Biometric technologies have been around for years, primarily providing physical access control or time and attendance. With the mounting integration of biometric readers into network devices such as desktops, laptops and mobile wireless devices, the shift has started a trend toward a more all-encompassing credentialing solution, one that unifies the responsibilities of chief security officers (CSOs) and their security colleagues. Another significant trend is the integration of biometrics into access card readers, to the point where the badge itself could eventually be replaced by a biometric device.
Biometric devices quickly and automatically confirm the identity of end users by comparing patterns of physical or behavioral characteristics in real time against enrolled records of those patterns. Leading technologies do this by scanning an individual’s fingerprint, hand geometry, iris, palm or voice and matching the result against the stored template.
Functionality Going Well Beyond Physical Access
Many security industry insiders contend that biometrics enhance privacy by erecting a barrier between personal data and unauthorized access. Technically, biometric capture devices create digital templates that are encrypted and stored, then compared against templates derived from “live” images to confirm identity. The templates are generated by complex, typically proprietary, algorithms and are encrypted with strong cryptographic algorithms to protect them from disclosure. Two caveats apply. A biometric is not a secret and cannot be reissued, so a template or raw image that leaks is compromised permanently; encryption at rest helps only if the keys, the matching engine (which must see the template in the clear) and the reader-to-server link are protected as well. And the “privacy barrier” holds only if what is stored is a template rather than the raw image, which is a design choice to verify with the vendor.
A number of post-9/11 federal government requirements are also driving biometrics toward dual functionality in both physical and logical security. For instance, FIPS 201-1, the Personal Identity Verification (PIV) standard issued under HSPD-12, gives CSOs a tool to check both the identity and the status of individuals requiring access to enterprise or government resources, going beyond the capabilities of most legacy physical access credentials. It is important to understand the different authentication mechanisms the credential supports and the level of threat each one mitigates: a card-only check, a card-plus-PIN check and a card-plus-biometric check do not resist the same attacks. A CSO is in the best position to decide how to employ the FIPS 201-1 credential within the context of an overall security plan, bearing in mind throughput requirements and the operational and interoperability considerations of future expansions.
The high cost of data breaches and the need to meet compliance regulations are also pushing organizations to adopt heightened identity and access management (IAM) processes. Companies are looking to physical and logical identity convergence to increase security, reduce redundancies and create complete audit trails.
Converging physical and logical identity and access management lets organizations monitor more closely which employees are requesting access to particular spaces and facilities, not only when but also from where. In essence, identity convergence adds a fourth factor of authentication. Traditionally, there are three ways in which employees can prove their identities: (1) something they know, such as a password or personal identification number (PIN), (2) something they have, such as a proximity or smart card, and (3) something they are, a biometric identifier. When physical and logical identity management processes are converged, companies can also use a fourth factor, where the person is, to verify identity. Because that location is inferred from badge events, its strength is bounded by the physical access system: tailgating, missing badge-out events and shared badges all weaken it, so it works best as a corroborating signal alongside the other factors rather than as a factor on its own.
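As an added example (not from the original article), the following Python sketch applies the “where” factor as a detection rule: every interactive workstation logon is checked against the user’s most recent badge event at the site where that workstation sits. The workstation-to-site inventory, the badge events and the logon events are constructed sample data, and the 14-hour staleness window for a badge-in with no matching badge-out is an assumed value.

```python
"""Added example: correlate console logons with badge events (the "where" factor).
Not from the original article; the site inventory and all events are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: an asset inventory that records which site each workstation sits in.
WORKSTATION_SITE = {"WS-HQ-0142": "HQ", "WS-HQ-0377": "HQ", "WS-LAB-0009": "LAB"}


@dataclass(frozen=True)
class BadgeEvent:
    user: str
    site: str
    direction: str  # "in" or "out"
    ts: datetime


@dataclass(frozen=True)
class LogonEvent:
    user: str
    host: str
    ts: datetime
    interactive: bool  # True for a console logon, False for VPN/remote sessions


def last_badge(badge_events, user, site, at):
    """Most recent badge event for `user` at `site` at or before time `at`, or None."""
    earlier = [e for e in badge_events if e.user == user and e.site == site and e.ts <= at]
    return max(earlier, key=lambda e: e.ts) if earlier else None


def check_logons(badge_events, logon_events, max_badge_age=timedelta(hours=14)):
    """Return (user, host, reason) for each console logon the badge system does not explain.

    A logon is explained only if the user's last badge event at the workstation's site is an
    "in" swipe no older than max_badge_age (covers a missing badge-out when someone tailgates
    out of a door and later someone else uses the workstation).
    """
    findings = []
    for lg in logon_events:
        if not lg.interactive:
            continue  # remote sessions are legitimately off-site; other controls apply there
        site = WORKSTATION_SITE.get(lg.host)
        if site is None:
            findings.append((lg.user, lg.host, "workstation not in site inventory"))
            continue
        last = last_badge(badge_events, lg.user, site, lg.ts)
        if last is None or last.direction == "out":
            findings.append((lg.user, lg.host, f"console logon at {site} with no badge-in"))
        elif lg.ts - last.ts > max_badge_age:
            findings.append((lg.user, lg.host, f"badge-in at {site} is stale"))
    return findings


def sample_findings():
    """Run the check over constructed sample events (not real logs)."""
    d = datetime(2024, 3, 4)
    badges = [
        BadgeEvent("alice", "HQ", "in", d + timedelta(hours=8, minutes=2)),
        BadgeEvent("bob", "HQ", "in", d + timedelta(hours=8, minutes=30)),
        BadgeEvent("bob", "HQ", "out", d + timedelta(hours=12)),
        BadgeEvent("erin", "LAB", "in", d - timedelta(days=1) + timedelta(hours=7)),
    ]
    logons = [
        LogonEvent("alice", "WS-HQ-0142", d + timedelta(hours=8, minutes=10), True),  # explained
        LogonEvent("bob", "WS-HQ-0377", d + timedelta(hours=12, minutes=30), True),   # badged out
        LogonEvent("carol", "WS-LAB-0009", d + timedelta(hours=9), True),             # never badged in
        LogonEvent("dave", "WS-HQ-0142", d + timedelta(hours=9), False),              # VPN, skipped
        LogonEvent("erin", "WS-LAB-0009", d + timedelta(hours=9), True),              # badge-in is 26h old
        LogonEvent("frank", "WS-UNKNOWN", d + timedelta(hours=9), True),              # not in inventory
    ]
    return check_logons(badges, logons)


if __name__ == "__main__":
    for user, host, reason in sample_findings():
        print(f"{user:6} {host:12} {reason}")
```

In production the badge events come from the physical access control system and the logons from the endpoint or domain controller logs; the rule is only as good as the inventory that ties a hostname to a site, which is why an unknown host is reported rather than silently passed.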
Unified Credentialing Can Enhance Efficiencies
Without a unified policy, a person’s user accounts and credentials can become rogue identities: orphaned accounts and badges that stay active after their owner has gone and that others can use to gain unauthorized access to information. With unified identity and access management processes, all of a person’s user accounts and credentials are managed centrally under a single identity. When he or she leaves, the identity and its associated rights and privileges are removed, which disables every account and credential assigned during the course of employment in a single step rather than relying on each system’s administrator to notice.
This integration also simplifies assigning employees new privileges when they take on new roles. Administrators simply remove individuals from one user group and assign them to another, granting physical and logical access to everything necessary for the new role while revoking what the old role carried; moving rather than adding group membership is what keeps entitlements from accumulating across job changes. This prevents the time lag that generally occurs in starting up a new user account, a period in which employees are unproductive or tempted to borrow each other’s account information, a clear violation of many compliance regulations.
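To make the single-identity model concrete, here is an added Python example (not the article’s or any vendor’s code) in which one identity record drives both the directory-style group memberships and the PACS-style door groups, so a role change replaces entitlements rather than piling them up and offboarding clears every credential at once. The role-to-entitlement map, the people and the credential identifiers are all constructed. It also includes the orphan check a practitioner would run to catch a badge provisioned directly in the physical access system, outside the identity record.

```python
"""Added example: one identity record drives logical (directory) and physical (PACS)
entitlements. Not from the original article; roles, people and credentials are constructed."""
from dataclasses import dataclass, field

# Assumption: each role grants a set of logical groups and a set of door groups.
ROLE_ENTITLEMENTS = {
    "engineer":   {"logical": {"git-rw", "vpn"},    "physical": {"hq-lobby", "lab"}},
    "finance":    {"logical": {"erp-users", "vpn"}, "physical": {"hq-lobby", "finance-floor"}},
    "contractor": {"logical": {"vpn"},              "physical": {"hq-lobby"}},
}
NO_ACCESS = {"logical": set(), "physical": set()}


@dataclass
class Identity:
    person_id: str
    role: str
    active: bool = True
    accounts: set = field(default_factory=set)  # logical credentials, e.g. "AD:jdoe"
    badges: set = field(default_factory=set)    # physical credentials, e.g. "BADGE-1001"


class ConvergedDirectory:
    """The identity record is authoritative; the two credential maps are derived from it."""

    def __init__(self):
        self.identities = {}
        self.account_groups = {}  # account -> (owner person_id, set of logical groups)
        self.badge_doors = {}     # badge   -> (owner person_id, set of door groups)

    def _apply(self, ident):
        """Recompute every credential of `ident` from its role; inactive means nothing."""
        ent = ROLE_ENTITLEMENTS[ident.role] if ident.active else NO_ACCESS
        for acct in ident.accounts:
            self.account_groups[acct] = (ident.person_id, set(ent["logical"]))
        for badge in ident.badges:
            self.badge_doors[badge] = (ident.person_id, set(ent["physical"]))

    def onboard(self, person_id, role, accounts, badges):
        ident = Identity(person_id, role, True, set(accounts), set(badges))
        self.identities[person_id] = ident
        self._apply(ident)

    def change_role(self, person_id, new_role):
        ident = self.identities[person_id]
        ident.role = new_role
        self._apply(ident)  # old role's groups are replaced, not accumulated

    def offboard(self, person_id):
        ident = self.identities[person_id]
        ident.active = False
        self._apply(ident)  # every account and badge loses all entitlements in one step

    def effective_access(self, person_id):
        """(logical groups, door groups) a person holds across all their credentials."""
        ident = self.identities[person_id]
        logical = set().union(*(self.account_groups[a][1] for a in ident.accounts))
        physical = set().union(*(self.badge_doors[b][1] for b in ident.badges))
        return logical, physical

    def import_legacy_badge(self, badge, owner, doors):
        """Simulates a badge provisioned straight in the PACS, bypassing the identity record."""
        self.badge_doors[badge] = (owner, set(doors))

    def orphaned_credentials(self):
        """Credentials that still grant something but whose owner is unknown or inactive."""
        orphans = []
        for cred, (owner, grants) in list(self.account_groups.items()) + list(self.badge_doors.items()):
            ident = self.identities.get(owner)
            if grants and (ident is None or not ident.active):
                orphans.append(cred)
        return sorted(orphans)


def demo():
    """Constructed walk-through: onboarding, a stray PACS badge, a role change, an exit."""
    d = ConvergedDirectory()
    d.onboard("p001", "engineer", {"AD:jdoe", "VPN:jdoe"}, {"BADGE-1001"})
    d.onboard("p002", "contractor", {"AD:ctr-lee"}, {"BADGE-2002"})
    d.import_legacy_badge("BADGE-0099", "p999", {"lab"})  # p999 was never in the directory
    d.change_role("p001", "finance")
    d.offboard("p002")
    return d


if __name__ == "__main__":
    d = demo()
    print("p001:", d.effective_access("p001"))
    print("p002:", d.effective_access("p002"))
    print("orphans:", d.orphaned_credentials())
```

The orphan check is the part worth scheduling: any path that writes to the directory or the PACS without going through the identity record (a legacy import, a local administrator, a vendor tool) shows up there as a credential with grants but no live owner.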
Physical and logical convergence also enables companies to use the same credentials, such as a fingerprint biometric, for physical and logical access. This can lower the cost of access control accessories as one authentication factor can be used for both, achieving a significant return on investment.
Using the same credential for both physical and logical identification requires technological interoperability. For example, the biometric reader on an employee’s laptop should match against the same enrolled template as the reader at the employee entrance. Since templates are usually produced by each vendor’s proprietary algorithm, that means choosing readers that share a template format or a common matching service; otherwise the employee has to enroll separately in each system and the “single credential” quietly becomes two.
Physical and logical convergence can also help organizations create more complete audit trails, enabling them to monitor not only who accessed confidential information, what was accessed, when and why, but also from where and to whom it went. Security equipment manufacturers are moving rapidly to capitalize on a broad range of biometric applications, giving integrators an opportunity to help customers with much more than security-related solutions.