We are stuck with cards, passwords and PINs for the foreseeable future, but biometrics continues to advance.
All too often we tend to focus on the latest and greatest technologies out there and the bleeding-edge installations that set the scene for others to follow in years to come. It therefore helps to sometimes stop and refocus on the real marketplace to determine what vendors, installers and integrators are really doing when it comes to access control and identity management.
Hi-Tech Security Solutions asked a few of the local access control and identity management players to join us for a round-table discussion to learn what the real situation is in the local market. We were not looking for marketing or technology information, more a feel of the state of the market and what customers in general were doing in the access control and identity management field.
Starting out, we asked our panel to provide us with a big picture overview of the market as they see it, in only a sentence or two.
Linda Glieman, GM Africa at Impro, says the tide has turned and more companies of all sizes are considering biometrics as an identity platform for a number of uses, including, albeit slowly, the replacement of passwords and PINs (personal identification numbers). This evolution will continue for some time, however, and she expects to see many larger companies using a mixture of cards and biometrics for their access control for some time to come.
Sanjay Dharwadker, regional manager at Morpho SA (known as Sagem in the past) agrees, saying this convergence is happening on a global scale, with some territories driven by market demands, such as South Africa, and others by large-scale national projects. Morpho has recently completed its acquisition of L1 in the USA for around €1 billion to ensure it remains on top of the market’s convergence.
Walter Rautenbach, MD of integrated solution development and biometric distribution company, neaMetrics, says convergence is happening, but it is a process that still has a long way to go when considering new technologies that add to the complexity of projects, such as the growth of mobile technologies and even cloud services.
Bonny Pedra, Pentagon Distribution’s key accounts manager, says Pentagon, better known for its focus on the CCTV side of the business, has moved into the access game because of customer demands for integrated security solutions. Security in silos does not cut it in the market anymore.
“We found that the industry’s looking for access control that can manage more than just opening and closing doors, but also contributes to identification, monitoring, payroll and so forth. Moreover, openness and the ability to integrate an access control product with other databases and systems have become more crucial.”
Robbie Truter, area sales manager for HID Global SA, says the word on everybody’s lips is convergence: how do you link your logical and physical access, as well as other areas of your security posture. He states that two-factor authentication is definitely where it’s at: something you have, like a card; and something you know, a PIN or sort of biometric. That gives you a much better understanding of whether the person is who they say they are. “For us, that’s where we see the market going.” He adds that biometrics will play a huge part in this, but cards will still be with us for a long time to come.
Cards will not die
When discussing the continued reliance on cards for access to almost anything, especially when there are more highly secure options available, Glieman says the reason is simply cost and trust.
Swiping a card on a machine you have had for years is far cheaper than changing to biometrics, and even more advanced smartcards in some cases. And even though biometrics has taken off in South Africa, many people are still wary of the technology, and this lack of trust is often warranted with the continued arrival of newer, less reliable products on the market that give biometrics a bad name.
“I think it also depends on the size of the organisation,” she adds. “Many larger corporations cannot afford to put biometrics everywhere, so we will definitely have a combination of cards and biometrics for the foreseeable future. We can expect to see more biometrics being used in high-security areas where additional security precautions need to be taken.”
Truter agrees, but notes that your choice of access control also depends on your risk profile. “Depending on what company you have, what you are trying to protect, whether it be your intellectual property or a data centre, that will determine what credential you choose.”
He also believes that in some cases, consultants do not even know what technologies are available. There is an educational component that needs to happen to ensure the market is not stuck in a proximity-based access rut. But this is a long-term focus as the old ID badge or card is still the most common identification mechanism used.
Dharwadker says he has seen the debate continue for years and it will continue for some time as people are comfortable with the status quo and, again, the cost is hard to beat.
As a warning to those about to jump into biometrics, Rautenbach says that often people promote biometrics because it seems to be less demanding on the administrative side. However, there is also an administrative aspect to biometrics that can’t be ignored or handled carelessly if you want an effective solution.
Another reason for the lifespan of cards is the versatility in new cards that can integrate multiple applications, from accessing a building, through to paying for lunch at a canteen and even logging onto your computer. Near-field communications (NFC) technology will extend that ability to your mobile device in 2012.
Real integrated access?
Vendors have been talking about expanding the scope of access control from building entrances through to logging onto your PC and paying for lunch (whether via biometrics or cards) forever. Apart from rare occurrences, this is simply not happening, especially using biometrics.
Glieman says everyone is concerned about the growing threat from white-collar crime, but needs to be educated as to how this can be effectively dealt with. While some companies have the resources to integrate various security mechanisms to ensure the person conducting a transaction is who they claim to be and has the authority to do what they are trying to do, most do not, as it is still a mammoth task.
“I think as manufacturers we need to get more involved in making it possible for companies to accomplish this integration without needing a complex technical solution.”
Pedra agrees, noting that open standards are crucial in any integration process to make it as seamless as possible. Although there are already standards in place, the ability to integrate access control and identity management into broader enterprise systems still requires more work than it should.
