Physical Security: Life Before & After Becoming Enterprise-Ready
SecuriThings CEO Roy Dagan
Nearly every physical security department uses hundreds or thousands of devices. These can include cameras and access control systems designed to protect everything from corporate campuses, universities, airports, hospitals, factories, government facilities and more. It’s extremely challenging to protect these devices and keep them IT-compliant and operational without a physical security infrastructure that is enterprise-ready.
Enterprise-ready means that a solution — whether software, hardware, or services — can meet the demanding needs and requirements of large organizations. In the context of physical security, the five key factors in enterprise-readiness are:
- Device Availability. A baseline necessity for physical security, device availability should be as close to 100% as possible.
- Robust Cybersecurity. IP-based devices that connect via IT’s networks should never provide an easy attack opening into the organization’s network.
- Compliance. Physical security teams and devices must comply with regulatory mandates, company-internal and industry requirements, as well as IT standards.
- Cost-Efficiency. Device maintenance must be highly cost-efficient and avoid excess costs such as dispatching technicians in unnecessary “truck rolls.”
- Future Planning and EOL Replacement. Replacing outdated devices at the right point in their life cycle is necessary for cost efficiency, cybersecurity and compliance.
Fulfilling these enterprise-readiness requirements depends on physical security’s ability to manage devices end to end, which requires real-time visibility across entire fleets. This capability is somewhat dependent on the specific devices and whether they support remote diagnostics and operations.
Enterprise-readiness sounds terrific in the abstract. But what does it mean for day-to-day work in a real physical security department? When you are enterprise-ready, what’s actually different?
To answer that, let’s look at several essential, oft-repeated processes where physical security groups carry out batch/bulk operations across their device fleets. We’ll examine how each task is a struggle when systems are not enterprise-ready. Then, for the opposite view, we’ll show how the same process improves when physical security groups are enterprise-ready. The contrasts are readily obvious.
Handling Outages / Lack of Availability
Our first task scenario zeros in on device availability — e.g., which devices are out of order, why they are not working, and what to do about it.
Let’s imagine a scenario where a number of cameras are down within your fleet.
Looking for quick answers on security topics? Try Ask SDM, our new smart AI search tool. Ask SDM →
If you’re not enterprise-ready, once you hear of the outage, you have options such as looking them up in an asset inventory spreadsheet. You could also search maintenance records. The video management system (VMS) might also confirm that it isn’t able to see the device, unit by unit. If not, you can phone IT to see if they know of a network problem. You will likely have to wait for IT’s response while you weigh the cost of dispatching a technician.
If you are enterprise-ready, you receive an alert that includes analysis explaining the issue and its root cause. Knowing whether the network switch or something else caused the outage, you can take action. For example, you can reset the cameras remotely yourself, adding a firmware update if available, or let the system automatically submit a support request to IT for servicing. If it’s a relatively minor issue with the cameras themselves, you should be able to bring them back up quickly from wherever you log in.
Conducting a Firmware Upgrade for Hundreds of Cameras
Firmware updates are often urgent. Manufacturers regularly issue them in response to vulnerabilities that have just come to light, because attackers quickly begin hunting for devices not yet under the protection of the upgrade. In other cases, devices running on outdated firmware can suffer performance issues.
Let’s imagine you are alerted to the scenario above.
If you are not enterprise-ready, you have to check the make and model of every device, one-by-one, to ensure they are not running outdated firmware. If you depend on spreadsheets for tracking assets, that can be cumbersome. A technician handling the update manually may need to go through multiple steps per unit. Upgrading hundreds of cameras remotely takes a prohibitive amount of time. If the procedure omits an initial test of the upgrade on a handful of units, then compatibility problems — which could knock every device offline — might slip through.
If you are enterprise-ready, your system will quickly identify all devices eligible for an available firmware upgrade. Your system operators can implement the update on a single device as a test. Compatibility issues and software conflicts are common, and this check ensures that your upgrade will not put all the cameras out of service. If the upgrade passes this test without hiccups, the rollout can continue to the remainder of the units. Then the system runs a status check on all the upgraded cameras to confirm they’re operational. If the initial test knocks the sample camera offline due to a compatibility issue with the management system, the system automatically rolls that device back to the most recent compatible version — with no harm done.
Automation delivers impressive time savings, although exactly how much depends on how cumbersome a process you’re replacing. If you had no ability to update firmware in batches, then you were implementing upgrades by going from one device to the next. For each unit, an upgrade might entail a sequence of multiple steps. It could take weeks to complete. In that scenario, automation could make the difference between days versus seconds. Automation also simply makes it easier to make the decision to carry out an upgrade.
Rotating Passwords on Hundreds or Thousands of Devices
Password updates are essential. With age, passwords are more likely to be cracked. Updating passwords (rotation) often does not happen often enough, and factory-default passwords are known to hackers. Once again, automation comes to the rescue and delivers a very high return on investment.
Let’s consider this scenario where you are called to rotate passwords across your fleet.
If you are not enterprise-ready, many of your devices are still using their weak default passwords. To change them, you must update one device at a time and then update the management system accordingly. Then you need to securely save each unique new password, and ensure it is also updated on the management system. Batch processing speeds it up, but the process is still so time-consuming that many organizations do not carry it out often enough, and rarely complete it.
If you are enterprise-ready, your screen shows that per company policy, it’s time to replace passwords on hundreds of devices in your fleet. You do not have to hunt down which devices are due for the rotation, nor change passwords one by one. With a few mouse clicks, you initiate the procedure to run automatically across all the devices – and on the corresponding management system – in a matter of seconds. With a centralized, automated process, the entire rotation should take under five minutes, whereas manually it might take hours or more to execute. Upon completing this rotation, you set the system to automatically perform rotations every six months, going forward.
Future Planning
Unlike in IT, asset and maintenance tracking systems are not yet common in physical security departments. That can be a major obstacle when you try to plan ahead for replacement of older devices.
If you are not enterprise-ready, end-of-life (EOL) replacement is often in reaction to outages of older units. The alternative, identifying older devices to replace before they go down, is laborious. You reference each manufacturer’s website to check, one by one, which units are EOL or End of Service. Your team may have to rush evaluation of replacements, and end up overpaying, if too many devices go offline at once. Tracking numerous different EOL and EOS dates leads to compliance and security problems. Manual, reactive methods scale poorly and eat up your day.
If you are enterprise-ready, your management system shows all physical security devices and automatically checks them against manufacturer updates and warranty information and identifies EOS and EOL units. Even with thousands of devices, including different makes and models, this takes just a few seconds. You will always have a comprehensive list of all physical security devices, showing all known EOS/EOL dates, so you won’t be caught off guard. Your actual process might be a video meeting with your team members located in other time zones, to discuss their upcoming replacement needs and the short list of new hardware options. This strategic approach enables a clean, longer-term budgeting process.
Making Enterprise Readiness Work for Physical Security
There are some less obvious elements of enterprise-readiness that are important. First, collaborative working relationships with IT pay off in better alignment and problem solving. Second, cooperation on integrations between your systems integrators and device manufacturers enables more complete data exchange — valuable for status updates and remote management of devices.
The scenarios above tell just part of the story. Additional processes like device certificate management can also see major improvements in cost efficiency and use of resources. With three pillars of enterprise-readiness in place — visibility, end-to-end automation, and collaboration with IT — physical security can transform its day-to-day operations experience and productivity.
