The Biometric Devil's in the Details

By Ben Rothke CISSP, QSA, and Benjamin Tomhave, MS, CISSP

Succeeding with a Strategic Approach

One of the most common mistakes made by companies when rolling out a biometric solution is thinking that biometric controls are a plug-and-play technology.  The reality is that biometric solutions are 10% technology and 90% policy and management.  

An effective biometric solution must be rolled out in the context of an effective methodology. Project planning and requirement definition are imperative to success.

The quality that separates an effective rollout project plan from an ineffective one is attention to detail. 

For biometric security controls to work, they must be deployed in a strict, methodical fashion. There are many attributes that need to be taken into consideration. Everything from budget to politics and culture to staff training and support will be affected by the decision to implement biometric controls.

Toward this goal, a successful biometric controls project should employ a strategic approach composed of three broad phases: design, positioning, and deployment.

The Design Phase. The purpose of this initial phase is to fully define the business drivers for the biometric rollout, enumerate relevant regulatory requirements, and perform a pilot test. A significant portion of project time should be invested within the design phase to ensure the success of the project. During design, the attributes mentioned above should be identified and detailed, with an action plan drafted accordingly.

The design phase may also include performing solution identification and evaluation. In the case that a solution is identified, a pilot must be performed to test the efficacy and adequacy of the solution. During the pilot, key stakeholders should be given an opportunity for hands-on testing to ensure that pre-identified concerns are addressed and to determine if other concerns may exist that were not previously identified.

This phase of work should not only focus on the technical aspects of the given biometrics suite but should also include an evaluation of cultural and social issues relevant within a given environment. A training and awareness program should be chartered to support future phases of the project. The objective of this phase is to thoroughly define the problem space and contributing factors, identify and test a solution, and develop the base framework for training and awareness.

The Positioning Phase. During the positioning phase, legacy systems will need to be updated or bypassed, overall project risks determined, and a training and awareness program should be launched. All decisions should be supported by the risk management process, such as identifying key risks and performing a trade-off analysis to help ensure that the proper degree of risk resiliency will be achieved (or maintained) by deploying the chosen solution.

The primary objective of the positioning phase is to initiate and complete the intermediate changes required to support the pending full deployment of the solution. This phase provides another opportunity to pull the emergency brake on the project should it be determined that the solution does not meet the needs of the business, or that it makes the organization less risk-resilient.

By the end of this phase, all stakeholders should be comfortable with the solution and the deployment plan. The deployment plan should be evaluated independently to minimize related risks, and the results of the pilot should be integrated into the plan as part of lessons learned.

The Deployment Phase. During the deployment phase, hardware and software are implemented, end-user training and awareness are mainstreamed, and steps are taken to ensure continuing process improvement. Biometric controls should be fully functional by the end of this phase, and the overall risk posture of the enterprise changed favorably. The enterprise should be more resilient to risk than at the onset of the project.

Deployment Requirements. Generally speaking, for a biometric controls deployment to be successful, it must fulfill the following seven requirements.

  • Universality – Every person must have this characteristic. Don’t take it for granted that all of your users will have this physical characteristic. If you are working in a factory and thinking of a hand scanner, realize that there are plenty of people without five digits on their hand.
  • Uniqueness – Make sure two people are unlikely to share this characteristic. Height, weight, hair, and eye color are clearly not unique. The iris, retina, and fingerprint are perfect examples of biometrics that are highly unique.
  • Permanence – The characteristic must be available over the long term. If your users are working with chemicals or sanding agents, fingerprint readers may not be the best option.
  • Collection – The biometric must be easy and unobtrusive to obtain. If your users perceive an iris scan as “being shot in the eye by a laser,” perhaps you need to think of a different biometric.
  • Performance – The biometric technology must be accurate, fast, and robust. A biometric that works quickly in the test lab may fail when thousands of users are logging in during the morning rush.
  • Non-circumvention – No one should be able to bypass the biometric. Once you deploy a security technology, you will often find out how resourceful users can be in circumventing it.
  • User acceptance – End users must accept the technology. See the following section regarding how the least technical requirement can be the one that undermines everything.