Saturday, August 26, 2006

Service-oriented security

In his post on Heathrow Hell, my CBDI colleague David Sprott discusses the recent airport security measures imposed by the UK government, following a suspected terrorist plot to use liquid explosives in midair. No handbaggage at all. No liquids or other refreshments allowed onto the plane. No books or magazines. And no phones, cameras or laptops.

As it happens, I was travelling myself that day, heading to Grenada on vacation with my family, so I was personally affected by the new security restrictions. Fortunately, we were informed before we left home, and were able to repack accordingly. I packed my oldest mobile phone in the suitcase, and was allowed to take the SIM card onboard along with my other credit cards and identity cards. But my children had their sweets confiscated at the security check.

Cheap airlines charge outrageous amounts for a very poor selection of onboard refreshment, while airport shops sell a much more interesting selection at more reasonable prices. So it generally makes sense to buy your own food before boarding. But on this occasion, nobody seemed sure whether any snacks or drinks we might buy would be allowed onto the plane. As a result, everyone bought stuff onboard, and the plane (unprepared for the extra demand) ran out of nearly everything. Meanwhile, the airport shops were affected by the reduced number of planes, together with the altered pattern of demand, and were left with huge amounts of unsold sandwiches and other perishable stock.

So look what happens. An emergency security policy is imposed, and lots of supply chains are seriously affected by higher or lower demand - and this is made worse by confusing and inconsistent communication of the policy.

Perhaps security is more important than a few unsold sandwiches and and a few hungry passengers, or even a few delayed and cancelled flights. But the emergency policy had a negative impact on other aspects of security as well. Thousands of mislaid bags [source: BBC News]. People who steal stuff from baggage must have thought Christmas had come early. And were we really any safer overall? [See Bruce Schneier]

Will technology solve the security problem? New systems available from 2008 might be able to trap known terrorists before boarding the plane; in the meantime we have to rely on passenger profiling [source: BBC News]. This might be just about adequate for symmetric threats, but of course terrorism isn't symmetric.

As David points out, CBDI analysed this very problem over three years ago, as a worked example of business modelling for SOA. All of the stakeholders - airline, airport, airport shops and other service providers - need to be able to respond quickly to unexpected changes in national security policy. We have long advocated a holistic approach to service-oriented security; among other things, this involves integrating differentiated services with dynamic policy management, enabling an agile approach to SOA security. We design a service-oriented business - or a service-oriented collaboration between multiple businesses - with the expectation that policies and other demands will change at short notice. In my view, this rapid-response capability is precisely the sort of SOA benefit that is directly relevant to the business and is not just about IT cost-saving.

Further commentary from Bruce Schneier.

Related Posts

Travel Hopefully (March 2008)
Heathrow Terminal 5 (March 2008)
For Whose Benefit Are Airports Designed? (January 2013)

No comments: