Security convergence 2.0

About a decade ago, convergence was a big buzzword in the security industry. Then, after a couple of years, the buzz pretty much died down. Now, in 2014, it's popped right up again, but in ten years the concept of convergence has evolved in some very interesting ways, in line with how IT has generally evolved since then. In the security world, the term 'convergence' refers to physical and cyber security being managed together, instead of separately - which, historically, they were, and today, for the most part, still are.

Historically, big companies would have a security department, which was responsible for physically protecting the company's people and assets using a set of tools popularly known in the trade as Guns, Guards and Gates. Then, there would be an IT security department, which concerned itself solely with protecting the company's computers and data. The two groups were barely even aware of each other, and the IT security people really weren't that busy until around the mid-90s, when the evolution of hackers from a group of teenage punks out to impress their girlfriends to the sophisticated cyber gangsters of today started in earnest.

I remember noticing, sometime in the mid-90s, that both groups typically saw themselves as 'Security' (capital S) for their employers and in their industries, but had no idea what the other group did, let alone any meaningful contact with them.

The security convergence trend started around 2001 or 2002, when it was discovered that things like building access control systems and security cameras, which were already networked by then (but only as stand-alone systems using proprietary communication protocols), could be given IP addresses and become part of THE network. Now that I think of it, early converged security systems may have been one of the first instances of the IOT. But I'm getting ahead of myself.

The idea generated a lot of excitement at the time, because it meant that the servers for access control systems and security cameras could sit in the network closet and be managed by the IT staff. Money would be saved on cabling and duplicated efforts. Predictably, the IT people were down with that, but it didn't sit real well with 'Security' (physical capital S), who saw it as a flagrant threat to their significance and their jobs.

As security convergence gathered steam, a few sharp engineers realized that physical access to the building, and virtual access to the corporate network, could be managed using the exact same system. A single token (usually a dual-purpose badge) would be issued to all employees. Further money would be saved, the employees would have one less item to lose and replace, and everyone would live in joy and bliss.

It didn't quite work out that way, though, because an ongoing parade of glitches got in the way. Early convergence platforms, while prestigious to own and operate, were expensive and error-prone. And they were mostly built on Windows XP, which requires no further explanation. Biometric systems, which to me are a killer app for converged access control, were similarly expensive and error-prone. On the video surveillance side, footage streamed from the cameras sucked up bandwidth like there was no tomorrow, annoying network managers, and the video servers, which were basically industrial-strength TiVo machines, were expensive and ... you guessed it.

(The reason I know all this is that I was in charge of an early converged security system, at a mid-sized financial services company in California).

Basically, security convergence in the early and mid-2000s was not ready for prime time, and so the genre entered a lengthy trough of disillusionment.

(Intermission)

OK, now fast forward to today. Today, we have much cheaper and improved:

  • Biometrics
  • Cameras and DVRs
  • Data storage
  • Network bandwidth

In addition, we have the following, which are at or near the point of commercial viability, and which together offer a vastly more sophisticated picture of what converged security can be:

  • Smartphones and tablets
  • Sensors. Cameras are nothing but visual sensors - electronic eyes. But now we have audio, motion, and many more. The Samsung Galaxy S4 has no fewer than 9 sensors packed into it
  • RFID
  • RTLS (real time location systems)
  • Cloud computing
  • Big data analytics
  • Alerts technology
  • Drones
  • And I'm sure I've missed a few things

Finally, to string all of these dandy technologies together we have the IOT, which is starting to plant the seed in the minds of Suits the world over that things other than workstations, servers and routers might in fact have an IP address.

We might call this new combination Security Convergence 2.0. With Security Convergence 2.0, we have the potential for real-time situational awareness and predictively deployed security controls to prevent, detect, and respond to threats, the likes of which have not been imagined. And that will be good, because we will see threats the likes of which have not been imagined as well.

Clearly, we're still going to face some uphill challenges before working, fully converged and economical security systems can be built (meaning this stuff isn't going to show up overnight ... there may be one or two more troughs of disillusionment yet before we get to where we're going). The challenges include:

  • The basic concept of convergence, even in its initial incarnation, is still nascent. Most companies in the world still practice the "traditional" separation of powers when it comes to managing security.
  • The vast majority of IOT systems are being designed with either laughable security, or zero security (this is already the subject of much commentary by security experts)
  • A lack of standards

I plan to get into detail on all of this here on the blog, because this new incarnation of security convergence is one of the things that inspired me to start this blog in the first place.