SC Magazine interview: Selva Selvaratnam, CTO of HID Global
After two decades running his own business, he saw it taken over by HID Global, eventually becoming HID's senior vice president and chief technology officer. Paul Fisher met him.
How did you get into this business?
I came to the UK from India in the early 1980s. I did my PhD in Cardiff, set up my own firm, bench capital funded, in '85/'86, with a few people from the university. By 2004, I wanted to sell and HID acquired my business and I stayed on. So I've been in this business for 28 years. I've seen it evolve and change.
Tell us about HID and its history.
It's a US business that was acquired by Swedish lock-making conglomerate Assa Abloy in 2000. Our focus was physical access initially but as we merged with the ITG division of Assa Abloy we moved into the delivery of secure solutions.
We supply into the physical access world, the logical access world, PCs and secure identification devices for passports. We supply UK passport inlays, animal ID, industry and logistics type tagging. We tag beer kegs and waste bins, through manufacturing sites in Europe and the Far East. So we have a very, very wide portfolio.
How does your market break down?
In physical access, we have a dominant position, probably leaders in the field. In the e-government inlay market, we are number one or at least number two.
Growth areas are police, healthcare and education. These are all prime areas where identity and the management of identity are becoming more and more important. One of the key challenges is the convergence of requirements. Physical access used to be separate from logical access, but one of the converging points is the card – the ID you carry with you.
You were involved in the troubled NHS IT project. What's its future?
I didn't get into the politics of the situation, but the whole IT programme started on the footing of bringing all the systems together. What basically happened in the UK is there were a whole range of disparate systems that didn't talk to each other, and the first order of play was to bring these systems together and put one giant backbone in that medical professionals would use. So that was the starting point.
But we supplied the equipment for the desktop to allow access, so it was the front end of it. If you look at the hospital market globally, one of the things that comes through very clearly is that information is key and as people digitise, the card becomes the common point to not just patient records, but patient input.
The clipboard will be replaced by a tablet PC where patient information will be input electronically.
We also have something we call a clean room reader based on RFID technology that allows secure access to an operating room without touching a reader or card.
In surgery, they are beginning to tag sponges and surgical equipment etc, so they don't get left in patients.
We are all NHS patients in the UK: will we all have our own smartcard?
That's not the way the UK Government is going – it wants hospitals to maintain control over access to patient information, digital or not. Other countries such as Germany are developing a two-way system.
There we supply what we call an e-health reader. It's a double terminal that goes into GPs' offices and hospitals. Both the patient and the doctor have to agree they are going to look at the information, so they both present their cards and they are allowed information. Entitlement is stored on the card; you know what treatments you are entitled to. Germany is a step ahead here.
Are people wary of ID cards as signs of a Big Brother state?
Yes. There is a natural caution that comes from it. There is also a tendency to think personal details are stored in the card. They very rarely are. What's normally stored is entitlement and an ID, and the information is stored somewhere else.
So are your cards secure?
Yes, but security is a matter of layering. Security starts in multiple layers. So, you put in a layer of security on the card, then on the reader, then on the system, so there are multiple breaches that have to take place, because, as you know, there is no such thing as a completely secure card, if somebody is determined enough.
Risk-appropriate security is what we keep pushing: the more you pay, the more secure the card. There are cards that are much more secure than the old proximity cards. Any smartcard, any high frequency smartcard is more secure than a mag stripe reader, because the mag stripe card was so easy to copy.
Could I have a secure card shared by Barclays, Amazon etc that could also provide access to a car park, say?
That would be utopia. The card is capable of it. You could put 50 applications on a card if you wanted to.
The problems that come up are: who owns the card and who's going to pay to put it out there and what happens if the card is lost with multiple apps on it? It's like losing your mobile phone...
It is those things that are stopping this going forward. We are looking at card management services where HID and other vendors will say, 'look, we will manage the applications on it'.