General security

Biometrics: Technical Aspects

Overview of the Last Article

Deploying any type or kind of security solution can be a daunting task. There are many factors which need to be taken into consideration, particularly from a technical standpoint. For example, if you already have a legacy system in place, one needs to ask the question if the benefits outweigh the costs regarding replacing and putting in a new one.

Or, if you are going to implement a new layer of security in addition to the legacy security system, then one must consider how the newer system will interact with the legacy system. For instance, if you already have a network of Firewalls and Network Intrusion devices in place, and wish to install a Public Key Infrastructure (PKI), then you need to consider how the network connectivity will operate with another.

Digital Certificates, as well as Certificate Authorities (CAs), will be needed to support the PKI Infrastructure, and unless thought out properly ahead of time, there could be some technical issues which arise which could corrupt your entire security system.

Thus, comes the need for the tools of Project Management to be used. By using a certain methodology, the C-Level Executive can be assured that the all technical aspects have been taken into consideration, thus assuring a smooth deployment.

The same is also true of deploying a Biometric system. Although many of the modalities of today will interoperate with a legacy security system efficiently, implementing a large-scale system is much more complex and challenging.

This is where once again using a Project Management Methodology must be used because using Biometrics is not only a technical matter but as our past articles have examined, there are also a lot of social based implications that go with it as well, especially in the way of Human Factors.

Our last article reviewed these concepts which are most important in any Biometric Project Plan. Specifically, they were as follows:

1. The Infrastructure Assessment
2. Human Factors/Ergonomic Issues
3. Evaluating the Feedback System
4. Population Dynamics.

Much of the article was spent on the discussion of the impacts a Biometric system can bring to the employees of a business or a corporation, and how these issues need to be addressed. It was heavily stressed that there must be an open line of communication between the stakeholders and the users of the Biometric system.

Also, Ergonomics was looked at closely as well. A Biometric system must not only be technologically advanced enough to confirm the identity of an individual positively, but it also must be comfortable and aesthetically pleasing enough to use, from a design standpoint.

In this article, we continue with the concepts of Biometric Project Management, focusing in on the more technical aspects, starting with the Systems Requirements phase.

Overview of the Systems Requirements Analysis

The next critical step in the Biometrics Project Management life cycle is that of the System Requirements Analysis. Determining the requirements of what is demanded by a potential security system is one of the most important aspects at this stage.

For instance, defining the specific requirements can be used to pinpoint the security problems further that the business or corporation could experience into the future, and the goals which are set forth by the establishment of these requirements can mitigate these risks.

The term "System Requirement" is a rather broad one, but for the purposes of a Biometric Project Management methodology, it can be specifically defined as follows: " . . . a condition or capability needed by a user to solve a problem or achieve a certain objective." (SOURCE: 1). As it relates to Biometrics, defining a set of requirements aids in the process of:

1. Clearly identifying absolute needs from unclear wants
2. Ascertaining the specific functions and specifications of the new, potential Biometric system
3. Determining what the Graphical User Interface (GUI) will be, and how it will appear regarding looks to the end user population
4. Providing a review of how the Biometrics database will be designed, function, and integrate into both the hardware and software
5. Establishing the guidelines and the specific criterion for Biometric system testing after it has been deployed and before it is made available to the employees of the business or corporation
6. Creating the Biometric system documentation for maintenance, and more importantly, for employee training and use.

The Biometrics System Requirements consist of the following steps, and they will be reviewed in further detail:

1. Biometric System Requirements elicitation
2. Biometric System Requirements analysis and regulation
3. Biometric System Requirements documentation
4. Biometric System Requirements validation
5. Biometric System Specifications.

Biometric System Requirements Elicitation

With regards to this component, this is where all of the stakeholders who are involved in the Biometrics Project List detail what their specific needs and concerns are about the potential Biometric implementation.

As a result of this process, the end user acceptance of the proposed Biometric system should dramatically increase once the system is deployed. This is because the key stakeholders will feel that they are taking an important part in the entire process.

Also, this process helps the CISO to procure a Biometric system which is specific to the security needs of the corporation or business. It should be noted that at this point the Biometrics Elicitation process can be passively or actively based.

