successful people are bound to tap into their competitive nature and whether this translates into a perceived advantage, or ignoring the convergence… this is the wrong track. I have been sharing a message for all who would hear for a year now… the bright new future will require both disciplines in cooperation, to properly deploy security plans/systems.

Embracing the “Dark Side”

Okay, so maybe the title is a cheap “Star Wars” rip-off, but it truly represents the challenge. In the recent IP Video Camera years, most traditional security contractors struggle with LAN/WAN connectivity and data security. Typical proposals exclude any associated impact on network infrastructure. In the past three years, I have heard it said to the end-user so many times, my head hurts: “the connection to the network is not my problem.” Conversely, I am also tired of the I.T. Director telling me: “you will not put that cr@p on my network!” This has to be a two-way street. For effective protection of assets, the answer should come from both sides embracing each other’s world and finding the compromise somewhere in the middle.

Compete with InfoSec and I.T., or Partner?

Choosing ignorance and denial and competing with cabling/network contractors and InfoSec consultants will not be a successful strategy in the long-run. LAN/WAN/Cloud is here now and is the data solution of choice for the private sector. It is clear, the best answer will come from education. ASIS and ISC2 should be pursuing an industry alliance. We need to look at each other’s value and find where they complement each other in the planning and successful deployment of systems.

Defining Roles and Examining Cooperation

In the future, I will attempt to examine what that cooperation might look like and how to define and separate roles. I will attempt to look at this from both sides and find the path to the middle. I am looking forward to the challenge and I hope to learn much along the way.


Security Fears vs. Awareness


I had an interesting conversation last year with a Data Security Consultant, Mark Turturo, CISSP. I have been working since then to better understand the mission of these professionals and their relevance to the physical security specialist. I operate in a business community dominated by ASIS certified CPP’s and PSP’s and BICSI certified RCDD’s.  There has been slow progress, but I am coming to understand how an ISC2 certified CISSP can impact security design and the role they play in vulnerability and risk assessment.

Examining Related Industries

I have spent an entire career learning how to design and deploy solutions that Deter, Delay and/or Detect physical access to a site, or building. What I have come to learn is this is only the beginning in the bigger picture…

In a Physical Protection System design capacity, I rarely thought to assess vulnerabilities introduced by the data infrastructure, or the software application(s) supporting its functionality. The CISSP offers the perspective that evaluates these concerns and more. I spent 90 minutes discussing securing source code, data encryption formats and not just identity verification, but data source authentication. My head was spinning! Previously, my design concerns were focused on better integration and inter-operability and now I realize, these are just a few of the coming challenges we will be facing.

This category of consultant pulls back the curtain and questions the secure nature of the platforms we physical security professionals regularly deploy without question. This idea of software and networks having a “back door” is scary stuff! I typically think of my greatest challenge as asset protection, but without data security ensuring the integrity of these systems… it all becomes irrelevant.

Fear Versus Awareness

Mark and I worked our way through data security concerns such as hackers capitalizing on network vulnerabilities and malicious code in firmware and drivers, in addition to core applications. My first thought as I was listening to Mark was, “this is too advanced for the average end-user”, but I am learning these attacks are becoming a common occurrence. As I evaluate the importance of the contribution offered to systems design by the information security consultant, it is becoming clearer… the physical security industry should be keenly aware of the influence this other discipline is having on our common clientele. The typical security contractor still regularly deploys old card access credential technologies where digital identities can be cloned and data transmission technology can be simply intercepted to spoof credentials. There are technologies available today to eliminate these vulnerabilities… why isn’t the physical security community discussing these issues with clients? I understand these topics can cause fear in the user community, but isn’t it our responsibility to provide proper advice regarding the entire spectrum of risk and liability? If this does not become part of a physical security consultant’s repertoire… our relevance will be put into question. Here is a great example… McAfee produced a white paper on Proximity Card vulnerabilities at: McAfee White Paper. Why does McAfee (Anti-Virus  Developer) feel the need to be evaluating physical security credential technology?

Where Next?

I will be making this education a priority in coming months. I am hoping to have my employer authorize trips to events such as: RSA Conference, BlackHat Briefings and ISC2 Secure Events. I will be reaching out to more data security professionals and searching for convergence in our disciplines… actively looking for areas we can find partnership in adding value for our common clients. It is my hope that strategic alliances will bring these two perspectives together.

A BIG thank you to Mark Turturo for a beginning education into his world! Douglas Levin is a consultant employed by ASSA ABLOY.


Differentiating System Integration as a Service


Professional Services Role in Physical Security

I find it interesting to note that most manufacturers in the security industry call their channel partners “Security Integrators”, rather than Security Contractors. It represents a fundamental misunderstanding of system delivery business models. Does this miscalculation represent a hopeful wish to magically transform their dealers into the true Value Added Re-Sellers (VAR’s) needed to improve market share?

In my previous sales and marketing roles,  equipment sales was focused on efficient and effective applications engineering. This was appropriate in the technology landscape of the 90’s and 00’s. The need to move on from this mindset is critical in today’s world. The pervasiveness of IP Data, LAN/WAN, Edge IP Devices, PoE+ Power Distribution, Cloud Computing, Advanced Data Encryption and Certificate-Based Identity Management… have built a framework requiring a “Systems” approach to automation technology. Companies unable to bring a true “integration” focus to their client base will be left behind.

Integrator vs. Contractor

  • What is a Security Contractor? For construction projects, these companies estimate card access, intrusion alarm and video surveillance systems from specifications and bid projects. Upon award, they supply and install equipment, pull and terminate wire  and load software. For retrofits and upgrades, they follow owner’s direction to price and deploy systems strictly within the parameters of their narrow focus.
  • What is a Security Integrator? A company that looks for system installation projects with opportunities to add value through site survey, consulting, designing new, or improving poorly engineered scopes of work. For retrofits and upgrades, they focus on discovery (End-User Needs Assessment) – understanding a prospect’s priorities based on asset values, and operational concerns while helping to evaluate threats, risks, site requirements and performance of existing systems. These activities are essential to addressing vulnerabilities and tailoring solutions.

Company #1

By definition, they use old technology to deploy the same solutions being installed time and again – regardless of whether the square peg fits in the round hole.

Company #2

Discovers a partner’s pain points and customizes solutions to assist in mitigating risk, reducing operating expense and improving efficiency and effectiveness.

Why should we examine these two business models?

Company #2 must employ trained, experienced professionals in sales, design and installation roles. This requires higher operating costs and higher gross profits to fund reinvestment. Here is another example of the typical conflicting business models: lean logistics versus value added service. That is why company #2 can survive only if they deliver real, results based solutions and convey their value proposition effectively to their clients. Part of the Company #2 mission is to seek out new technologies, products and systems that allow them to offer the BEST solutions available to provide measurable results.

Company #1 does not have the skills inventory to be an integrator and will not survive over the long term. The only scenarios where logistics models are successful are when cost control and scalability are leveraged – making them excellent targets for acquisition. There will always be another company out there bigger and more efficient.

Company #2 will foster customer satisfaction and loyalty, generate higher profits and NEVER be caught unaware by industry disrupting technologies.

Defining Professional Services

Assessments

Evaluating: risk, vulnerability, site conditions, system obsolescence, infrastructure

Determining Needs: improving efficiency, effectiveness and cost control, technology and investment planning

Solutions

  • Increasing data bandwidth to support more robust systems
  • Leveraging new technologies to enhance functionality
  • Offering new system capabilities via improved inter-operability from integration of related systems
  • Eliminating administrative overhead via shared data across multiple databases
  • Better client decision making through education and advice
  • Network optimization
  • Providing API’s, DDE and managing identity certificate handling
  • Offering trained certified employee services: PSP, CISSP, DBA, MCSE, etc.

Burglar Alarm (Intrusion Detection) Contractors

This is another often misunderstood channel. Intrusion detection is most often tied to offsite monitoring contracts. This industry is defined by the recurring monthly contract revenue business model embraced by these companies. Burg is a reactive approach to security and is much less expensive than the proactive access control approach. Both have their place in an overall layered security plan… but don’t mistake a burg contractor for an integrator. Top-notch security integrators will be capable of deploying both types of systems *and* offer monitoring services.

Competing, Conflicting Channels

When I assess a metro market – FIRST, I discover and separate the network/structured cabling contractors, security integrators, security contractors, burg contractors and miscellaneous players (i.e. commercial locksmiths). Understanding HOW different channels deliver systems to the market:

  • Understanding the role these different types of companies play in serving the overall market is the key to manufacturers developing an effective go-to-market strategy and finding the best partners for specific technologies to minimize channel conflict

If you would like to discuss this, or other security topics, please contact him via LinkedIn. Also, take a look at his LinkedIn Discussion Board Security Convergence, or his Twitter feed @DLIPTech.

This site is maintained by Douglas Levin, PSP, AHC, LEED AP. It is intended to be my personal professional blog. The content reflects my personal opinions and observations regarding the Physical Security Systems industry and Technology Sectors. The opinions expressed herein reflect my personal viewpoint/ideas and do not in any way represent the position of any other person, organization or company.


Changing Face of Social and Business Media


WordPress, LinkedIn, Facebook, Google+, etc…

These services have begun making subtle changes. What I used to think was a modern marvel and the key to providing open access to ideas and improved communication is becoming something else. I don’t believe there is nefarious intent. It is more the impact of optimizing for mobile data connections and hand-held devices. These and other sites are beginning the move and the result is horrifying.

 


Changing Interfaces and Platforms

I have noticed many social and business media outlets slowly eliminating enhanced features and streamlining for the upcoming change. The dumbing-down is becoming a natural consequence of the hand-held and wear-ables phenomenon. In the same way most lost the individual skill to write letters when email arrived, quantity of information and access is beginning to replace content. Rich content is too difficult to deliver over the coming technologies. Are our media moguls betting we will accept greater access and connectivity as an alternative? This continuing loss of thoughtful content and movement towards written sound-bytes is frustrating at best. It reminds me of the world recap in 30 minutes on the evening news, or the idea of finding all your current events information on Twitter feeds. Personally, I would rather have one lengthy substantive interaction, than 50 single sentence, meaningless exchanges. Food for thought about the changing state of technology and where it is taking us.

Technology Based Media SOLUTIONS

I make my living applying the latest technologies to real-world challenges and in the process offering improved efficiency, added functionality, reduced risk, better communication and more data from which better decisions can be made faster. None of this can be accomplished without establishing goals before the work is begun. Social and business media today seem to be operating under the presumption that access and connectivity will be viewed by the public as most important. Any blogger will tell you, it is all about the content when attempting to attract traffic. I have to ask the question: Is the 140 character Twitter limit a teaser to attract you to a link with more content, or are people pulling their content directly from the feed? Before we all decide a computer on a watch is the coolest thing since sliced bread, maybe we should all be thinking about the impact of the move towards tablets, smart phones and watches. How can we ensure that limited mobile data connections and device memory can deliver substantive content, instead of meaningless sound-bytes designed to incite emotional, rather than intellectual response?

Better Technology IS Good

These changes are amazing and represent huge leaps in our ability to improve lives, bring knowledge to the world and improve business profitability, but somewhere we must find the vision to direct the APPLICATION of this technology towards net positive gains. Is less thought-provoking, single sentence communication better? Should we strive for a more meaningful exchange of ideas as a worthwhile goal? How do we become more vocal and change this looming trend?


A Vision for Effective Application of Technology


Common Technology Oversights

In my experience, there are three very common discoveries when I reach out to new potential partners:

  1. A lack of awareness that their existing systems have much more potential functionality than they currently utilize.
  2. A realization they have invested too much money in related systems that have no potential to work together.
  3. Disappointment when I point out they have no VISION for leveraging technology to improve efficiency and mitigate risk, no DESIGN STANDARD to drive future system selection and no ROAD MAP to prioritize investment.

Mission

As a consultant, I find it is important initial meetings are positive. Highlighting these oversights may be a painful experience, if the discussion is mishandled. It is critical to help an end-user’s team become excited about the future of these systems, after concerns have been addressed… I have a PASSION for applied technology. I attempt to ensure everyone around me knows that excitement. Applying technology to resolve challenges and improve operational efficiency is challenging AND very rewarding. As design professionals, we lower costs, improve profits and mitigate risk and liability. A value message that should be conveyed with every interaction. I particularly enjoy that last meeting on every project when we review results, discuss what has been achieved and adjust that road map (discussed above) to check items off the list.

Achieving the Mission

It would be impossible to share the entire discussion here, so let’s review a few important elements that will exemplify the mindset discussed above:

Professional Services Model

What should be the expectation when working with a technology vendor? I dislike the idea that a vendor’s only role is to sell and install systems/equipment. Automated solutions are complex and require years of training and experience to fully understand applications. These companies should be “partners”, not just “contractors”.

Partnering

What does it mean to be a partner? Simply put: a partner adds value to the relationship. Too many fail to realize – the advantages to leveraging automation can be far greater than the initial investment to deploy systems.

What are Professional Services?

Your technology partner should be performing the following functions:

  • Optimizing existing systems.
  • Discovering an organization’s “pain-points” and recommending features and benefits of existing and new solutions to eliminate them.
  • Learning an organization well enough to recommend solutions to improve operational efficiency.
  • Education regarding new products and technologies.
  • Assistance with developing a 3-5 year road map and future-proofing investment in technology.

A quick word of advice – if you are working with a technology company that is not capable of this kind of relationship, find one that is.

Examples of Professional Services

Database Data Exchange (DDE)

When I bring up this topic, some folks become suspicious. Database programmers are very expensive. That level of expertise and integration is unnecessary here. I am referring to “interfaces”, NOT integration. Interfaces can utilize SQL Queries and Active Directory Service Interfaces to share data. These tools are application agnostic and do NOT require an integration to be deployed. It is a best practice to ensure platforms are SQL and LDAP (AD protocol) compliant. What is the benefit of exchanging data across databases?

Simple Example – University / K-12 users all have Student Enrollment, HR, Transactional (POS), Network and Physical Security user databases which require data entry. The user database from one software platform can be selected and maintained as a source to keep the others updated. An Interface can be written to share changes (deletions/additions) at the end of every school day to eliminate data entry in the four other systems, thereby eliminating daily administrative functions involved with user record maintenance.

Advanced Example – Still using the previous example… how about expanding the information in each user record to include: security hierarchy, area of study, extra-curricular activities, etc. This information could be used to update situational permissions, privileges and building access rights, thus eliminating additional administrative functions.
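The end-of-day interface described in the two examples above, sketched as an added example (not code from this blog or from any vendor). The table names, sample users and attribute-to-access-group rules are assumptions made up for illustration, and SQLite stands in for the real platforms.

```python
import sqlite3

# Constructed sample data: the enrollment system is the source of record,
# the access control system (ACS) is the downstream copy kept in sync.
SOURCE_ROWS = [
    ("s100", "Ana Ruiz", "student", "chemistry"),
    ("s101", "Ben Cole", "student", "history"),
    ("e200", "Dee Park", "staff", "facilities"),
]
ACS_ROWS = [
    ("s100", "Ana Ruiz", 1, "general"),
    ("s099", "Old Grad", 1, "general"),  # no longer enrolled
]
# Hypothetical attribute-to-access-group rules (the "advanced example").
GROUP_RULES = {("student", "chemistry"): "general+chem_lab",
               ("staff", "facilities"): "all_buildings"}

def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE source_users(id TEXT PRIMARY KEY, name TEXT, role TEXT, dept TEXT)")
    db.execute("CREATE TABLE acs_users(id TEXT PRIMARY KEY, name TEXT, active INTEGER, access_group TEXT)")
    db.executemany("INSERT INTO source_users VALUES (?,?,?,?)", SOURCE_ROWS)
    db.executemany("INSERT INTO acs_users VALUES (?,?,?,?)", ACS_ROWS)
    return db

def nightly_sync(db, max_disable_ratio=0.5):
    """Push additions, group changes and removals from source to ACS."""
    src = {r[0]: r for r in db.execute("SELECT id, name, role, dept FROM source_users ORDER BY id")}
    acs = {r[0]: r for r in db.execute("SELECT id, name, active, access_group FROM acs_users ORDER BY id")}
    to_disable = [uid for uid, r in acs.items() if r[2] == 1 and uid not in src]
    active = sum(1 for r in acs.values() if r[2] == 1)
    # Guard: an empty or truncated source export must not lock everyone out.
    if active and len(to_disable) / active > max_disable_ratio:
        raise RuntimeError("refusing sync: would disable %d of %d" % (len(to_disable), active))
    changes = []
    with db:  # one transaction: all changes apply or none do
        for uid, (_, name, role, dept) in src.items():
            group = GROUP_RULES.get((role, dept), "general")
            if uid not in acs:
                db.execute("INSERT INTO acs_users VALUES (?,?,1,?)", (uid, name, group))
                changes.append(("add", uid, group))
            elif acs[uid][2] != 1 or acs[uid][3] != group:
                db.execute("UPDATE acs_users SET active=1, access_group=? WHERE id=?", (group, uid))
                changes.append(("update", uid, group))
        for uid in to_disable:
            # Disable rather than delete so the audit trail survives.
            db.execute("UPDATE acs_users SET active=0 WHERE id=?", (uid,))
            changes.append(("disable", uid, None))
    return changes
```

The returned change list doubles as the audit record for each run; a second run against unchanged data returns an empty list.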

Application Programming Interface (API)

API creates integrated functionality across related systems. Automating – not data exchange this time – but logic that can be used to manage “if-then” functionality for signaling devices and software, or in the most complicated scenarios – offering complex event recognition and other similar functions. This can be expensive and difficult to accomplish when customized across systems, but my suggestion here is: let others do it for you – FOR FREE!

Simple Example – Card access software has the ability to trigger other systems when an individual enters a space. This capability can be leveraged to offer numerous advantages with related systems:

  • Security Authorization: Trigger a video surveillance camera to authenticate identity and add a date and time stamp to recorded video.
  • Energy Savings: Trigger lighting control or HVAC VFD’s in individual areas to save energy.
  • Risk & Liability Management: Synchronize audio with a video feed to monitor high-risk areas.

Advanced Example – This can get in the weeds fast, but let’s look at a few rough ideas. Here is one feature type: activity recognition across systems. Here is another: shared functionality between cloud, desktop and mobile interfaces.

How Can This Be Free?

Please read through this section more than once and incorporate into your Organizational Design Standards. Engage an integrator (partner), or consultant to research strategically aligned manufacturing partners who have already written an API across their platforms. It is that simple. Engage a quality integrator that is able to leverage this capability and you have immediately future-proofed your technology investment.

Example – Here is the setup: A multi-building campus has extensive intrusion detection (IDS) with card access (ACS) and video surveillance (VMS) systems. The campus utilizes at least a few on-site security guard personnel. The three systems have previously written API(‘s) (integration) across to the other platforms. Alarm maps have been uploaded to either the ACS, or VMS. An alarm event posts in the event log triggering a text to a guard. A guard responds by opening an app on their smart phone that shows the alarm map to pin-point the location of the security event and immediately dispatches. En route, the guard triggers a Macro which uses inter-operability features to pull the four real-time camera feeds closest to the alarm location into a split-screen on his phone, then verifies recent ACS events. This scenario improves guard response time and preparedness and allows fewer personnel to cover the same area.
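The logic behind the guard's Macro in the scenario above, as an added example (not any vendor's API or code from this blog). Camera and door names, map coordinates, the 15 m radius and the 10 minute window are all assumptions chosen for illustration.

```python
from datetime import datetime, timedelta
from math import hypot

# Constructed sample data; coordinates are metres on a shared campus map.
CAMERAS = {"cam-lobby": (0, 0), "cam-dock": (40, 5), "cam-lab": (12, 30),
           "cam-stair": (8, 4), "cam-roof": (90, 90), "cam-hall": (15, 10)}
DOORS = {"door-lab": (10, 28), "door-dock": (42, 6), "door-main": (1, 1)}
ACS_EVENTS = [  # (timestamp, door, badge holder, result)
    ("2024-03-01T22:10:05", "door-lab", "s100", "granted"),
    ("2024-03-01T22:13:40", "door-lab", "unknown", "denied"),
    ("2024-03-01T22:14:10", "door-dock", "e200", "granted"),
    ("2024-03-01T20:00:00", "door-lab", "e200", "granted"),
]

def dist(a, b):
    return hypot(a[0] - b[0], a[1] - b[1])

def alarm_briefing(alarm_xy, alarm_time, cams=4, radius_m=15, window_min=10):
    """Return the nearest camera feeds and recent nearby ACS events for an alarm."""
    t_alarm = datetime.fromisoformat(alarm_time)
    # The split-screen: the `cams` cameras closest to the alarm location.
    nearest = sorted(CAMERAS, key=lambda c: dist(CAMERAS[c], alarm_xy))[:cams]
    nearby_doors = {d for d, xy in DOORS.items() if dist(xy, alarm_xy) <= radius_m}
    recent = []
    for ts, door, holder, result in ACS_EVENTS:
        age = t_alarm - datetime.fromisoformat(ts)
        # Keep only events at nearby doors inside the look-back window.
        if door in nearby_doors and timedelta(0) <= age <= timedelta(minutes=window_min):
            recent.append((ts, door, holder, result))
    recent.sort(reverse=True)  # newest first
    return {"feeds": nearest,
            "acs_events": recent,
            "denied_nearby": any(r[3] == "denied" for r in recent)}
```

A denied badge read at a nearby door shortly before the alarm is the detail a responding guard most needs, which is why it is surfaced as its own flag.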

Not the Future, Now!

I hope I have been successful in describing the potential functionalities that can be achieved with this approach. This capability is here now. Why not put this on your Technology Road Map, or begin suggesting this approach to your clients today?
