Dedicated security management systems are set for a new lease of life thanks to the advent of open industry platforms and fully hardware-independent controllers ‘commoditised’ such that end users pay a licence fee for them equivalent to their functionality. Fleshing out ideas he first presented at The SMT Forum - held last October during Total Workplace Management - Ruben Wegman describes how the security sector might finally begin to rid itself of rigid, old-fashioned and closed system architectures.

The general perception of the security industry is that it's a dynamic marketplace. One with huge growth potential. Due to a range of global factors, there are ever more cogent reasons to invest in security. Consequently, all over the world companies are transforming breakthrough technologies into innovative products and rushing them to market.

However, a visit to one of the security sector's major trade shows - such as IFSEC or Total Workplace Management - suggests that this rosy mental picture does not entirely reflect reality. The average event looks similar to the previous one, with the same individuals populating the exact same booths. When colleagues ask: "Have you seen anything new, then?" invariably the answer is: "No. Not really".

Perhaps the only exception to that rule can be found in the CCTV sections, where innovation is largely driven by developments in consumer electronics that continue apace.

Compare that scenario with your typical IT trade show. The sheer noise level in the exhibition halls reflects the buzz and excitement in that sector. Almost all of the company booths feature brand new product ranges and innovative client solutions, with one major development following another.

So why is there such a big difference between the security and IT markets? For the answer to that question, we can learn something by studying the IT market and use the insights gained to rekindle interest in our own security sector.

The IT sector: going back in time

First of all, let's wind the clock back a few decades. In the early 1980s, if you needed a device for writing a letter, completing calculations or storing information, your IT Department would probably have given you a Wang word processor, an HP12C calculator and an IBM 3270 terminal with access to a database on a mainframe. Three separate devices, in other words, for three functions.

At the time, such a solution represented a major step forward, but very soon end users started to complain. They discovered, for example, that it wasn't possible to integrate calculations within a document. Sharing a printer was also difficult. If you required new functionality, the chances were that you would need to replace at least one of the devices.

However, all of this changed the moment IBM introduced the first PC. It was not so much the device itself that made such a huge impact on the IT market, but more a vision of how computers should work. Instead of dedicated devices that only performed one task well, you were now faced with a generic, all-purpose tool that could do many things for you. It was simply a case of installing the right software.

The subsequent introduction of Microsoft Office made the integration of spreadsheet calculations and merged information from a database within a word processing document even simpler.

Software duly became hardware-independent, and end users could enjoy enhanced hardware performance at ever-lower prices. Moore's Law - which stated that data density would double roughly every 18 months - proved remarkably accurate.

The introduction of open standards made it much easier for third parties to use software developed by others within their own solutions, resulting in a dramatic increase in the speed of innovation. These and other developments - among them the Internet revolution - have led to the dynamic IT market we see today.

The security management market

Compare this history with that of the security management systems market. Two decades ago, if a security manager required a way of controlling access, detecting intrusion and keeping track of events, they would necessarily propose a separate access control panel, a stand-alone intrusion detection panel and a series of CCTV cameras. Integration of these functions would have been a challenge, while the introduction of new functionality often meant replacing at least part of the hardware.

Two decades later, the solution to the problem would be almost exactly the same. Probably, your access control panel would be called something like System 3000 rather than System 2000, but still offer almost exactly the same functionality. The use of an existing Local Area Network (LAN) might have reduced the amount of cabling, but integration would still be difficult and time-consuming.

One could argue, then, that the IT market blossomed while that for security stagnated. The $64,000 question is: ‘Why?’

First of all, the security market is extremely fragmented. Hundreds of companies develop and manufacture their own systems. Hardly any boast a turnover in the security systems sector of more than £25 million. Those that do usually have multiple product lines without any common components. With such turnover levels, it's clear that the amount of money available for developing innovative products is severely limited.

Typically, the architecture upon which the current ranges of security management products are based is over 15 years old. Although some new products are occasionally introduced, the basic design principles remain unchanged. A good example of this is the switch to IP-enabled controllers for access control. Over 80% of those security systems available that have made the switch to IP have done so by integrating a standard serial-to-TCP/IP converter in their controller. The controller can now be connected to the LAN using a Category 5 cable, but the communication between controller and server is still based on the old, original serial protocols - leaving all of the other opportunities offered by true IP-based communication unused.

Furthermore, these aged architectures are - almost without exception - based upon closed, proprietary protocols. This makes it virtually impossible to leverage innovations made by other suppliers. Functionality such as firewalls, encryption and authentication, all of which are presently sought-after by most end users, has to be developed by the manufacturer.

Bottleneck in the system

If you were to study the underpinning architecture of all security management systems currently available in the UK, you would find that the main bottleneck to any kind of advancement is the controller.

For years, controller hardware and software have scarcely evolved at all. At least in part, this is why newly-developed, secure, contactless chip-card technology has yet to make a significant imprint on the market. All of the research and development in encryption and authentication is rendered useless if readers can only be connected to older generation controllers through a standard Wiegand protocol - with no protection whatsoever!

Biometrics might have already made big inroads if available controllers were able to store more than 32- or 64-bit credentials. Now a complex solution is required with biometric templates stored on chip cards instead of on the controller itself. Although biometrics promise identification without cards, in practice you are still stuck with badges due to the limitations of today's controllers.

One of the reasons why controllers have not evolved over the years is that writing reliable, distributed, real-time software that runs on a controller is particularly challenging. Since much of this embedded software was developed many years ago, old-fashioned software languages were used which rendered maintenance extremely laborious.

In the past, microcontrollers offered limited capabilities and memory was an expensive commodity. As a result, a good deal of effort has gone into optimising embedded software to realise the required performance for end users at the right price. This necessarily means that most controller software is extremely hardware-dependent. Adopting a new, vastly more powerful microcontroller - at a fraction of the price - would be prohibitively expensive due to the costs incurred from having to re-write the embedded software.

Is the security market irrevocably stuck in the past? Well, not necessarily. A few companies have taken up the challenge and begun to develop new security management systems from scratch, the first step being a revision of controller design.

Correct method of operation

A number of options are available for the microcontroller at the heart of the system. Just now, the Intel XScale RISC processor family is a promising candidate with an attractive price tag. Most current PDAs and other handheld devices are based on this processor, ensuring ready availability and competitive pricing.

Then you can install some memory (64 MB RAM and 64 MB Flash, for example) and, by adding a USB host controller, a wide range of expansion possibilities become available - such as the expansion of memory with a memory stick or the addition of peripherals like keyboards or small VGA screens.

In addition to this hardware platform, an appropriate operating system needs to be selected. Given that it's essential to have control over all of the software housed in a given controller, an operating system boasting full access to the source code is vital. Open source Linux is thus the most suitable candidate, particularly as there are no licence fees. If you do decide to choose Linux, a wide range of standard functionality becomes available (such as firewalls, encryption and databases, etc).

You're not there yet, though. To be fully hardware-independent, the new controllers must also have a Java Virtual Machine onboard. We are in much the same situation as the mobile 'phone industry, wherein new handsets are introduced every few months. In order not to be forced to rewrite all of the embedded software for each model, third party software developers are now adopting the Java programming language because it enables them to write hardware-independent programs. Nowadays, every mobile 'phone is equipped with a Java Virtual Machine that is capable of running Java software, so you can expect a similar development with controllers.

This new generation will be so generic it's very likely that a few companies will step in and make them a commodity. In the United States, the HID Corporation has already launched its own VertX Linux-based controller line. Consequently, the average sales price will drop quite dramatically. These controllers will apply well-documented open industry standards. That being the case, third parties will be able to focus all of their resources on developing innovative solutions for the end user.

Wholesale change... for the better

The introduction of these ‘next generation’ controllers could well have the same impact on the security management market as did the entrance of the PC within the IT sector. A couple of organisations have already begun to develop totally new security management systems based purely on them.

Developments such as combining access control and intrusion detection behaviour components on the same controllers - giving rise to reduced investments in hardware - will have a major impact on the security market in several different ways.

First, only a handful of solutions developers will have the financial resources, skills and stamina to undertake such a large and risky development project. Therefore, a very limited number of manufacturers will be both willing and able to develop these new platforms.

Second, today's pricing model will need to be replaced. The industry currently earns most of its money from hardware sales, whereas most of its costs are absorbed in the development of software. Due to the commoditisation of controllers, hardware prices will drop pretty rapidly, and so a new revenue stream needs to be established.

Ultimately, a new price model is required whereby end users pay a licence fee for the level of functionality on the controllers.

In much the same way as companies pay for the software packages installed on the PCs at their premises, this model allows for differentiation in charges. Standard access functionality may be priced attractively compared to high-end functionality with the integration of biometrics, etc.

The hundreds of companies that now sell outmoded systems will face a tough ‘make or buy’ dilemma. The majority will procure the new platform from one of the few dedicated manufacturers and use it to develop their own solutions, tailored to the needs of a specific market niche.

With the advent of new and open security platforms, it will then be much easier to develop new functionality. Third parties are already focusing on developing truly innovative solutions by adopting a security platform that adds value for end users without being hampered by rigid, old-fashioned and closed architectures. That is a massively positive development, it must be said.

Security management systems: the ‘next generation’

With the introduction of AEOS, NEDAP has managed to produce one of the first examples of the ‘next generation’ of security management systems, writes Brian Sims. The system is made up of a new hardware line based upon a Linux/Java-based controller, new embedded software and sophisticated server software. The server software is web-enabled, so the end user no longer has to install client software. All that’s needed is a standard web browser. For its part, the Java 2 Enterprise Edition-compliant server software ensures scalability.

An interesting feature of the AEOS lies in the behaviour components. These software modules determine the actual behaviour of the controllers. Standard access control plus more complex behaviour such as ‘patient wandering’ functionality, which is required in many hospitals, may be installed on the controller. Full intrusion detection functionality can be added by simply deploying the right behaviour component. Standard PLC-like behaviour such as AND-gates, OR-gates and timers is also available.

Components are combined via a graphical editor.

All embedded and server software is written in Java, meaning that the software is hardware-independent. As such, hardware and software development might be carried out independently, resulting in reduced lead times.

Peer-to-peer communication: the benefits of migration

Although the introduction of a totally new security management system does not come without its challenges, numerous buildings throughout the world have already been equipped with workable solutions, writes Brian Sims. One such is the headquarters of the ABN AMRO Bank in Amsterdam.

The bank’s Security Department required migration from the old security system to a new access management regime across a single weekend. Despite extremely detailed preparations, when the moment for the migration arrived there were some surprises. Technical drawings did not reflect the actual wiring, while turnstiles worked differently than had been described in the manuals – much the same occurs on many large-scale installation projects, of course. However, the technical engineers on site were able to overcome all of the challenges thrown at them without dedicated firmware or PLCs thanks to the AEOS system’s flexible configuration and its inherent ability to combine behavioural components.

Indeed, Nedap’s AEOS is designed to facilitate full peer-to-peer communication. The input on one controller may be linked directly to an output on another, thus bypassing the central server and using the full power of the TCP/IP protocol.
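The behaviour-component model described earlier (PLC-like AND gates, OR gates and timers combined on a controller) and the peer-to-peer input-to-output linking just mentioned are illustrated by the following added example; it is a constructed Python toy, not Nedap's or AEOS's code, and the signal names, the 30-second hold time and the two-controller door/intrusion scenario are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple
# Constructed toy model (not Nedap's or AEOS code). A controller holds named
# boolean signals; behaviour components run each tick in list order; a peer
# link copies one controller's signal into another's, with no server involved.
@dataclass
class Controller:
    signals: Dict[str, bool] = field(default_factory=dict)
    components: List[Callable[["Controller", float], None]] = field(default_factory=list)
    links: List[Tuple[str, "Controller", str]] = field(default_factory=list)

    def link_output(self, out: str, peer: "Controller", peer_input: str) -> None:
        self.links.append((out, peer, peer_input))   # peer-to-peer wiring

    def tick(self, now: float) -> None:
        for comp in self.components:
            comp(self, now)
        for out, peer, peer_input in self.links:   # propagate over the LAN, no server
            peer.signals[peer_input] = self.signals.get(out, False)

def gate(op: Callable[[bool, bool], bool], a: str, b: str, out: str):
    # PLC-style two-input gate: out = op(a, b) on every tick
    def run(c: Controller, now: float) -> None:
        c.signals[out] = op(c.signals.get(a, False), c.signals.get(b, False))
    return run

def and_gate(a, b, out): return gate(lambda x, y: x and y, a, b, out)
def or_gate(a, b, out): return gate(lambda x, y: x or y, a, b, out)

def timer(src: str, out: str, hold_seconds: float):   # out true once src stays true >= hold
    state = {"since": None}
    def run(c: Controller, now: float) -> None:
        if not c.signals.get(src, False):
            state["since"], c.signals[out] = None, False
            return
        state["since"] = now if state["since"] is None else state["since"]
        c.signals[out] = now - state["since"] >= hold_seconds
    return run

def simulate(door_open_seconds: float, armed: bool, tamper: bool = False) -> bool:
    """Constructed scenario: door held open >= 30 s OR tamper -> alarm, linked
    directly to an intrusion controller that sounds the siren only when armed."""
    door = Controller(components=[timer("door_contact", "door_held", 30.0),
                                  or_gate("door_held", "tamper", "alarm")])
    panel = Controller(components=[and_gate("zone_alarm", "armed", "siren")])
    door.link_output("alarm", panel, "zone_alarm")
    door.signals.update(door_contact=True, tamper=tamper)
    panel.signals["armed"] = armed
    for t in (0.0, door_open_seconds):   # tick 1: door opens; tick 2: time has passed
        door.tick(t)
        panel.tick(t)
    return panel.signals.get("siren", False)
```

Because components are evaluated in list order, a gate that consumes a timer's output must be listed after that timer, which mirrors the wiring order a graphical editor would impose.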