Establishing Digital Trust: Don't Sacrifice Security for Convenience
Today, the world of enterprise security is increasingly incorporating biometric identifiers as an additional weapon within the security arsenal.
International Biometric Group, a New York City-based consulting firm, reports that the worldwide market for biometric devices grew 67 percent last year to reach $1.2 billion. And analysts there estimate a further expansion to $4.6 billion by 2008.
The largest share of that money (48 percent) goes for fingerprint recognition systems, followed by facial recognition (12 percent). While these two are the most popular, there are other methods that analyze a person's physical or dynamic characteristics. Physical biometric methodologies also look at:
''When looking at strong authentication, you want two out of three factors -- something you have, something you are and something you know,'' says Eric Ouellet, vice president in Gartner, Inc.'s security research group.
While eyes, hands and skin are commonly used as biometric identifiers, more dynamic methodologies also are being introduced, such as:
To keep performance high and storage requirements manageable, today's biometric technologies do not have to store or analyze a complete picture of the body part or the physical feature being used. Imagine the processing power that would be needed to store a high resolution picture of someone's face and then compare it with a live image pixel by pixel.
Instead, each method reduces the body part or activity to a few essential parameters and then codes the data, typically as a series of hash marks. For example, a facial recognition system may record only the shape of the nose and the distance between the eyes. That's all the data that needs to be recorded for an individual's passport.
When that person comes through customs, the passport doesn't have to include all the data required to reproduce a full-color picture of the person. Yet, armed with a tiny dose of key biometric information, video equipment at the airport can tell whether the person's eyes are closer together or if his nose is slightly wider than the passport says they should be.
None of these biometric systems are infallible, of course, though the rates of false negatives and false positives have markedly improved. One of the problems with fingerprint readers, for instance, is that they couldn't distinguish between an actual fingerprint and the image of one. In the recent movie National Treasure, Nicolas Cage's character lifted someone's fingerprint off a champagne glass and used it to gain access to a vault. That is not pure fiction.
Japanese cryptographer Tsutomu Matsumoto lifted a fingerprint off a sheet of glass and, following a series of steps, created gelatin copies. He then tested these on 11 fingerprint readers and each accepted the gelatin prints.
Outside the lab, Malaysian thieves chopped the fingertip off a businessman and used it with the fingerprint reader on his Mercedes. But none of those methods would work with higher-end fingerprint readers.
''The latest fingerprint readers are incorporating more advanced features, such as making sure the finger is a certain temperature,'' says Ouellet. ''Everyone's hand is different, as some are consistently warm or cold. In addition, they can also check if there is a pulse and tell how much pressure is being applied.''
Such sophistication, however, has its drawbacks.
Authorized users may find themselves locked out even when the devices are working properly. Why? Tiny changes, due to accidents or injuries, can change a biometrics profile, rendering it effectively obsolete.
''The thing to keep in mind with any biometrics is that your ID does change over time,'' Ouellet says. ''If you cut your finger, your biometric may not be the same any more. Or your early morning voice is different than after talking for eight hours.''
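The template comparison described above, and the way a changed feature forces a choice between locking out the real user and admitting a look-alike, can be seen in a short added example (not from the original article). The feature names, measurements, distance measure and thresholds are all constructed assumptions, not any vendor's algorithm.

```python
from math import sqrt

# Constructed template: a few measured parameters (mm), not a full image.
ENROLLED = {"eye_distance": 63.0, "nose_width": 35.0, "nose_length": 50.0}

def distance(template, sample):
    """Root-mean-square relative difference between template and live sample."""
    diffs = [(sample[k] - v) / v for k, v in template.items()]
    return sqrt(sum(d * d for d in diffs) / len(diffs))

def matches(template, sample, threshold):
    return distance(template, sample) <= threshold

def error_rates(template, genuine, impostors, threshold):
    """Return (false_reject_rate, false_accept_rate) at one threshold."""
    frr = sum(not matches(template, s, threshold) for s in genuine) / len(genuine)
    far = sum(matches(template, s, threshold) for s in impostors) / len(impostors)
    return frr, far

def authenticate(sample, has_token, knows_pin, threshold):
    """Two-of-three policy: biometric match, token, memorized secret."""
    factors = [matches(ENROLLED, sample, threshold), has_token, knows_pin]
    return sum(factors) >= 2

# Constructed captures of the enrolled person: sensor noise, plus one
# taken after the feature itself changed (hypothetical swelling).
GENUINE = [
    {"eye_distance": 63.4, "nose_width": 34.8, "nose_length": 50.3},
    {"eye_distance": 62.7, "nose_width": 35.5, "nose_length": 49.6},
    {"eye_distance": 63.1, "nose_width": 37.8, "nose_length": 50.1},  # drifted
]
# Constructed captures of other people; the second is a near look-alike.
IMPOSTORS = [
    {"eye_distance": 60.0, "nose_width": 38.0, "nose_length": 47.0},
    {"eye_distance": 64.0, "nose_width": 36.2, "nose_length": 51.0},
    {"eye_distance": 68.0, "nose_width": 33.0, "nose_length": 54.0},
]

if __name__ == "__main__":
    for threshold in (0.02, 0.05):  # strict, then loosened to admit drift
        frr, far = error_rates(ENROLLED, GENUINE, IMPOSTORS, threshold)
        print(f"threshold={threshold}: FRR={frr:.2f} FAR={far:.2f}")
    # Look-alike passes the loose biometric check but has no second factor.
    print(authenticate(IMPOSTORS[1], False, False, 0.05))
```

At the strict threshold the drifted capture is rejected; at the loose one it is accepted but so is the look-alike, which is why the second factor still matters.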
Biometrics in the Enterprise
While biometric authentication certainly adds an extra layer of security, it would be a mistake to implement a high-end system and then feel that break-ins would instantly be consigned to the history books. It takes back-end integration, constant vigilance and consistent user involvement to keep an enterprise secure.
''We feel security is a user issue and must go all the way to the desktop,'' says Stan Gatewood, chief information security officer at the University of Georgia, Athens. ''Our philosophy is to do defense in depth. We have a very layered architecture and assume that any layer will fail some day.''
The most popular biometric tool at the moment is the fingerprint reader. Some even use USB drives. And some keyboards and laptops come with them built in. These devices have come way down in price. As a standalone device, the unit price has dropped below $100. But, in an enterprise setting, that is just the start of the costs.
''Often, companies look at biometrics as being ultrasexy, cool technology, but they forget that there are integration issues,'' says Ouellet.
IT departments have to ensure, for example, that back-end security systems can accommodate biometric authentication, and scale to the required number of users. Plus, if fingerprint readers are not incorporated into the laptop or desktop, it adds to the number of devices that need to be supported by IT.
There is little point, then, in adopting a stand-alone biometrics system that cannot easily be assimilated into the organization's existing security fabric.
''Security is no longer something you can address as an afterthought,'' says Brett Rushton, vice president of strategic services for network consulting firm Calence, Inc. in Tempe, Ariz. ''It needs to be built into the infrastructure to deal with pervasive threats.''
The good news is that the biometric authorization techniques are no longer so leading edge that they are difficult to marry with traditional security safeguards. Today's systems are well enough developed that they can be incorporated into enterprise systems without too much effort.
''A strong authentication system is what you want to focus on and biometrics can be part of it,'' says Ouellet. ''But the user should still have to memorize something or have a token, and you need to make sure that policies and the management structure relating to it are firmly in place.''