This is the 10th article in the “Real Words or Buzzwords?” series about how real words become empty words and stifle technology progress, also published on SecurityInfoWatch.com.
By Ray Bernard, PSP, CHS-III
Sometimes the word “Enterprise” is the top label among several given to sets of product features and capabilities, such as Basic, Professional, Team, and Corporate. Often these labels are retrofit onto existing product capabilities in the hopes of attracting more customers in each category. It doesn’t necessarily mean that the top-of-line product was designed to support all or even most of the needs a large enterprise may have.
The scope of the term Enterprise Class is of sufficient breadth and depth that it requires three articles to cover it. The first article looked at the technology trends having the greatest impact on what Enterprise Class means today. The second article looked at the requirements for Enterprise Class systems that specifically address the needs of applications with high user counts and wide geographic distribution.
This article provides a checklist-style worksheet that security systems integrators, specifiers and end users can use to evaluate and compare offerings that are labeled “Enterprise Class”. The checklist also includes Enterprise Class deployment factors. That’s because if you purchase Enterprise Class technology but don’t provide an Enterprise Class deployment, you won’t get Enterprise Class performance. To rate some of these items for a product under consideration, you may have to visit one or more deployments that are addressing similar requirements to your own. You can also use this checklist to comparatively rate technologies and deployments across multiple sites. This can be helpful for establishing upgrade priorities.
It is important to note that, due to the continually accelerating advancement of the information technologies on which electronic physical security systems are built, security systems technologies are also continually advancing. This means that the nature of deploying technology has changed. Gone are the 5- to 10-year rip-and-replace security system life cycles of the previous 40 years. In-place systems must be upgradeable deployments, that customers can update and evolve according to their security and business operational needs, as relevant new technology advances become available.
The chief challenge for veteran security professionals (end user customers) and for security industry veterans (manufacturers and service providers), is to change our thinking to take continual technology advancement into account. When you see super-computers that talk to you being advertised on TV as the “new employee” you can hire (IBM Watson), you know we’re in an entirely new era of computing technology. And it’s just beginning.
Technology advancement itself is just one of the reasons why Enterprise Class has become a moving target. Other reasons have to do with the fact that as technology evolves, so do organizations evolve, and so does the nature of doing business. It’s a changing landscape with rapidly changing risks, and keeping up with this evolving customer landscape is probably the greatest challenge the traditional physical security industry has ever faced.
About This Checklist
Many of these checklist items are not specific to Enterprise-Class applications, and could be applied to any application. However, this checklist overall is focused on system attributes that are critical for enterprise-scale deployments. Human workarounds that are tolerable for small systems don’t scale up to larger systems, and this factor is not always considered when expanding from a small scale deployment.
Important: Don’t excuse any operational shortcoming because “that’s the state of technology today.” Did you know that current-generation motion-detection video analytics automatically account for tree and shrubbery motion, flapping signs on fences, rain, clouds and other non-relevant motion? Regardless of whether a shortcoming could be resolved with current technology, it is important to identify all shortcomings as advancing technology is more than likely to address them.
Enterprise Class Application Checklist
High Availability. This applies to cloud data centers, as well as corporate internal data centers, and to servers operating within the data centers. (For example, the data center may have dual power, but does the server have dual power inputs so it can benefit from it? If not, does the UPS the server runs off have dual power inputs? Does the server itself have dual power supplies? Use the Notes field to capture specific details.
- Data Center Uptime Guarantee:
- Battery Backup:
- 4 hours
- 8 hours
- 24 hours
- 48 hours
- 72 hours
- Emergency Power:
Reliability. Security systems are complex, and reliability must be considered for each aspect of the system. Add to the suggested items below, to include the aspects of the product or system that are operationally important to users, whether highly reliable or not. For items that are not 100% reliable, describe or rate the reliability shortcoming. This includes but is not limited to: Camera offline rates, false alarm rates, nuisance alarm rates, detection failure rates, and quality lapses such as jittery or jumpy video.
- Detection rate:
- Data capture rate (such as for vehicle plate recognition):
- Response time to user actions:
- PTZ tracking:
Data redundancy, backup and recovery. Cost may be a factor depending upon database size. In non-cloud on-premise applications, backups should be automatic, with full weekly backups and incremental daily backups. Cloud-based redundant databases in differing geographic locations can be superior to ongoing backup snapshots, although offline backups may be more affordable if temporary data outages are acceptable.
