A standard ain’t a standard unless it’s standard – and in physical security, it ain’t
I pumped a few gallons of Shell premium unleaded into my tank which was partially full of Mobil 93 octane. Got to my office and tuned the TV to CNN. Watched it for a while then slipped to Fox News. Booted up the MacBook running Leopard and VMware with Windows XP and surfed over to Google to read my RSS feeds from a dozen blogs and news sources. I noticed the cleaners had loosened some plugs so I plugged my stereo system back in the wall. That reminded me to use my Sprint cell phone to call the land line phones at the electronics store to see if the newest Blu-ray readers are in stock.
That’s the thing about standards. You hardly notice them till they’re absent. Take Blu-ray. Of the two competing standards in the high definition video format wars, I thought HD-DVD was going to win. DVDs are awesome, but high definition DVD seemed way better. But I wasn’t confident enough to plop down 400 bucks until the vendors fought it out amongst themselves. For a while I thought about grabbing that Samsung player that played both video formats, HD-DVD and Blu-ray, thinking that Samsung was creating an integrated environment by supporting both. Then I looked at the price tag and saw it selling for nearly twice the price of a standard Blu-ray box. Integration sure can cost a lot.
I just referred to Blu-ray and HD-DVD as standards. I should have said proposed standards. That’s because a standard is only a standard if it’s standard. Er…you know what I mean. Two groups worked out a new format for all music and video disks, but they weren’t identical. It took a consensus of distributors and customers to decide which would become the actual standard of choice.
In the security industry we talk about standards all the time. H.264 looks like it will be the compression standard of choice for squishing video into tight streams to fit on our overloaded networks. IPv6 is poised to be the protocol to handle the exponentially growing traffic on our networks. But an obviously missing standard in our industry is messaging. Remarkably, there is no standard way to get a message from this access control server, or that video analytics processor, to this event management correlation engine. Blows my mind.
This is not rocket science. You decide on a delivery platform, like XML, and a format of headers and tags for different classes of information, and everyone starts using it. Creating the standard is easy. Desiring to create a standard, well, that’s the sticky part. Ask some of the big-name vendors – especially the ones touting their use of Microsoft, Oracle, and other IT standards-based products – to describe their approach to standard messaging and they’ll happily tell you about their application programming interface (API).
A vendor told me the other day that his access control solution was “totally open.” When I asked what he meant he told me he offers an SDK to qualified partners. I don’t know what some of these people are smoking, but an API is not a standard. Neither is an SDK (a software development kit). APIs and toolkits are proprietary. They are like secret invitations to the private club. It’s like those shifty car dealers offering 0% financing to qualifying buyers. That “qualifying” bit keeps it exclusive.
Interoperability is really the key for being open or standards-based. But that’s only a half step. Sure my product can be interoperable with anybody else’s, but as soon as one vendor in the infrastructure changes something, everyone has to change. The whole point of standards is that once you embrace the standard, you are guaranteeing a higher level of interoperability, rather than interoperability that is frozen in time. There’s another catch. Just because my product is standards-based, and so is yours, it doesn’t mean our products are interoperable. For example, if I encapsulate my video in RDP and you encapsulate yours in UDP, we’re still sunk. We’d need some middleware to get the two systems to work together.
Clearly XML is a popular way to tag and share information between multiple systems. XML is not exactly a standard – it’s merely a schema, a template, for presenting information – but it’s close enough. It could easily serve as the perfect foundation for sharing information. Next, product makers will have to decide which XML tags to use and what classes of information to associate with the tags. If XML isn’t the preferred platform, then let’s pick SNMP or something already!
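To make the "headers and tags for different classes of information" idea concrete, here is an added example (not from any vendor or standards body) of a correlation engine accepting one shared XML event format from both an access control server and a video analytics processor. The tag names, device names and sample messages are hypothetical and constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

REQUIRED_HEADER = ("source", "class", "time", "location")  # hypothetical tags
SAMPLES = [  # constructed messages; no vendor emits this exact format
    "<event><header><source>acs-01</source><class>access</class>"
    "<time>2008-03-01T02:14:05</time><location>dock-door-3</location></header>"
    "<body><type>door-forced</type></body></event>",
    "<event><header><source>vap-07</source><class>video-analytics</class>"
    "<time>2008-03-01T02:14:09</time><location>dock-door-3</location></header>"
    "<body><type>motion</type></body></event>",
    "<event><header><source>acs-01</source><class>access</class>"  # no <location>
    "<time>2008-03-01T09:00:00</time></header><body><type>badge-ok</type></body></event>",
]

def parse_event(xml_text):
    """Parse one message; raise ValueError if it breaks the shared format."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTDs and entities are not accepted from devices")
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed: {exc}")
    header = root.find("header")
    if root.tag != "event" or header is None:
        raise ValueError("missing <event>/<header>")
    event = {}
    for tag in REQUIRED_HEADER:
        value = header.findtext(tag)
        if not value:
            raise ValueError(f"missing header tag <{tag}>")
        event[tag] = value.strip()
    event["time"] = datetime.fromisoformat(event["time"])  # ValueError if malformed
    event["type"] = root.findtext("body/type", default="")
    return event

def correlate(messages, window=timedelta(seconds=30)):
    """Return (accepted events, rejected count, access/video pairs at one location)."""
    events, rejected = [], 0
    for msg in messages:
        try:
            events.append(parse_event(msg))
        except ValueError:
            rejected += 1  # a non-conforming sender is dropped, not special-cased
    pairs = [(a["source"], b["source"], a["location"])
             for a in events for b in events
             if a["class"] == "access" and b["class"] == "video-analytics"
             and a["location"] == b["location"] and abs(a["time"] - b["time"]) <= window]
    return events, rejected, pairs
```

The engine needs no per-vendor adapter: any device that fills in the four header tags can be correlated, and any that does not is rejected at the door.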
All I’m saying is that you, the end users, security executives buying and using security technologies, will be able to have more efficient, effective, flexible and value-creating security architectures if the vendors would get out of their good ol’ boy mentality and allow new software and hardware to interoperate easily. Standards are the most effective path to that interoperability. We want to evolve to a plug n play environment. Unfortunately the closest I’ve seen so far is plug n pray. Most integrators and vendors don’t even achieve that, however, preferring good ol’ fashioned plug n pay.
Well, gotta run to the store and pick up my Blu-ray player. Hmmm, but will it play my home video DVDs?