With the former, focus group interviews can be conducted with all of the stakeholders who are involved, and with the latter, process diagrams and other types/kinds of technical documentation are created.

Another effective tool which is utilized in this process is that of Use Cases. These are actually process flow diagrams that are used to map the Biometric system in its entirety. To aid in this part of the diagramming process, it is the Unified Modeling Language (also known as "UML" for short) which is widely utilized.

Biometric System Requirements Analysis and Regulation

In this second phase, several sub-steps are involved, which are as follows:

1. Rank requirements
2. Model requirements
3. Ascertaining if the potential, new Biometric system can actually solve the security needs of the business or corporation.

With Rank requirements, the IT staff and the System Administrators ascertain and determine the statistical probability of the degree of severity which could result if a particular system requirement were not to be implemented for any reason.

For example, if the absence of a particular requirement causes a severe problem for the business or corporation, then it is ranked with a very high statistical probability. But conversely, if the absence of this same requirement causes a less severe problem, then it is ranked with a much lower statistical probability.

Also, various Costing Functions associated with the Biometric system can also be ranked on a more severe/less severe statistical probability rating as well.

With regards to the Model requirements, as described previously, there are different languages which can be used to map out the details and the functionality of the proposed new Biometric system. Apart from the UML (described in the last section), another tool which can be used is that of the "Biometric and Token Technology Application Modeling Language," also known as "BANTAM" for short.

This is a tool which is used specifically to create the visual aspects of the hardware and the software which will be used when the Biometric system is fully deployed.

Finally, ascertaining if the Biometric system can meet or fulfill the security requirements can help the CISO, System Administrators, and other C-Level Executives of the business or corporation determine if other security mechanisms might be required, to create a Multimodal Biometric solution, as opposed to a Unimodal Biometric solution.

Biometric System Requirements Documentation

With the Biometric Requirements subcomponent, this where all of the steps and other components of the proposed Biometric system are documented and tracked. After the Biometric system has been implemented, this documentation then serves as the focal point for troubleshooting and creating the end user booklets and guides.

Regarding the Biometric system validation, this is the process where all of the stakeholders who are involved in the implementation review the documentation to ascertain and determine any points of confusion to ensure that the Biometric system implementation goes as smoothly as possible and that all foreseeable problems are resolved ahead of time.

Also, prototypes of the actual Biometric system can be obtained from the vendor, and a test environment can be simulated to further ensure that the real Biometric system implementation will go smoothly and just as planned. Once all these specific tasks have been accomplished, all of the stakeholders can then sign off to begin the deployment of the Biometric system.

Biometric System Requirements Validation

In this step, newer documentation is created and updated so that it remains valid if any upgrades and/or changes occur in the newly deployed Biometric system. Also, during this entire process, the corporation or business can put out various Requests For Proposals (RFPs) to the various Biometric vendors to help narrow down which Biometric systems will fit into the budget and most importantly, meet the Security requirements.

Also, during this timeframe, the Biometric vendors who make the short list can also provide trial products to the C-Level Executive so that he or she and the IT staff can further evaluate which Biometric system will meet their Security needs the best.

Biometric System Specifications

After the Biometric Systems Requirements analysis phase, the next major phase in the Biometric Project Management Life Cycle is that of the Biometrics Systems Specification phase. This part of the project management provides as to what the Biometric System will accomplish and what it may not be able to do. This particular phase helps the C-Level Executive and their IT staff keep the budget and expenses in check, as well as making sure that the implementation is running on schedule.

The Biometric System Specification phase consists of the following sub-components:

1. Biometric System Functionality:
   

   These are the specific security tasks that the Biometric System is supposed to accomplish.

2. Biometric System External Interfaces:
   

   These are the specific requirements that the Biometric System will interact with at the corporation or business, such as a legacy based Security system, as well as other related hardware and software applications.

3. Biometric System Performance:
   

   These are the specifications as to how each subcomponent of the Biometric System will interact with each other, and how they are expected to perform as a whole.

4. Biometric Attributes:
   

   These are primarily the specifications for the maintenance of the entire Biometric System.