There are no real off-the-shelf applications for access and identity management that can be quickly installed and used, Rautenbach notes. The scope of what you require can get so big that, once people start talking about integration and their specific requirements, they get scared off. Every company has its own specific needs, so you cannot simply buy an identity management package and install it; you need to do the integration and customisation work to make it effective for your situation. And that costs money, and there is not much of that spare these days.
The identity process
We all know that companies are supposed to have policies and processes around identity, whether this is part of a security policy on how to authenticate people entering a building or logging onto a computer. The reality is that these policies are mostly ad hoc. The security department has one for accessing the building, while IT has one for accessing logical resources, while HR has one for who uses a company car and so on. In most cases, they never converge.
This is changing slowly. “Today more companies are starting to create a security policy, for which they need an identity management policy,” says Glieman. “While many companies say they have an identity management policy, they do not really. They have a few processes documented, but few have the resources to throw at identifying, putting together their identity management policy, and making sure that it is integrated.
“Again, it is about education and having time to bring it together. I think many companies would be quite shocked if they really knew the level of security within their own organisations. Unfortunately, everybody only finds out once there has been a breach of some sort and then all hell breaks loose.”
Truter believes compliance regulations will drive the process to a consolidated identity process, which he says should be reviewed on an annual basis. Recent recommendations from the King III report would encourage this, but again, it is a matter of how seriously companies take this and what resources they are prepared to put behind it.
The problem with many identity policies is that they are generally card or password-based. This in itself is a vulnerability, as the system can be breached easily – as numerous fraud cases have shown. Biometric solutions can prevent this as they are not tradable and cannot be lost – and the newer technology requires quite some effort to bamboozle. “For example, we are introducing innovations such as the combination of fingerprint and vein technology,” adds Dharwadker. “This will prevent fake fingerprints or excuses from those who have damaged or unreadable fingerprints.
“Another example, looking into the future is our ‘finger on the fly’ solution that will allow people to scan their fingerprints by simply waving their hand over a reader. I expect we will also have a similar face recognition technology as well. These are not merely advanced technologies, but will make the identity management processes simpler and more non-intrusive, even to the point of invisibility.”
Proprietary not a problem?
Standards are an important aspect of identity processes, Rautenbach adds, to ensure the infrastructural components existing in large enterprises interoperate. The catch here is that complying with ISO biometric standards, for example, will result in poorer performance from your readers, so vendors use their own algorithms to speed the process of identification. When you opt for common standards, you need to take that into account as well if you want to mix and match technology. The converse also applies: if you have used a vendor’s proprietary technology, you may have problems adding alternative products into the equation.
“I personally like proprietary systems, that way you have got one throat to choke if something goes wrong and you have got easier integration,” adds Truter. “But I think a policy is very important, the questions are, what data do you want to put on your card from a biometric point of view and what will it be used for? Key questions need to be asked before implementation; including who will have access to it and what will it be used for?”
On the topic of proprietary issues, Dharwadker says this only happens in specific areas, such as algorithms, which give the vendors speed and accuracy advantages. In general, however, he says systems are fairly open. At the database level, for example, Morpho uses Oracle, which provides its own framework for compatibility. At other levels, you have examples such as Wiegand. “So I think the question of proprietary software is not as severe as it used to be a few years ago.”
Quality and cost
A question all customers have to face is the question of cost over quality. With a number of low-quality products on the market at a tempting price, customers need to be able to make rational decisions on what to buy and at what cost-point. Rautenbach says the best way to determine the effectiveness of a product is from its track record. Not only should customers look at the product’s history, but also the service provided by the vendor.
Truter also advises buyers check reference sites where the product has already been installed. “The sites should be in the same vertical as your company and you should talk to the important players in the project, such as the IT and security managers.”
“I also think it is education in terms of standards,” adds Glieman. “Make sure you understand the encryption and the standards. That is where we should be educating people more on what the importance of encryption is, what the importance of securing your data is and why biometrics should comply with ISO standards. It will help customers make better buying decisions, reduce the support burden and avoid having the cowboys give the industry a bad name.”
“The customer’s calculation should be about the lifecycle cost of the solution, not just the purchase price,” says Dharwadker.
While the evolution of access and identity management has a long way to go, we are already seeing interesting changes in the market. The emergence of near-field communications (NFC) that will turn mobile phones into smartcards is already happening.
With this technology, as soon as you get to a door or a payment terminal (assuming the application is installed) you bring the device near the reader and it grants you access or performs the transaction. There is no need for a card as your phone becomes a card, or as many cards as you can load onto your phone.
We will also see access technologies advancing to more automated, intelligent systems that streamline the enrolment and reporting processes. And as performance improves and costs decline, the ability to delve into the realm of science fiction with multiple biometric technologies operating on the fly, without hampering the user will also be a reality – perhaps a frightening reality when it comes to individual privacy.
In the meanwhile, back in the real world, the focus will be on integration of multiple security systems with a clear, simple management interface, to make the lives of security operational personnel easier and to create stricter identity management policies. We will still see cards playing a major role in access and identity management, as well as passwords and PINs, but the move to biometrics is under way, will continue, and will accelerate as the various forms of crime increase and the benefits of more secure identity solutions become a business imperative.
© Technews Publishing (Pty) Ltd | All Rights Reserved