No silver bullet
Biometrics is a maturing technology in SA, but experts warn that it's merely a piece in the puzzle for corporate security
Recent market research by ABI Research predicts that increased interest and investment in a variety of biometric technologies is set to push total spending worldwide to $7.3 billion by 2013, more than double the current rate.
This pretty much correlates with research last year by the International Biometric Group which estimated $3 billion annual biometric industry revenues in 2007 and predicted that it would double to $7.4 billion by 2012.
While biometric authentication technology has been slow to take off, Jonathan Collins, principal analyst at ABI Research, said that despite the current economic downturn, he expected the biometric sector to continue to prosper for a number of reasons.
Terror attacks have been a big factor in the increase in awareness, while a growing emphasis on security in both the public and private sectors are also big drivers, he said.
Biometrics back home
And while terror attacks are, fortunately, not common in this country, South Africa has been described as the most dangerous country - which is not at war - in the world, for its high levels of violent crime.
But, "the scourge of crime in South Africa is by no means limited to violent crime," researchers from the SA Human Rights Commission wrote in their recent Human Rights Development Report.
"The moral decay also manifests itself in the proliferation of crimes being committed in the business sector," the report said.
Moreover, PricewaterhouseCoopers' economic crime survey published in October 2007 showed that 72% of South African companies surveyed were victims of economic crime - higher than the 42% global average.
It's therefore no surprise that South Africa is rated as one of the top ten users of biometrics in the world. The South African Police Service uses a fingerprint-enabled criminal record database, Home Affairs has its own national digitally-converted fingerprint database, the Department of Social Development uses fingerprints to identify people to whom they pay social grants and the Department of Transport has a database of all licence holders - including their fingerprints.
This makes sense against the backdrop of an observation by ABI Research's Collins that while face, iris, hand, and speech recognition systems have emerged and are being adopted independently and alongside fingerprints, fingerprints will continue to be the dominant biometric measurement for some time to come.
"Biometrics in South Africa is a maturing technology. I wouldn't say that South Africa is catching up, because we're not significantly behind in usage of the technology, but we're not using it to its full potential. It is becoming a part of life here though, being used in smart ID cards and health cards, and it is becoming more acceptable to companies and individuals," says Naeem Seedat, associate director at PricewaterhouseCoopers (PWC).
At the physical access level, there is a fair bit of work being done locally in the biometrics space, but at the bigger identity management level framework level South Africa is lagging because enterprise architects aren't involved in the projects, he adds. "However, we are seeing some inroads in the financial sector and government is strongly pushing biometric identification projects."
A word to the wise
"Most companies are now kicking the tyres with smaller deployments in the financial services and telecommunications sectors. Many businesses are grappling with the process angle, the technologies are immature and they need to choose their vendors through use case development and testing," suggests Patrick Devine, security and identity management practice leader at Cornastone Consulting.
Seedat notes that because PWC is technology agnostic, it generally advises client companies to consider their requirements and all possible technology options. Then they should get their infrastructure architects and the technology vendors to communicate and integrate their systems.
"We always advise clients to take a holistic view. Don't just go to a technology vendor because you need an access control system. There was a classic example of a client recently who implemented an expensive biometric access control system, and within a day, staff were piggybacking off others to go through the entrance because it took too long for them to go in one at a time. So you need to sit down and architect solutions and do so with a fair bit of insight," he points out.
"Before businesses embark on an identity management project they should assess their existing environment and then they need to understand the complexities of cross-platform users and privileges," agrees Devine.
This sentiment is echoed by Amir Lubashevsky, director of Magix Integration. "For us, biometrics alone is not a solution. It's just a remedy to a particular problem."
This touches on another issue, Seedat adds. Many organisations implement large biometric access control projects, but don't spare a thought for how it will change the way people will work or how clients will interact with them.
"You need to consider the change management element," he says. "At the end of the day, it's people that are using the technology, so if you don't win their hearts [with it], you're doomed.
Besides, Biometrics can be a scary thing, he admits. "There are some negative perceptions of the technology, especially when you think of the traditional practice of fingerprinting criminals, and there are also privacy concerns," admits Seedat. So, you need to get people on board the concept of using the technology, and you need to prepare them and enable them to use it, he says.
Seedat's final word of warning is for potential users not to be persuaded to use inferior products, particularly those imported from China, because of their reduced prices in comparison to more robust products. "Ask the right questions of the technology vendor, and don't make price the determining factor," he says of biometric systems.
Also, Seedat cautions, don't forget about securing the back-end. "Biometrics is not a silver bullet. It helps secure the front-end of a system, but there are processes behind the biometrics - it's merely a piece in the puzzle."
Technology in progress
Besides, points out Devine, biometric technology is extremely immature and has a way to go before widespread adoption apart from a few niche areas, such as access control for a small number of people to a physical location.
"A major concern is the potential for the biometric database to be compromised. It is one thing for a password to be compromised, because users or administrators can simply create a new password. But fingerprint and retina prints cannot be changed. People need to distinguish between the non-real-time fingerprint matching the way the police use it and the real-time fingerprint checking of a user authentication system," he says.
According to Devine, the biggest risks for identity theft are firstly paper-based records that can be easily stolen from the post box or post office, secondly the malicious insider at a large corporation that can steal databases of hundreds of thousands of personal records on a simple memory stick, and thirdly, and most importantly, are family and friends. "Much of the US-based research points to the last point as the most prevalent," he says.
As for the challenges organisations face in implementing an identity management solution based on biometrics, Devine says they include getting the technology to work as advertised and ensuring the biometric database is never in a position to be compromised - the last one being nigh impossible.
On the upside, companies are beginning to understand the complexities of roles-based access control and the large vendors are playing catch up as they try to integrate the point solutions that they have acquired over the last three or so years, he maintains.
When queried as to the return on investment of a good biometrics system, Lubashevsky compares it with insurance - a necessary evil. Companies, both big and small, have to consider the governance and risk implications of not implementing such a system to protect their intellectual property, he says.
As for the technologies to watch, Seedat lists mechanometrics, RFID, near-field communications, and smartcards. "The future of biometrics in this country will be driven by government. Smartcards and RFID will become mainstream, especially in the financial sector. With the work government is doing for the smart ID sector, there will be more applications to use smartcard technology in the corporate sector. Government is also looking seriously at RFID technology. The new intelligent numberplate system planned for Gauteng is rumoured to be RFID based, and the technology could have significant implications for traffic control and tolling," he concludes.