Enterprise and government security are now deeply enmeshed in service-oriented architectures. Policy-based event management increasingly drives access to data and access to information. Complex problems of who is granted what kind of access are resolved in conversations in which practitioners assert semantics and compare ontologies.
Members of the Security Industry Association (http://www.siaonline.org/) are in a complicated world with few standards. The big three services (access control, intrusion detection, closed circuit monitoring) share almost nothing in control protocols or in implementation. The special needs of diverse facilities, whether highly hardened or in adverse environments (high radiation, extreme cold …), are likely to prevent technology consolidation. Because security must always be concerned with hostile agents, security systems are arguably an area where standardization is actually bad.
The best security systems interact with the enterprise. The trivial example is awareness that an employee was fired yesterday. Closing the office during the company picnic can change both the access control and intrusion detection rules in the building. But enterprise programmers do not really understand the inner workings of these systems and their volatile technology.
Security is never about just locking the gate. It is far easier and cheaper to build a fence with no gate, if the goal is to make sure that no one enters. The point of security is to make sure that the right person at the right time can easily access a facility or service. Therefore, the most important attribute of security is situation awareness.
Physical security faces the same key issues as system security. Identification is the first question: who is attempting the activity in question? One of the most important identities is the well-known person Anonymous. The next question is what roles this person possesses. What job does this person have? What role is he assuming today? Is he working on this week’s maintenance call-back list?
Intrusion detection has the same issues. Intrusion detection is also able to add spatial awareness to the enterprise security system. This week, I was introduced to a security system in which a user’s phone and network access were disabled as long as he was in a certain location.
Clean, simple enterprise interfaces to security systems should treat the entire system as an enterprise appliance, offering up situational awareness and providing simple services. Those services can then be made subject to all of the nuances of policy-based security used in the IT realm.
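A minimal sketch of such an appliance-style interface, added here as an illustration and not taken from the original article or any product: enterprise events go in, access decisions and location awareness come out. The class, method names, event kinds, door and zone names are all hypothetical, and the sample people and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass
class Appliance:
    """Hypothetical facade over access control and intrusion detection."""
    terminated: set = field(default_factory=set)        # fed by HR events
    closures: set = field(default_factory=set)          # dates the office is closed
    callback_list: set = field(default_factory=set)     # this week's maintenance call-backs
    restricted_zones: set = field(default_factory=set)  # zones where network access is cut
    location: dict = field(default_factory=dict)        # person -> last zone seen

    # Enterprise -> appliance: a small set of events, no vendor protocol exposed.
    def on_event(self, kind, value):
        if kind == "hr.terminated":
            self.terminated.add(value)
        elif kind == "facility.closed":
            self.closures.add(value)
        elif kind == "badge.seen":
            person, zone = value
            self.location[person] = zone
        else:
            raise ValueError(f"unknown event kind: {kind}")

    # Appliance -> enterprise: decisions built on identity, role and situation.
    def may_enter(self, person, roles, door, day):
        if person is None:                    # the identity "Anonymous"
            return door == "lobby" and day not in self.closures
        if person in self.terminated:         # fired yesterday: no access today
            return False
        if "maintenance" in roles:            # role valid only while on the call-back list
            return person in self.callback_list
        return "employee" in roles and day not in self.closures

    def network_allowed(self, person):
        # Spatial awareness from the physical side feeding an IT-side decision.
        if person in self.terminated:
            return False
        return self.location.get(person) not in self.restricted_zones
```

The enterprise side never touches door controllers or sensors directly; it only posts events and asks questions, which is what lets IT-side policy be layered on top.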