Written by The following interview took place between the magazine “THE VAULT “and Jonathan Heywood from Siemens IT Solutions & Services
VAULT: Jonathan, Why do Siemens see biometric technology as an integral part of Identity and Access Management?
JH: Biometric technology is the one technology that really confirms who you are. For Siemens it’s part of a much larger identity management framework to identify, authenticate and authorize people to use and/or enter systems, buildings and services. Improvements to identity and access management, which bring in a single view of the user, leads to improved efficiency in an organization and helps control costs such as help desk costs and re-use of user information on any business processes.
When you have such an important single location for user data it’s very important to know who they really are and that’s why biometrics provide a useful supplement to this, because you then know that you’re changing things for the right people.
VAULT: What are some of the key drivers, which have contributed to the rise in use of biometrics, with specific reference to identity management?
JK: For us the key drivers have been associated with having a reliable, fast and convenient mechanism to confirm individual identity. For example in the public sector, biometric technology is seen as a means of helping to confirm entitlement to services. In financial services, biometrics may be used as a means of confirming identity, so it helps to reduce fraud.
In the healthcare industry, biometrics is seen as a very fast way of confirming who has completed what actions. So for example, some hospitals in Austria, are using biometrics as a means for staff to log on to patient workstations where they then get the role relevant information presented to them. This has been such a fast process, but it’s provided a very high level of acceptance to staff.
The other benefit of course, is that you get much better security with effective access controls and transparency, telling you who has done what and where. Some nuclear power stations for example, are now using biometrics as a means to control the plant.
VAULT: What benefits can biometric technology bring to Identity and Access Management?
JK: The main thing is that biometric technology is a fast and reliable method of unambiguously confirming somebody’s identity, especially with modern biometric techniques, which actually require live people to be identified. Biometric technology therefore provides strong authentication and improves the authentication process.
VAULT: In terms of policy development and implementation relating to biometrics, what are some of the main challenges faced by public & private organizations?
JK: In my experience the main challenges associated with the deployment of biometrics are really around privacy. People are very concerned that biometric information can be shared with other organizations. So if you like, it’s a bit like people worrying that their DNA getting into the wrong hands. And this is one of the big issues that any provider of biometric services has to be concerned about, is to make sure that those concerns of privacy, both in the public and private sector, are honored.
VAULT: How important are partnerships with other members of the ecosystem in ensuring the successful implementation of identification solutions?
JK: Partnerships are really important for Siemens, because although Siemens provides a core portfolio for identity, access management and biometric solutions, it does require a network of technology partners to provide the best in class solutions for customers. These include access to buildings, public services, financial systems or indeed industrial systems.
Although large organizations like Siemens can support most of these applications, no single organization can support them all. Therefore it is really important that there are standards in place to allow the various components to communicate with each other and operate effectively. For example, an identity and access management system needs to be able to access the building’s access control system and maybe the cashless vending machine in the canteen and so on. And you can see how these kind of technologies are becoming much more pervasive.
VAULT: What are some of the main issues in the public debate concerning the appropriateness and effectiveness of IAM and biometrics technology? How do you believe these can be overcome?
JH: If I give you an example of the use of fingerprint technology, one of the main fears that people have is the use of their fingerprints as a means for biometric identification for authentication, because fingerprints are used in other circumstances to identity people. You leave for example, your fingerprints in café’s or lifts where you have been, and so in a criminal sense it’s a very conclusive piece of evidence to show where you have been. People are very often concerned that the biometric data stored about them could be reverse engineered to provide fingerprint images to other organizations. But one of things about the biometric technology, which Siemens are using, is that they’re designed to make that reverse engineering virtually impossible. The thing that we’re finding is that technologies, such as palm vein readers and iris recognition technology, are seen as somewhat less intrusive because they’re non-touch and people can therefore accept that showing your hands to a sensor is fine for confirming that you’re there. But of course your palm vein pattern cannot be picked up by anything other than the same specialized device. For most people, this is where their biggest worries regarding biometric technology are.
VAULT: In your experience do you think that most of the general public are actually worried or scared of the technology, or the actual implementation of data that is retrieved from that?
