Securing Content with System Authentication…
Certifications essentially comprise bodies of information that pertain to the skills, knowledge and techniques involved with particular job roles and technologies, and they exist to validate candidates’ comprehension of those topics. Thus, securing that data is central to the value of any certification program. Indeed, the importance of credentials has been on an ascendant curve as program managers have increasingly employed an array of effective strategies to defend the curricula.
There are many ways to do this, but three procedures in particular stand out.
One of the recurring problems with many IT certifications (we won’t name any names here) early on was the fact that there were no processes in place to verify the identities of test takers. It was about as hard for a fraudulent candidate to get into some of these exams as it was to drink on a fake ID in college. Here’s how it works. Someone will pay a “plant,” who is usually much better informed on the topic in question than the payer or might even be connected with either the program or the testing center, to sit through a test in his place. The plant will proceed to ace the test, and—voilà!—the financier is now MCCNPLPIW+ certified, and prepared to fake his way into a job that’s far above his head.
Fortunately, this problem has diminished significantly in the past few years, as program managers—in cooperation with testing centers—have implemented measures to prevent impostors from getting through the front door. Some of these methods have been fairly simple: for example, showing more than one piece of valid photo identification or distributing a personalized access code beforehand. Some of the larger, more in-demand certification programs out there have begun to explore options such as biometrics, which could verify candidates’ identities through fingerprints or even retinal scans, and smart cards that carry computer chips.
This approach actually applies to a couple of different aspects of certification. The first involves ensuring that the program attracts the desired audience, intellectually and ethically speaking. It also can refer to the kinds of resources they are permitted to use during the exam.
The former stems from the fact that some rather, shall we say, unsavory characters took certification exams in the past for reasons other than those intended by the programs’ designers. They might pass them or bomb them—not that it usually mattered. Their main objective was to get some or all of the questions or other subject-matter items, then pass them along to friends or distribute them to the masses over the Web. While this problem has not been entirely solved, it has been reduced by the addition of non-testing requirements, such as demonstrating a certain level of relevant industry experience or agreeing to adhere to a code of ethics devised by the program manager.
The second aspect relates to the proliferation of portable electronic devices—which also can be used as study aids—that can hold vast amounts of data (phones, watches, calculators, etc.). While some of these might be permissible, the fact is that test takers can use them not only to store questions and answers they might have gotten from a brain dump, but also to record the content of the exam as they take it. This is dealt with in part—though by no means perfectly—with systems that determine if the amount of time spent on a particular question was notably longer or shorter than the norm. Use extreme discretion when figuring out which of these devices are acceptable for the testing environment.
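The timing check described above, as an added example that is not part of the original article: it flags per-question response times far from the norm using a median/MAD modified z-score on log-seconds, a method chosen here for illustration. Candidate and question IDs, the timings and the 3.5 threshold are constructed assumptions.

```python
import math
import statistics

# Constructed sample: seconds each candidate spent on each question.
# Candidate and question identifiers are hypothetical.
TIMINGS = {
    "cand-01": {"Q1": 60, "Q2": 90, "Q3": 45},
    "cand-02": {"Q1": 66, "Q2": 100, "Q3": 50},
    "cand-03": {"Q1": 55, "Q2": 85, "Q3": 40},
    "cand-04": {"Q1": 72, "Q2": 110, "Q3": 48},
    "cand-05": {"Q1": 58, "Q2": 95, "Q3": 400},  # unusually slow on Q3
    "cand-06": {"Q1": 5, "Q2": 92, "Q3": 52},    # unusually fast on Q1
}


def flag_timing_outliers(timings, threshold=3.5):
    """Return (candidate, question, direction) for times far from the norm.

    The norm for each question is the median of log-seconds across all
    candidates; spread is the median absolute deviation (MAD), so a single
    extreme time does not distort the baseline it is judged against.
    """
    per_question = {}
    for cand, answers in timings.items():
        for question, secs in answers.items():
            if secs > 0:  # skip unanswered or corrupt records
                per_question.setdefault(question, []).append((cand, math.log(secs)))

    flags = []
    for question, rows in sorted(per_question.items()):
        logs = [value for _, value in rows]
        med = statistics.median(logs)
        mad = statistics.median(abs(value - med) for value in logs)
        if mad == 0:
            continue  # more than half the times are identical: no usable spread
        for cand, value in rows:
            score = 0.6745 * (value - med) / mad  # modified z-score
            if abs(score) > threshold:
                flags.append((cand, question, "fast" if score < 0 else "slow"))
    return flags


if __name__ == "__main__":
    for cand, question, direction in flag_timing_outliers(TIMINGS):
        print(f"{cand} {question}: notably {direction}, review the session")
```

A flag here is a prompt for a proctor or program manager to review the session, consistent with the article's point that timing analysis addresses the problem only in part.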
The rise of the computer-based test in certification has certainly been a boon, but has brought with it a new set of security issues as well. Servers in general can be—and regularly are—infiltrated by attacks from outsiders. And the frequent transfer of sensitive information between computers inherent in certification testing environments means that data can be compromised without effective defense mechanisms.
Of course, program managers can and often do turn to solutions like firewalls and intrusion detection and prevention systems to keep their content secure. However, one of the most helpful, simple and inexpensive ways to protect data is by encrypting it. This applies to confidential information sent to other locations, as well as files resting on servers and computers. Developing a formal policy around cryptography is highly advantageous for any credentialing program that relies on servers for critical information storage.
–Brian Summerfield, firstname.lastname@example.org