Converged Biometrics for Physical and Logical Access Control

spotlessstareSecurity

Nov 29, 2013


327 East 84th Street ∙ New York NY 10028 ∙ Telephone (646) 561-9860 ∙ Fax (646) 449-0597







A White Paper for the Banking and Finance Sector: Converged Biometrics for Physical and Logical Access Control










Converged Access Control


Organizations realize that possession of a key or ID card and knowledge of a login and password are the vulnerabilities exploited every day. Not knowing WHO possesses a valid key, card or login is the root of physical and intellectual property theft, with annual losses estimated at $110 Billion according to a recent Norton Symantec report (Study, 2012).


Xelios Biometrics' Converged Biometric Access Control system, as part of its Banking Automated Fingerprint Identification System (BAFIS), solves the problem of end-point intrusion. Fingerprint biometry cannot be lost, stolen or copied and, when deployed at doors and computer terminals, closes the opportunity for malicious and unauthorized entry.


Organizations are looking for an end-to-end physical and logical access control system federating security across the enterprise. A single, trusted supplier with a comprehensive and mature authentication system delivers the promise of converged biometric access control. Utilizing advanced crypto-sensors and algorithms (AFIS) from the world leader Safran Morpho ensures operational scalability and reliability.


Xelios Biometrics' Banking Automated Fingerprint Identification System (BAFIS) is a turnkey biometric authentication system capable of working with databases of tens and hundreds of millions of user records and responding in less than one second.

BAFIS brings together internal Bank processes such as password management, protection of digital certificates and physical access control. It can be extended to external applications such as ATMs, Home-Banking, Customer ID at Teller and fingerprint-enabled POS terminals. All modules are integrated into the existing network architecture as an integrated and scalable turnkey solution.

Introduction of Xelios

Xelios Biometrics was spun out of the Safran (Sagem Morpho) conglomerate in 2002 to focus on the commercial applications of biometrics. Originally developed for the military, the technology has been integrated into tailor-made solutions for various industries including banking, healthcare and stadium management. Customers in more than 80 countries rely on this technology for identity verification, fraud prevention, and securing access to facilities and equipment.


Introduction of Safran

The Safran Group is the global leader of biometric identification technology, having produced and sold more than one million fingerprint devices to date. With more than 62,000 employees, $17 billion in sales and a $2 billion annual R&D budget, Safran supplies 54% of the Automatic Fingerprint Identification Systems (AFIS) market. Civil, military and law enforcement agencies such as the FBI have relied on the technology since 1982 and it continues to be ranked #1 in the NIST fingerprint recognition vendor tests.




Gartner Inc.: “Undoubtedly, biometric is the most secure way to authenticate, the most difficult to imitate and duplicate”

Diebold: “The real goal of Biometrics is to end the PIN and the card, so no one has anything to steal”







“The risk rogue business employees pose to the security of online fraud has increased significantly from 30 percent of respondents citing this as the cause of online fraud to 42 percent in 2012.”

- Ponemon Institute, Business Banking Trust Trends 2012 Report

Banking Automatic Fingerprint Identification Service (BAFIS)

Solution Overview:


BAFIS is a service for financial institutions and payment systems providers. It provides real-time biometric authentication services for physical and logical access control. Authentication services can be extended to customer-facing applications such as card-less ATM banking, online banking and other applications to eliminate ID fraud and differentiate from competitors.


Installed in the Bank's data processing center, BAFIS consists of a turnkey hardware and software solution which contains the fingerprint identification data (minutiae) and compares both fingerprint and symmetric keys. A positive ID will then provide a biometric device its session registration. The fingerprint verifies identity in full compliance with international ANSI and ISO standards.


Strong encryption ensures end-to-end transactional security of the fingerprint minutiae, thus providing data integrity, authenticity and privacy. Databases are encrypted and validation is performed in the completely safe environment of the Bank's data processing centers.

Converged Logical and Physical Access Control:

Converged biometric authentication of Bank staff ensures end-point resistance to the most sophisticated internal and external attacks. Biometric authentication protects and monitors physical and logical assets while increasing employee productivity. Real-time monitoring generates alarms of suspicious and malicious activities to prevent loss of bank assets.

BAFIS provides a rapid return on investment:

The investment cost of the fingerprint sensors and systems for authentication is exponentially lower than the direct and indirect costs of fraud and loss prevention expenditures.

Increased customer confidence is a competitive differentiator to attract new customers and retain existing customers.

Xelios' easy-to-administer system can be handed over to the customer's technology department after an initial period of training and is backed with Xelios' 24 hour 7 day support options.


Technology and Sensors


The Xelios BAFIS system is built on the Safran Morpho AFIS fingerprint matching algorithms. Customer references include the FBI's AFIS database since 1982 and more than 80 systems making up approximately 54% of the global installations, with solutions for hundreds of millions of records. US NIST continues to rank the technology in first place among rivals (http://www.nist.gov/itl/iad/ig/fingerprint.cfm).






Converged Physical and Logical Architecture


The biometric database is separate from other corporate databases and stores the fingerprint data associated to every user, as well as Access Group, Permissions, Access Logs, etc.:

[Architecture diagram. DATACENTER: Physical & Logical Access Control Services (biometric device management), Fingerprint Database, Fingerprint Enrollment & Permissions Management, Directory Services (user accounts, group policies…), Corporate Database. BRANCH OFFICE over the NETWORK: User Workstations, Physical Access Control Devices. OFF-SITE LOCATION over VPN: User Workstation. Labelled flows: fingerprint capture & storage in database; fingerprint loading in sensor memory; domain credentials management.]

Hardware and Topology

Installed in the Bank's secure data processing center, the BAFIS central database consolidates biometric data, typically utilizing the blade server computing architecture. Servers are often geographically distributed to efficiently manage regional branches and offices. The biometric architecture can be configured into the existing infrastructure.

Data Privacy

By scanning your finger, the technology measures the distance between distinct points that are unique to you and generates identifying numbers based on those distances. The fingerprint is encrypted on the sensor and at no time does a fingerprint image leave a sensor. Neither our customers nor we store fingerprints, nor can the data be re-created into a fingerprint image.








Data Handling

Biometric data is efficiently distributed across the enterprise according to Access Group. Access Groups are unique to each enterprise but the general categories are:

1. Global: Users with access to resources across the enterprise

2. Regional: Users with access to resources across a wide part of the enterprise

3. District: Users with access to resources in a reduced part of the enterprise

4. Local: Users with access to resources only at the branch or office assigned

Xelios' biometric loading services search for new fingerprint records from all locations and move them upstream to the central BAFIS database. BAFIS efficiently redistributes the biometric data downstream to the internal memory of the end-point biometric sensors, regardless of whether these sensors are intended for physical or logical access. Loss of server connection does not result in loss of local operations.

Because the Safran sensors are embedded crypto-systems capable of both storing and matching biometric data, the response time is immediate and requires no server connection. Provisioning of sensors with modifications to the Access Group list is a background process not affecting local operations.
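How the downstream distribution can be driven by Access Group scope, as an added example (not Xelios or BAFIS code): a reconciliation step decides which user templates a given end-point sensor must hold and what to load or unload so its local memory matches the central list. The branch topology, users and sensor contents are constructed, and the region/district layout and field names are assumptions.

```python
from dataclasses import dataclass

# Constructed topology: branch -> (region, district). Names are placeholders.
BRANCHES = {
    "NYC-01": ("east", "metro"),
    "NYC-02": ("east", "metro"),
    "BOS-01": ("east", "newengland"),
    "LAX-01": ("west", "socal"),
}

@dataclass(frozen=True)
class User:
    uid: str
    group: str   # Global | Regional | District | Local (the page's four categories)
    home: str    # branch or office the user is assigned to

def user_needs_sensor(user: User, branch: str) -> bool:
    """True if the user's Access Group scope covers a sensor at `branch`."""
    region, district = BRANCHES[branch]
    home_region, home_district = BRANCHES[user.home]
    if user.group == "Global":
        return True
    if user.group == "Regional":
        return region == home_region
    if user.group == "District":
        return district == home_district
    if user.group == "Local":
        return branch == user.home
    raise ValueError(f"unknown access group {user.group!r}")

def required_templates(users, branch: str) -> set:
    """User ids whose templates a sensor at `branch` must hold in local memory."""
    return {u.uid for u in users if user_needs_sensor(u, branch)}

def reconcile(users, branch: str, sensor_memory: set) -> tuple:
    """Background provisioning step: compute what to load into and unload from
    a sensor so that its memory matches the central Access Group list.
    Returns (to_load, to_unload); the sensor keeps matching locally meanwhile."""
    want = required_templates(users, branch)
    return want - sensor_memory, sensor_memory - want

# Constructed users; ids are placeholders, not real fingerprint records.
USERS = [
    User("alice", "Global", "NYC-01"),
    User("bob", "Regional", "BOS-01"),
    User("carol", "District", "NYC-02"),
    User("dave", "Local", "LAX-01"),
]

if __name__ == "__main__":
    # NYC-01 reader currently holds alice plus a stale record for dave.
    print(reconcile(USERS, "NYC-01", {"alice", "dave"}))
```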

Physical Access Control


Physical access devices run in stand-alone mode by default, which means that upstream network transactions are only performed when loading/unloading fingerprints to the device. When a valid finger is presented to the device, industry standard electronic signals are automatically triggered to unlock the door/turnstile.


Access logs are stored inside the device itself and periodically uploaded to the upstream biometric database.

Physical access devices may also be configured to work online. After presenting the finger, the biometric device sends a request command to a server, where a software-based module makes the final decision about granting access to the user and returns this decision to the device.

All Safran door access control devices support industry standard protocols such as RS232, Wiegand and TCP/IP with power over Ethernet (POE). All models integrate with standard electronic door controllers and locking mechanisms exactly like a card reader and comply with fire alarm door open commands.

Both outdoor and indoor rated models are available, supporting optional PIN pad, LCD display, and embedded RFID and smartcard readers (PIV and FIPS 2.0 certified) for combining biometrics with card and/or PIN for multi-factor credentialing.

Duress Conditions

A designated finger by itself or in combination with a specific PIN code can be used in the event an employee is being coerced to perform a transaction. The policy and procedure to handle such exceptions, such as duress, follow the Bank's policy. A “duress” finger will often allow transfer of limited funds or provide entry to a facility while simultaneously signaling an immediate silent alarm.






Logical Access Control



Windows login credentials for the user's domain account are stored in the device's hardware along with biometric data. These credentials are ciphered and there is no way of extracting them unless the user presents their fingerprint on the sensor, guaranteeing the privacy of the data.

When presence at a facility is established by the fingerprint, this new awareness becomes a critical factor in the decision to grant access to the network. Conversely, if a remote session is initiated while the user is present, it indicates a malicious penetration attempt. Ongoing enhancements to the decision-based login authentication system eliminate windows of vulnerability for physical or logical penetrations.
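The presence correlation described above, as an added example (not Xelios or BAFIS code): door-reader events set a user's known location, a local logon is granted only where the user is present, a remote session for a user who is on site is denied and alerted, and a duress finger (from the earlier Duress Conditions section) admits the user while raising a silent alarm. Event fields, user ids and branch names are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class PresenceState:
    """Tracks where each user last presented a finger at a door (None = off site)."""
    location: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def door_event(self, uid: str, branch: str, direction: str, duress: bool = False) -> None:
        # Physical access device event. A duress finger still records presence
        # (entry is granted) but raises an immediate silent alarm.
        if duress:
            self.alerts.append(f"DURESS {uid} at {branch}")
        self.location[uid] = branch if direction == "IN" else None

    def logon_decision(self, uid: str, kind: str, branch: Optional[str] = None) -> str:
        # "local": workstation logon at `branch`, which requires presence there.
        # "remote": VPN session; a user known to be on site cannot legitimately
        # be logging on remotely, so this is flagged as a penetration attempt.
        where = self.location.get(uid)
        if kind == "local":
            if where == branch:
                return "GRANT"
            self.alerts.append(f"LOCAL logon by {uid} at {branch} without presence")
            return "DENY"
        if kind == "remote":
            if where is None:
                return "GRANT"
            self.alerts.append(f"REMOTE session for {uid} while present at {where}")
            return "DENY"
        raise ValueError(f"unknown logon kind {kind!r}")

def replay(events):
    """Feed an event stream to a fresh state; return (decisions, alerts)."""
    st, decisions = PresenceState(), []
    for ev in events:
        if ev[0] == "door":
            st.door_event(*ev[1:])
        else:  # ("logon", uid, kind, branch)
            decisions.append(st.logon_decision(*ev[1:]))
    return decisions, st.alerts

# Constructed sample event stream (user ids and branch names are placeholders).
SAMPLE = [
    ("door", "alice", "NYC-01", "IN"),
    ("logon", "alice", "local", "NYC-01"),    # GRANT: present at that branch
    ("logon", "alice", "remote", None),       # DENY + alert: still on site
    ("door", "alice", "NYC-01", "OUT"),
    ("logon", "alice", "remote", None),       # GRANT: now off site
    ("logon", "bob", "local", "NYC-01"),      # DENY + alert: never badged in
    ("door", "carol", "NYC-02", "IN", True),  # duress finger -> silent alarm
]
```

Running `replay(SAMPLE)` yields the four decisions and three alerts annotated in the comments; in a deployment the alerts would feed the NOC monitoring described later on the page.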

Biometric authentication to access specific Corporate Software is accomplished by the Bank's development teams or Xelios integrating a set of biometric software components.

Logical Access Control Architecture





Network Operation Center (NOC) and Reporting

The Network Operations Center (NOC) oversees enterprise authentication operations and monitors one or many networks for certain conditions that may require special attention. Organizations may operate more than one NOC, either to manage different networks or to provide geographic redundancy in the event of one site becoming unavailable.

Maintenance and Support

A variety of multilevel service agreements are available, from simple proactive maintenance and monitoring to comprehensive 24 x 7 managed services.




ROI CHART FOR CONVERGED BIOMETRICS

(The original chart groups its rows under Physical Access Control, Logical Access Control and Converged.)

Immediate Benefit | Intangible Benefit
Single point of management for entire enterprise | Immediate grant/removal of access rights eliminates windows of exposure existing between disparate systems
Reduced costs managing keys | Fingerprints are not consumable cost items and when factored with RFID cards still are less costly than keys
Decreased time and effort for authorized staff to access facilities | Improved employee productivity and satisfaction
Reduced insurance premiums | Biometric access solutions eliminate the potential for fraudulent access by lost, stolen or counterfeit keys/cards
Undisputable biometric audit trail for all access events | Improved customer confidence in bank's diligence
Elimination of password related down time | Forrester Research estimates the average cost of a single password reset is $70 per employee
Reduction in help-desk incidents for password | Protection against data loss by industrial espionage and cyber intrusions
Physical audit trail of account activities | Cost of remedies addressing security breaches and application downtime following incidents
Reduced staff costs by converging physical and logical authentication | Improved employee satisfaction and productivity
Converged biometrics require no consumable cards or keys | New and decommissioned facilities provisioned by simply installing and powering devices
Physical presence at a location is factored into granting/not granting network access | Employee time and attendance is perfectly recorded providing to-the-minute reporting for payroll accuracy
Consolidated physical and network security monitoring center | Immediate awareness of penetration attempts and statistical analysis for preventative countermeasures
Undisputable forensic evidence for internal investigations | Deterrent factor benefits loss prevention measures
Cost reduction from one system vs. multiple systems | Move to person-centric security rather than location or account centric security has multiplier effect across entire enterprise
Reduction in physical and logical operational costs at branches | Rapid provisioning/decommission of branches and offices
Knowledge of presence in/out of building eliminates remote access breaches | Real time workforce awareness allows optimized payroll, staffing and automated scheduling




Physical Access Control Door Readers








(Original table columns: Product Name, Description, Comment, Specification, Image; product images are not reproduced.)

Product Name: MA J Series
Description: Elegant design and high security in a small package
Comment: Suitable for both indoor and outdoor applications
Specification:
• Standalone or networked
• Multiple interfaces including POE on RJ45/Wi-Fi
• MIFARE® and secure DESFire® contactless smartcard reader
• IP 65 rated for outdoor use

Product Name: MA 500 Series
Description: Fingerprint Access Control Terminal and Time and Attendance Terminal
Comment: Suitable for indoor locations
Specification:
• Multifactor 1:N identification
• Up to 50,000 local users
• Easy integration to existing systems
• Power-Over-Ethernet (POE)
• MIFARE® and DESFire® contactless card reader/encoder (optional)
• Optional wireless LAN communication
• FBI PIV IQS certified sensor

Product Name: MA 500 Outdoor Series
Description: Outdoor Fingerprint Access Control and Time and Attendance Terminal
Comment: Suitable for harsh outdoor locations
Specification:
• IP 65 weatherproof
• Fast, accurate and reliable
• Multifactor authentication
• Up to 50,000 local users
• Easy integration
• Power-Over-Ethernet (POE)
• Integrated MIFARE® and DESFire® reader/encoder



Logical Access Control Readers





(Original table columns: Product Name, Description, Comment, Specification, Image; product images are not reproduced.)

Product Name: MSO1300
Description: USB Fingerprint
Comment: Suitable for staff authentication
Specification:
• <.6 sec 1:1 matching
• <.8 sec 1:1000 matching
• 14x22mm sensor area
• 500 (2 print) user capacity
• FAR adjustable to 10^-8
• CE, FCC & RoHS Compliant

Product Name: MSO1351
Description: USB FIPS/PIV Fingerprint and Card
Comment: Suitable for staff authentication with multi-factor FIPS/PIV Certification
Specification:
• <.6 sec 1:1 matching
• <.8 sec 1:1000 matching
• 14x22mm sensor area
• 500 (2 print) user capacity
• FAR adjustable to 10^-8
• FIPS 201 Certified
• CE, FCC & RoHS Compliant

Product Name: MSO300
Description: USB ruggedized with large platen for customer facing applications
Comment: Suitable for high security single-factor authentication
Specification:
• <.7 sec 1:1 matching
• <.9 sec 1:1000 matching
• 23x23mm sensor area
• 500 - 5,000 user capacity
• FAR adjustable to 10^-8
• Zamak Ruggedized Housing
• CE, FCC & RoHS Compliant

Product Name: MSO301
Description: USB ruggedized, Fake Finger Detection with large platen for customer facing applications
Comment: Suitable for highest security single-factor operations. Fake Finger Detection adds nominal latency
Specification:
• <.7 sec 1:1 matching
• <.9 sec 1:1000 matching
• 14x22mm sensor area
• 500 - 5,000 user capacity
• FAR adjustable to 10^-8
• Zamak Ruggedized Housing
• Fake Finger Detection
• CE, FCC & RoHS Compliant

Product Name: MSO350
Description: USB ruggedized FIPS/PIV and card with large platen for customer facing applications
Comment: Suitable for high security multi-factor FIPS/PIV authentication
Specification:
• <.7 sec 1:1 matching
• <.9 sec 1:1000 matching
• 14x22mm sensor area
• 500 - 5,000 user capacity
• FAR adjustable to 10^-8
• Zamak Ruggedized Housing
• FIPS 201 Certified
• CE, FCC & RoHS Compliant

Product Name: MSO351
Description: USB ruggedized FIPS/PIV and card, Fake Finger Detection with large platen for customer facing applications
Comment: Suitable for highest security multi-factor PIV/FIPS requirements. Fake Finger Detection adds nominal latency
Specification:
• <.7 sec 1:1 matching
• <.9 sec 1:1000 matching
• 500 - 5,000 user capacity
• FAR adjustable to 10^-8
• Fake Finger Detection
• Zamak Ruggedized Housing
• FIPS 201 Certified
• CE, FCC & RoHS Compliant

Product Name: MSO Finger VP
Description: USB multi-modal fused fingerprint and vein
Comment: Suitable for challenging fingerprints, e.g. elderly, manual labor workers, etc.
Specification:
• 1 sec 1:1 matching
• 1 sec 1:500 matching
• 5,000 - 50,000 user capacity
• FAR adjustable to 10^-8
• CE, FCC & RoHS Compliant