JK: I think it’s more about the implementation of the data. As you’ve probably noticed in the recent issues about body scanning at airports, which could be used for biometric purposes, the authorities are very keen to stress the fact that the images are deleted immediately. I think this is to try and provide reassurance to people that those images don’t have a lifetime beyond what they’re used for, which is to confirm that you’re not carrying anything you shouldn’t do.
I think that with biometric technologies, because there is an increasing amount of data stored about people and biometric data is such a conclusive mechanism for identifying people, people therefore get scared about having lots of information all put together about them, with a biometric tag which means it has to be theirs.
VAULT: In your opinion, who do you think should be responsible for driving greater acceptance of biometrics to the end user? And how do you think this can be achieved?
JK: Our experience is that the organizations who wish to implement biometric techniques for identification, are the people who have to be able to respond to that locally, so they have to communicate thoroughly with their users as to the advantages of this and to allay their fears.
You may remember I mentioned the hospital, where we use biometric logons – the staff have now fully accepted the benefit of using biometrics because it’s convenient and fast. They find that they can get access to the data in a second or so, rather than having to type a username and a password and we find that the process has been well accepted, with over 99.5% of staff using this. It starts with a few advocates and a significant program of change where you’re communicating with people and then ongoing coaching. But suppliers cannot do this and it has to be the client organization that does this.
If you’re talking about a more general public aspect, then it has to be the government that has to convince people that biometrics is a good, safe and secure way of identifying people. One of the problems is that governments often suffer from what I’d call ‘conspiracy theories’, where people worry about their data being used inappropriately and I think that’s something that governments have to really work on. We find it’s much easier dealing with individual organizations because once the staff see the benefits then they find it much more acceptable. I think that once more organizations start using biometrics it will also become easier for the government.
VAULT: What do you think are the best type of advocate groups to actually put a positive aspect on biometrics?
JK: I think that biometrics will come in through the commercial space. I’ve seen prototypes of ATM machines that essentially use a wave and pay type card to identify them; the customer then puts their hand over the censor to confirm that they are who they are, and then they can speak into the machine to say how much money they want. The only time they ever touch the machine, is when they take the notes out of the dispenser. Now in some societies that is something that will sell to the customers and that can be a very successful way of getting biometrics across. Similarly with high net worth customers who are very concerned about having high value transactions being fraudulently placed – if they use biometric tokens, they can use that as a mechanism to confirm if he’s there, and of course the banks like it because if you’ve got a biometric confirmation, the transaction cannot be repudiated.
It’s the benefits of security and convenience that appeal to customers. I think it’s one of those things where you’ll find that commercial organizations and organizations who are very worried about security, so for example nuclear power stations, they could use biometric access controls to supplement the normal identity cards, and then you know exactly who is doing what and where. And I think that’s where you’ll find those opinion formers, as these industries start taking this on, then you’ll find that it gets a lot more acceptance. For me the health service would be a natural place to start, but they have struggled with their healthcare program and I think this is one of things that’s a step too far for them at this stage, even though they would be an ideal candidate, if persuaded to take this on.
VAULT: Lets take this a stage further – in what kind of application areas do you see biometrics developing and emerging in over the next three – five years?
JH: I see biometrics as one of those things that will continue to be refined, making it faster and even more accurate. In about three years time I would expect many organizations to use biometric log-ons for their computer systems. This will also be used as part of the process of what we call ‘segregation of duties’, where you need at least two people to confirm a transaction. So for example in a bank back office, if you were wanting to transfer 100,000 pounds somewhere, you might need to have two people to confirm that that’s a valid transaction. Using biometrics to support that is a very good way of reducing the scope for fraud.
Where I see things happening in a more interesting way, are biometrics of the more behavioral areas. There have been recent descriptions using analysis of a person’s ‘gait’ (the way they walk), as a mechanism of confirming your identity; the way people type on computers could also be used. These are what I call the background uses of biometrics, which can actually help confirm the identity. They’re very hard to use for checking someone’s identity in terms of saying, ‘this is person Smith’, but it’s very good for confirming that ‘I think this is person Smith, do you agree?’ And I think that’s where biometrics will be used to provide improved security and safety. Although this is less about identity management, it does actually provide significant value to the organizations who can deploy it.