Issue #91 Cover Story: How Cloud Services Are Impacting Physical Security

cover_176081492By Brian Tuskan.

Who would have believed, even a short time ago, that cloud technology would change everything for Physical Security. The enhanced services that security can now deliver to improve safety and save lives, is akin to seeing just beyond the headlights; and steering away from danger, just ahead of time.

Before I jump into the cloud discussion, I will provide a little context around my experience with technology and how it has been applied to the organisations that I have worked with. From the first time I saw the game ‘Pong’ on a TV screen, I have always been interested in computer technology, especially during my early university computer applications classes. I was never interested in learning to cut code as a software architect or engineer, but loved being a power user of computer technology to solve problems, or to be more efficient and agile. I started with a Commodore 64 with an Oki dot-matrix printer, and taught myself about computers through reading, research, and mostly trial and error.

Ever since I was very young, I have always dreamed of being a police officer. In 1988 I realised my dream when I started a law enforcement career with the Honolulu Police Department. By then I was hooked on computers, and interested in seeing how they could be applied to policing. In my short five-year tenure, my career advanced rapidly, and my jobs included special services positions as an ATV officer patrolling Waikiki Beach, and member of the Honolulu Police SWAT team. Although I was never the top of my police recruit class; the power of computing technology gave me a competitive advantage by enabling me to do things better and faster than other non-technical officers.

In those days, the few police computers provided were Wang PC desktops connected to a mainframe. The primary report writing technology supplied to officers was a manual typewriter. If you wanted to be faster, you bought your own electric typewriter. Talk about Bring-your-own-device! I was the first officer to use a laptop for work when I scraped up enough money to purchase a dual floppy drive Tandy 1400FD laptop. Picture a laptop about the size of a slim desktop weighing what felt like 20 lbs. There was a tiny LCD screen and no hard drive, so I would carry around a bunch of floppy drives.

The more seasoned officers endearingly teased me, and my supervisor gave me the nickname ‘Mr. Science’. I loved the moniker as it differentiated me from everyone else. My supervisors started giving me coveted roles and I helped them solve problems using spreadsheet templates in Lotus 123 for metrics and crime statistics, and used Harvard Graphics for visualisation and presentations. One evening, while writing out a report on my laptop, a seasoned senior officer looked at me with a smirk and said “what’s up with your computer gadgets? The police functions just fine without them.” I replied that computers were the future and would forever change policing. This proved true for my professional development as I was able to complete case reports twice as fast as anyone else. A bunch of rookie officers purchased their own laptops, and form-filler programs when I started the ‘cop geek club’ and held technology study groups. Then we all chipped in and bought a high-end dot-matrix printer, pumping out case reports at lightning speed. It did not take long to see the more senior officers jump on the technology bandwagon and join the club.

Then, in 1993, I accepted a lateral position with a small police department (Redmond, Washington) with only 36 sworn police officers. What this Police department lacked in size they made up for by being very progressive with technology. Microsoft Corporation is headquartered right in the backyard of the City of Redmond. The Police Department at that time was led by Police Chief Steven Harris, who was also the International Association of Chiefs of Police President, and had a strategy when it came to technology. He was a strong advocate of public, private partnerships and the use of technology in policing. I was able to invest eight years at the Redmond Police, mostly as a detective, and leveraged technology to solve problems and help my job. As an example, to manage major fraud cases which required lots of data, I built a Microsoft Access database leveraging COTS (Commercial-off-the-Shelf) technology. That act alone cut the data input and analysis by 75 per cent from the old way that we did things. This helped us to solve cases much faster. Then I started embedding photos and images in police reports using Microsoft Word, and also used email for witness statements. All of the detectives and officers soon followed, after seeing the power of technology to help increase productivity.

In 2000, I had the opportunity to work in the private sector after being recruited to join the team at Microsoft Global Security. The role managed the investigations, operations, and technology teams, as well as innovating and incubating exciting new concepts for physical security and public safety. I was surprised to see that the security team had built most of their security IT infrastructure for their own use. The team managed on-premise servers and proprietary applications. Physical security managers were also IT system administrators with 24×7 oversight and control. They loved being paged to ‘save-the-day’ if something went wrong.

Since Microsoft has one of the largest corporate IT infrastructures in the world, I questioned the logic of owning and managing our own servers, and believed that we could still effectively control and even enhance our IT services through partnerships. Even though I was told that by owning the IT environment, we could control everything, after reviewing our security’s technology we found that the technology was not scalable, nor interoperable. Being in-house hosted, it was a collection of solutions that the team had put into action over several years to solve individual problems. Because there was no strategy behind the technology, the physical security infrastructure was a costly nightmare to operate. We found vast opportunity to streamline the 60 different proprietary technology solutions in our organisation.

With the support and leadership of our Chief Security Officer, Mike Howard, we were able to obtain funding for a strategic multi-year physical security technology upgrade. The strategy focussed on COTS platform-based technology: technology that could be configured instead of customised; technology that already existed within the IT environment; and technology that was developed for business productivity which could also be used for security.

Instead of compartmentalising security from IT, consistent with our new strategy, we targeted the development of strong partnerships with IT. By moving the on-premise servers of security to IT’s hosted environments, we were able to receive 24×7 expert service, with high availability. If something with the technology went wrong, disaster recovery protocols meant we could rely on our partnership with IT to speedily fix it based on defined service level agreements.

Around 2005, Cloud Computing, or simply ‘Cloud’, started to gain traction. Many people wondered what it meant. Cloud delivers computing as a service rather than a product. Most people do not think twice where their water or electricity service comes from; they just expect to get the service and pay for that service. When they open a faucet, water flows. When they plug in an appliance, it turns on. Renting services from the Cloud gives the same experience for utility computing.