- Database redundancy:
- The set of disks or other media that contain the redundancy set are separate from the disks that contain the datafiles, online redo logs, and control files (Yes / No)
- The redundancy set is separate from the primary files in every way possible: on separate volumes, separate file systems, and separate RAID devices (Yes / No)
- Database backups:
- Backups can be made in real time, without requiring database use to be shut down (Yes / No)
- Partial recoveries can be made, for cases where data has been accidentally deleted or mistakenly replaces (Yes/No)
- Both backup and recovery have been tested with your own data (Yes / No)
- Backup and recovery times are known based upon the nature of your data (Yes / No)
Cloud Computing Characteristics. Many capabilities, including anytime/anywhere application access, require cloud computing. Some applications are hosted in the cloud, and are web-based, but are not designed as true cloud computing applications. By this I mean that they don’t support the five essential characteristics of cloud computing as defined by NIST: on-demand self-service, broad network access, resource pooling, rapid elasticity or expansion, and measured service. The application attributes below go beyond what NIST defines for cloud computing, but that’s because we’re qualifications for the Enterprise Class label. Cloud system provide many high-value capabilities that are only available via a cloud- based service. Thus, the capabilities of cloud-based application are on an accelerating growth trajectory, while those of client-server based systems are not.
- Cloud-based application:
- Fully-cloud based
- Some features available via cloud-application
- Cloud application is on the manufacturer’s roadmap
- No plans for cloud application
On-demand self-service / measures service. This essentially is self-service provision of application features, activating the service is the same as placing an order for it, and you can add and remove features from the cloud application according to the basis of your subscription (often monthly). What’s great about this is that you get to try out a feature for a nominal cost, without jumping through hoops to do so. No emailing of license files, no reseller or manufacture participation needed.
- Feature activation:
- Instant self-service activation (Yes / No)
- Instant self-service de-activation (Yes / No)
- Billing is done upon completion of each month’s usage – pay only for what you use (Yes / No)
- Subscription scales with actual system use, by users and by feature selection (Yes / No)
Broad network access. This is an availability characteristic – not by time like 24/7 but by location based upon availability of Internet access:
- Feature availability via for computer (PC, laptop, large tablet):
- All desired features desired
- A subset of desired features
- Some important features are not available
- Internet-connection based feature availability via for mobile devices (smartphone, tablet):
- All desired features desired
- A subset of desired features
- Some important features are not available
Rapid elasticity or expansion. For example, adding new cameras automatically adds the appropriate storage to the subscription, based upon the length of the video retention period selected.
- Rapid elasticity or expansion is provided for:
- All appropriate features.
- All features we need to be elastic.
- For some features, but not according to our desires.
Application Updates. Cloud-based applications are typically built using a continuous development/continuous delivery approach. Application updates are usually performed monthly or every two weeks, sometimes weekly. System performance is monitored closely in real time, so that any potential bottlenecks or other non-performance decreases can be identified and quickly remedied. Testing and deployment are mostly automatic processes, utilizing cloud -based tools designed to eliminate human errors and speed up incremental rollouts while reducing the risk of problems being introduced.
- Updates are performed:
- Every two weeks
- Per published schedule
- At the discretion of the manufacturer
Application Roadmap. Executing continuous delivery requires a roadmap. Failure to have a published roadmap for a cloud-base application usually means that development is not predictable, or that the application is new enough that prioritization is based upon the needs of the expanding subscriber base, and thus changes over time.
- Application Feature Roadmap is:
- Published to one year out.
- Published to six months out.
- Published to three months out.
- Not published but sharable under NDA.
- Not published or sharable.
Operator Permissions. The larger the deployment, the more important these features become.
- Manage by operator classes or categories or roles:
- Do roles support inheritance (such as Supervisor inherits Operator permissions):
- Manage by user-defined operator groups across categories (e.g. areas, regions, shifts, facility type):
- Granularity of permission settings matches operator job roles and responsibilities:
- Good match
- Poor match
- Permissions settings can be cloned or copied when creating new categories
- Authorization to define operator permissions can be delegated by region or other criteria:
- Reporting for operator permissions is highly useful:
Audit Trails. This capability traditionally has varied widely between otherwise similar products.
- All operator control actions are logged.
- All operator individual edit actions are logged (such as changed name, changed address).
- Audit trail change record includes “before” and “after” data record snapshots?
- Audit trail timestamps include operator’s time zone.
- Audit trail retention in live database
- 90 days
- 180 days
- 1 Years
- Until deleted
- Audit trail retention in archived database
- Automatic per configuration
- Manual action required
- No archive retention
Manageability. Rate the ease with which the system can be managed.
- Administering the system is quick and easy.
- Administrative human errors are:
- Reports are easily customizable.
- Only using 3rd party tools like Crystal Reports
- Using 3rd Party reporting tools is well-documented
- Using 3rd Party tools does not require non-secure access to databases
- Are workflows supported by wizards or forward/back functionality?
- Are mistakes easily undone?
