Planning for an Integrated and Converged Physical Security Solution

Physical Security & surveillance platform mainly comprise of following sub systems: Electronic Access Control System, Alarm Systems and Sensors, Intrusion Detection, Logical Access Control and Video Surveillance. These systems have been in existence for quite some time now. Enterprises talk about Integration and convergence of these sub-systems and overall IT Infrastructure. The blog tries to explore these new age requirements in more detail.

Integration or convergence in a lay man language means “when separate things merge together to become one”.

In an ophthalmology language convergence can also be described as “Single binocular vision” which simply means that the vision of both is combined so that instead of “seeing double,” we see a single object — but from a three-dimensional perspective.

The word convergence has wide-ranging scope and implications in the field of security and surveillance. Normally a very narrow perspective is provided by an OEM or an integrator depending upon their product portfolio and knowledge. Here I am trying to discuss various convergence and integration perspectives, which may help to address various gaps and ambiguities at the design stage itself.

Designing an integrated physical security platform constitutes following four stages:

Business entities & relationships

The first step towards designing a converged security solution is to identify all the business entities that are expected to be controlled or control. A business entity can be a human being or an object. A series of brain storming session with various stake holders shall reveal all such entities. For example a manufacturing unit’s entities can be identified as Employees, Contractual Labourers, Contractors, Vendors, Company owned vehicles, Contractual Vehicles, Employee Owned Vehicles, Contractual Drivers, Company Drivers, Casual Visitors, Company Assets, System Administrators, Department/Functional Heads etc.

A truly converged security solution should be able to uniquely identify all such entities in the system and map various security policies, processes and access rules associated with them. The system should be able to establish relationships between these entities. Few relationship examples are as follows:

1. Employees are mapped with their reporting managers, who are responsible to approve their leave request, assign access rights, assign attendance rules, approve visitor requests etc. Employees are further mapped to their vehicles and assets issued to them by the organization.
2. Contractual laborers are mapped with their respective contractor companies and their reporting managers.
3. Visitors are mapped to the employees whom they are visiting and approving authority.
4. Drivers are mapped to the vehicles and if the vehicles are contractual then to contractor companies.

Access rights of an employee/contractor shall be mapped with certain parameters in their HR records.

Credentials

In today’s modern work scenarios based on the factors such as convenience, security level, compliance requirements, each entity as described in section above might be identified using different credentials in different systems. For example a person might be required to use biometrics to gain access to data centers, smart card for doors and turnstiles, long range tags for his vehicle, digital signatures for singing tender documents and corporate submission to various statutory bodies, Username and passwords for signing into PCs, Servers and applications. These credentials or identities can be classified into three types:

1. Physical: Smart Cards, Tokens, RFID Vehicle tags, RFID Asset tags, Paper Passes, NFC phones etc
2. Bio metrics: Fingerprint, Face, Iris, Retina etc.
3. Virtual: Digital Signatures, Username-password, PIN

All the above form of credentials has different characteristics, Physical credentials such as smart cards might change several hands (re-issued), have the possibility of getting lost or stolen, therefore the life cycle and inventory of the physical credentials has to be carefully monitored and acted upon; Biometric credentials uniquely identifies a person for nearly lifetime therefore has to be carefully preserved for long term availability, confidentiality and integrity; Virtual Credentials have the possibility of getting hacked or communicated to others or forgotten and in some cases is required to be surrendered. Therefore there has to be well defined configurable policies for storage, expiry and re-issue of these credentials.

The system architect should identify all such credentials getting associated with various business entities. The security management system should therefore be a converged platform to manage and configure policies for all three forms of credentials/identities based on their unique characteristics, threat perception and vulnerability.

Other important aspect while deciding upon various forms of identities is cross platform compatibility and interoperability. For example if we go with Finger Prints as a form of credential to identify an employee in an access control system then the finger print template database shall be accessible and interpretable by other hardware devices, branch locations and software modules such as HR, Visitor and Contractor Management modules. The same goes with Smart Cards, Digital Signatures etc. The key words here are non-proprietary, Cross Platform Compatibility and Interoperability.

Deciding on hardware & software products

Once we have identified business entities, their relationships and credentials, the next step is to identify best of the breed hardware and software products that are compatible with Credentials as identified above and which can recognize all the entities as decided earlier and seamlessly communicate with each other as well as with other IT systems based on policies and relationships as defined.

The hardware and software platform shall also be based on open standards, latest technological innovations, environmental considerations and reasonably future proof. Following are the few sample cases that an integrated platform may offer:

1. A Fire drill exercise will generate a real time report of all the people currently present in the facility comprising of Employees, Visitors, Contractors, drivers, vendors etc.
2. Visitor Management system is able to identify a visitor as an ex-employee or current employee or as blacklisted vendor from an associated facility.
3. As soon as the contractor’s contract in the HRMS system expires, all his associated credentials(Vehicle, personal access, logical access rights) automatically gets disabled on the last working day
4. As soon as a fire sensor identifies an incident, integrated alarm management system highlight the incident along with corresponding CCTV footage.
5. Procurement department does not get locked up with a specific vendor during expansion or repair and maintenance.

Integration with IT systems

In today’s networked world, Physical security system cannot operate as an island and therefore has to integrate with various information systems in an enterprise. The requirement for integration with various enterprise systems can be classified into following categories:

1. Data Input
2. Communication service Interface

Data input

Enterprise security system shall get automatic access to Enterprise data such as Employee/Contractor Records along with other important parameters such as Termination dates, expiry dates, reporting manager, branch location, leaves, holidays etc. to avoid manual errors, ghost credentials and meeting certain regulatory compliance. Most well know Data Input interface standards are Active Directory/LDAP or customized web-service based integration with HRMS and ERP systems.

Communication service interface

Enterprise Security shall be able to send various notification messages to various employees or systems as and when required therefore certain integrations are required with Enterprise communication services such as Email Servers, SMS servers, intranet portals or other messaging interfaces been deployed by an enterprise.

Data output

The Enterprise Security shall also be required to output certain information on periodic basis to enterprise information systems such HRMS systems for payroll processing, to meet labour law compliance and other third party systems such as Time Attendance, Meeting Room management systems, cafeteria systems etc

Therefore the system architects while designing the physical security platform shall carefully analyze all the above integration requirements either current or future before deciding upon the product or preparing an RFP document.

Share Planning for an Integrated and Converged Physical.