This is the 10th article in the award-winning “Real Words or Buzzwords?” series about how real words become empty words and stifle technology progress, also published on SecurityInfoWatch.com.
By Ray Bernard, PSP, CHS-III
Sometimes the word “Enterprise” is the top label among several given to sets of product features and capabilities, such as Basic, Professional, Team, and Corporate. Often these labels are retrofit onto existing product capabilities in the hopes of attracting more customers in each category. It doesn’t necessarily mean that the top-of-line product was designed to support all or even most of the needs a large enterprise may have.
★ ★ ★ GET NOTIFIED! ★ ★ ★
SIGN UP to be notified by email the day a new Real Words or Buzzwords? article is posted!
Real Words or Buzzwords?
The Award-Winning Article Series
#1 Proof of the buzzword that killed tech advances in the security industry—but not other industries.
#2 Next Generation (NextGen): A sure way to tell hype from reality.
#3 Customer Centric: Why all security industry companies aren't customer centric.
#4 Best of Breed: What it should mean to companies and their customers.
#5 Open: An openness scale to rate platforms and systems
#6 Network-friendly: It's much more than network connectivity.
#7 Mobile first: Not what it sounds like.
#8 Enterprise Class (Part One): To qualify as Enterprise Class system today is world's beyond what it was yesterday.
#9 Enterprise Class (Part Two): Enterprise Class must be more than just a top-level label.
#10 Enterprise Class (Part Three): Enterprise Class must be 21st century technology.
#11 Intuitive: It’s about time that we had a real-world testable definition for “intuitive”.
#12 State of the Art: A perspective for right-setting our own thinking about technologies.
#13 True Cloud (Part One): Fully evaluating cloud product offerings.
#14 True Cloud (Part Two): Examining the characteristics of 'native-cloud' applications.
#15 True Cloud (Part Three): Due diligence in testing cloud systems.
#16 IP-based, IP-enabled, IP-capable, or IP-connectable?: A perspective for right-setting our own thinking about technologies.
#17 Five Nines: Many people equate high availability with good user experience, yet many more factors are critically important.
#18 Robust: Words like “robust” must be followed by design specifics to be meaningful.
#19 Serverless Computing – Part 1: Why "serverless computing" is critical for some cloud offerings.
#20 Serverless Computing – Part 2: Why full virtualization is the future of cloud computing.
#21 Situational Awareness – Part 1: What products provide situational awareness?
#22 Situational Awareness – Part 2: Why system designs are incomplete without situational awareness?
#23 Situational Awareness – Part 3: How mobile devices change the situational awareness landscape?
#24 Situational Awareness – Part 4: Why situational awareness is a must for security system maintenance and acceptable uptime.
#25 Situational Awareness – Part 5: We are now entering the era of smart buildings and facilities. We must design integrated security systems that are much smarter than those we have designed in the past.
#26 Situational Awareness – Part 6: Developing modern day situational awareness solutions requires moving beyond 20th century thinking.
#27 Situational Awareness – Part 7: Modern day incident response deserves the help that modern technology can provide but doesn’t yet. Filling this void is one of the great security industry opportunities of our time.
#28 Unicity: Security solutions providers can spur innovation by envisioning how the Unicity concept can extend and strengthen physical access into real-time presence management.
#29 The API Economy: Why The API Economy will have a significant impact on the physical security industry moving forward.
#31 The Built Environment: In the 21st century, “the built environment” means so much more than it did just two decades ago.
#32 Hyper-Converged Infrastructure: Hyper-Converged Infrastructure has been a hot phrase in IT for several years, but do its promises hold true for the physical security industry?
#33 Software-Defined: Cloud-computing technology, with its many software-defined elements, is bringing self-scaling real-time performance capabilities to physical security system technology.
#34 High-Performance: How the right use of "high-performance" can accelerate the adoption of truly high-performing emerging technologies.
#35 Erasure Coding: Why RAID drive arrays don’t work anymore for video storage, and why Erasure Coding does.
#36 Presence Control: Anyone responsible for access control management or smart building experience must understand and apply presence control.
#37 Internet+: The Internet has evolved into much more than the information superhighway it was originally conceived to be.
#38 Digital Twin: Though few in physical security are familiar with the concept, it holds enormous potential for the industry.
#39 Fog Computing: Though commonly misunderstood, the concept of fog computing has become critically important to physical security systems.
#40 Scale - Part 1: Although many security-industry thought leaders have advocated that we should be “learning from IT,” there is still insufficient emphasis on learning about IT practices, especially for large-scale deployments.
#41 Scale - Part 2: Why the industry has yet to fully grasp what the ‘Internet of Things’ means for scaling physical security devices and systems.
