Security Integration: Making it Work
March 01, 2007
Appeared in Building Operating Management/FacilitiesNet
In today’s business world, terms like convergence, synergy and integration are used so frequently that it’s easy to dismiss instances where they actually are occurring. Security systems are a case in point.
Behind the growth in security system integration projects is the realization by more managers and executives that the risks their organizations face pose threats to both facilities and information systems. In addition, many executives are looking for efficiencies that can be gained when multiple security systems are integrated.
The term “security system integration” can take on a variety of meanings. Historically, most security system integration projects have involved linking the access control and alarm systems, and then integrating the closed circuit television system, says Seth Klibonoff, senior engineer with Syska Hennessy Group. Once these systems were connected, a violation of the access control system would cause the alarm to sound and prompt the camera to switch on and record the incident. This often was accomplished by installing hard-wired connections between the systems.
“Security system integration” also refers to the trend within a growing number of organizations to merge physical security applications, such as access control, and logical security applications, such as biometric identification programs that allow employees to use the corporate network, into a single, comprehensive system. Employees responsible for physical security may join the same department as those responsible for network and computer security, says Salvatore D’Agostino, vice president of sales with CoreStreet Ltd. As more executives recognize the need to put in place systems that protect both their facilities and their information systems and databases, this approach is gaining greater acceptance. “Convergence is really happening now,” says D’Agostino.
One example comes from the Federal government, he says. Homeland Security Presidential Directive 12 (HSPD 12), which was issued in August 2004, requires all government employees and contractors to have a common credential to gain access to a government building and to log onto federally controlled information systems. Once an individual is identified via the credential, the system knows the computer applications and building areas to which he or she is allowed access. “It’s state of the art,” says D’Agostino.
As the practice of security integration becomes more sophisticated, the term likely will come to indicate an even more comprehensive approach to linking different systems. For example, over the past year or so, a growing topic of discussion among industry experts has been to link the security system with human resource applications, says Klibonoff. That way, when a person either joins or leaves the company, the security system would be automatically changed when the human resources department updates its records.
Integrating different elements of an organization’s physical and logical security systems offers a range of benefits. For starters, it provides a more comprehensive approach to security that’s less vulnerable to incidents and better able to respond if one occurs. Kim Loy, PSP and vice president of marketing with G4Tec/AMAG Technology, offers an example. If the access control and intrusion alarm systems are linked, the access control system can be programmed to automatically change, based on the type of alarm that sounds. If the system determines that an intruder has entered the facility, it may lock down the computer room.
An integrated approach also offers better protection against the reality that “you can perpetrate physical threats logically, and logical threats physically,” D’Agostino says. He recalls an event in another country in which a customs agency had installed a state-of-the-art computer system, with best-in-breed firewalls, alert systems and message monitoring. One day, several men came to the front desk in overalls, and said that they were there to perform some maintenance work in the computer room. Once inside the room, however, they unbolted the mainframe from the floor and hauled it outside to a waiting truck.
In addition, an integrated system typically provides operating efficiencies. As a starting point, calls to the IT help desk generally drop when employees can use one credential to access both their computers and their workspace. The more credentials or passwords they have to manage, the greater the likelihood that they’ll forget one, and need to call on the information systems staff.
As new open-standards software applications come onto the market, it’s becoming increasingly feasible to manage an integrated system from a single software package. “You have one interface to deal with, so there’s less training, and it’s easier to support,” says Steve Sawyer, senior sales executive with Siemens Building Technologies Security Solutions.
While integrating security systems makes great sense, it’s often not an easy process. One challenge comes from the fact that security systems historically have been proprietary. “To integrate, you would have to buy everything from the same vendor,” says Sawyer. If the vendor provided only minimal support, or decided to exit the business, customers could become saddled with a system that didn’t meet their needs.
Fortunately, this is becoming less of a problem, Sawyer adds. A growing number of vendors entering the physical security sector have their roots in IT, and offer more open, standard systems. Some provide software development kits or application program interfaces. Both tools make it easier to integrate different systems.