- Is it easy to “get lost” in the application:
- Hard to lose your place
- Easy to lose your place
Operability. Rate the ease with which the system can be managed.
- Most commonly performed actions are available in a single screen or page:
- Most commonly performed actions require minimal selections or clicks:
- Sequences of actions can be defined using a “macro” capability:
Integration. This covers built-in and custom integration.
- All needed integrations are built-in and user-configurable
- No – custom programming is required
- Built-in integration capabilities are sufficient
- Yes – all needs covered
- No – functionality is only partly implemented
- An API is available for custom integrations
- API is well-documented
- API is usable by our in-hour IT capability
- API Security is implemented
- API Availability
- Free to all
- Free to integration partners
- Reasonable license fee applies
- Integration license is costly
Suitability. Enterprise Class applications are often feature-rich, and that can sometimes result in a feature-overload experience. Some applications provide a selectable list of configurations, to provide a good starting point based upon your size and type of organization. Some applications have different “editions” of the application, which provide a single pre-configured starting point. Others provide software wizards to guide user through initial configuration, or configuration by sections of the application. Sometimes the application is designed with just a single type of business in mind, but allows delegation of feature use for central, regional and local use.
- A special edition fits our organization type and size
- Configuration for organization type is selectable
- Documentation and help provide acceptable guidance for configuration and use
- Global configuration allows Inapplicable areas of the application can be hidden for all
- User permissions enable hiding inapplicable portions of the application based upon roles and responsibilities
- Application is not configurable, we will have to ignore what doesn’t fit
Localization. Multi-language support can vary from application to application.
- All needed languages are:
- Fully supported
- Supported only in operations functions
- Supported only in administrative functions
- Localization support:
- Users can implement localization.
- Users can implement localization.
- Localization is factory-only
- Event, alarm, log, comment, activity and audit records are timestamped including time zone.
- Time zones are shown in real-time multi-site information displays.
System Compatibility. Integrates or interacts with existing deployed technology.
- Fulfills all requirements
- Fulfills some requirements
- Not compatible
- Data sharing or integration with IT systems.
- Out-of-the-box compatible.
- Custom programming required.
- Not compatible.
- Transaction rates.
- Proven to handle anticipated volume
- Volume capacity unknown
- Reported error/problem rates. Reference sites report:
- No data sharing/integration problems.
- Problems were overcome.
- Minor tolerable problems.
- Significant ongoing problems.
- User-defined database capabilities:
- User defined fields available for in each form or data record where it makes sense.
- Limited use of user defined fields.
- No user defined fields.
- Database export:
- All databases are easily exportable in multiple formats.
- All databases are easily exportable in one or two useful formats.
- Key databases are exportable in an acceptable format.
- Data only exportable via report generation.
- Third-party reporting applications:
- Full documented support for Crystal reports and/or other tools.
- Paid undocumented support for Crystal reports and/or other tools.
- No support
Training. The technology trends are for self-evident system use, miniature help links, instantly available online help, and no training required.
- Formal training is required:
- Formal training is available:
- By Integrator
- By factory
Force Multiplier Rating. Applications should enable users to get more done in less time, compared to working without the application or with legacy or earlier generation applications. Automation can be a big factor in the force multiplier effect.
- More than triples individual productivity
- Doubles individual productivity
- No time-related productivity increase, but reduces errors and stress.
- Can accomplish things not possible otherwise
- Requires less experience/skill than other applications
- Provides reports, dashboards, etc. not otherwise available to stakeholders
Dashboards. Dashboards are important for quickly assessing status.
- Dashboard real-time operational value
- High – meets all needs and wants
- Medium – saves time but could include more information
- Low – don’t contain needed data
- Dashboard customization
- Easily customizable
- Slightly customizable
- Not customizable
Cyber Security. An often overlooked but critically important factor.
- Built-in cyber security capabilities are documented
- Not at all
- Out-of-the-box security profile
- Defaults to most secure profile
- Defaults to least secure profile
- Conformance to standards
- Easily Configurable
- Less than desired
- No standard followed or applied
- Penetration Testing
- 3rd Party Cyber Security Certifications
- All applicable
- Some applicable
Scalability. Technology is evolving and this rating considers that. Scalability is:
- Proven to fit our specific current and future needs
- Proven to fit our current needs, future needs are on manufacturer’s roadmap
- Documented by 3rd-party testing
- Asserted but unproven
Download an Editable Version
For your convenience, download a Word® version of this worksheet so that you can:
- Have an editable electronic copy
- More easily make notes
- Edit it for your specific purposes
If you know of an Enterprise Class attribute that you think should be on this checklist, please tell me about it.
Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and an active member of the ASIS International member councils for Physical Security and IT Security.