Trusted Space: Layered security

CC&M's Trusted Space has most of the same functionality as SAFsolution, but there are several key differences. Trusted Space, which is also HIPAA-certified, is primarily deployed in health care institutions, and although SAFLink also has health care customers, Trusted Space has a couple of features tailored to a health care environment that the SAFLink product does not have.

The most significant difference between the two products is their system architecture. Although SAFsolution extends and integrates with Active Directory, Trusted Space uses a separate database server to store the biometric template data.

One advantage of this architecture is that sensitive information (such as application IDs, passwords and auditing information) is stored separately and at a deeper, less exposed level. What's more, in the event of a directory crash, the data would still be intact. This system, however, is not as convenient as SAFLink's integrated system, and it incurs extra costs, both for purchasing the server and for the administration required to maintain it. This architecture requires synchronization software to ensure that data on the Trusted Space database agrees with data in the network directory structure.

The directory integration software comprises three data synchronization modules. The Push Module pushes real-time data updates from the Trusted Space database to the network directory structure, while the Pull Module pulls data from the directory structure into the Trusted Space database. For example, if a user name is changed in one location, it will be pushed or pulled to the other location so the information remains consistent.

Finally, the Synchronization Module allows administrators to schedule batch data comparisons at specific times. This confirms that all data is synchronized between the directory structure and the Trusted Space database.
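The kind of batch comparison described above can be sketched as follows. This is an added example, not CC&M's code or part of the original review; the record layout, field names and finding labels are assumptions, and all sample records are constructed.

```python
# Added example: batch comparison of directory accounts against a separate
# credential database. Field names and records are constructed assumptions.

DIRECTORY = {  # constructed directory export: login ID -> attributes
    "jsmith": {"display_name": "Jane Smith", "enabled": True},
    "rlee": {"display_name": "Robert Lee", "enabled": False},
    "mgarcia": {"display_name": "Maria Garcia-Lopez", "enabled": True},
    "tnguyen": {"display_name": "Tom Nguyen", "enabled": True},
}

BIOMETRIC_DB = {  # constructed database rows: login ID -> attributes
    "jsmith": {"display_name": "Jane Smith", "has_template": True},
    "rlee": {"display_name": "Robert Lee", "has_template": True},
    "mgarcia": {"display_name": "Maria Garcia", "has_template": True},
    "kpatel": {"display_name": "Kiran Patel", "has_template": True},
}


def compare(directory, database):
    """Return a sorted list of (login_id, finding) drift records."""
    findings = []
    for login in sorted(set(directory) | set(database)):
        d, b = directory.get(login), database.get(login)
        if d is None:
            # Template survives for an account the directory no longer has.
            findings.append((login, "orphaned_in_database"))
        elif b is None:
            # Directory account has no row in the database yet.
            findings.append((login, "missing_from_database"))
        else:
            if d["display_name"] != b["display_name"]:
                # A rename reached one store but not the other.
                findings.append((login, "name_mismatch"))
            if not d["enabled"] and b["has_template"]:
                # Disabled in the directory but still enrolled.
                findings.append((login, "disabled_but_enrolled"))
    return findings


if __name__ == "__main__":
    for login, finding in compare(DIRECTORY, BIOMETRIC_DB):
        print(f"{login}: {finding}")
```

For an administrator, the orphaned and disabled-but-enrolled findings are the ones to review first, since they mark credentials that outlived the directory account they belong to.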

Trusted Space can integrate with any network environment that uses common directory structures such as Microsoft Active Directory, Windows NT directory structures and Novell Inc. LDAP directory structures.

The Trusted Space database server can use Microsoft SQL Server 7.0 or SQL Server 2000 and can be deployed in a single or clustered environment.

Biometric authentication

Like SAFsolution, Trusted Space uses verification to authenticate users. The log-in process is based on what CC&M calls a primary device concept. When a user presents a log-in ID, the software searches for biometric devices installed on that workstation. If the user's primary device is present, the system prompts for that biometric token. But if the primary device is not present, the system automatically prompts the user for a password.

This functionality could be useful in a health care environment, in which users regularly log in to different machines and different workstations have different biometrics installed, such as fingerprint scanners in one location and iris scanners in a department in which users wear gloves. According to CC&M, this also allows sites to implement biometrics in phases.

Trusted Space is compatible with HA-API devices but not BioAPI devices. Because HA-API is now a subset of BioAPI, only devices that support both standards can be used.

Virtual sessions

Trusted Space's feature set differs from SAFsolution's in several areas. It does not have features such as disconnected log-in, self-enroll, a practice tutorial and fast log-in.

But it does offer two features optimal for health care environments that SAFsolution does not have. The first is session management, which allows different users to securely access public workstations while retaining individual user-based information and application sessions. In other words, the system recognizes distinct sessions and applications on the workstation so multiple people can use it at once but continue their individual work.

These virtual sessions are accessible through Trusted Space's biometric screen saver, which replaces the standard Windows screen saver. From the screen saver, a user can log off the system or log someone else off and then log in.

The second feature optimal for health care installations is the biometric time clock, which uses a biometric token to record working hours. The use of the biometric prevents time reporting fraud because no one else can imitate someone's biometric.

The clock is also equipped to handle exception cases, such as when a user clocks in but forgets to clock out. Upon the next log-in, the clock checks how many hours have passed since the last clock-in and notifies the user if the clock-out was missed. The system can then automatically send a message to the payroll department notifying them, and the user also receives a notification message.

Trusted Space includes integrated single sign-on functionality, accessible through the software's shell mode feature. When operating in shell mode, users have only a Trusted Space toolbar on the screen, and available applications are accessible from this toolbar. This feature allows restricted but audited access for system users and prevents system configuration changes.

Reporting methods also differ between the two products. Although SAFsolution uses Microsoft Event Viewer for reports, Trusted Space has separate reports based on Crystal Reports. Both systems allow administrators to create custom reports.

Trusted Space offers multiple levels of administrator access for ease of maintenance in large organizations. Rights range from allowing a designated administrator to enroll a new user to allowing administrator permissions required to update systemwide configurations.



Trusted Space

Computer Consultants and Merchants Inc.
(800) 274-0545

Typical user licensing for Trusted Space ranges from $100 to $150 per seat before discounts. The separate server and database platform costs extra (pricing varies) and can be purchased independently or through Computer Consultants and Merchants Inc.

Trusted Space was designed for health care organizations, but it has been expanded to work in any network environment and not just those that employ Microsoft Corp.'s Active Directory. The product offers session management, which is ideal for public workstations. However, it requires a separate database server for storing biometric data, which increases costs and administration time but can offer greater security. It runs on Windows NT 4.0/2000/XP/2003 using Microsoft SQL Server 7.0 and SQL Server 2000 for the database, and on client computers running Windows 98 SE/Me and Windows NT 4.0/2000/XP.

We tested Trusted Space on a Dell Inc. PowerEdge 1400 running Windows 2000 Server loaded with both the client and database applications. The database was Microsoft SQL Server 2000.
