The first annual BiometriX conference held on 29 July 2008 and co-hosted by SmartX central intelligence, an international network of professional associations concerned with smart technologies, and Technews, the publisher of Hi-Tech Security Solutions, was deemed to be a great success by all concerned.
The aim of the BiometriX conference, attended by over 220 local and international delegates, was to provide a holistic view of biometric technologies including applications and best practice advice, together with an opportunity to explore and debate future trends in the technology.
South Africa is the international leader in adopting biometric technology in the business arena with a particularly strong focus on workforce management applications. Biometrics has developed into a sophisticated range of advanced technologies encompassing over 20 different measurements since fingerprint matching in law enforcement started over 100 years ago.
"Our primary goal was to bring together delegates from all industry sectors to network and learn from real-life experience to successfully implement these technologies," comments Carol Willis, general manager of SmartX central intelligence. "The partnership with Technews Publishing has been incredibly productive, resulting in a high-quality event."
Gary Jones, managing director of Ideco Biometric Security Solutions and platinum sponsor of the event, adds: "South African companies using biometrics are years ahead of users in Europe and North America and events such as the BiometriX conference highlight this expertise.
"What has been learnt - often through expensive experiments with unsuitable biometric technology - is that fingerprint is the most effective biometric identification. Current and potential users in both the public and private sectors can learn a lot from these experiences."
The conference offered a wide range of presentations (outlined below) and finished up with a panel discussion and Q&A session before delegates enjoyed an hour of networking over a glass of wine. Willis comments: "We are delighted with the success of this inaugural event and we are confident that this conference will continue to attract big audiences in the coming years as this technology continues to rapidly evolve."
Leading the world
Gary Jones, managing director, Ideco Biometric Security Solutions (IBSS), is an acknowledged expert on biometrics, from an early introduction in 2001 when he was appointed by Sagem, France, to supply technical resources for an automated fingerprint identification system for the SAPS. Since Jones joined the Ideco Group in 2003, he has gone on to establish IBSS as the global leader in the distribution of Sagem biometric solutions.
Whilst Jones acknowledges that the ICAO has approved three biometric technologies - fingerprint, face and iris recognition - he believes that fingerprint technologies will remain dominant: forensics' dependence on fingerprints is a compelling argument that this is the only biometric evidence that may be found at crime scenes. Another important factor is that people have 10 fingers which offer higher enrolment probability than other techniques.
Currently market research indicates that fingerprint accounts for 59% market share, followed by face at 13%, iris at 5%, with a range of other technologies making up the balance. Jones comments: "Another compelling factor is price. Face and iris recognition solutions are only viable for a small number of extremely secure installations."
Jones went on to demonstrate the features required for identification which are: universal, unique, permanent and measurable/accessible. Biometrics also offer additional benefits in that they cannot be lost, stolen, forgotten or shared. Convenience should not be underestimated as an influential factor with users: fingerprint biometrics remove the need to carry keys or cards around, and high-maintenance passwords become obsolete. Anything that simplifies and improves security tends to be popular.
Correct enrolment procedure is vital to the success of biometric solutions. Jones adds: "Capturing the original reference sample(s) is most important as you need quality prints for successful operation."
While Jones believes that the pros of fingerprint biometrics speak for themselves: uniqueness, accuracy, speed and cost, he suggests that the slightly negative perception of fingerprints from its association with forensics should be addressed rather than ignored.
Jones then went on to explain the intricacies of how a fingerprint is converted by an algorithm into a unique set of identifiers called minutia points.
Rock solid safety
Tommy Laubscher, manager, Mining Division, SACO Systems, joined the company in 1989 and has worked throughout the division in design, project engineering, installation and maintenance. He has many years' experience in RFID applications and safety-enhancement projects. Laubscher's broad experience gives him a thorough understanding of time management and access control in the mining sector.
Laubscher has developed a practical formula for designing mining systems that can be applied to many other workforce management solutions. First, determine the volume of users at the access point and multiply this figure by 7 seconds per person (calculated at 2,5 seconds for turnstile operation, 2,5 seconds walk through plus 2 seconds for the human factor). Laubscher wryly commented that as nobody runs to work, the reality of the additional time taken has to be accepted. The time required for all workers to gain access can therefore be established.
In Laubscher's first example mine, with over 35 000 employees, 40 contractors took 4,6 minutes to enter a specific access point. Smartcards were considered (time required would drop to 3,6 minutes) as was the option to add another turnstile (time required would be an acceptable 2,3 minutes but not cost effective). The final option was for employees to get used to spending 1,6 minutes longer to gain access.
The second example mine, with over 32 000 employees, had over 10 000 enrolled with fingerprint biometrics. 50 employees had enrolment problems which could be and were addressed but five employees had to resort to card access because their prints were too damaged.
Laubscher believes fingerprint biometrics are a value proposition in large-scale workforce management systems. Preventing buddy clocking produces big savings but, from a safety point of view, biometrics also helps to control illegal entry by ghost miners who are impossible to account for in an emergency situation.
Hearing you loud and clear
Carlos Gonçalves, chief technical officer at Intelleca, is an expert in the field of unified communications and focuses on financial services and telecoms sectors. He is responsible for Intelleca's contact centre and speech solutions as well as a communications as a service (CaaS) hosted platform. He has been instrumental in introducing SA English, Afrikaans and Zulu speech recognition and multilingual speaker verification technologies in the SA market.
Gonçalves explained that voice biometrics extract, characterise and recognise feature sets from speech signals which convey the speaker's identity. Characteristics such as shape, resonance, glottal source, pitch harmonics, vowel length, tongue size, teeth, nasal cavity size and vocal tract length are utilised to create a voice model or voiceprint.
Voice recognition systems aim for an equal error rate (EER), which is the crossover point where the number of false accepts is equal to the number of false rejects. Security can be improved by multifactor authentication. Voice systems often supplement existing security, as opposed to replacing it.
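The crossover described above can be located by sweeping the accept threshold over verification scores. The following is an added example, not code from the conference or from any vendor mentioned; the function names and the score lists are constructed for illustration.

```python
# Constructed similarity scores (0..1); not measurements from any real system.
GENUINE = [0.42, 0.55, 0.61, 0.68, 0.72, 0.77, 0.81, 0.85, 0.90, 0.95]   # true speaker
IMPOSTOR = [0.05, 0.12, 0.18, 0.25, 0.31, 0.36, 0.44, 0.48, 0.58, 0.63]  # other speakers


def error_rates(genuine, impostor, threshold):
    """Return (FAR, FRR) when a score >= threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)  # impostors let in
    frr = sum(s < threshold for s in genuine) / len(genuine)     # true users turned away
    return far, frr


def equal_error_rate(genuine, impostor):
    """Sweep every observed score as a threshold; return (threshold, FAR, FRR)
    at the point where FAR and FRR are closest, i.e. the crossover."""
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        if best is None or abs(far - frr) < best[0]:
            best = (abs(far - frr), t, far, frr)
    return best[1:]


def threshold_for_far(genuine, impostor, max_far):
    """Lowest threshold whose FAR does not exceed max_far, with the FRR it costs."""
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(genuine, impostor, t)
        if far <= max_far:
            return t, far, frr
    return None  # no observed score is strict enough


if __name__ == "__main__":
    print("EER point:", equal_error_rate(GENUINE, IMPOSTOR))
    print("FAR <= 0 :", threshold_for_far(GENUINE, IMPOSTOR, 0.0))
```

On these constructed scores, tightening the threshold until no impostor is accepted raises the false reject rate above its value at the crossover, which is the trade-off a second authentication factor is meant to ease.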
Advantages of voice biometrics include leveraging web and IVR investments, integrating well with existing data infrastructure, and the tendency for applications to be centralised. Live-agent interaction is shorter - no more 20 questions - and verified calls are around 40 seconds shorter.
The main use of voice biometrics is for access control to remote computer networks, electronic commerce, forensic investigations and telephone banking. There are over 150 000 voice biometrics users in South Africa. Voice biometrics is trusted by financial institutions who apply it to mobile banking and high-value transactions. Large corporates also find value in using voice biometrics for password maintenance, which can be made self-service - a big plus compared to operating a 10-person help desk.
But the most influential factor is that customers like it. A sample taken by ABN-AMRO found that 83% prefer voice verification over the current 5 digit code; 99% would use it for account information; and 73% would use it for money transfer.
Security is a business issue
Naeem Seedat is a highly-qualified information security expert who drives PriceWaterhouseCoopers Digital Identity Solutions and Information Security service lines where he helps clients to enable the right identity and security solutions for their businesses.
In Seedat's opinion, although technology is a critical enabler, security is a bigger issue for business. Seedat then shared some highlights of the 2008 Global State of Information Security Survey, produced by CIO and CSO, in association with PwC:
* Business continuity and disaster recovery (BCDR) outstripped regulatory, internal policy and reputation as the main driver of security spending - which is rising.
* The identity of security alert generators has changed over three years from predominantly hackers to employees.
* Managers are increasingly uncertain how many events happen each year.
* The threat of financial loss or IP theft outweighs fraud or extortion.
* Attacks are more sophisticated with e-mail now much closer to abused valid account, social engineering, phishing or exploiting known application vulnerability.
* Knowledge of partner security is very low with only 15% 'very confident' in their partner's or supplier's information security.
This last point led neatly into the challenges that Seedat sees ahead for SA companies when the Protection of Personal Privacy Act (applies to all private and public sector organisations) comes into effect later this year. Seedat believes that compliance with the PPPA is going to be a big challenge. There are approximately 47 questions to determine the impact of the Act on an organisation, so management should begin to look into this issue now. Seedat also speculated on the emergence in the future of identity brokers who could manage individuals' identity data whilst the individual will manage the access to this data.
Seedat concluded with some clear advice that the choice of technology is a long way down the long list of things to do to implement integrated, company-wide security. As Einstein said: "Everything should be made as simple as possible. But not simpler."
Passport to secure online transactions
Glenn Kieser, account manager for Services Industries (Siemens IT Solutions and Services), directs Siemens services into the finance services sector. His many years' experience (in SA, Europe and the USA) as a software developer, security consultant and infrastructure architect for Siemens and Microsoft, amongst others, has been focused on strategic and technical issues challenging the finance, manufacturing, government and telecoms sectors.
The conference achieved a world-first when Kieser took the opportunity to reveal the details of Siemens' new Internet Passport to delegates. The handheld device was developed in response to a recommendation from US Federal Financial Institutions Examination Council (FFIEC) that financial institutions should implement multifactor authentication in all over-network transactions.
The 3-factor authentication principle (which has become a general standard) has evolved to meet this requirement for high levels of authorisation security:
* Knowledge (Something the person knows) such as a password or PIN.
* Biometrical attributes (Something the person is) such as an individual's fingerprint or iris.
* Physical resources (Something the person has) such as a token or smartcard.
Kieser explained that the growth of identity theft in e-commerce and online banking and other security attacks (such as phishing, man-in-the-middle or Trojan horse attacks) motivated the development of multifactor authorisation techniques. The legal insecurity surrounding Internet transactions in general was unacceptable. So the need to create higher security levels in online financial transactions was pressing.
The concept behind the Internet Passport is simple: an encrypted, tamper-proof connection is established between bank and user. Operationally, this is achieved in a number of steps:
* The user logs onto the bank's website and sends the transaction information.
* The bank returns the information as an encrypted optical signal which appears as a flickering box on the user's computer screen. A transaction number code (TAN) is also embedded in the 'flicker' box.
* The user enables the Internet Passport by placing a finger on the device's fingerprint reader.
* The Internet Passport is then held near to the flicker box on the computer screen to read and then display the encrypted information and the TAN on the device.
* The transaction is enabled when this TAN code is entered on the computer keyboard.
Kieser is confident that the three-factor authentication functionality of Siemens' Internet Passport provides the solution to the FFIEC recommendations for secure Internet payment and attack prevention.
To be or not to be
Karel Rode, director of Information Security Group of Africa (ISGA) is an independent security consultant who assists organisations to define the principles, policy, architecture and management of security, identity and access in terms of host and information management, and network forensics. Rode gained his experience consulting for Dimension Data Security (attaining a CISSP qualification in IT Security in 2002) and Computer Associates (CA), and he specialised in the retail, financial, chemical and education sectors.
Identity access management (IAM) is a hot topic but Rode believes that the business community has yet to appreciate the full implications of implementing a successful IAM strategy. It is crucial to understand that IAM is interlinked with multifactor authentication.
Rode then gave an example of this interaction by explaining that, if IAM is analogous to allowing only those people you trust to enter your house, then strong authentication is the first step in the process: putting a lock on your door. Deciding on a strong authentication solution is a process of determining what combination of locks and keys will work best for a particular situation, and it is often a jumping-off point for enterprises embarking on what can be a significant journey to a complete IAM implementation.
Data classification is another important aspect of the journey towards the IAM destination that is little understood. Rode challenged business to answer some tough questions: Which data is most sensitive to your business? Do you know where it resides? Do you understand the origin and nature of your risks? Have you selected appropriate controls based on policy, risk, and the location of sensitive data? Are you managing security centrally? Are you auditing your security to constantly improve?
He then went on to outline a complete approach to identity lifecycle management processes that need to be considered with a view to enabling users faster, reducing costs and risks, whilst supporting compliance goals.
It all begins with discovering the range of roles that reflect different levels of users. This model needs to be maintained and applied to all users and there needs to be sound analysis and reporting of the entire user group. Functionality that will be required includes gap analysis, privilege cleanup, and planning capabilities.
Identity management is another area where the enabling and disabling of users needs tight control. This is also the point to consider IDM and biometric deployment best practices. Self-service administration by users is a definite goal as is, again, strict control of identity administration. Security compliance is another area where reporting and system alerts are compulsory together with user and role entitlement certification.
And last, but not least, there has to be room to initiate change management and validate results. Rode's conclusion was emphatic: IAM is an ongoing process and it has to be approached with managerial commitment as an enterprise-wide endeavour.