5. Biometric System Design Constraints:
   

   These are the best practices and standards that the newly implemented Biometric System is supposed to adhere to.

6. Biometric System Testing:
   

   These specifications establish layout the criteria that will confirm what is acceptable performance for the Biometric System.

From these above components, the Biometric System Specifications can then be written either internally by the project management team from within the business or corporation, or by a neutral, unbiased third party. Regardless of the entity which writes it, the documentation at a minimum, should consist of the following:

1. The Introduction:
   

   This portion of the documentation consists of the Executive Summary, the scope of the Biometric System deployment/implementation, the key terminology ("techno-jargon") used in the entire process, as well as a listing of the references which were used to conduct the research to justify the need for a Biometric System in the first place.

2. Product Description:
   

   This portion describes the entire gamut of Biometric modalities which are going to be used at the business or corporation, and how they will be deployed (for example in a Peer to peer network, a Client-Server network, etc.).

3. System Requirements:
   

   This final portion of the document lays out the details of the formal Security Requirements for the Biometric System which is to be ultimately procured and deployed.

Conclusions

As one can tell, the procurement and deployment of a Biometric System can be a very complex undertaking, as opposed to just implementing a simple, USB based standalone device. There are both the human and technical issues which need to be taken into consideration. If it is planned out properly, it can take up to 6-8 months to complete the entire Biometric Project Management project.

While this might appear to be a long time, it is obviously much better to make sure that every step is planned out in detail. If not, there could be more expenses in the future when it comes to the procurement and deployment of the Biometric modalities which will be used.

But, it is also important to note that the Biometric Project Management plan must be dynamic in nature. Meaning, if one part of it changes, the other portions of the plan should be able to update in real time to properly reflect the change(s).

The first article went into detail into what the overall Biometric Project Management plan should look like, based on the Human Factors perspective. This article continued with this theme, but instead, focusing in on more the technical aspects.

Our next article will continue with the theme of the Biometric Project Management Lifecycle, but it will examine the technicalities which need to be examined when considering the actual Biometric modalities themselves which will be deployed at the business or corporation.

Sources

1. Certified Biometrics Learning System, Module 2. Biometrics System Design and Performance, 2010, IEEE.
2. http://www.ucalgary.ca/btlab/files/btlab/ch1.pdf
3. http://www.fi.muni.cz/reports/files/older/FIMU-RS-2000-08.pdf
4. https://pdfs.semanticscholar.org/5f28/c8fa6c561a2de3833cd08433368e108658ff.pdf
5. https://its.ny.gov/sites/default/files/documents/SystemReq.pdf
6. https://resources.sei.cmu.edu/asset_files/EducationalMaterial/1994_011_001_16238.pdf
7. https://pdfs.semanticscholar.org/f01c/11dd576c45e21a7767f01aa1c25d348324dc.pdf
8. http://www.selectagents.gov/resources/information_systems_security_control_guidance_version_3_english.pdf
9. https://www.nist.gov/sites/default/files/documents/director/ocla/NIST_Biometrics_testimony_6_12_13.pdf
10. https://assets.kpmg.com/content/dam/kpmg/pdf/2016/05/trends-in-biometrics.pdf
11. https://www.pcisecuritystandards.org/pdfs/pci_ssc_quick_guide.pdf
12. https://www.nist.gov/sites/default/files/documents/itl/iad/ig/PFT_req.pdf
13. http://www.ti.com/lit/wp/spry289/spry289.pdf
14. http://biometrics.cse.msu.edu/Publications/Fingerprint/DassZhuJain_SampleSize_PAMI06.pdf
15. https://pdfs.semanticscholar.org/7721/a0611f40ca3d9230673814207a98e750b440.pdf
16. http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.581.9476&rep=rep1&type=pdf
17. https://www.utdallas.edu/~chung/SYSM6309/NFR-18-4-on-1.pdf
18. http://www.osec.doc.gov/osy/hspd-12/PDF/SP800-76-1.pdf
19. http://ddpolice.gov.in/tenders/Biometric-Attendance-System.pdf