How Biometrics Is Changing Corporate Security
posted 10-31-2009
Biometrics is changing the face of corporate security

Almost immediately after the terrorist attacks of September 11, 2001, huge expectations were placed on the technology of biometrics: Political pundits, security experts, and seemingly every variety of talking head called for using computers more intensively to automatically recognize individuals and identify those who were potentially dangerous—at airport terminals, sports stadiums, data centers, scientific laboratories, and other such sensitive installations.

Biometrics—a collection of techniques for identifying people according to unique physical and behavioral traits such as fingerprints, speaking voices, and the way they walk—promised to help secure America against even the most cunning of enemies.

But guess what? While the use of biometrics in many high-profile government applications has languished since the 9/11 attacks, corporate America, driven by the need to cut costs and boost profits, has been slowly embracing biometrics.

In 2009, according to Acuity Market Intelligence, public sector use accounted for 60 percent of the total global biometrics market, leaving 40 percent to enterprise use. But by 2017, Acuity projects, the commercial sector will account for 55 percent of the market. Some of the driving factors: a highly mobile population, an ongoing decentralization of the workforce, and increasing usage of cloud-based computing. In 2009, Acuity estimates, global biometric revenues will amount to slightly less than $2.6 billion, growing to $11 billion in 2017—a 20 percent compound annual growth rate.

Most but not all uses of biometric security are directly related to controlling access to facilities. As visitors enter Disney World, for instance, computers scan their fingerprints to make sure that only authorized purchasers are making use of discounted multi-day tickets. In scores of corporate data centers, hand-geometry readers work alongside card-keys, badge readers, and passcodes to authenticate workers trying to enter the most secure areas. Voice authentication techniques are helping banks, such as ABN AMRO in the Netherlands, to identify customers before they’re enabled to execute transactions over the telephone.

Clocking in
Arguably the most popular corporate uses of biometrics are in non-security applications, says C. Maxine Most, principal at Acuity. One of the most compelling of these, she points out, is in tracking employees’ time and attendance on the job. “This is a real bright spot,” Most says. “It’s an unsexy app, but it provides definite ROI in 12 to 18 months, sometimes in just 6 months.”

By linking each worker directly to his or her labor record, aka time-sheet, employers can enjoy a host of significant cost-savings, market researcher Most says. Traditional methods of punching into a job, with a piece of paper and time-clock, easily lend themselves to fraud. Workers can enlist colleagues to punch them in and out hours after they actually enter or leave the workplace. But by identifying each worker through a fingerprint or hand-scan, for instance, this kind of “buddy punching” can virtually be eliminated.

“The cost savings are real,” Most says, including fewer conflicts between management and workers, less payroll processing, dramatic reductions in wages for overtime, and reduced administration effort. In a recent white paper, Most estimates that intentional and error-driven “time theft” ranges as high as 10 percent of gross payroll and costs corporate America hundreds of billions of dollars a year. “Biometrics consistently deliver accurate, reliable, and auditable real-time labor data,” she says, and that’s “the foundation of effective labor management.”

The great advantage of using biometrics to confirm identity is that the technique does not require any special effort on the part of individuals. It’s not what a person has in their possession—a key or electronic token, for instance—or what he or she knows, as in a secret passcode, that distinguishes them from other persons. Those items are easy to forget or misplace. Instead, authenticating the person depends on some unique aspect of their physical being that can be measured or analyzed directly by a computer and accurately matched against previously-stored records.

The measure of man
Fingerprints were the first such characteristic to submit to computer analysis and matching, starting as early as the 1960s at the FBI, but since then, the field of biometrics has broadened to include almost a dozen other techniques. It turns out that there are unique patterns to be identified in the shapes of people’s hands, in the coloring that makes up their eyes’ irises, in the blood vessels of their retinas, and in the shapes and arrangement of their facial features. With the right equipment, unique patterns can be recorded even in the veins within fingers and hands. In addition, each person’s DNA, or genetic code, is unique (unless they happen to be an identical twin).

Each individual also displays four unique behavioral characteristics that can be used for biometric purposes: the frequency characteristics of their voice, as shaped by their vocal tract; pen pressure and speed while writing by hand; the timing of fingers typing on a keyboard; and the dynamics of their body and limbs while walking.

Choosing which of these various biometrics to use in a particular application is a matter of weighing such factors as the cost of equipment, error rates, and susceptibility to fraud. Even DNA, thought to be as immutable and definitive as possible, is now suspect. The New York Times in August reported that an Israeli firm called Nucleix has shown that it is possible, indeed easy for “any biology undergraduate,” to fabricate DNA evidence at crime scenes. Quite likely, this has implications for using DNA as a biometric for security and other applications.

Permanence over time is another important factor. If a certain bodily characteristic changes as a person ages, it can’t be used without periodic refreshing of the master database holding biometric records. This is exactly the case with retinal blood vessels, which for some reason have become a particularly popular biometric in sci-fi movies.

Biometrician beware

Experts warn that as unique and powerful as they are, biometrics should not be adopted as substitutes for traditional security measures. Because fooling biometric systems can be as easy as tricking a facial recognition system by showing it a photograph of a face it “knows,” these technologies must be used only in conjunction with other techniques. If people are required to provide a secret passcode or secure pass-key in addition to a fingerprint, the rates of false negatives—mistaking Joe for Bob—and false positives—identifying a photo of Joe as Joe himself—may be reduced to an extremely small number.

And because biometric records are not secrets, writes Bruce Schneier, a leading security expert and blogger, they need special attention when being captured and stored. First, there must be a way to make sure that the voiceprint originally associated with Mary has actually been generated by Mary. And then, once digitized, that voiceprint must be stored in a highly secure way, because a purloined copy of its data could be used—by hacking into a remote terminal, for instance—to trick the biometric system set up to check it. Equally important, Mary can never change her voiceprint or any other biometric, as she might a pass-key or other assigned credential, and that means that once a biometric is compromised, it is compromised for good and therefore unusable.

For now, the industry sectors most heavily committed to using biometrics are healthcare and financial services, both of which are highly regulated. For instance, the Health Insurance Portability and Accountability Act of 1996, or HIPAA, sets out a strict set of rules governing the protection and privacy of medical records. Penalties for breaking these rules are quite stiff, so hospitals tend to pay special attention to securing their IT systems. Yet they also need to make those systems easy for doctors to use, especially when it comes to logging in and out of different workstations as they make their rounds. Too many passwords to remember, or too much fiddling to log in to these systems, and doctors will move on to another hospital. Biometrics, though, and so-called proximity badges, make it possible to quickly log in to a hospital application—and perhaps even have it “follow” the physician from terminal to terminal.

Looking to the future, Acuity’s Most sees biometrics finding widespread use with mobile devices. With a technology called Near-Field Communications (NFC), cell phones can be used as electronic wallets to make purchases of soft drinks, for instance, or theater and transportation tickets. Without some form of biometrics to help associate each cell phone with its proper owner, however, the risks of losing the device would be so high that this scenario would likely remain more dream than reality. “Near-field is the application that will finally drive biometrics into corporate use in a big way,” Most says.