When a company wants to continue using its existing infrastructure, while also upgrading and adding on to it, the challenge of integrating proprietary systems often remains, Loy adds. However, through the emergence of new technologies, such as readers of access control cards that work with different types of cards (also known as multitechnology readers), and the openness of many new systems, even such retrofits are becoming less of a challenge, she says.
“One advantage of the revolution in IP (Internet Protocol) technology is the move to more open standards,” says Klibonoff. “More products are being designed to be compatible.”
Another challenge is the fact that many IT departments, while critical to the success of any security integration project, already have too many projects on their to-do lists, says Sawyer. What’s more, because a fair number of security systems still are proprietary, the IT department often has to take a hands-on role in integrating and supporting them. That may make IT employees hesitant to get involved right off the bat. Again, this should change as more open systems come onto the market.
A first step in integrating security applications is determining the size and scope of the project, says D’Agostino. Will the new system cover the entire facility, or just a specific floor or wing? Will departments be integrated as well, or will the physical and logical security departments remain separate? It’s essential to answer questions like these before the project begins.
To ensure that most, if not all, of the facets and risks of the project are identified, assemble an operational team that includes representatives from all affected departments. This typically includes facilities, security, information technology, legal and human resources. Along with ensuring that different concerns are brought to light, a cross-functional team provides an opportunity for the “cops and geeks” to better understand each other, D’Agostino says. That should lead to more productive working relationships.
In addition, IT expertise is required to determine the impact an integrated security system is likely to have on the corporate network. For an integrated security system to be effective, it can’t disrupt other business functions, Loy says. This is key, as the video capabilities of today’s IP video networks can often overwhelm an organization’s existing network, says Klibonoff. As a result, it may be necessary to build a network to dedicated to this application.
In addition to the IT department, support also is needed from the “C-suite” or executive level, says Sawyer. Management needs to recognize and champion the fact that security today means more than placing locks on the doors. Providing for this level of security probably will affect employees in the business units — for instance, access to the corporate data center may become more restricted — and the business unit leaders need to know that the company is behind the shift. Otherwise, they may gripe about or ignore any new rules or procedures implemented.
As part of the shift to a more comprehensive approach to security, a growing number of companies are placing responsibility for both physical and logical security under one individual, such as a chief security officer. This person is charged with ensuring security decisions benefit the organization overall, rather than being based only on one department’s input.
Thorough and precise specifications need to be drawn up for the integrated system, Klibonoff says. If the specifications are vaguely written, they’re likely to be misinterpreted, as the personnel doing the implementation may meet the letter, but not the intent, of the specification. For example, if the specifications say something like, “provide manufacturer XYZ or equal,” the equipment provided may not perform as intended. That’s because the specifications didn’t spell out exactly which functions that manufacturer XYZ offers are needed.
This usually becomes an issue when the specifications are written from a template that uses a single manufacturer’s technical and performance specifications, Klibonoff adds. “The integrator will provide all the details in the boilerplate and assert that they have met the specification, while missing the reason that a particular manufacturer and model has been selected.”
In addition, the individual or company doing the implementation should let the end user know what’s feasible and practical. Klibonoff provides an example: On one security integration project, it would have been possible to use the company’s existing video system. However, this system didn’t easily integrate with a new access control system being installed. The company was faced with a choice between retaining the existing system and settling for an integrated system that wasn’t as seamless as the company might have liked, or purchasing a new system. In the end, they decided they could live with the reduced integration, which requires a few extra mouse clicks in order to play a video from a selected event, Klibonoff says.
It can also be critical that the security system be designed to accommodate future growth and technology, adds Klibonoff. Once a system is installed, adding more capabilities, such as biometric readers, becomes much more costly than it would have been to incorporate these from the beginning. “If you don’t plan, the system may not keep up with technology and expansion,” he says.