Working Together

The impact of security systems on the IT network may create bigger problems than expected

Over the years, corporate departments have learned how to increase efficiency and value by leveraging the assets of the corporate IT infrastructure. Accounting, HR, operations and other groups make extensive use of computer applications, data storage, e-mail and other IT tools to increase their productivity and the range of services they provide to customers.

The corporate security department has recently joined this revolution by introducing new IT-centric tools and techniques designed to significantly increase the capabilities of the security organization.

By connecting physical security systems to the IT network, security can achieve productivity gains and deliver new services in the areas of remote video surveillance, video and access control integration, and centralized security system management tools.

Convergence also provides the ability to integrate video surveillance systems with central monitoring station software or with transactional systems, such as point-of-sale, bank ATMs and teller lines.

These and other network-centric security tools certainly add significant value to the organization, but in the process, they also consume significant network resources. Bandwidth, switch and router ports, data storage and IP addresses are not bottomless resources.

The IT team is tasked with making sure that new systems do not negatively impact other network users -- many of whom use the network to provide mission-critical services. Therefore, the security team needs to coordinate with the IT department before connecting equipment to, or installing software on, the LAN.

Certain characteristics of security systems -- such as bandwidth consumption of video equipment -- are likely to bring close scrutiny from the IT department.

When security department staff educate themselves on the issues that concern the IT department, they are in a better position to evaluate security equipment and system vendors. This saves significant time and money by avoiding investment in a product or system that will not meet their firm's IT standards.

System Availability
The IT network provides services to the entire organization, so it is critical that a security device failure does not cause a general network failure. By the same token, a poorly designed and managed IT infrastructure will compromise the integrity of the security system.

Security devices can increase individual availability by using solid-state hard drives for storing their embedded programs and by using operating systems that are resistant to viruses, Trojan horses and denial-of-service attacks -- especially for systems that are connected to the public Internet.

Embedded operating systems used in network appliances also ensure that hackers cannot easily exploit the vulnerabilities of PC operating systems, which can otherwise allow security equipment to be used as a launching pad for network attacks. Built-in firewalls and IP access control lists that limit system access to computers at specific IP addresses or on specific IP subnets also can help prevent network security breaches. If the equipment uses a Windows® OS, the auto-update feature should be enabled, so that publicized vulnerabilities are patched as soon as possible.

Quality of Service
IT departments can allocate percentages of network bandwidth for services (such as Web traffic, e-mail and VoIP) on a LAN to ensure high levels of service, but on a WAN or the Internet, all services fight for the same bandwidth.

VoIP and IP videoconferencing systems are examples of IT services that are extremely sensitive to LAN/WAN delays caused by excessive levels of security video traffic. One MBps of video traffic isn't noticeable on a 100 MBps LAN, but on a 1.5 MBps Internet connection, these fragile services cannot be protected from a 1 MBps video stream.

For this reason, IT departments examine the level of video traffic (particularly over the WAN) that a video security system will generate. Thus, the ability to limit video bandwidth consumption is a highly desirable feature in today's video surveillance equipment.

Some systems require data/video preservation even in the event of catastrophic failure at the primary facility. In this case, the security system must support data/video archiving in a location that is physically separate from the primary storage location. For some, daily backups suffice, but other applications require hourly or real-time archiving.

Advanced surveillance systems also provide management tools to enable remote archive/restoration of system configuration data for quick system restoration.

Privacy Protection and Information Security
Every department entrusts the IT manager to protect sensitive corporate data on the network. Live and recorded surveillance video is no exception -- especially when the video system is integrated with financial or retail systems and may contain embedded receipt data.

All network-based security equipment must, therefore, employ industry-standard authentication and authorization techniques to ensure that internal network users can only access the parts of the system they are authorized to access.

Passwords and firewalls prevent unauthorized viewing and/or downloading of security video and data. On advanced CCTV systems, this access can be designated on a per-camera basis for both live and playback modes.

Availability of Management and Monitoring Tools
In systems that employ dozens, hundreds or thousands of security devices, it becomes impractical for IT and security staff to monitor and manage these units individually.

Tools that continuously monitor the health of each security device and automatically report any problems to the IT department are invaluable. Similarly, when software upgrades are required, management tools that allow the upgrade to be applied to multiple devices at once, rather than manually upgrading each unit, save labor hours.

IT also prefers a system that allows them to add, change or remove an employee's security permissions from a central database rather than logging into each device individually to change permissions. These types of management tools have long been available for networking equipment, and they are now becoming available for DVRs and other security equipment.

While some new systems can use the existing IT infrastructure, others require new investment.

Some new systems require less maintenance effort than others due to the frequency of changes and/or the lack of enterprise management tools. Devices that employ the Windows® operating system require monthly security updates. If the Windows auto-update feature cannot be used, then this update process will be manual, consuming an enormous amount of technician time.

Quality of Vendor Technical Support
IT departments value vendors who provide accurate and timely technical support -- particularly during installation and downtime. This support can extend to advanced replacement programs (in which warrantied products are replaced rather than repaired in order to minimize downtime). A healthy, established vendor is preferable to a vendor who is a startup or is facing financial problems.

Many systems require interoperability with external systems. Flexible application programming interfaces ensure that the systems can exchange information with other systems and with various types of user interfaces, whether client-server or Web-based. Vendors who offer a software development kit to provide a programming interface can accommodate this requirement.

For international organizations, multi-language manuals, user interfaces and technical support also are important, and the security system should be flexible enough to handle a variety of languages, date formats, daylight saving time schemes and technologies.

Evaluating Two Wide-Area Network, Video Surveillance Solutions Using IT's Criteria

A hypothetical system requires centralized reviewing and control capabilities for video cameras deployed across all 100 locations of a regional retail chain. All stores have existing 128 KBps WAN connections. The relevant requirements are:

  • One-hundred stores located across a five-state region.
  • Nine cameras per store.
  • Five frames per second of recording per camera upon motion detection, 0.5 fps the rest of the time (assume each camera will record at the higher rate 12 percent of the time).
  • A 640 x 480 resolution video, with 10 KBps average image size.
  • Thirty days of video storage.

Applying these criteria to each design solution for a video surveillance system puts these requirements to the test.

The solutions under consideration are a DVR-based approach with local video storage at each store and an NVR approach, in which each IP camera transmits its video to an NVR at the customer's corporate headquarters, as NVRs generally have a single, centralized storage device.

DVRs provide centralized viewers and configuration tools, but they store the video locally at each facility (referred to as "distributed storage"). Thus, the network connection between each store and the headquarters only requires sufficient bandwidth for periodic maintenance and video monitoring. Hybrid approaches are available, but comparing pure DVR and NVR approaches makes the relative pros and cons clear.

The Most Significant Differences Are:

Network availability. The DVR does not use the network for video storage, so it is not generally affected by WAN reliability. The NVR solution uses the Internet/WAN to transmit video from the stores to the NVR central server. Lower-cost DSL connections only guarantee 99 percent availability (5,260 minutes of downtime per year). Business-grade DSL guarantees 99.9 percent (526 minutes of downtime per year), but is considerably more expensive.

Network quality of service. Services running on the existing corporate WAN connection may include credit card processing, transaction logging and inventory management. The NVR approach will require an average of 750 KBps and peak of 4 MBps at each store, requiring Internet/WAN bandwidth upgrades to ensure that the security video will not interfere with existing services. The DVR will have much smaller bandwidth requirements for performing occasional maintenance and video review using the bandwidth limit configuration setting.

Installation costs. While the DVR does not require any new network services or equipment, the NVR solution will require the installation of new network services and equipment at each store to provide the increased bandwidth requirements.

Total cost of ownership. Ten analog cameras and a 300 GB DVR will likely cost more per store than 10 IP cameras and one store's portion of the centralized NVR storage, but the DVR solution does not require the monthly recurring costs for increased WAN/Internet bandwidth at each store plus the cost of dual T3s (45 MBps) at the headend for receiving the NVR video.

The right architecture. Careful consideration must be given to IT concerns when choosing a video surveillance architecture. In this example, the cost of dedicated WAN bandwidth will surpass the cost of equipment over the lifetime of the project, and the risk of losing video due to WAN outages may be unacceptably high for some applications.
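The sizing behind the comparison above can be reproduced from the stated requirements. The following is an added example, not part of the original article. It assumes the "10 KBps average image size" means 10 kilobytes per frame, that the link figures are bits per second, that 1 KB is 1,000 bytes, and that IP cameras do not buffer video locally during a WAN outage; the names `Site` and `nvr_plan` are hypothetical.

```python
# Added example: sizing figures for the hypothetical 100-store retail chain.
# Assumptions (not stated on the page): 10 KB per frame, link speeds in
# bits per second, 1 KB = 1000 bytes, no local buffering in the NVR design.
import math
from dataclasses import dataclass

MINUTES_PER_YEAR = 365.25 * 24 * 60


@dataclass
class Site:
    cameras: int = 9
    motion_fps: float = 5.0        # recording rate on motion detection
    idle_fps: float = 0.5          # recording rate the rest of the time
    motion_fraction: float = 0.12  # share of time at the higher rate
    frame_kb: float = 10.0         # average image size in kilobytes
    retention_days: int = 30

    def avg_kbps(self) -> float:
        idle = (1 - self.motion_fraction) * self.idle_fps
        fps = self.motion_fraction * self.motion_fps + idle
        return self.cameras * fps * self.frame_kb * 8

    def peak_kbps(self) -> float:
        return self.cameras * self.motion_fps * self.frame_kb * 8

    def storage_gb(self) -> float:
        return self.avg_kbps() / 8 * 1000 * 86400 * self.retention_days / 1e9


def downtime_minutes(availability: float) -> float:
    return (1 - availability) * MINUTES_PER_YEAR


def nvr_plan(site, stores=100, wan_kbps=128, t3_mbps=45, availability=0.99):
    # Central-storage design: every store streams its average load to HQ.
    headend_mbps = stores * site.avg_kbps() / 1000
    return {
        "wan_upgrade_needed": site.avg_kbps() > wan_kbps,
        "headend_mbps": headend_mbps,
        "t3_links": math.ceil(headend_mbps / t3_mbps),
        "video_gap_hours_per_store": downtime_minutes(availability) / 60,
    }


if __name__ == "__main__":
    s = Site()
    print(s.avg_kbps(), s.peak_kbps(), round(s.storage_gb(), 1), nvr_plan(s))
```

Under these assumptions the per-store average comes to about 749 kilobits per second and the peak to 3.6 megabits per second, which lines up with the article's 750 KBps and 4 MBps figures, and 30 days of retention fits within the 300 GB DVR.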

Total Cost of Ownership
It is becoming increasingly common to require a return on investment analysis for significant projects. An accurate ROI calculation considers all costs, not just those for the initial equipment, installation and configuration.

Additional costs include project-specific equipment costs, additional network equipment, anti-virus software licenses (for Windows-based devices) and training, as well as the recurring costs of dedicated WAN bandwidth, monitoring, maintenance and security vendor licensing fees.

As security managers develop IT-centric systems, a clear understanding of the impact on the corporate network will help ensure a successful deployment. Those who try to operate independently of the IT department will find themselves losing that independence as they rely on others to evaluate and approve their systems.