#42 Cyberspace - Part 1: Thought to be an outdated term by some, understanding ‘Cyberspace’ and how it differs from ‘Cyber’ is paramount for security practitioners.
#43 Cyber-Physical Systems - Part 1: We must understand what it means that electronic physical security systems are cyber-physical systems.
#44 Cyberspace - Part 2: Thought to be an outdated term by some, understanding ‘Cyberspace’ and how it differs from ‘Cyber’ is paramount for security practitioners.
#45 Artificial Intelligence, Machine Learning and Deep Learning: Examining the differences in these technologies and their respective benefits for the security industry.
#46 VDI – Virtual Desktop Infrastructure: At first glance, VDI doesn’t seem to have much application to a SOC deployment. But a closer look reveals why it is actually of critical importance.
#47 Hybrid Cloud: The definition of hybrid cloud has evolved, and it’s important to understand the implications for physical security system deployments.
#48 LegacyHow you define ‘legacy technology’ may determine whether you get to update or replace critical systems.
#49 H.264 - Part 1Examining the terms involved in camera stream configuration settings and why they are important.
#50 H.264 - Part 2A look at the different H.264 video frame types and how they relate to intended uses of video.
More to come about every other week.
It is important to note that, due to the continually accelerating advancement of the information technologies on which electronic physical security systems are built, security systems technologies are also continually advancing. This means that the nature of deploying technology has changed. Gone are the 5- to 10-year rip-and-replace security system life cycles of the previous 40 years. In-place systems must be upgradeable deployments, that customers can update and evolve according to their security and business operational needs, as relevant new technology advances become available.
The chief challenge for veteran security professionals (end user customers) and for security industry veterans (manufacturers and service providers), is to change our thinking to take continual technology advancement into account. When you see super-computers that talk to you being advertised on TV as the “new employee” you can hire (IBM Watson), you know we’re in an entirely new era of computing technology. And it’s just beginning.
Technology advancement itself is just one of the reasons why Enterprise Class has become a moving target. Other reasons have to do with the fact that as technology evolves, so do organizations evolve, and so does the nature of doing business. It’s a changing landscape with rapidly changing risks, and keeping up with this evolving customer landscape is probably the greatest challenge the traditional physical security industry has ever faced.
About This Checklist
Many of these checklist items are not specific to Enterprise-Class applications, and could be applied to any application. However, this checklist overall is focused on system attributes that are critical for enterprise-scale deployments. Human workarounds that are tolerable for small systems don’t scale up to larger systems, and this factor is not always considered when expanding from a small scale deployment.
Important: Don’t excuse any operational shortcoming because “that’s the state of technology today.” Did you know that current-generation motion-detection video analytics automatically account for tree and shrubbery motion, flapping signs on fences, rain, clouds and other non-relevant motion? Regardless of whether a shortcoming could be resolved with current technology, it is important to identify all shortcomings as advancing technology is more than likely to address them.
Enterprise Class Application Checklist
High Availability. This applies to cloud data centers, as well as corporate internal data centers, and to servers operating within the data centers. (For example, the data center may have dual power, but does the server have dual power inputs so it can benefit from it? If not, does the UPS the server runs off have dual power inputs? Does the server itself have dual power supplies? Use the Notes field to capture specific details.
- Data Center Uptime Guarantee:
- Battery Backup:
- 4 hours
- 8 hours
- 24 hours
- 48 hours
- 72 hours
- Emergency Power:
Reliability. Security systems are complex, and reliability must be considered for each aspect of the system. Add to the suggested items below, to include the aspects of the product or system that are operationally important to users, whether highly reliable or not. For items that are not 100% reliable, describe or rate the reliability shortcoming. This includes but is not limited to: Camera offline rates, false alarm rates, nuisance alarm rates, detection failure rates, and quality lapses such as jittery or jumpy video.
- Detection rate:
- Data capture rate (such as for vehicle plate recognition):
- Response time to user actions:
- PTZ tracking:
Data redundancy, backup and recovery. Cost may be a factor depending upon database size. In non-cloud on-premise applications, backups should be automatic, with full weekly backups and incremental daily backups. Cloud-based redundant databases in differing geographic locations can be superior to ongoing backup snapshots, although offline backups may be more affordable if temporary data outages are acceptable.