Today, the cloud can be consumed in many ways: as a public, private, community or hybrid cloud service, and choices about on-premises or off-premises infrastructure can be made. Put another way, many organisations, large and small, are challenging their IT enterprises to deliver competitive cloud services, or migrate them to a best-in-class organisation who can. Others are also using them at peak time because of their amazing elasticity. The Cloud is a disruptive technology like the first mass produced automobiles, which arrived and rendered horse carriages obsolete. Like all evolving technologies too, the migration is gradual. Even those first cars I just mentioned had their own buggy whips as they were transformed to the next generation!

As a Corporation, Microsoft’s strategy included going ‘all in’ to the cloud. Our Global Security team embraced this strategy by stating a bold goal complete with timeline to move nearly two dozen physical security technology functions to the cloud. Today, the majority of our physical security technology sits either in a private or hybrid cloud, and more recently we have solutions in the public cloud using SaaS (Software as a Service) hosted by Microsoft. In most cases, freeing the dependency from on-premise hosting increases system availability, reduces costs, and, in the current cyber-risk era we live in, ensures systems are up-to-date and as robust as best practices allow. It was compelling when we compared this to the relatively skinny maintenance and compliance budgets that many organisations have for on-premise infrastructure. Reputable Cloud data centers have the best in the business managing them. They are regulated, secure, and the sheer economies of scale of such large IT infrastructures allows for significant cost reductions compared to in-house IT hosting.

I frequently hear the question ‘Is the cloud secure?’ I say ‘absolutely’. If you chose a reputable cloud service provider who implements security best practices it can be significantly more secure. I recommend careful research before choosing a cloud solution. Select your advisors carefully to ask the right questions. Major cloud service providers have lots of information about their security protocols and architecture, and can describe in detail how your information is hosted, compartmentalised and managed. Microsoft’s Azure cloud reduces security and compliance costs and minimises risks to organisations through: Identity Access Management, Network Security, Data Protection, Data Privacy, Threat Defense, Compliance Programs, and Certifications. Microsoft is also an executive member of the cloud security alliance helping to lead on standards, and encouraging industry colleagues to best practices. The International Association of Chiefs of Police (IACP) chose Microsoft Azure to host their association website www.theiacp.org.

Still, many public sector organisations either do not want, or cannot by regulation, allow their servers to leave their building. If they can see it and touch it, then it is safe in their mind. In 2012, when Super-Storm Sandy pummeled the East Coast of the United States, a small police agency’s building in the state of New Jersey was flooded by the storm. Police officers literally had to carry their desktops and police servers over their heads to get to higher ground. The entire department’s digital files were on those desktops and servers. Officers used blow dryers in an attempt to dry out the wet hardware hoping to get them to work. Some of the information was lost forever. The cloud allows for synchronised file storage and sharing – virtual backups for the backups. If you lose on-premise hardware in a disaster, all of the information can be safe and accessible in the cloud.

Cloud solutions also allow for hybrid environments where you can have both on-premise and cloud services to leverage the cloud. The benefits are high availability of your data in case of a crisis. With the ubiquity of mobile technology, tablets, and the internet of things, information is so easy to access from any device. Better still, a cloud connected smartphone is like having a data-centre in your pocket. Add a computer assistant that you can now talk to, and the possibilities are endless.

The fiscal benefit of cloud services is the reduction of capital expenditures. Build out of expensive hardware rich infrastructures which may only reach peak load periodically is a thing of the past when a few technology devices with an internet connection will suffice. Many platform-based cloud services come with client offline synchronisation. Put more simply, they store a local copy of the data most critical to you, which you can access when there is no network available. An example of this type of resiliency is the interoperable capabilities of Microsoft’s three Global Security Operations Centers (GSOCs). Leveraging the many applications now in the cloud, our GSOCs share responsibilities across geographies and time zones, through operational load sharing. The hardware used in the centre’s are laptops and tablets that are easy to un-dock and move in case of an evacuation or emergency. The other GSOCs manage operations until the affected SOC takes back operational control.

Government agencies and those with limited IT support or budget are now leveraging the cloud to deliver large organisation technology solutions at a moderately small cost. I know of several police agencies which have embraced cloud solutions for their entire department. The Chief conducts virtualised briefings to the rank and file teams through IP unified communication. Like the jump that the Tandy laptop gave me, Officers now manage reports, use of force, and any police document within a shared portal, seamlessly, while outside the police station.

New, next generation business intelligence tools allow patterns to be identified, and the development of heat maps which provide officers with actionable intelligence to act by deploying appropriate resources to the right places. With shrinking budgets and limited technology improvement opportunities, organisations are accustomed to being forced to do more with less. Today, with even less, they can do much more with the cloud.

You can see more examples of the power of the cloud at Microsoft Cloud (http://www.microsoft.com/enterprise/microsoftcloud/default.aspx#fbid=-D8rvh0IZhX) and Microsoft in Government (http://www.microsoft.com/government).

 

Brian Tuskan is the Sr. Global Security Director of Technology & Investigations for the Microsoft Corporation. In addition, Brian oversees all security communications & awareness. In his 13 years at Microsoft, Brian has led other Global Security teams, including Global Security Operations, Event Security, Retail Security and the build-out and implementation of the three Global Security Operations Centers. Prior to Microsoft, Brian has over 12 years of law enforcement experience. He has a Criminal Justice degree from Wayland Baptist University, a graduate of the University of Washington – Foster School of Business – Executive Development Program, and a Leadership Certificate from Georgetown University. Brian is on the Microsoft Worldwide Public Safety and Justice Advisory Council and served on the ASIS Leadership & Management Practices Council.