Biometrics & The Cloud: Testing the Waters

April 6, 2016 niroop

In the last decade, we have seen tremendous growth in the biometrics sector. The industry has shifted from catering exclusively to large corporations and government agencies to being a household commodity, freeing you from the trivial yet tedious task of unlocking your smartphone with a password. At the same time, we have seen cloud-based service offerings force a fundamental shift in how we operate our infrastructure, plan for growth, and absorb fluctuations in IT demand without driving up cost. Despite the rise of both of these technology trends, we have only recently started to see them cross each other’s thresholds. Whether you are a small business trying to manage physical access or a government agency concerned with identity management, this post explores strategies that range from testing the waters to taking the plunge, all while still protecting your data.

Testing the Waters

When working with biometrics, one of the first growth challenges to arise is the ever-expanding need for storage, particularly as new biometric modalities such as iris, face, palm vein, and scars, marks, and tattoos (SMT) are used to enhance matching capabilities by augmenting traditional biometrics such as fingerprints. A single identity or biometric encounter may now involve three fingerprint slap images, two iris images, and a number of facial images (matching accuracy increases with a larger number of samples). Depending on your biometric system, storing templates as well adds 10 template binaries for fingerprints, two for irises, and so on. If your system can tolerate the latency of reaching out to the cloud, offerings such as Amazon’s S3 object store service or Rackspace’s Cloud Files service can save you from repeatedly upgrading or expanding your SAN capacity. Keep in mind that these types of cloud services charge for data transmission as well as for data storage. If your biometric system frequently accesses a core set of biometrics and only occasionally accesses a larger set, a local cache model, which is addressed in the next section, can help mitigate the cost of data transmission from the cloud.

The easiest approach to integrating cloud storage with a new or existing biometric system is to abstract all biometric object (image and/or template) storage and retrieval operations behind a microservice, such as an independent, scalable REST web service interface. This makes it easy to add functionality that mitigates the risks associated with the cloud without impacting the rest of the system.

Using Microservices to Mitigate Cloud Risks

Constantly accessing data from the cloud incurs data transmission costs. One way to mitigate this is to encapsulate a caching framework behind your biometric storage microservice. The service caches its accesses to the cloud, either in an in-memory caching server such as Redis or Memcached, or on a local storage array. Retrieval requests are checked against the local cache first, and the service reaches out to the cloud only on a miss, all of which is invisible to the rest of the system. In most cases this is an effective strategy because there is typically an inverse relationship between the age of a biometric and how often it needs to be accessed.

Another common risk associated with cloud strategies involves data security. While some cloud storage services, such as Amazon S3, provide at-rest data encryption, not all do, and even then it is best to encrypt your data with your own keys before sending it to the cloud. This is another feature that can be built into a biometric storage service without impacting other areas of the system. The service should perform key management against a standard FIPS-compliant symmetric-key cryptographic module, encrypting data before writing it to the cloud and decrypting it on retrieval before serving it to the system.
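The encrypt-before-upload step described above, as an added example that is not code from the original post: the `Store` type, the object IDs and the in-memory map standing in for the cloud bucket are hypothetical, and AES-256-GCM from Go's standard library stands in for the FIPS-compliant module. It goes one step beyond the text by binding each object ID to its ciphertext, so a blob that is moved or altered in the bucket fails decryption instead of being served.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Store is a hypothetical biometric storage service; cloud stands in for the bucket.
type Store struct {
	aead  cipher.AEAD
	cloud map[string][]byte
}

// NewStore takes key bytes directly; a real service would get them from its key module.
func NewStore(key []byte) (*Store, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	return &Store{aead: aead, cloud: map[string][]byte{}}, err
}

// Put encrypts under our own key, with the object ID as associated data.
func (s *Store) Put(id string, plain []byte) error {
	nonce := make([]byte, s.aead.NonceSize()) // fresh random nonce per object
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	s.cloud[id] = s.aead.Seal(nonce, nonce, plain, []byte(id)) // nonce || ciphertext || tag
	return nil
}

// Get decrypts on retrieval and rejects blobs that were altered or stored under another ID.
func (s *Store) Get(id string) ([]byte, error) {
	blob, n := s.cloud[id], s.aead.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("missing or truncated object %q", id)
	}
	return s.aead.Open(nil, blob[:n], blob[n:], []byte(id))
}

func main() {
	s, _ := NewStore(make([]byte, 32)) // constructed all-zero demo key
	s.Put("subj-1/iris-L", []byte("constructed template"))
	out, err := s.Get("subj-1/iris-L")
	fmt.Printf("%s %v\n", out, err)
}
```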

Finally, unless you are implementing a new biometric system, you most likely have a lot of existing biometric data that needs to be migrated to the cloud. Building the as-needed, or gradual, migration of local biometric data into your biometric service allows the process to proceed with no impact on your system. The system requests a biometric from the service, and the service determines where it is currently located as part of the migration and serves it back, moving the data to the cloud if it was retrieved locally.