Adding Biometrics to Enterprise Security Arsenal
Are biometrics ready for widespread deployment? What are the pros and cons of going with this security weapon?
Today, the world of enterprise security is increasingly incorporating biometric identifiers as an additional weapon within the security arsenal.
International Biometric Group, a New York City-based consulting firm, reports that the worldwide market for biometric devices grew 67 percent last year to reach $1.2 billion. And analysts there estimate a further expansion to $4.6 billion by 2008.
The largest share of that money (48 percent) goes for fingerprint recognition systems, followed by facial recognition (12 percent). While these two are the most popular, there are other methods that analyze a person's physical or dynamic characteristics. Physical biometric methodologies also look at:
''When looking at strong authentication, you want two out of three factors -- something you have, something you are and something you know,'' says Eric Oullet, vice president in Gartner, Inc's security research group.
While, eyes, hands and skin are commonly used as biometric identifiers, more dynamic methodologies also are being introduced, such as:
To keep performance high and storage requirements manageable, today's biometric technologies do not have to store or analyze a complete picture of the body part or the physical feature being used. Imagine the processing power that would be needed to store a high resolution picture of someone's face and then compare it with a live image pixel by pixel.
Instead, each method reduces the body part or activity to a few essential parameters and then codes the data, typically as a series of hash marks. For example, a facial recognition system may record only the shape of the nose and the distance between the eyes. That's all the data that needs to be recorded for an individual's passport, for example.
When that person comes through customs, the passport doesn't have to include all the data required to reproduce a full-color picture of the person. Yet, armed with a tiny dose of key biometric information, video equipment at the airport can tell whether the person's eyes are closer together or if his nose is slightly wider than the passport says they should be.
None of these biometric systems are infallible, of course, though the rates of false negatives and false positives have markedly improved. One of the problems with fingerprint readers, for instance, is that they couldn't distinguish between an actual fingerprint and the image of one. In the recent movie National Treasure, Nicholas Cage's character lifted someone's fingerprint off a champagne glass and used it to gain access to a vault. That is not pure fiction.
Japanese cryptographer Tsutomu Matsumoto lifted a fingerprint off a sheet of glass and, following a series of steps, created gelatin copies. He then tested these on 11 fingerprint readers and each accepted the gelatin prints.
Outside the lab, Malaysian thieves chopped the fingertip off a businessman and used it with the fingerprint reader on his Mercedes. But none of those methods would work with higher-end fingerprint readers.
''The latest fingerprint readers are incorporating more advanced features, such as making sure the finger is a certain temperature,'' says Ouellet. ''Everyone's hand is different, as some are consistently warm or cold. In addition, they can also check if there is a pulse and tell how much pressure is being applied.''
Such sophistication, however, has its drawbacks.
Authorized users may find themselves locked out even when the devices are working properly. Why? Tiny changes, due to accidents or injuries, can change a biometrics profile, rendering it effectively obsolete.
''The thing to keep in mind with any biometrics is that your ID does change over time,'' Ouellet says. ''If you cut your finger, your biometric may not be the same any more. Or your early morning voice is different than after talking for eight hours.''
Biometrics in the Enterprise
While biometric authentication certainly adds an extra layer of security, it would be a mistake to implement a high-end system and then feel that break ins instantly would be consigned to the history books. It takes back-end integration, constant vigilance and consistent user involvement to keep an enterprise secure.
''We feel security is a user issue and must go all the way to the desktop,'' says Stan Gatewood, chief information security officer at the University of Georgia, Athens. ''Our philosophy is to do defense in depth. We have a very layered architecture and assume that any layer will fail some day.''
The most popular biometric tool at the moment is the fingerprint reader. Some even use USB drives. And some keyboards and laptops come with them built in. These devices have come way down in price. As a standalone device, the unit price has dropped below $100. But, in an enterprise setting, that is just the start of the costs.
''Often, companies look at biometrics as being ultrasexy, cool technology, but they forget that there are integration issues,'' says Oullet.
IT departments have to ensure, for example, that back-end security systems can accommodate biometric authentication, and scale to the required number of users. Plus, if fingerprint readers are not incorporated into the laptop or desktop, it adds to the number of devices that need to be supported by IT.
There is little point, then, in adopting a stand-alone biometrics system that cannot easily be assimilated into the organization's existing security fabric.
''Security is no longer something you can address as an afterthought,'' says Brett Rushton, vice president of strategic services for network consulting firm Calence, Inc. in Tempe, Ariz. ''It needs to be built into the infrastructure to deal with pervasive threats.''
The good news is that the biometric authorization techniques are no longer so leading edge that they are difficult to marry with traditional security safeguards. Today's systems are well enough developed that they can be incorporated into enterprise systems without too much effort.
''A strong authentication system is what you want to focus on and biometrics can be part of it,'' says Oullet. ''But the user should still have to memorize something or have a token, and you need to make sure that polices and the management structure relating to it are firmly in place.''