Security Squared
The future of industry is in convergence
- By Mark Mills
- Feb 06, 2007
At the most basic level, there are just two types of security:
physical security to protect people and assets, and information
security to protect bits and bytes in data systems. And, information
security products are generally more intelligent than physical security
products.
The future of physical security is in convergence. Smart networks
should make smart devices talk while making dumb devices smart so both
collectively function as intelligent, useful networked security
systems. The future is in physical security systems that integrate a
wide array and large number of highly disparate devices -- systems that
are ubiquitous, embedded, highly configurable, scalable and
transparent in utility. This is a familiar trajectory for experts of
recent IT history. And there is an instructive metric to borrow from
the IT world known as Metcalfe's Law.
Metcalfe's Law
Somewhere there's a derivative Metcalfe's Law for
information-centric physical security -- a rule-of-thumb that
establishes the value of the security network in terms of the character
and connectivity of the devices on the network.
Robert Metcalfe, inventor of the Ethernet and founder of 3Com,
hypothesized that the value of a communications network increases as the
square of the number of users connected. Double the number of computers
or any CPU-based device on a network and its value quadruples. Rising
value entices others to join the network, thereby creating a cycle of
growth in value for users and markets for suppliers. The introduction
of wide area networks (the Internet, soon WiMax) and local area
networks (wired and wireless Ethernet) was the driving force in the
explosive growth of devices on the edge of those networks, an
ever-rising value to end users.
Similarly, the value of a networked security system grows
non-linearly with the number of smart devices on the network, including
collateral connections with other networks and devices. Assuming the
devices in the security networks are smart, an additional metric may be
needed to postulate an IT-type scaling law in security systems -- one
that counts the lines of code in the firmware and the number of network
interfaces in the security devices.
Devices on the edge of the networks, regardless of scale, from
vehicles or buildings to entire cities and countries, collect
information that is or should be routed, processed, stored, analyzed,
compared and cross-correlated, and re-routed to automatically initiate
actions or provide transparent information to support decisions. This
is what operators want. This is what is so often called, but rarely
provided, "a solution."
The software and networks needed to manage, analyze and rationalize
security data flows are remarkably similar to those that manage
business and entertainment data flows. Thus, increasingly visible in
the security world are venerable IT players such as Cisco, Microsoft,
EMC, IBM, Qualcomm, Harris and Motorola. But there is one central
difference between the two worlds.
The devices on the edge in the IT world are phones and similar
devices with embedded microprocessors -- from PCs to PDAs and cameras.
In the security world, devices on the edge are more varied, and some
are only now emerging. There is a vast array of complex
information-gathering devices and sensors, frequently with embedded
microprocessors. There are few standards and highly variable outputs,
performances and purposes.
Security sensors are designed to detect, identify and track objects,
chemicals or people. These sensors range from widely distributed
cameras to exotic infrared and laser imagers, acoustic and radar-based
surveillance. Sensors also include all manner of biometric, chemical,
biological, explosive and radiological tools emerging from remarkably
compressed and refined renditions of basic instruments once only
familiar in scientific and medical settings. Some of the devices
already have embedded software and plenty of native smarts, feeding
massive data streams into local, rarely networked, software-driven
analytic systems. Others are barely sentient.
Light of Day
From Doha to Detroit, the general architecture of what a security
system should look like is often articulated and only now beginning to
see the light of day. Information is ideally gathered and correlated on
an intelligent, analytic basis in real time from a large number of
security technologies.
There are plenty of examples of the technology at work. A shipping
container's origins and signature can be linked to people that interact
with the container and there are sensors designed to sniff it along its
journey. A radiological spectrum at an interstate truck weigh station
can be designed to take an automated license plate reading just as
facial biometrics can correlate with material missing in inventory from
another country. Accomplishing such feats requires sophisticated
networks linked usefully on the front lines.
You might say the CCTV crowd has figured this out, increasingly
offering not just IP-enabled cameras, but an array of software to
control, route, store and process video information. Video has come
first to the network paradigm in part because the core product, the
visible imaging sensor, is a mature commodity. The camera is often the
first and sometimes only step in many security deployments, and it is
an essential part of nearly any security system. Also, CCTV benefits
from product maturity (reasonable prices, transparent metrics and
standards) and the ready availability of directly relevant software and
communications networks from non-security uses of video.
Incorporating IP connectivity with a video camera is not exactly a
revolutionary idea, nor is it deeply insightful to add Bluetooth to a
biometric card reader or to a handheld radiation sensor. There are many
examples of how IT features prove useful in security products. The
trend will doubtlessly extend to adding smart sensors and
communications to nearly everything, including stanchions used to form
security lines, bollards outside buildings and even the manhole covers
in surrounding streets. Incorporating IT-centric capabilities in all
devices and locations is now made possible by three core factors.
Enabling IT-Centric Security
First, there is the inevitable and ongoing decline in device/sensor
cost and increase in effectiveness -- cheap and useful is a winning
combination. Second, the costs of network connectivity, bandwidth,
storage and processing power are all low and still declining. The third
determinant is the ability to design and implement useful network
architectures using the first two. The network design task is daunting
given the complexity of the physical, geographic, regulatory and
psychological environments.
Network design requires a concept of operation, which determines not
only the nature of the networks, software and related items, but also
frequently the design and nature of security devices on the edge of
networks. Ultimately, a security system that works is measured by its
utility -- transparency, ease of use, accuracy -- for the people on the
front line. For the military, this is the war fighter; for governments,
first responders; and in civilian domains, this is the ubiquitous, if
underappreciated, security guard.
The DOD's net-centric warfare efforts are nearly monomaniacal in the
focus on the frontline war fighter. Somewhat less attention has been
focused on humans on the civilian security frontlines. It is not
surprising that much of the pioneering work in info-centric security
has been undertaken by the likes of Northrop, Lockheed, Raytheon and
Boeing. The companies take practices developed for military force
protection to find application in civilian domains -- from borders to
airports and large cities. A more telegraphic trend for the expanding
field is the early steps taken to enter the physical security market by
more generally info-centric companies such as IBM, SAIC, CACI and Booz
Allen -- and of great promise, the entry of a flurry of small companies
and entrepreneurs.
Perhaps the best bellwether of the emergence of this new paradigm
for security is the appearance of new trade and professional societies.
The Network Centric Operations Industry Consortium has a
military-civilian focus and convergence. The Open Security Exchange is
working to accelerate the widespread convergence of physical security
with IT. The Alliance for Enterprise Security Risk Management, ASIS,
the Information Systems Audit and Control Association and the
Information Systems Security Association are all playing parts in the
new security world. The ISSA was created "to address the integration of
traditional and information security functions and to encourage board
and senior executive-level attention to critical security-related
issues and the need for a comprehensive approach to protect the
enterprise."
Last year, a Booz Allen report estimated that the
information-centric part of physical security was a $1 billion a year
business, growing to more than $10 billion annually in less than a
decade. If Metcalfe's Law holds in the security world, and there's
every reason to believe it will, the growth may be much faster -- a
happy outcome both for the nation's security and the engaged companies.
This article originally appeared in the February 2007 issue of Security Products, pg. 8.