- Database redundancy:
- The set of disks or other media that contain the redundancy set are separate from the disks that contain the datafiles, online redo logs, and control files (Yes / No)
- The redundancy set is separate from the primary files in every way possible: on separate volumes, separate file systems, and separate RAID devices (Yes / No)
- Database backups:
- Backups can be made in real time, without requiring database use to be shut down (Yes / No)
- Partial recoveries can be made, for cases where data has been accidentally deleted or mistakenly replaces (Yes/No)
- Both backup and recovery have been tested with your own data (Yes / No)
- Backup and recovery times are known based upon the nature of your data (Yes / No)
Cloud Computing Characteristics. Many capabilities, including anytime/anywhere application access, require cloud computing. Some applications are hosted in the cloud, and are web-based, but are not designed as true cloud computing applications. By this I mean that they don’t support the five essential characteristics of cloud computing as defined by NIST: on-demand self-service, broad network access, resource pooling, rapid elasticity or expansion, and measured service. The application attributes below go beyond what NIST defines for cloud computing, but that’s because we’re qualifications for the Enterprise Class label. Cloud system provide many high-value capabilities that are only available via a cloud- based service. Thus, the capabilities of cloud-based application are on an accelerating growth trajectory, while those of client-server based systems are not.
- Cloud-based application:
- Fully-cloud based
- Some features available via cloud-application
- Cloud application is on the manufacturer’s roadmap
- No plans for cloud application
On-demand self-service / measures service. This essentially is self-service provision of application features, activating the service is the same as placing an order for it, and you can add and remove features from the cloud application according to the basis of your subscription (often monthly). What’s great about this is that you get to try out a feature for a nominal cost, without jumping through hoops to do so. No emailing of license files, no reseller or manufacture participation needed.
- Feature activation:
- Instant self-service activation (Yes / No)
- Instant self-service de-activation (Yes / No)
- Billing is done upon completion of each month’s usage – pay only for what you use (Yes / No)
- Subscription scales with actual system use, by users and by feature selection (Yes / No)
Broad network access. This is an availability characteristic – not by time like 24/7 but by location based upon availability of Internet access:
- Feature availability via for computer (PC, laptop, large tablet):
- All desired features desired
- A subset of desired features
- Some important features are not available
- Internet-connection based feature availability via for mobile devices (smartphone, tablet):
- All desired features desired
- A subset of desired features
- Some important features are not available
Rapid elasticity or expansion. For example, adding new cameras automatically adds the appropriate storage to the subscription, based upon the length of the video retention period selected.
- Rapid elasticity or expansion is provided for:
- All appropriate features.
- All features we need to be elastic.
- For some features, but not according to our desires.
Application Updates. Cloud-based applications are typically built using a continuous development/continuous delivery approach. Application updates are usually performed monthly or every two weeks, sometimes weekly. System performance is monitored closely in real time, so that any potential bottlenecks or other non-performance decreases can be identified and quickly remedied. Testing and deployment are mostly automatic processes, utilizing cloud -based tools designed to eliminate human errors and speed up incremental rollouts while reducing the risk of problems being introduced.
- Updates are performed:
- Every two weeks
- Per published schedule
- At the discretion of the manufacturer
Application Roadmap. Executing continuous delivery requires a roadmap. Failure to have a published roadmap for a cloud-base application usually means that development is not predictable, or that the application is new enough that prioritization is based upon the needs of the expanding subscriber base, and thus changes over time.
- Application Feature Roadmap is:
- Published to one year out.
- Published to six months out.
- Published to three months out.
- Not published but sharable under NDA.
- Not published or sharable.
Operator Permissions. The larger the deployment, the more important these features become.
- Manage by operator classes or categories or roles:
- Do roles support inheritance (such as Supervisor inherits Operator permissions):
- Manage by user-defined operator groups across categories (e.g. areas, regions, shifts, facility type):
- Granularity of permission settings matches operator job roles and responsibilities:
- Good match
- Poor match
- Permissions settings can be cloned or copied when creating new categories
- Authorization to define operator permissions can be delegated by region or other criteria:
- Reporting for operator permissions is highly useful:
Audit Trails. This capability traditionally has varied widely between otherwise similar products.
- All operator control actions are logged.
- All operator individual edit actions are logged (such as changed name, changed address).
- Audit trail change record includes “before” and “after” data record snapshots?
- Audit trail timestamps include operator’s time zone.
- Audit trail retention in live database
- 90 days
- 180 days
- 1 Years
- Until deleted
- Audit trail retention in archived database
- Automatic per configuration
- Manual action required
- No archive retention
Manageability. Rate the ease with which the system can be managed.
- Administering the system is quick and easy.
- Administrative human errors are:
- Reports are easily customizable.
- Only using 3rd party tools like Crystal Reports
- Using 3rd Party reporting tools is well-documented
- Using 3rd Party tools does not require non-secure access to databases
- Are workflows supported by wizards or forward/back functionality?
- Are mistakes easily undone?
- Is it easy to “get lost” in the application:
- Hard to lose your place
- Easy to lose your place
Operability. Rate the ease with which the system can be managed.
- Most commonly performed actions are available in a single screen or page:
- Most commonly performed actions require minimal selections or clicks:
- Sequences of actions can be defined using a “macro” capability:
Integration. This covers built-in and custom integration.
