A strong physical security system is technology based and covers the gaps
- By Lance Holloway
- April 01, 2018
Security professionals face several challenges in today's highly technical campus environment. Issues such as system-architecture fragmentation, cybersecurity and regulatory compliance are not only critical risks in themselves; they also open significant gaps in the overall security mission to safeguard life safety, privacy, intellectual property and business continuity.
Through strategic system planning and proactive maintenance methodologies, security professionals can close the gap on vulnerabilities left open through neglect and move their programs forward from a reactive mode to serving the
A PATCHWORK CONFIGURATION
"Design fatigue" sets in on many campuses over the years through acquisitions and rapid technological advancement. Eventually, many security teams are faced with numerous brands, all varying in functionality and feature updates. A patchwork-quilt configuration forms, consisting of older, outdated systems that are mission-critical and often too expensive or complex to replace outright without a major capital project.
The real risk within these fragments is failure to alert on specific events, porous data security and unmanaged, surreptitious access to video, records and location-access data. Often, the procurement and deployment processes miss the big-picture five-year plan and solve smaller issues piece by piece. Physical security and IT should therefore co-plan master platform investment and data ownership to ensure uptime, security and efficient spending.
Cybersecurity has been an issue on many campuses for decades. However, today's Internet of Things (IoT) revolution allows a smartphone to connect to almost anything with an IP address, including other smart devices, security cameras, databases, lab equipment, vehicles and door controllers.
A two-fold approach to shoring up this security gap is: first, to ensure that all selected manufacturers abide by current IT best practices for patching and logical permission management; and second, to ensure that selected products connect to the approved IT
Often, IT manages anything on the network that can be identified. However, many physical security devices have been deployed on the campus network without ever being identified or maintained, leaving outdated devices susceptible to malware or unauthorized access. Devices compatible with the IT SIEM, directory services or other management tools bring visibility and management to the system and can mitigate cyber-attack
Current system monitoring can have a significant gap: many IT systems watch the status of a camera's IP address, for example, but are not configured to ensure that the manufacturer firmware is up to date and that the hard drive is actually capturing usable video for a forensic investigation. Platforms dubbed "service assurance" have emerged whose feature set explicitly monitors every network element involved in producing the archived video.
A typical recording path for security video may include the camera, network switch, server, operating system and hard drive (cloud or clustered storage). Again, the gap is that many IT systems monitor the uptime of an IP address on the network but cannot warn the security department that recording latency may crash the NVRs, resulting in a life-safety gap of lost video. Service assurance products are built specifically to monitor that path end to end.
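The following is an added example, not code from the article or from any service assurance product. It models the gap described above: a ping-style uptime monitor only sees whether a camera answers on the network, while a recording-path check also looks at whether the NVR is still writing segments, how storage write latency is behaving and how much recording space remains. The device names, thresholds and readings are constructed for illustration.

```python
"""Recording-path health check (added example; names, thresholds and readings are constructed)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class RecordingStatus:
    camera: str
    reachable: bool                      # IP-level uptime: what a ping/ICMP monitor reports
    last_segment_at: Optional[datetime]  # when the NVR last wrote a video segment for this camera
    segment_interval_s: int              # expected seconds between segments
    write_latency_ms: float              # recent storage write latency on the recording server
    storage_free_pct: float              # free space on the recording volume


# Thresholds are assumptions for this example, not values from any product.
MAX_WRITE_LATENCY_MS = 500.0   # above this the NVR starts falling behind
MIN_STORAGE_FREE_PCT = 10.0    # below this retention and recording are at risk


def evaluate_recording_path(status: RecordingStatus, now: datetime) -> List[str]:
    """Return the findings for one camera; an empty list means the path is healthy."""
    findings: List[str] = []
    if not status.reachable:
        # The only condition an IP-uptime monitor would catch.
        return ["unreachable"]

    if status.last_segment_at is None:
        findings.append("reachable but has never recorded")
    else:
        age = now - status.last_segment_at
        # Allow two missed intervals before declaring video lost.
        if age > timedelta(seconds=2 * status.segment_interval_s):
            findings.append(f"reachable but no video written for {int(age.total_seconds())}s")

    if status.write_latency_ms > MAX_WRITE_LATENCY_MS:
        findings.append(f"write latency {status.write_latency_ms:.0f}ms exceeds {MAX_WRITE_LATENCY_MS:.0f}ms")
    if status.storage_free_pct < MIN_STORAGE_FREE_PCT:
        findings.append(f"storage {status.storage_free_pct:.0f}% free is below {MIN_STORAGE_FREE_PCT:.0f}%")
    return findings


def ping_only_alerts(statuses: List[RecordingStatus]) -> List[str]:
    """What a typical IP-uptime monitor would raise: unreachable cameras only."""
    return [s.camera for s in statuses if not s.reachable]


def recording_path_alerts(statuses: List[RecordingStatus], now: datetime) -> Dict[str, List[str]]:
    """Cameras with at least one finding, mapped to their findings."""
    result: Dict[str, List[str]] = {}
    for s in statuses:
        findings = evaluate_recording_path(s, now)
        if findings:
            result[s.camera] = findings
    return result


# Constructed sample readings for four cameras at a fixed point in time.
NOW = datetime(2018, 4, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE = [
    RecordingStatus("lobby-cam-01", True, NOW - timedelta(seconds=30), 60, 12.0, 45.0),    # healthy
    RecordingStatus("walkway-cam-02", True, NOW - timedelta(minutes=30), 60, 15.0, 40.0),  # up, but not recording
    RecordingStatus("garage-cam-03", True, NOW - timedelta(seconds=20), 60, 900.0, 4.0),   # recording, path degrading
    RecordingStatus("dock-cam-04", False, NOW - timedelta(hours=6), 60, 0.0, 40.0),        # down
]

if __name__ == "__main__":
    print("ping-only view:", ping_only_alerts(SAMPLE))
    for cam, findings in recording_path_alerts(SAMPLE, NOW).items():
        print(cam, "->", "; ".join(findings))
```

On the constructed sample the ping-only view flags one camera, while the recording-path check flags three: the walkway camera that answers on the network but has written nothing for half an hour is exactly the case the article warns about.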
When these systems fail, both life safety and business continuity are affected. Incidents can occur with no usable video or proper alerting to notify security until after the event has transpired. Physical and logical security response teams are robbed of their opportunity to intervene on behalf of the corporate charter to ensure safety and operations.
One evening in September 2017, a man was assaulted in a pedestrian walkway in downtown Petaluma, Calif., and later died of his wounds. There were surveillance cameras where the attack occurred; however, the cameras were not working.1 Many campuses have had security incidents transpire in areas technically covered by video cameras that were assumed to be recording. Through construction damage, uncoordinated network changes, unmaintained equipment or blatantly malicious alteration, video footage can be missing when called on, causing not only unnecessary delays in investigations but embarrassment for security departments spending considerable amounts on equipment
On a purely logical surface, private data is at risk through unmanaged peripherals on any network. Current internet attacks on IoT devices often begin by simply trying the default username and password on devices such as cameras and recorders.2 Other exploits target the device operating system, and known exploits are posted openly on the internet for malicious actors to leverage.3 Numerous physical security devices have been deployed on campus networks over previous decades, many of which never made it onto the IT watch lists and
Customers today are aggressively scanning their networks for rogue devices, to ensure that legitimate items are properly updated and maintained while unneeded devices are removed. These processes are time intensive, especially when thousands of devices require constant monitoring and prompt security fixes. Automated update and monitoring dashboard tools are essential, and tools with fully developed filters for specific security products are uniquely powerful.
Short-term planning for campuses should begin with identifying what is on the network. Security partners should be on hand to ferret out all devices and provide an inventory report with IP addresses to IT and security leadership. Once items have been identified, they should be categorized for action plans: old systems should be updated or hardened to meet standards, and newer technologies should be registered in Active Directory, LDAP, SIEMs and other primary IT governance platforms. The ongoing maintenance plan should be scripted for the different device categories and implemented. These plans and documentation will help IT survive their next audit and make physical security a true team player.
Long-term strategies should take advantage of the recent trend in hybrid physical and logical security product platforms. Physical Identity and Access Management (PIAM) engines as well as service assurance products help tighten software and firmware updates and logical access control to security devices, allowing a single dashboard to report on and alert key stakeholders within the campus.
When selecting newer converged governance platforms, a few overriding considerations should help narrow down the many options available.
API. The product's application programming interface (API) should be current and best in class. The library of connected products should already be a strong mix of existing integrations, so as to avoid experimental products (a mature product with committed developer updates).
Data Security. Data management is crucial in today's Business Intelligence (BI) environment. With possibly terabytes of information available from various systems around the campus, it is possible to artfully piece together significant discoveries about how the business operates and how to improve not only security, but the overall customer
Reporting. Articulate reporting is a make-or-break facet of system planning. The goal is to filter the data so that the right message reaches the right expert at the right time. Most systems, unfortunately, are deployed with a "data glacier": a massive wall of raw information that is unusable to most colleagues. This often-overlooked aspect of security architecture frequently fails to engage stakeholders from the various departments who would otherwise become champions for the program. Safety data, certification and compliance dashboards, and facility utilization reports are of immediate value to other departments across the campus.
Policies. IT internal controls define how the overall business should run, including who can go where, and when, on the network. Security systems should natively bridge with IT platforms so that these network control policies are inherited by the physical security systems. Many systems today rely on an honor-system spreadsheet process, rife with errors and costly delays in shutting down security privileges. These should be automated and transparently documented in the central reporting dashboards.
IoT. Broad patching functionality is required for today's IoT management strategy. Where IT typically has a comfort level in patching all Windows computers on the campus, most IoT devices do not run a Windows operating system and may require a unique tool to ensure that firmware is updated to address new vulnerabilities. Service assurance platforms do just this: they connect to hundreds or thousands of devices and monitor firmware and password settings so that alerts arise when a newer version is available or changes are recommended. In the best case this is automated as well.
Command Center. Command center design is an art form. Just as popular cable television providers organize content intuitively for consumers, the aggregated information head end should be easily understood as well, drawing stakeholders in for deeper discoveries and readily processed, actionable updates. Raw data is present in most systems, and data science makes it possible to process these massive stores of information. A truly powerful security partner will help the campus departments discover how to leverage these platforms and insights.
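The short-term plan above (inventory the network, then categorize each device for update, hardening or registration) and the IoT consideration (monitor firmware and password settings and alert when a newer version is available) call for the same piece of logic. The following is an added example of that triage, not code from the article or from any inventory, PIAM or service assurance product. It takes a constructed device inventory of the kind a network scan combined with directory and SIEM records would produce, compares each device's firmware against an assumed "latest release" table that stands in for a vendor release feed, and sorts the device into action categories. The model names, version numbers and IP addresses are invented for illustration.

```python
"""Device inventory triage (added example; catalogue, models and inventory are constructed)."""
import re
from typing import Dict, List, Tuple


# Assumed catalogue of approved device models and their latest firmware.
LATEST_FIRMWARE: Dict[str, str] = {
    "ipcam-a": "2.4.10",
    "door-ctrl-b": "1.9.3",
    "nvr-c": "5.0.1",
}
END_OF_LIFE = {"door-ctrl-legacy"}   # still approved, but no longer receives firmware


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.10' or 'v2.4.10-build7' into a comparable tuple (2, 4, 10)."""
    nums = re.findall(r"\d+", v.split("-")[0])
    return tuple(int(n) for n in nums)


def firmware_behind(installed: str, latest: str) -> bool:
    """True when the installed version is older than the latest release.
    Shorter tuples are padded with zeros so '2.4' compares equal to '2.4.0'."""
    a, b = parse_version(installed), parse_version(latest)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def triage_device(dev: Dict) -> List[str]:
    """Return the action list for one device record; empty means compliant."""
    actions: List[str] = []
    model = dev["model"]
    if model not in LATEST_FIRMWARE and model not in END_OF_LIFE:
        # Unknown to the approved catalogue: a rogue or forgotten device.
        return ["investigate: not in approved inventory, remove if unneeded"]
    if model in END_OF_LIFE:
        actions.append("harden: end-of-life, isolate on a restricted VLAN and plan replacement")
    elif firmware_behind(dev["firmware"], LATEST_FIRMWARE[model]):
        actions.append(f"update: firmware {dev['firmware']} -> {LATEST_FIRMWARE[model]}")
    if dev.get("default_credentials"):
        actions.append("harden: replace default credentials")
    if not dev.get("in_directory"):
        actions.append("register: add to directory services")
    if not dev.get("logs_to_siem"):
        actions.append("register: forward logs to SIEM")
    return actions


def triage_inventory(inventory: List[Dict]) -> Dict[str, List[str]]:
    """Map each device IP to its actions; devices with no actions are compliant."""
    return {d["ip"]: triage_device(d) for d in inventory}


# Constructed inventory, as an IT scan plus directory/SIEM records might yield.
INVENTORY = [
    {"ip": "10.20.1.11", "model": "ipcam-a", "firmware": "2.4.10", "default_credentials": False,
     "in_directory": True, "logs_to_siem": True},          # compliant
    {"ip": "10.20.1.12", "model": "ipcam-a", "firmware": "2.3", "default_credentials": True,
     "in_directory": False, "logs_to_siem": False},        # forgotten camera
    {"ip": "10.20.2.5", "model": "door-ctrl-legacy", "firmware": "0.9.8", "default_credentials": False,
     "in_directory": True, "logs_to_siem": False},         # end-of-life controller
    {"ip": "10.20.3.7", "model": "unknown-dvr", "firmware": "?", "default_credentials": True,
     "in_directory": False, "logs_to_siem": False},        # rogue device
]

if __name__ == "__main__":
    for ip, actions in triage_inventory(INVENTORY).items():
        print(ip, "->", actions or ["compliant"])
```

The version comparison is the part that needs care: firmware strings vary in depth and carry vendor suffixes, and a plain string comparison would rank "2.3" above "2.4.10". Devices absent from the approved catalogue are deliberately not given an update path; they are sent to investigation first, which is the "rogue device" case the article describes.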
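The Policies consideration argues that physical security privileges should inherit from IT controls rather than from an honor-system spreadsheet, so that a disabled account does not keep an active badge. The following is an added example of that reconciliation, not code from the article or from any PIAM product. It compares a constructed directory export with a constructed access-control badge report and produces the actions a security administrator would act on; in practice the two inputs would come from an Active Directory or LDAP export and an access-control system report, and the rules below are an assumed joiner/mover/leaver policy.

```python
"""Badge-to-directory reconciliation (added example; accounts, badges and rules are constructed)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class DirectoryAccount:
    username: str
    enabled: bool


@dataclass
class Badge:
    badge_id: str
    username: str     # account the badge is assigned to; empty if unassigned
    active: bool
    areas: List[str]  # areas the badge opens


def reconcile(accounts: List[DirectoryAccount], badges: List[Badge]) -> Dict[str, List[str]]:
    """Return required actions keyed by badge id.

    Assumed policy:
      - active badge whose account is disabled   -> deactivate now
      - active badge with no matching account    -> orphan, deactivate and investigate
      - inactive badge for an enabled account    -> informational, may need reissue
    """
    by_name = {a.username: a for a in accounts}
    actions: Dict[str, List[str]] = {}
    for b in badges:
        account = by_name.get(b.username) if b.username else None
        if b.active and account is None:
            actions[b.badge_id] = ["deactivate: badge not linked to any directory account",
                                   "investigate: who holds this badge"]
        elif b.active and not account.enabled:
            actions[b.badge_id] = [f"deactivate: account {b.username} is disabled in the directory",
                                   f"review: badge still opens {', '.join(b.areas)}"]
        elif not b.active and account is not None and account.enabled:
            actions[b.badge_id] = [f"info: enabled account {b.username} has an inactive badge"]
    return actions


def accounts_without_badge(accounts: List[DirectoryAccount], badges: List[Badge]) -> List[str]:
    """Enabled accounts with no badge at all (new hires still waiting on the spreadsheet)."""
    held = {b.username for b in badges}
    return [a.username for a in accounts if a.enabled and a.username not in held]


# Constructed exports.
ACCOUNTS = [
    DirectoryAccount("jdoe", True),
    DirectoryAccount("asmith", False),   # left last week; IT disabled the account
    DirectoryAccount("rlee", True),
    DirectoryAccount("mchen", True),     # new hire, no badge yet
]
BADGES = [
    Badge("B-1001", "jdoe", True, ["lobby", "lab-3"]),
    Badge("B-1002", "asmith", True, ["lobby", "server-room"]),   # never revoked
    Badge("B-1003", "", True, ["loading-dock"]),                  # orphan badge
    Badge("B-1004", "rlee", False, ["lobby"]),
]

if __name__ == "__main__":
    for badge_id, acts in reconcile(ACCOUNTS, BADGES).items():
        print(badge_id, acts)
    print("enabled accounts without a badge:", accounts_without_badge(ACCOUNTS, BADGES))
```

Run on a schedule against real exports, the output of reconcile is the list that the spreadsheet process currently produces late or not at all; feeding it to the central reporting dashboard gives the transparent documentation the article asks for.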
Such strategic conversations are critical when validating budgets and operational policies to ensure our campuses remain the preferred centers of learning and healing. The intangible result of the right security program and systems is the genuine fruit of the overall strategy: a trusted environment for opportunity, prolific collaboration and business efficacy. Security plays a significant role in strengthening today's businesses, now more than ever.
This article originally appeared in the April 2018 issue of CSLS.