The Natural Security Alliance (NSA) – not to be confused with the National Security Agency – is a respected French organization that sets security standards for data protection in biometric security. Business-cloud.com reported that the NSA described itself as "the only place where banks, retailers and vendors collaborate to define the strong authentication standard for payment and secure transactions based on wireless communication and biometrics."
While a number of organizations claim the same thing, the NSA is a widely recognized group, which makes its recent press release all the more important. The NSA set biometric security guidelines for the protection of individuals' fingerprints and other unique physical identifiers.
Although the NSA is not the only authority in security compliance – the list of members excludes a few notable organizations across the world – the move is the first such acknowledgement by any regulator and could be a sign of things to come. If anything, the new requirements only strengthen the case for what is already the tightest data center security platform available. Any business with lingering doubts surrounding the efficacy of biometric technology would likely be satisfied with a seal of approval from the NSA showing that the physical IDs of staff are safely stored away.
Keep fingerprints away from the wrong hands
Because biometrics utilize physical characteristics rather than pass codes or key cards, they are a much more effective means of security. But some might be concerned about where and how those biometric tags are stored. That's because those physical characteristics could provide hackers with the right patterns to allow access to server cabinets or restricted areas.
According to the NSA press release, compliance with its regulations would require the data center to convert the raw fingerprint information into a template for storage and processing.
"At the enrollment, biometric data should not be stored within the enrollment station but only transmitted to the … device. Furthermore, the controller commits not to constitute a database with the biometric data," explained the NSA.
The storage must also take place in a secure environment so as to protect the template from loss, disclosure, intrusion or unauthorized access.
Proof of consent a new requirement
The NSA also set rules regarding consensual acquisition of biometric data. The person providing the fingerprint must do so willingly and also consent to the storage of that information, and the data center needs to be up front about who has access to the data and by what means.
"To ensure the biometric authentication is not executed unwittingly, [these] Privacy Rules highlight the active role of the user. … The controller commits that the authentication results from a voluntary gesture of the user who places either his/her finger or his/her hand on the reader. … Natural Security technology shall not be used to track the user without his/her prior consent," the NSA detailed in its press release.
These measures are likely the first step in a longer, broader movement to tighten biometric storage and usage regulations. More and more fingerprint readers and other biometric technologies are in use. Those patterns should be considered private information, just like bank accounts, passwords and social security numbers.
Fortunately, data centers with biometric access control should have no problem committing to the regulations – it is likely that many already implement them. It is in their best interest to ensure the fingerprints that provide security clearance are kept safe. Plus, compliance with the newest standards will give data centers' clients renewed confidence in their commitment to the best security measures on the market.