The idea of biometrics in the cloud may sound odd to the security minded IT professional. We know that in order to perform biometrics with integrity it is important to manage the trustworthiness of the entire process. From an architectural and services standpoint, aren’t we just now working towards trustworthiness in the cloud, as seen in efforts such as the Trusted Cloud Initiative led by the Cloud Security Alliance? In the past, executives have stated security as a reason not to move to the cloud. From this viewpoint, how can it make sense to consider biometrics in the cloud?
Two Reasons Why ‘Biometrics in the Cloud’ Makes Sense Today
I think there are two good reasons why biometrics in the cloud does makes sense today. One is Big Data and two is Wider Access. A March 2012 ComputerWorld article talks about Big Data becoming an issue that many IT organizations must come to terms with in 2012. The challenge being; how do you store massive amounts of end user data and make it useful?
Large biometric deployments have this same issue. As an example, in the past several years, the amount of biometric data records (mostly fingerprints, but also iris and facial images) has grown tremendously as several US agencies are required to use the latest identification and verification technologies. It is expected that there will be hundreds of millions of identities—petabytes of biometric data in Federal Bureau of Investigations, State Department, Homeland Security, and Department of Defense that need to be accessed real-time. One idea started in 2011 by Booz Allen Hamilton is to use the concept of cloud computing to drive up performance of data bases and processing of large amounts of biometric data as described in an article on the Booz Allen website.
This is but one example of what I think is a trend of using the computing concepts of Big Data and more processing power in the cloud to benefit biometrics.
Secondly, biometrics in the cloud can provide Wider Access to biometrics. In fact, in the area of voice biometrics, a common configuration is to use the voice channel as input, collect the audio via the speech application and securely access voice biometrics engine services via SOAP messaging. Many organizations have historically used hosted (cloud) voice services so the concept is not new. This cloud configuration, be it internal or external, actually lends itself to voice biometrics allowing organizations to engage with qualified hosting centers to gain access to more channels through unified communications and try new technology without the overhead of implementing it themselves.
Identity management is also moving towards providing wider access to cloud application via cloud services. CSA trustworthy cloud initiative includes identity management and Identity Management providers are targeting the cloud and looking to make use of federated identity methods to provide single sign on along with strong authentication if required. Schemes recently developed allow organizations to maintain credentials such as biometric models in the cloud or behind their own firewall.
Another way that the cloud enables wider access to biometrics is seen in emerging countries. This is a very different model then the US model.
As an example, a recent NPR article describes the national ID project in India where many Indians, in particular the poor, don’t have any ID. This makes it tough for them to fully engage in a rapidly modernizing society. A biometric project began in 2010 which tries to fix this problem by giving each citizen a biometrics ID. At its peak registrations were being made at a pace of one million people each day and the voluntary program is set to exceed its target of 200 million shortly. The idea is that if every person’s biometric data is collected and linked in the cloud, then with the swipe of a thumb, a rural farmer or city worker could be properly identified. For many people, this could determine whether or not they get access to a wide number of services.
Given the wide deployment of cellular networks in emerging countries, voice biometrics is popular and has grown quickly over the last six months through the cloud in Turkey. There are approximately 4 million voice biometrics users going through Global Bilgi, a CRM center that handles over 700 million customer contacts annually for a variety of companies, including Turkcell. Voice biometric has improved customer service and decreased overhead by reducing the authentication process to 5 seconds from 25 seconds for Turkcell’s consumer customers and 40 seconds less for its corporate subscribers.
Reasons Why ‘Biometrics in the Cloud’ Requires Pragmatism
Biometrics used as a security technology requires security discipline. Using an established security risk practice, we apply a ‘what if’ analysis to determine ‘why biometrics in the cloud’ might not make sense to rush to with over exuberance. A realistic resource is a document produced by the National Research Council entitled, ‘Biometrics Recognition: Challenges and Opportunities’ (free download) which covers technical and societal issues. Contributors include leading research and industry technology, medical and legal experts. The report lets us know realistically the status of biometrics and where further research is recommended.
The research report reminds us of the realistic challenges of performing biometrics with integrity across populations over time. It focuses on two main challenges which are that biometrics are complex and they are inherently probabilistic. In addition to the report, my previous posts and my other InfraGard learning series videos provide the background information on biometric technology to help understand why this is the case
The national research report states that automated biometrics recognition of individuals should be ‘tempered by an awareness of the uncertainty associated with that recognition’. Throughout our learning series, we have been realistic in positioning biometrics as a multi-factor technology option, in part due to this fact as well as differences in environments, cultures and laws.
The report advises that uncertainty can arise in a number of ways when using biometric systems in large populations including an ‘incomplete understanding of the distinctiveness and stability of the traits measured by biometric systems, the difficulty of characterizing the probability that an imposter will attack the system; and even the attitudes of the subjects using the systems—subjects who may have become conditioned by fictional depictions to expect, or even fear, that recognition will be perfect.’
Ultimately, the report recommends well run, pragmatic deployments with targeted users that effectively handle errors and deal with impostors. In addition, continued research to understand the effects of population over time is recommended. I agree with this strategy and believe that well executed biometric cloud implementations that meet prescribed goals are attainable and very beneficial. An irony worth noting is that research itself can benefit from a ‘research cloud’ to better store and analyze biometric research data over time helping industries and governments to best utilize biometrics in the future.
Author: Valene Skerpac (http://www.ibiometrics.com/Management_Skerpac.html)
Copyright protected 2012