
What is first - Business or Security?

This is a post I made to a security group I am on. The topic is biometrics and the need for it in a business environment.

--- 

Usually today, the security issues are NOT with identification/authentication - they come from not completely understanding the technology, for example implementing a bioscanner to identify/authenticate a user while sending the data itself over an unencrypted line.

The biggest challenge with any security is the need for it. Do you REALLY need this kind of security? Will this technology make you SECURE? Is there any other tool or solution that can achieve the level of security you need - at a lower price (monetary, user acceptability, support)? If you choose this particular technology - what parts will be secure, and what parts are left unchanged or inadequately secured?

Another key challenge is lack of understanding. Business people care more about business - making the profit, ensuring the operations. Security people care more about adding security - less about the business impact. At the end of the day, these two parties have to work together to ensure an adequate level of security for that particular business. Unfortunately, what we see almost every day is the complete opposite scenario (particularly with ICT security).

The security guys try to make a case about how important a new tool, technology or gadget is. And from a single, security-minded point of view - they usually are right. BUT - the business does not invest in the tool - it chooses to go "insecure" instead. What the security people do not get is that business people are usually equally good at risk assessment and risk management - some even better.

Why?

To successfully run a business - you handle risk and have to manage it on a large scale, continually. You make the decisions - to go or to stop - usually with little knowledge of the outcome. Some say you have to gamble, others prefer to call it risk management. Some don't even know that this is what they do. They will tell you that all they do is maximize profit while reducing the costs - known and unknown.

So in this scenario, the business people usually win the game - because of their added perspective. They perfectly understand risk - and they are willing to risk some to gain some. It is a different mindset.

For the security industry, this means they dig up dangerous scenarios and construct hypothetical issues to sell you only parts of what you need. That would be fine - if they'd only tell you that the actual risk is usually much lower than the perceived risk (after their FUD), AND if they'd tell you that they are only part of the solution.

For the business people, a simple equation should be applied:

Value > security measures

Never spend more securing an object than the actual value of the object. Common sense, right? Yep. But unfortunately not commonly adopted.

On biometrics - they will come. They are already here. A fingerprint scanner is built into most business laptops today. A camera is on some, and as mentioned in this thread - almost all laptops do have a mic. The challenges for biometrics, however, are more complex (the list is not exhaustive):

  • local laws/regulation

The EU has strong privacy regulations, which some of the countries apply against biometrics.

  • MITM/MITB

Authentication/identification alone is not enough - you need secure communication too.

  • authentication vs. identification

Should you authenticate only, identify only, or both? At what stage? Using what technology and measures?

  • the actual need

What is wrong with a username/password combo? Why do you really need a stronger method? When do you need it? Can you do without? Should you do without?

  • usability

A tool can be as secure as it wants, but if users do not like it, they WILL circumvent it. BUT - it may also be the killer app that is in demand: use biometrics as a way to simplify the life of the users - no more need for usernames/passwords and devices up and down and back and forth.


This post is not only true about biometrics - it is true about all security. The challenge for the industry is to make relevant solutions that are needed and that fix real issues. The challenge for the customers is to identify the solutions relevant for them - to fix issues they have. The challenge for (end) users is adopting new security solutions every other day.

At the end of the day - you can never be 100% secure. You can get very close if you really want to (and can afford it) - but the fact of the matter is that your job is to secure your business - meaning you are there to make as much profit as possible, or if an NGO - to spend as much time as possible doing your thing. No matter if you are the CEO or the CSO - your job is NOT to invest in security - it is to work towards the business goals of your company. Period.

Do you have the BUZZ?

Dear anonymous (I would much prefer to say Dear John),

First - I post this as a blogpost instead of a reply to your comment on my post about Jamparii. 

Thank you for your input. As I know you are not only claiming to do what you say, but are actually trying to build your own tool for business networking, I would much rather you had entered your own name, John.

However, what you are pointing at is true in all new ventures. It does take capital to build success. And there are several different paths to choose from. Jim has chosen one path, and John, you took another path.

My experience tells me that the path of money alone is not enough. To build a successful networking site, you need quality. You need content. You need active users. And you need a value proposition to your users.

LinkedIn, Xing and Facebook are three successful networking tools, but they are very different. Ecademy and Viadeo are others. Myspace and Orkut are there too. Just to name a few of your competitors. They offer value. Distinctive value. And they have success.

You need to present a clear value to me before I will even consider your new tool. No matter how you choose to finance your venture. Scam or not.

This is about risk as well. Do you have what it takes to break the bank? Did you consider all options? Have you done your homework, so you know how to position yourself?

What if you fail? What if it takes twice the time to break even? Or three times the time? What if you only secure half the funds you need? What if only one tenth of the required users actually sign up?


So the question to you two competitors - do you have the BUZZ?

Social networks and their information collection

I have been known to rant about people's lack of care or understanding when it comes to publishing information on the Internet. Most people are either incredibly naive, plain stupid or just do not care. (I do realize they probably just do not want to know.)

This YouTube video came to my RSS reader today (thanks, Gnucitizen).

So as a reminder to my readers, please take a look at this video. It is your identity at stake. Your future.


The blogger is Kai Roer, a European Information security professional.
