Trusted Space: Layered security
- By Michelle Speir
- Nov 02, 2003
CC&M's Trusted Space has most of the same functionality as SAFsolution, but there are several key differences. Trusted Space, which is also HIPAA-certified, is primarily deployed in health care institutions, and although SAFLink also has health care customers, Trusted Space has a couple of features tailored to a health care environment that the SAFLink product does not have.
The most significant difference between the two products is their system architecture. Whereas SAFsolution extends and integrates with Active Directory, Trusted Space stores the biometric template data on a separate database server.
One advantage of this architecture is that sensitive information such as application IDs, passwords and auditing information is kept apart from the directory, so a compromise of the directory does not by itself expose it; the flip side is that the database server becomes a second high-value system that must be hardened, patched and monitored. What's more, in the event of a directory crash, the biometric data would still be intact. The separate store is not as convenient as SAFLink's integrated system, and it incurs extra costs, both for purchasing the server and for the administration required to maintain it. It also requires synchronization software to ensure that data in the Trusted Space database agrees with data in the network directory.
The directory integration software comprises three data synchronization modules. The Push Module pushes real-time data updates from the Trusted Space database to the network directory structure, while the Pull Module pulls data from the directory structure into the Trusted Space database. For example, if a user name is changed in one location, it will be pushed or pulled to the other location so the information remains consistent.
Finally, the Synchronization Module allows administrators to schedule batch data comparisons at specific times. This confirms that all data is synchronized between the directory structure and the Trusted Space database.
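The following is an added example, not CC&M's code, that models the three modules described above: Push and Pull each propagate one changed record in one direction, and the batch comparison walks every record in both stores. The record layout, the per-record "modified" timestamp, the newest-wins conflict rule and the decision to report (rather than re-create) records that exist only in the template database are all assumptions; the sample records are constructed.

```python
# Added example (not CC&M's code): a minimal model of the Push, Pull and
# Synchronization modules. Record layout, the "modified" timestamp and the
# newest-wins conflict rule are assumptions made for illustration.
import copy
from datetime import datetime, timezone


def _ts(hour):
    """Constructed timestamp helper: 2003-11-01 at the given hour, UTC."""
    return datetime(2003, 11, 1, hour, 0, tzinfo=timezone.utc)


# Constructed sample data: login ID -> attributes plus a last-modified timestamp.
DIRECTORY = {
    "jdoe": {"display_name": "Jane Doe", "modified": _ts(9)},
    "rroe": {"display_name": "R. Roe", "modified": _ts(7)},
}
TEMPLATE_DB = {
    "jdoe": {"display_name": "J. Doe", "modified": _ts(8)},
    "rroe": {"display_name": "Richard Roe", "modified": _ts(10)},
    "ghost": {"display_name": "Old Account", "modified": _ts(1)},  # deleted from directory
}


def push(template_db, directory, login):
    """Push Module: copy one record from the template DB to the directory."""
    directory[login] = dict(template_db[login])


def pull(directory, template_db, login):
    """Pull Module: copy one record from the directory to the template DB."""
    template_db[login] = dict(directory[login])


def batch_sync(directory, template_db):
    """Synchronization Module: compare every login in either store and reconcile.

    Returns a list of (action, login) pairs for the administrator's audit trail.
    A record present only in the template DB is reported as an orphan instead of
    being copied back: an enrolled template that outlives its directory account
    is precisely the kind of drift a batch comparison should surface.
    """
    actions = []
    for login in sorted(set(directory) | set(template_db)):
        d, t = directory.get(login), template_db.get(login)
        if d is None:
            actions.append(("orphan_template", login))
        elif t is None:
            pull(directory, template_db, login)
            actions.append(("pulled_new", login))
        elif d["display_name"] != t["display_name"]:
            if t["modified"] > d["modified"]:
                push(template_db, directory, login)
                actions.append(("pushed", login))
            else:
                pull(directory, template_db, login)
                actions.append(("pulled", login))
        else:
            actions.append(("in_sync", login))
    return actions


def demo():
    """Run the batch comparison on copies of the sample stores."""
    directory, template_db = copy.deepcopy(DIRECTORY), copy.deepcopy(TEMPLATE_DB)
    actions = batch_sync(directory, template_db)
    return actions, directory, template_db


if __name__ == "__main__":
    for action, login in demo()[0]:
        print(f"{action:16s} {login}")
```

Running `demo()` shows jdoe pulled from the directory (its copy is newer), rroe pushed from the template database, and ghost flagged as an orphan template for an administrator to remove.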
Trusted Space can integrate with any network environment that uses common directory structures such as Microsoft Active Directory, Windows NT directory structures and Novell Inc. LDAP directory structures.
The Trusted Space database server can use Microsoft SQL Server 7.0 or SQL Server 2000 and can be deployed in a single or clustered environment.
Like SAFsolution, Trusted Space uses verification (a one-to-one match against the claimed identity's template) to authenticate users. The log-in process is based on what CC&M calls a primary device concept. When a user presents a log-in ID, the software searches for biometric devices installed on that workstation. If the user's primary device is present, the system prompts for that biometric token. But if the primary device is not present, the system automatically prompts the user for a password. Note that this fallback means a user's authentication is only as strong as the password whenever the primary device is absent, so password policy still matters on sites that deploy biometrics.
This functionality could be useful in a health care environment, in which users regularly log in to different machines and different workstations have different biometrics installed, such as fingerprint scanners in one location and iris scanners in a department in which users wear gloves. According to CC&M, this also allows sites to implement biometrics in phases.
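The following is an added example, not CC&M's code, showing the primary device decision as a function over a workstation's device inventory, plus one hardening step the passage does not describe: an optional per-account flag that refuses the password fallback for sensitive accounts. The workstation inventory, device names, user record layout and the `require_biometric` flag are assumptions; the sample data is constructed.

```python
# Added example (not CC&M's code): the "primary device" log-in decision.
# Workstation inventory, device names and the require_biometric flag are
# assumptions made for illustration.
from dataclasses import dataclass


@dataclass
class User:
    login: str
    primary_device: str            # e.g. "fingerprint" or "iris"
    require_biometric: bool = False  # assumption: forbid password fallback


# Constructed inventory of which biometric readers each workstation has,
# reflecting a phased rollout: some locations have none yet.
WORKSTATIONS = {
    "ward-pc-01": {"fingerprint"},
    "or-pc-03": {"iris"},           # surgical suite: gloved users, iris only
    "reception-02": set(),          # not yet equipped
}


def choose_login_method(user, installed_devices):
    """Return the method the log-in prompt should use for this user here.

    ("biometric", device) when the user's primary device is attached,
    ("password", None) otherwise, or ("denied", None) when the account
    forbids the password fallback and no suitable device is present.
    """
    if user.primary_device in installed_devices:
        return ("biometric", user.primary_device)
    if user.require_biometric:
        return ("denied", None)
    return ("password", None)


def login_plan(user, workstation_name):
    """Look up the workstation's readers and return (method, device, audit_line)."""
    devices = WORKSTATIONS.get(workstation_name, set())
    method, device = choose_login_method(user, devices)
    # An audit line is worth keeping: password fallbacks should be visible
    # to whoever reviews log-ins, not silently accepted.
    audit = f"login user={user.login} host={workstation_name} method={method}"
    return method, device, audit


if __name__ == "__main__":
    nurse = User("nurse1", "fingerprint")
    surgeon = User("surg1", "iris", require_biometric=True)
    for u, host in [(nurse, "ward-pc-01"), (nurse, "or-pc-03"),
                    (surgeon, "or-pc-03"), (surgeon, "reception-02")]:
        print(login_plan(u, host)[2])
```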
Trusted Space is compatible with HA-API devices but not with BioAPI-only devices. Because HA-API has since been folded into BioAPI as a subset, in practice only devices whose drivers still expose the HA-API interface alongside BioAPI can be used.
Trusted Space's feature set differs from SAFsolution's in several areas. It does not have features such as disconnected log-in, self-enroll, a practice tutorial and fast log-in.
But it does offer two features suited to health care environments that SAFsolution does not have. The first is session management, which allows different users to securely access shared public workstations while retaining their individual user-based information and application sessions. In other words, the system keeps distinct sessions and applications on the workstation so that several people can share it over a shift, each returning to their own work.
These virtual sessions are accessible through Trusted Space's biometric screen saver, which replaces the standard Windows screen saver. From the screen saver, a user can log off the system or log someone else off and then log in.
The second feature suited to health care installations is the biometric time clock, which uses a biometric token to record working hours. Using the biometric deters time-reporting fraud such as clocking in on a colleague's behalf, because a biometric is far harder for someone else to present than a badge, card or PIN.
The clock is also equipped to handle exception cases, such as when a user clocks in but forgets to clock out. Upon the next log-in, the clock checks how many hours have passed since the last clock-in and notifies the user if the clock-out was missed. The system can then automatically send a message to the payroll department notifying them, and the user also receives a notification message.
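The following is an added example, not CC&M's code, implementing the missed clock-out check described above over constructed punch records: at the next log-in it finds the open clock-in, measures the elapsed time and decides whether the user and payroll should be notified. The 16-hour threshold, the event layout and the notification targets are assumptions.

```python
# Added example (not CC&M's code): detecting a missed clock-out at next log-in.
# The 16-hour threshold, event layout and notification targets are assumptions.
from datetime import datetime, timedelta

MAX_SHIFT = timedelta(hours=16)  # assumption: longer than any legitimate shift


def check_missed_clockout(events, now, max_shift=MAX_SHIFT):
    """Inspect one user's punch history at log-in time.

    events: list of (timestamp, "in" | "out"), oldest first.
    Returns None when the user is properly clocked out (or never clocked in);
    otherwise a dict with the open clock-in, hours elapsed and whether the
    elapsed time exceeds max_shift, which is treated as a missed clock-out.
    """
    open_since = None
    for ts, kind in events:
        if kind == "in":
            open_since = ts
        elif kind == "out":
            open_since = None
        else:
            raise ValueError(f"unknown punch type {kind!r}")
    if open_since is None:
        return None
    elapsed = now - open_since
    return {
        "clock_in": open_since,
        "elapsed_hours": round(elapsed.total_seconds() / 3600, 2),
        "missed_clockout": elapsed > max_shift,
    }


def notifications(result, user):
    """Who gets a message (assumption): the user on any open interval,
    payroll as well once the interval counts as a missed clock-out."""
    if result is None:
        return []
    targets = [f"user:{user}"]
    if result["missed_clockout"]:
        targets.append("payroll")
    return targets


# Constructed punch records for two users.
FORGOT = [(datetime(2003, 11, 1, 7, 0), "in")]                       # never clocked out
NORMAL = [(datetime(2003, 11, 1, 7, 0), "in"),
          (datetime(2003, 11, 1, 15, 30), "out")]
NEXT_LOGIN = datetime(2003, 11, 2, 9, 0)

if __name__ == "__main__":
    for name, events in [("alice", FORGOT), ("bob", NORMAL)]:
        result = check_missed_clockout(events, NEXT_LOGIN)
        print(name, result, notifications(result, name))
```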
Trusted Space includes integrated single sign-on functionality, accessible through the software's shell mode feature. When operating in shell mode, users have only a Trusted Space toolbar on the screen, and available applications are accessible from this toolbar. This feature allows restricted but audited access for system users and prevents system configuration changes.
Reporting methods also differ between the two products. Although SAFsolution uses Microsoft Event Viewer for reports, Trusted Space has separate reports based on Crystal Reports. Both systems allow administrators to create custom reports.
Trusted Space offers multiple levels of administrator access for ease of maintenance in large organizations. Rights range from letting a designated administrator enroll a new user to granting the permissions required to update systemwide configurations, so day-to-day enrollment need not be done with full administrative privilege.