eSSL Biometric Secuwatch

March 2, 2011

eSSL Receives the Frost & Sullivan Market Share Leadership Award in the Indian Biometric Market

Filed under: Access Control, Biometrics, fingerprint india, world — secuwatch @ 10:31 am

Mumbai, India, March 2, 2010 – eSSL was recently conferred the Frost & Sullivan Market Share Leadership Award in the Indian Biometric Market, at the 1st Annual Electronics Industry Excellence Awards Banquet held at Taj Ambassador, New Delhi. The increasing importance of the Electronics sector in the overall GDP and the potential it holds for an emerging economy like India is well known. The growing emphasis on technology, features, innovation, productivity and sustainability has encouraged organizations to continuously improve their offerings. The Indian Electronics Industry was estimated to be worth $47 billion in 2010, is growing consistently, and is expected to reach $350 billion by 2020.

On receiving the award, Mr. Anand Jain, Partner, enterprise Software Solutions lab (eSSL) said, “It’s a wonderful moment for all of us at eSSL. We are delighted to receive the Frost & Sullivan Market Leadership Award in the Indian Biometric Market for the second time in a row*. We take this opportunity to thank all our customers for their continued support and for entrusting eSSL with opportunities to provide them with the world’s best Biometric and RFID-based solutions, which cater to HR attendance and access control needs. eSSL is committed to increasing customers’ performance by enhancing our portfolio to provide integrated and robust solutions. We also thank Frost & Sullivan for felicitating us with this award, which is an inspiration to companies to perform better.”

The performance of different market participants in the Biometrics market was evaluated through primary research. The key officials within each company were interviewed to assess their relative position within the given market. The data thus obtained was subjected to intense analysis to narrow down on the award recipient.

Niju V, Deputy Director, Automation & Electronics Practice, Frost & Sullivan, South Asia and Middle East, said, “The biometrics market is dominated by large players and despite this concentration, eSSL has been able to carve out a niche for itself. The company has captured a significant share of the market by offering customized solutions. eSSL’s offering of value-based pricing has been well appreciated by the customers and has become the cornerstone of its success in the biometrics market. The exciting part of eSSL’s focus on this market is its continuing investment in R&D activities, ensuring that this leadership position is sustainable over the long term.”

Frost & Sullivan is in the forefront of conducting research in the electronics markets to track the developments and competitive positioning of different organizations in an emerging and ever-evolving market. This assessment of organizations researched the best practices adopted by them and how they differentiate themselves within the ever-growing community of vendors, vying for user attention. Frost & Sullivan Best Practices Awards for the Indian Market are based on extensive research, analysis of the market and assessment of participants competing / operating in this market. The Award for Market Share Leadership is presented to a company that has demonstrated excellence in capturing the highest market share within its industry in a specific year.

* Market Strategy Leadership award for Electronic Access Control Systems (India) in 2007

About Frost and Sullivan

Frost & Sullivan, the Growth Partnership Company, enables clients to accelerate growth and achieve best-in-class positions in growth, innovation, and leadership. The company’s Growth Partnership Service provides the CEO and the CEO’s Growth Team with disciplined research and best-practice models to drive the generation, evaluation, and implementation of powerful growth strategies. Frost & Sullivan leverages 50 years of experience in partnering with Global 1000 companies, emerging businesses, and the investment community from more than 40 offices across six continents. To join our Growth Partnership, please visit

About eSSL

enterprise Software Solutions Lab (eSSL) is headquartered in India’s leading software center, Bangalore – the location chosen by several leading multinational firms. Today, eSSL is a well-reputed software development company with an excellent track record and several years of industry experience. We are recognized IT experts in the selected application domains and make every effort to advance our skills. As an industrial software laboratory, our key focus is to work closely with every business from large to small corporations and govt. based cooperatives worldwide in our efforts to bring responsibly produced products and services to a global marketplace.


Caroline Lewis

Corporate Communications, South Asia

P: +91 98217 37935

F: +91 22 2832 4713


Nimisha Iyer

Corporate Communications – South Asia, Middle East and North Africa

P: +91 98200 50519

F: +91 22 2832 4713



February 22, 2011

Biometric attendance system at Karnataka University

HUBLI: Irregular and non-punctual staff will be dealt with an iron hand if they fail to be in Karnatak University (KUD) on time, thanks to the biometric fingerprint attendance system which has been installed at all the departments.

Hundreds of employees work at various sections of 52 departments at KUD. The manual attendance system is said to be a cause for concern among the heads of various departments to keep track of the attendance of their subordinates. Their not being punctual was adding to the problem.

The biometric system is expected to instil discipline among the employees so their efficiency is increased. KUD has also installed IP-based CCTV at libraries, administration building, examination building and the main annex to keep a watch on the behaviour of students in libraries and the movement of employees elsewhere.

R M Vatnal, chairman of IT department, which designed and implemented the system, told ‘The Times of India’ that biometric system is being used in important departments like finance, administration and examination. The biometric devices installed at all other departments are yet to be activated. “The biometric system is being run on a trial basis in some departments. It should be in place at all the departments in the next two months,” he added.


Instead of signing in the register, the employees will have to put the impression of their fingers on the device to register their attendance daily. The fingerprints of all employees have been uploaded in the system. The fingerprint-specific system also checks registration of proxy attendance.

The biometric devices will be operated from the main server located at the IT department. “We will send attendance report of each department to the heads concerned everyday so they can know the regularity/ punctuality of their subordinates,” Vatnal said, and added that the new system has cost KUD around Rs 5 lakh.

Source: Biometrics Attendance System

February 21, 2011

Biometric Fingerprint Reader as Valuable Technological Tool

Technological advancement is all around us in day-to-day life, from the home to the office. Everyone is aware of how home appliances have advanced. In the office, there is no longer any need to maintain a pile of ID records to keep a log of workers. Time details can be stored electronically, which also saves a sheer waste of time. A portable device made of fabric can be hung up somewhere, and it gives a clearly audible beep whenever it senses the touch of skin. It can also easily detect fraud and raise an alarm. The device is so small that it can be taken or moved to any place at our convenience. Technically, the device is normally programmed with fuzzy logic: when a person touches the thin plate once, the device maps every detail of that touch. The mapping includes the length and size, along with other details necessary to identify the individual, depending on how the device has been programmed.

The biometric fingerprint reader was invented by a US citizen for office use, so that everything could be done automatically, because time and money are both extremely valuable. The invention proved so helpful and essential that people around the globe started adopting it. Why should India lag behind? India adopted the system, and it very soon gained popularity throughout the country for its usefulness. It is now an established device used not only in the office but also at home, where people use it for multiple purposes.

PURPOSES:

OFFICE: In the office, it is generally used to store employees’ attendance details; it also stores the break timings of the various employees. That is, instead of a huge pile of ID records, the fingerprint device does the work. Since the details are stored electronically, it saves precious time and guards against fraud. The records are kept permanently in the computer, so you can look at them any time you want.

HOME: At home, it can be used to keep a log of who is coming and when. Abroad it is also used for security: to enter the house, a person must scan a fingerprint, and only if the device has been programmed with that fingerprint is the person allowed in. It is generally connected to the security alarm, so when the device does not find a match it sounds the alarm, thus preventing burglary.

This system has been adopted in our country as well; after all, why stay behind? A few Indian jails now also use this system, because tracking every employee individually becomes very tedious, so they are electronically protected. Thus the device is proving very beneficial from the technological, mechanical and user-friendliness points of view.

February 15, 2011

Facebook uses biometrics on photo images

Filed under: Access Control, Bangalore Biometrics, Biometrics, world — secuwatch @ 5:10 am

Social networking giant Facebook is taking the plunge into using facial recognition-based biometrics in a bid to make it easier for users of the site to tag their photos.

In a blog by one of the company’s engineers, Justin Mitchell, it was revealed that every day, people add more than 100 million tags to photos on Facebook. They do this because it’s an easy way to share photos and memories.

Mitchell says in his blog that while tags are an essential tool for sharing important moments, many people find tagging photos a chore.

Mitchell said that since October, the company has been working to make this process easier. First Facebook added group tagging, so users can type one name and apply it to multiple photos of the same person. Now Facebook is announcing tag suggestions, which will make tagging multiple photos even more convenient.

The new systems will use face recognition software – similar to that found in many photo editing tools – to match new photos to other photos a person is tagged in. Facebook then groups similar photos together and, whenever possible, suggests the name of the friend in the photos.

Users can disable suggested tags in their Privacy Settings, if so desired.

Tag suggestions will debut for users in the United States over the next few weeks.


January 17, 2011

Indian biometrics booming

A new report by Frost & Sullivan has found that biometrics is the fastest emerging technology in the Indian securities and identification market and is finding increased traction in various government and non-government applications such as driving licenses, ePassports, land records, as well as time and attendance.

Frost says that biometrics is gradually gaining ground at the expense of conventional methods of identification and security checks such as physical checks, photo IDs, tokens, and passwords.

The Indian Biometric Market report finds that the market earned revenues of INR 5.43 billion from the combined sale of biometric readers and cards in 2009 and estimates this to reach INR 52.55 billion in 2015.

“There is an increasing need to secure people, assets, information, and facilities by managing access control for authorized people,” says Frost & Sullivan Research Analyst Sagarina Rai. “The Indian biometrics market is receiving a huge boost from large-scale government projects, increasing public awareness, and rising security concerns.”

Owing to India’s large population, identifying oneself in the country is a major hurdle, especially in the rural areas. This has made a solid case for the use of biometrics in the interiors, says Frost.

Furthermore, due to a rapidly rising economy, there has been a spurt in the need for safety and security solutions among organizations dealing with private and confidential data. The escalation in security threats has also spawned a need for authenticated physical access to building premises, creating vast opportunities for biometrics companies.

Despite the market’s potential, the poor awareness, lack of a unified standard for biometric readers, as well as inadequate expertise and investments are restraining the market. India has not yet started manufacturing biometric devices domestically because the sensors have to be imported. Owing to a surfeit of imports, the market is flooded with low-cost, low-quality devices. As these devices often fail to meet quality standards, customers’ confidence in the technology is fast eroding.

Source: Frost & Sullivan

January 10, 2011

P Chidambaram Inaugurates Biometric Attendance Control System

Home Minister P. Chidambaram inaugurated the Biometric Attendance Control System, which is implemented at the home ministry offices located at North Block, Jaisalmer House and Lok Nayak Bhawan. This automated attendance system is aimed at ensuring that employees come to work on time.

Taking the initiative for ensuring punctuality, Chidambaram arrived at 9 a.m. at the North Block and registered his attendance by placing his finger on the scanner.

The proposal for the implementation of the biometric scanners had been put forward a few months ago by Chidambaram himself. This idea was given by him after he started noticing that many officials were not even reporting for work, but their attendance had been found. He had also noticed that people were in the habit of leaving office before the scheduled time.

Source: Time and Attendance System

“Under this system, all officials of the ministry will be registering their arrivals in the morning and departure for the day,” said a senior ministry official.
According to a home ministry official, any employee who registers three late arrivals in a month will have a cut in her casual leave.
The employees are expected to reach office at 9 a.m. sharp, and put their index finger on the scanner, which will identify their fingerprint, flash their employee code and name and register their arrival. They will have to go through the same drill when leaving for the day at 5.30 p.m.

January 4, 2011

Why Biometrics?

Filed under: Access Control, attendance data, Biometrics, Office automation, Security — secuwatch @ 9:52 am
Biometrics comprises methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral traits. 

Biometrics Identification is the key word to security.

Biometrics technology is now widely accepted worldwide as the only means available for verification / authentication of an individual’s identity – be it fingerprints, hand geometry, face / iris / or voice recognition.

Hand geometry, along with fingerprints, is well established in the arena of Access Control and Time and Attendance, and is now easily accepted as a sure means of verification or identification and subsequent generation of data for further processing and reporting.

Face and Iris recognition technology is now deeply involved in the more serious business of identifying terrorists and outlaws, assisting in nabbing them whenever spotted by the systems being put in place at airports and other points of entry and exit from a country’s borders. Of course there is no denying the high rate of identifications made using AFIS based fingerprint systems, of criminals and convicts. Voice recognition technology has limited but purposeful uses right now and is being developed and should be freely available soon.

These Biometric Technologies are making it difficult for people to falsify or assume other people’s identities, enter areas forbidden to them or “buddy / proxy punch” for a colleague at work.

Tremendous opportunities have opened up for executing financial transactions over the internet, doing business or performing simple tasks over LAN / WAN / intranet.

All these require a positive authentication of people. Addition of Biometrics will strengthen PKI certification. Withdrawing cash from ATMs can be secured using small low cost fingerprint devices making PIN redundant as also reduce insurance costs. Safe deposit vaults can be made more secure using biometric devices.

Medical Insurance and Social welfare schemes are prone to fraud. Biometrics can save the companies and the state millions, using simple application software.

Access control systems alone do not meet today’s security requirements. There is a need for a comprehensive solution which would include verification of employee’s / visitor’s ID, surveillance using C.C.T.V. systems with recording facilities, and perimeter security using robust electric power fencing which works on the principles of DETER, DETECT, DENY AND DELAY intrusions.

December 29, 2010

Biometric Time Attendance System is a Need for Indian Government Offices

Filed under: Access Control, Attendance system AHMEDABAD, Biometrics — secuwatch @ 7:44 am

Government offices in India were infamous, and continue to remain so. It is the hub of corruption! The case of I P Venkataraman serves an example. He was arrested by Central Bureau of investigation (CBI) for working full-time as a senior official for both India’s federal government and Karnataka state government. He managed both the jobs and was also promoted in them. He attended both the offices irregularly, both situated in the same city. This is symbolic of the work culture in government offices in India. Government officers lack time keeping abilities. Late coming, longer breaks, unnecessary leaves are a part of the daily life of an ordinary civil servant in India.

Face recognition time attendance system can bring down this problem to a considerable extent. Most of the modern government offices have the traditional paper-based time attendance system. Employees mark their in-time and out-time on a sheet of paper. A supervisor approves the recorded detail. This manual process of attendance keeping is time consuming and prone to error. It can be easily manipulated leaving room for corruption. A biometric time attendance can prevent malpractices related to attendance in a government office. Face recognition time attendance has the following benefit that makes it reliable as compared to the attendance sheet of paper:

* Government of India works for the development of the physically disabled in a number of ways. Job reservations are made in government offices for the disabled. A face recognition time attendance will enable them to record daily attendance details without any contact with the attendance keeping system.

* A working day consists of eight hours. Biometric time attendance will help adhering to this schedule. Automated system ensures correct record keeping of attendance in a government office. Late arrivals, leaves and breaks will be calculated systematically.

* The traditional attendance keeping may only require the employee to mark on a piece of paper. Even if the employee is absent, a friend can mark on his behalf and the absentee remains undetected. However, a face recognition time attendance will eliminate this problem.

The Ministry of Home Affairs and Atomic Energy Installation has a biometric time attendance installed in its premises. Other central government institutions are also expected to follow this trend. State governments have also installed biometric time attendance system to achieve better results. Gujarat state government resorted to this system to prevent absenteeism amongst teachers in tribal areas. This will eventually reduce drop-out rates in primary schools. Karnataka State Pollution Control Board employed biometric time attendance system to improve punctuality amongst the staff.

The need of a government office is different from a commercial office. Similarly, the benefit of a face recognition system in a government office is different from that of a commercial office. It helps in preventing identity fraud. Government offices have more data to hide. Leakage of sensitive information can be reduced with this tool. Besides, a face recognition time attendance will work as a whistleblower in the offices. Government offices in India are desperately in need of an image make-over. A biometric time attendance with face recognition will help in this regard.


December 28, 2010

Use a Biometric Time Clock For Your Business

For your business, nothing is more important than the proper management of time. When you’re able to accurately measure when your workers clock into work, you can easily distribute payroll and balance the books. It’s a given, then, that a dependable method for recording hours is used to ensure you do not over or underpay your staff, and that you’re able to keep track of employee time in your company. Installing biometric time clock software and hardware is a great step to take in making your business run smoothly.

Why should you use a biometric time clock? A good biometric terminal comes equipped with high-tech software that integrates into your internal systems, and includes features like finger scanning or card reading capabilities for precise records. Depending on the size of your business, you can have one or more terminals installed at a reasonable price, and the benefits will definitely save you money in the long run.

Convenience – Many punch clock companies offer different styles for your use. Wall-mount and handheld devices can be installed, and are useful if your employees work off-site. A worker can connect to work via a phone or other device.

Accuracy – The software provided can offer you real-time employee reports for concise payroll records. The biometric technology takes the guesswork out of scheduling.

Stability – Guaranteed hardware and components help eliminate time clock fraud. With fingerprint scans, for example, you can greatly decrease the chance of that happening.

User-Friendly – Find a system that is easy to install, easy to use, so that your workflow is uninterrupted.

For smooth transition to a better format for payroll and accounting, try a biometric time or punch clock for your business.

August 14, 2008

Cyber cafes to be monitored in India

Indian police places biometric systems and CCTV in more than 150 cyber cafes in order to catch cyber criminals in the act

The growing threat from criminals and fraudsters who use cyber cafes has been getting out of control in many parts of the world, but authorities in India have come up with a unique system which they are looking to trial very soon. The system uses a mixture of biometrics to take thumb prints as users log on, live photographs, and the user’s name and address records to keep track of who is using workstations, and more importantly, when. The Indian Police recently organized a demonstration of the system to more than 150 cyber cafe owners and while it went down fairly well, there are some concerns about privacy. Many cyber cafe owners are aware that some users will log on to view sites of an adult nature, but it is more the criminals and the fraudsters who are the target of the authorities. A number of cafe owners, however, are concerned about the creeping “big brother is watching” scenario, something which some say has long gone beyond the Indian stage in the United Kingdom.

Cyber crime is a growing business around the world but catching the criminals in the act is proving more and more difficult. While this latest move in India has prompted some concerns it seems likely that some kind of compromise will be reached in the end. 


August 12, 2008

Leading player in Attendance, Access, CCTV, Fire Safety Solutions industry



October 8, 2007

Fingerprint Authentication – The Time Has Finally Arrived

There are several techniques that can be applied for verifying and confirming a user’s identity. They can be broadly classified as something the user knows, such as a password or PIN; something the user has, such as a smart card or ATM card; and something that’s part of the user, such as a fingerprint or iris. The strongest authentication involves a combination of all three. The technology used for identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice or handwriting is called Biometrics.

It has been more than 15 years since the introduction of commercial fingerprint authentication systems. Yet they are just now gaining broad acceptance. We should not be surprised. Many technologies required several years before the right combination of factors allowed them to become ubiquitous. If one looks back to laptop computers, cell phones, fax machines, pagers, laser printers and countless other everyday devices, one will realize most had long gestation periods. Biometrics is now at the acceptance crossroads. What will propel them into common usage?

September 27, 2007

High Level Security Using Biometric – Fingerprint Access Control with Video phone

Biometric-based applications promise to resolve numerous security hazards. As a method of preserving privacy and the security of sensitive information, biometrics has been studied and used for the past few decades. The fingerprint is one of the most widely used biometrics, and a number of fingerprint verification approaches have been proposed so far. However, fingerprint images acquired with current fingerprint input devices, which have a small field of view, cover only very limited areas of the whole fingertip. Essential information required to distinguish fingerprints can therefore be missed or extracted falsely. Only limited and somewhat distorted information is detected from such images, which can reduce the accuracy of fingerprint verification systems. In systems that verify whether two fingerprints match using fingerprint features, it is critical to extract the correct feature information. To deal with these problems, the imperfect information can be compensated for by using multiple impressions of the enrollee’s fingerprints.


We at eSSL believe our solutions are among the best in the industry. A special emphasis of our company’s vision is the utilization of advanced biometric technology to increase the security of our clients’ homes, workplaces, networks and data. The small and medium business environments make up the bulk of the Indian economy and their security is fundamental to the defense of our national financial system. Effective solutions must offer increased security of data, networks and access to facilities while maintaining personal privacy.

Access Control 101

Filed under: Access Control, Technology — secuwatch @ 4:33 am

Access control is the process by which users are identified and granted certain privileges to information, systems, or resources. Understanding the basics of access control is fundamental to understanding how to manage proper disclosure of information.

Access Control Overview

Controlling how network resources are accessed is paramount to protecting private and confidential information from unauthorized users. The types of access control mechanisms available for information technology initiatives today continue to increase at a breakneck pace. Most access control methodologies are based on the same underlying principles. If you understand the underlying concepts and principles, you can apply this understanding to new products and technologies and shorten the learning curve so you can keep pace with new technology initiatives.

Access control devices properly identify people, and verify their identity through an authentication process so they can be held accountable for their actions. Good access control systems record and timestamp all communications and transactions so that access to systems and information can be audited at later dates.

Reputable access control systems all provide authentication, authorization, and administration. Authentication is a process in which users are challenged for identity credentials so that it is possible to verify that they are who they say they are. Once a user has been authenticated, authorization determines what resources a user is allowed to access. A user can be authenticated to a network domain, but only be authorized to access one system or file within that domain. Administration refers to the ability to add, delete, and modify user accounts and user account privileges.

Access Control Objectives

The primary objective of access control is to preserve and protect the confidentiality, integrity, and availability of information, systems, and resources. Many people confuse confidentiality with integrity. Confidentiality refers to the assurance that only authorized individuals are able to view and access data and systems. Integrity refers to protecting the data from unauthorized modification. You can have confidentiality without integrity and vice versa. It’s important that only the right people have access to the data, but it’s also important that the data is the right data, and not data that has been modified either accidentally or on purpose.

Availability is certainly less confusing than confidentiality or integrity. While data and resources need to be secure, they also need to be accessible and available in a timely manner. If you have to open 10 locked safes to obtain a piece of data, the data is not very available in a timely fashion. While availability may seem obvious, it is important to acknowledge that it is a goal so that security is not overdone to the point where the data is of no use to anyone.

Types of Access Control

Discretionary access control systems allow the owner of the information to decide who can read, write, and execute a particular file or service. When users create and modify files in their own home directories, their ability to do this is because they have been granted discretionary access control over the files that they own. On end-user laptops and desktops, discretionary access control systems are prevalent.

Mandatory access control systems do not allow the creator of the information to govern who can access it or modify data. Administrators and overseeing authorities pre-determine who can access and modify data, systems, and resources. Mandatory access control systems are commonly used in military installations, financial institutions, and, because of the new HIPAA privacy laws, in medical institutions as well.

Role-based access control systems allow users to access systems, information, and resources based on their role within the organization. Role-based access can be applied to groups of people or individuals. For example, you can allow everyone in a group named sysadmin access to privileged resources.

Rule-based access control systems allow users to access systems and information based on pre-determined and configured rules. Rules can be established that allow access to all end-users coming from a particular domain, host, network, or IP addresses. If an employee changes their role within the organization, their existing authentication credentials remain in effect and do not need to be re-configured. Using rules in conjunction with roles adds greater flexibility because rules can be applied to people, as well as devices.
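The role and rule checks described above, combined in one default-deny decision function with a timestamped audit trail, as an added example that is not part of the original article. The user names, role grants, resource name and networks are constructed for illustration.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample policy (hypothetical names and networks).
ROLE_MEMBERS = {"sysadmin": {"asha", "ravi"}, "hr": {"meena"}}
ROLE_GRANTS = {
    "sysadmin": {("attendance-server", "read"), ("attendance-server", "configure")},
    "hr": {("attendance-server", "read")},
}
# Rules constrain where a request may come from, independent of who sends it.
RULES = [
    {"resource": "attendance-server", "action": "configure",
     "allow_from": ["10.0.5.0/24"]},   # admin workstations only
    {"resource": "attendance-server", "action": "read",
     "allow_from": ["10.0.0.0/16"]},   # anywhere on the office network
]
AUDIT_LOG = []  # every decision is recorded, allowed or not


def roles_of(user):
    """Return the set of roles the user currently belongs to."""
    return {role for role, members in ROLE_MEMBERS.items() if user in members}


def rule_allows(resource, action, source_ip):
    """True if some rule for (resource, action) permits the source address."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # unparseable address never matches a rule
    for rule in RULES:
        if (rule["resource"], rule["action"]) != (resource, action):
            continue
        if any(addr in ipaddress.ip_network(net) for net in rule["allow_from"]):
            return True
    return False


def authorize(user, resource, action, source_ip, now=None):
    """Allow only if a role grants the action AND a rule permits the source."""
    granting = sorted(r for r in roles_of(user)
                      if (resource, action) in ROLE_GRANTS.get(r, set()))
    if not granting:
        decision, reason = "deny", "no role grants this action"
    elif not rule_allows(resource, action, source_ip):
        decision, reason = "deny", "source address not permitted by rule"
    else:
        decision, reason = "allow", "role " + granting[0]
    AUDIT_LOG.append({
        "time": (now or datetime.now(timezone.utc)).isoformat(),
        "user": user, "resource": resource, "action": action,
        "source_ip": source_ip, "decision": decision, "reason": reason,
    })
    return decision == "allow"


if __name__ == "__main__":
    authorize("meena", "attendance-server", "read", "10.0.9.20")
    authorize("asha", "attendance-server", "configure", "10.0.9.20")
    # Role change: only the membership table is edited, not the credentials.
    ROLE_MEMBERS["hr"].discard("meena")
    ROLE_MEMBERS["sysadmin"].add("meena")
    authorize("meena", "attendance-server", "configure", "10.0.5.7")
    for entry in AUDIT_LOG:
        print(entry)
```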

Access Control Technologies

There are different types of access control technologies that can all be used to build enterprise access solutions. Tokens, smart cards, encrypted keys, and passwords are some of the more popular access control technologies.

Biometric devices authenticate users to access control systems through some sort of personal identifier such as a fingerprint, voiceprint, iris scan, retina scan, facial scan, or signature dynamics. The nice thing about using biometrics is that end-users do not lose or misplace their personal identifier. It’s hard to leave your fingers at home. However, biometrics have not caught on as fast as originally anticipated due to the false positives and false negatives that are common when using biometric technologies.

Smart cards are plastic cards that have integrated circuits or storage receptacles embedded in them. Smart cards with integrated circuits that can execute transactions are often referred to as “active” smart cards. Cards with memory receptacles that simply store information (such as your bank ATM card) are referred to as “passive.” Whether or not a memory card is a type of smart card depends on who you ask and what marketing material you are reading. Used to authenticate users to domains, systems, and networks, smart cards offer two-factor authentication — something a user has, and something a user knows. The card is what the user has, and the personal identification number (PIN) is what the person knows.

A token is a handheld device that has a built-in challenge response scheme that authenticates with an enterprise server. Today’s leading tokens typically use time-based challenge and response algorithms that constantly change and expire after a certain length of time, e.g., one minute. Like smart cards, tokens use two-factor authentication. However, unlike smart cards, the two-factor authentication is constantly changing based on timed intervals — therefore, when a password is entered, it cannot be reused, even if someone sniffing the wire detected it in transit.

Encrypted keys are mathematical algorithms that are used to secure confidential information and verify the authenticity of the people sending and receiving the information. Standards for encrypted keys have been created to make sure that security requirements are taken into account, and to allow technologies made by different vendors to work together. The most widely used standard for encrypted keys is called X.509 digital certificates. Using digital certificates allows you to stipulate who can access and view the information you are encrypting with the key.

Passwords are used for access control more than any other type of solution because they are easy to implement and are extremely versatile. On information technology systems, passwords can be used to write-protect documents, files, directories, and to allow access to systems and resources. The downside to using passwords is that they are among the weakest of the access control technologies that can be implemented. There are numerous password-cracking utilities out on the Internet — some of which are freeware and some of which are licensed professional products. If a hacker downloads an encrypted password file, or a write-protected document with password protection, they can run the password file or document through a password cracking utility, obtain the password, and then either enter the system using a legitimate user’s account or modify the write-protected document by inserting the correct password when prompted. By using a protocol analyzer, hackers can “sniff” the network traffic on the wire and obtain passwords in plaintext rather easily.

However, in spite of the risks in using passwords, they are still commonly used the world over with the assumption that taking the trouble to violate password protections would not be worth the time and effort. If passwords are used, it is recommended that mixed-case passwords with both numeric and alphabet characters are used, since these types of passwords are more difficult for password cracking tools to crack. Passwords with names and real words in them are easiest to crack. Good password choices look like this:

  • 1bHkL0m8
  • a9T4j7uU
  • 7VbbsT10
  • gL4lJT3m
  • koO521qW

Poor password choices look like this:

  • Billsmith
  • Troutfishing
  • Jessica
  • NewYorkOffice
  • Surfdude

While stronger access control systems are clearly available, password models are not going to go away anytime soon. Some organizations routinely run password crackers on end-user accounts to check if end-users are using easy-to-guess passwords, or more secure password choices. As long as passwords are being used, they should be managed through routine audits, and expired according to a pre-determined schedule.
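As an added example (not part of the original article), the check below applies the article's own criteria when a password is set: mixed case, at least one digit, and no embedded names or real words. The word list is a small constructed sample; a real audit would load a full dictionary and name list.

```python
# Constructed mini word list for illustration only.
WORDLIST = {
    "bill", "smith", "trout", "fishing", "jessica", "york",
    "office", "surf", "dude", "password",
}


def weaknesses(password, wordlist=WORDLIST):
    """Return the reasons a password fails the article's criteria ([] if none)."""
    reasons = []
    if not any(c.islower() for c in password):
        reasons.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        reasons.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        reasons.append("no digit")
    # Names and real words are matched case-insensitively anywhere in the
    # password, so "NewYorkOffice" is caught even though it mixes case.
    lowered = password.lower()
    for word in sorted(wordlist):
        if len(word) >= 4 and word in lowered:
            reasons.append("contains word: " + word)
    return reasons


def audit(passwords, wordlist=WORDLIST):
    """Map each weak password to its reasons; strong ones are omitted."""
    report = {}
    for pw in passwords:
        reasons = weaknesses(pw, wordlist)
        if reasons:
            report[pw] = reasons
    return report
```

Character-class rules alone are not sufficient: "Password1" has mixed case and a digit, and is rejected only by the word check.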

A Word to the Wise

Understanding the basics of access controls is good preparation for a variety of information technology initiatives including:

  • Shopping for new access control products
  • Developing an information security budget
  • Writing access control and authentication security policies
  • Evaluating and deploying single sign-on technologies
  • Configuring authentication services
  • Architecting data classification schemes
  • Preparing to perform an information technology audit
  • Getting ready for certification and accreditation initiatives

All organizations should have their access control configurations and policies well documented and available for upper management review. Keep in mind that access control configurations and policies would by their very nature contain sensitive information, so the documentation should be stored securely, and its access should be monitored.