- All needed integrations are built-in and user-configurable
- No – custom programming is required
- Built-in integration capabilities are sufficient
- Yes – all needs covered
- No – functionality is only partly implemented
- An API is available for custom integrations
- API is well-documented
- API is usable by our in-hour IT capability
- API Security is implemented
- API Availability
- Free to all
- Free to integration partners
- Reasonable license fee applies
- Integration license is costly
Suitability. Enterprise Class applications are often feature-rich, and that can sometimes result in a feature-overload experience. Some applications provide a selectable list of configurations, to provide a good starting point based upon your size and type of organization. Some applications have different “editions” of the application, which provide a single pre-configured starting point. Others provide software wizards to guide user through initial configuration, or configuration by sections of the application. Sometimes the application is designed with just a single type of business in mind, but allows delegation of feature use for central, regional and local use.
- A special edition fits our organization type and size
- Configuration for organization type is selectable
- Documentation and help provide acceptable guidance for configuration and use
- Global configuration allows Inapplicable areas of the application can be hidden for all
- User permissions enable hiding inapplicable portions of the application based upon roles and responsibilities
- Application is not configurable, we will have to ignore what doesn’t fit
Localization. Multi-language support can vary from application to application.
- All needed languages are:
- Fully supported
- Supported only in operations functions
- Supported only in administrative functions
- Localization support:
- Users can implement localization.
- Users can implement localization.
- Localization is factory-only
- Event, alarm, log, comment, activity and audit records are timestamped including time zone.
- Time zones are shown in real-time multi-site information displays.
System Compatibility. Integrates or interacts with existing deployed technology.
- Fulfills all requirements
- Fulfills some requirements
- Not compatible
- Data sharing or integration with IT systems.
- Out-of-the-box compatible.
- Custom programming required.
- Not compatible.
- Transaction rates.
- Proven to handle anticipated volume
- Volume capacity unknown
- Reported error/problem rates. Reference sites report:
- No data sharing/integration problems.
- Problems were overcome.
- Minor tolerable problems.
- Significant ongoing problems.
- User-defined database capabilities:
- User defined fields available for in each form or data record where it makes sense.
- Limited use of user defined fields.
- No user defined fields.
- Database export:
- All databases are easily exportable in multiple formats.
- All databases are easily exportable in one or two useful formats.
- Key databases are exportable in an acceptable format.
- Data only exportable via report generation.
- Third-party reporting applications:
- Full documented support for Crystal reports and/or other tools.
- Paid undocumented support for Crystal reports and/or other tools.
- No support
Training. The technology trends are for self-evident system use, miniature help links, instantly available online help, and no training required.
- Formal training is required:
- Formal training is available:
- By Integrator
- By factory
Force Multiplier Rating. Applications should enable users to get more done in less time, compared to working without the application or with legacy or earlier generation applications. Automation can be a big factor in the force multiplier effect.
- More than triples individual productivity
- Doubles individual productivity
- No time-related productivity increase, but reduces errors and stress.
- Can accomplish things not possible otherwise
- Requires less experience/skill than other applications
- Provides reports, dashboards, etc. not otherwise available to stakeholders
Dashboards. Dashboards are important for quickly assessing status.
- Dashboard real-time operational value
- High – meets all needs and wants
- Medium – saves time but could include more information
- Low – don’t contain needed data
- Dashboard customization
- Easily customizable
- Slightly customizable
- Not customizable
Cyber Security. An often overlooked but critically important factor.
- Built-in cyber security capabilities are documented
- Not at all
- Out-of-the-box security profile
- Defaults to most secure profile
- Defaults to least secure profile
- Conformance to standards
- Easily Configurable
- Less than desired
- No standard followed or applied
- Penetration Testing
- 3rd Party Cyber Security Certifications
- All applicable
- Some applicable
Scalability. Technology is evolving and this rating considers that. Scalability is:
- Proven to fit our specific current and future needs
- Proven to fit our current needs, future needs are on manufacturer’s roadmap
- Documented by 3rd-party testing
- Asserted but unproven
Download an Editable Version
For your convenience, download a Word® version of this worksheet so that you can:
- Have an editable electronic copy
- More easily make notes
- Edit it for your specific purposes
If you know of an Enterprise Class attribute that you think should be on this checklist, please tell me about it.
Ray Bernard, PSP CHS-III, is the principal consultant for Ray Bernard Consulting Services (RBCS), a firm that provides security consulting services for public and private facilities (www.go-rbcs.com). He is the author of the Elsevier book Security Technology Convergence Insights available on Amazon. Mr. Bernard is a Subject Matter Expert Faculty of the Security Executive Council (SEC) and an active member of the ASIS International member councils for Physical Security and IT Security.