Keogh and Associates Copyright 2003 A LOOK AT LARGE SCALE DEPLOYMENTS Presenter Colin Keogh Keogh and Associates.

Presentation transcript:


Are large enterprises ready for biometrics?
At first glance it would seem so…
– It’s affordable - costs have fallen dramatically
– There are many choices of proven technologies
– It works well for the vast majority of users
– There is a good value proposition for biometric authentication (Physical Security, Time and Attendance, …)
– There is a heightened sense of urgency to strengthen security

Large Scale Deployment
– Security assessment
– Choice of biometric technology
– Choice of software and middleware
– Installation
– Implementation
– Training
– Analyze and update

Physical Security
Physical security is about protecting tangible assets from harm. These assets can include (but are not limited to) people, buildings, vehicles, documents, food and drink, pharmaceuticals, consumer or industrial products, art, museum artifacts, and money. The harm to be avoided can include theft, destruction, vandalism, sabotage, espionage, or tampering.

Security Assessment
“A process whereby security concerns are identified and their impact upon the organization are analyzed”

Security Components
– Security Policy
– Security Awareness
– Security Organization
– Physical Security
– Personnel Security
– Threat Assessment
– IT Security
– Incident Analysis
– Security Training

A biometric solution for all your security needs is not always the best approach!!!!!

ISO and Biometrics
– Security policy
– Organizational security
– Asset classification and control
– Personnel security
– Physical and environmental security
– Access control

INCREASED SECURITY (scale: LOW, MEDIUM, HIGHLY SECURE)
– Magnetic Stripe Card
– PIN/Password
– Magstripe Card and Password
– Secure ID and PIN
– Smart Card and PIN
– Biometric
– Multi-Modal Biometrics

Anticipated Security Expenditures for
Columns (%): Increased, Stayed the Same, Decreased
Expenditure Areas:
– Internal security personnel expenditures
– Internal security operations expenditures
– Security consulting expenditures
– Contract guard expenditures
– General personnel screening expenditures
– Access control expenditures

The RFP
– Describe what is needed, not how to achieve it
– Allow vendors to tender solutions
– Make the vendor prove that their integrated product meets your requirements
– Develop an evaluation model to compare the different solutions

RESELLER INTEGRATOR CONSULTANT SECURITY SYSTEM MANUFACTURER

Consultants
Consultants can help with your complete security plan and implementation. They can also recommend integrators and resellers that they have worked with in the past. Their knowledge of the industry will save you thousands of dollars and hundreds of hours.

Integrators
Integrators work closely with leading biometric technology vendors and independently keep abreast of the latest developments in the biometrics sector. They can provide solutions specific to each customer's security requirements. They are independent of the manufacturer, so they can let the need drive the solution.

Resellers
Resellers are retail partners for a manufacturer. They specialize in that manufacturer’s products and usually carry solution-based software for the manufacturer’s hardware. Resellers let the hardware drive the solution. Give them your specifications and let them respond with their solution.

Vendors
The biometric vendors manufacture the hardware or write the software. They do not supply complete integrated solutions. They work with resellers and integrators as their interface to the end user.

Selection Criteria
– Cost
– Long term compatibility
– Public acceptability
– Attack resistance
– Ease of use and deployment
– Level of accuracy
– Size

There is no single biometric that fits all and each deployment situation must be viewed on its own merits; this way, the requirements shape the biometric solution, the biometric solution does not shape the requirements.

Types Of Biometrics
– Fingerprint/finger geometry
– Hand geometry
– Iris/retina
– Facial image/facial thermograms
– Voice
– Signature
– Keystroke

Biometric Hardware Cost
Biometric Implementation Cost

Product Considerations
– Interoperability
– User population
– Maintenance
– Obsolescence
– Testing
– Continuing evaluation
– Resources

Public Acceptability
Scale is from 1 (lowest) to 9 (highest)
– Finger: 7
– Signature: 9
– Hand: 7
– Iris/Retina: 4
– Facial: 8
– Voice: 8

Ease of Use
Scale is from 1 (lowest) to 9 (highest)
– Finger: 8
– Signature: 9
– Hand: 7
– Iris/Retina: 3
– Facial: 5
– Voice: 8

Level of Accuracy
Scale is from 1 (lowest) to 9 (highest)
– Finger: 8
– Signature: 4
– Hand: 7
– Iris/Retina: 9
– Facial: 4
– Voice: 7

Interfaces
– Composite video
– Parallel port
– Serial port
– USB port
– PCIA port
– Ethernet/intranet
– Wiegand

The big challenge is the integration
– Biometrics has to become a fully integrated component within a complex corporate environment
– There are very few solutions that meet this challenge today
– Biometric technology is not the issue – it’s the integrated solution

Professional Services can cost 3 to 20 times the biometric hardware cost. Make sure that your biometric software and middleware are compatible and the vendor is supplying a complete solution.

Top Security Mistakes
– Security threats and risks are not analyzed prior to selection of security technology and design
– Corporations fail to deal with the awareness and operational aspects of security
– Lack of robust security policy definition or non-adherence to security policies
– Absence of non-periodic security audits
– Lackadaisical implementation of physical security

Security Mistakes By Management
– Assigning untrained people to maintain security
– Failing to understand the relationship of physical security to the business problem
– Failing to deal with the operational aspects of security
– Authorizing reactive, short-term fixes leading to problems re-emerging

User Considerations
– User privacy concerns
– User perception
– Target user characteristics
– User difficulties
– Ease of use

User Attitude
– No matter how hard you try, if your customers or employees do not like the system, the system performance will suffer.
– Educate the users prior to implementation in a positive approach to the implementation. This will help to alleviate “user malfunction”.

Impact
– Are there any privacy issues?
– Will the biometric access have to meet any standards (ISO, government, etc.)?
– How will the system be implemented and who will control the implementation?
– What will be the impact to the customers, employees, etc.?

Privacy Issues
Physical Privacy
– The stigma of only criminals having their picture taken or their fingerprints taken. I’m an honest person.
– This will hurt me. The laser will hurt my eyes …
– Non-hygienic. I’m not touching that after he touched it.

Privacy Issues
Information Privacy
– The ability to control information about oneself. This is soon to become a mandatory concern.
– Ability to search records about a person in real time, effectively tracking that person.
– Misuse of data
– Using information for other than the authorized purpose

Centralize the identity management functions of the organization in a single place so that they can be effectively managed and the appropriate level of trust can be maintained in the authentication process.

Scalability
For any biometric identity system to be worth the investment, it must scale to meet the company’s projected requirements. You must specify the system by:
– Number of users enrolled
– Number of concurrent authentications supported
– Average response time
– Longest response time
– Availability criteria

Availability
In a critical enterprise scenario, availability is a key requirement. While no single technology component can ever be guaranteed to be 100% available, an effort must be made to choose components that minimize average failure time for any component.

The success or failure of a biometric security installation in a client’s application is not dependent on the reliability of the biometric product alone!!!!!

Training is the key to any successful implementation and deployment of a biometric security system. Developing a security-wise culture within the company is a must. AND IT DOESN’T STOP THERE!! Training is an ongoing proposition or it is a waste.

PROTECTION DETECTION REACTION
