biometrics

Live skin fingerprint scanner

This new thumb drive / memory stick / flash pen (pick or add your preferred name) comes with a fingerprint scanner. The scanner looks for live skin, which is claimed to increase accuracy and to let you use dirty fingers and still get access.

The only downside is that I can no longer cut off your fingers to gain access to your data. I need you alive and kicking at my side... Note that liveness detection only counters presentation attacks, such as a lifted print or a fake finger; it says nothing about how the template is stored or what a successful match is allowed to unlock.

Biometrics – do you have a business value?

Biometrics has tried to make itself a buzzword for a decade now. Now and then there has been hype around biometrics, but mostly it has lived a silent and anonymous life, trying to compete with traditional and cheaper security solutions.

Traditional password-protected logons have been true servants since the birth of networked computers. In the beginning they were simple security mechanisms designed to make sure only small groups of people had access to the relevant systems, typically system administrators and IT pros. They needed a tool to keep the typical user from accidentally wreaking havoc in the core systems.

The interconnected networks changed the ballgame. Suddenly "everyone" was connected, to everyone. The challenge soon became to protect everything from everyone. Over the years it became clear that traditional computer security needed a complete redesign. Enter the firewall. Enter centrally managed security tools. Enter layered security. Enter DRM. And enter a high number of password-protected tools and systems to be managed. But the core design never changed: when you needed authentication, you just added a variation of the log-on and password method.

Passwords stay on top as the identification and authentication system. What was a good idea decades ago is now so deeply integrated into ICT that almost every tool and system on the enterprise market requires a log-on. With a password. Users are expected to carry around between five and 20 passwords. Some have many more. Most of them use Post-it™ notes, Word™ files and other methods to manage it all. Others use the same password everywhere. And we have tried to teach them password management and awareness for ages.

And this is all yesterday’s news.


There is an increasing number of tools that enable simplified sign-on, single sign-on and log-on management. The point is to reduce the number of passwords the users have to handle. Most such tools are non-standardized, and they try to connect to a large number of proprietary systems. There is a total lack of industry standards, which in turn makes it very hard for vendors and new technology to solve the problems of passwords efficiently.

The impact on biometrics is pretty obvious. Lack of standards means biometrics vendors need to develop one solution for every system out there. Further, they have to integrate their identification and/or authentication methods with the methods of the system in question. And they need to convince system vendors and integrators that biometrics is the best way to solve identification and authentication challenges.

Both these strategies require a large budget, time and a proof of concept. Most importantly, though, they require a business plan showing clear value for the system vendor. In other words, biometrics must offer value that is easy to communicate: to end users, to enterprises and to system vendors/integrators.

And in my opinion, biometrics does that today. The message was clear ten years ago too, but then it lacked the necessary quality.

Some years ago I had to use an external device to scan my fingerprints. The idea was great: a mouse with an integrated thumb scanner, located exactly where my thumb rested. It was easy to install, on a single client. And after only one week of use, it refused to read my prints.

It turned out the technology was way too young.

Today, the scanner is integrated in my ThinkPad. I personally do not think it increases security, in the sense that if you want to, you can still steal and access my data, but it does increase usability. And I argue that usability is a major part of security. People are lazy, and having to remember and use a number of passwords is just plain wrong. Particularly when we have technology available to take away the pain of logging on to different systems.

Biometrics strengthens the weakest link in security: the users. By reducing the strain on the users, you increase overall security. This is achieved both by reducing password management issues and by making your users more content. Instead of knowing they are breaking the policies, they can now concentrate on their job.

The ICT industry is slowly moving in the right direction. I mentioned my ThinkPad™, which comes with an integrated fingerprint scanner and software to use it for local and network logon, as well as a password management tool. Other vendors do the same thing.

And when the system is correctly configured, it works a dream. I just love not having to remember all the passwords.

In the enterprise, things are not so simple. Although they can make large savings by implementing biometrics, an enterprise requires centrally managed solutions and integration with its core applications.

Most enterprises have a mixed ICT environment. It may include applications developed in the '70s, with systems added along the way, acquired through mergers and with new production facilities and requirements. Some of these applications may lie at the core of the enterprise, and careful consideration is needed before adding new security measures.

Lack of standardization means they will have to work closely with their system integrators and vendors to implement identification and authentication solutions. As always, this is a game of resources and politics.

When considering biometrics, many enterprises choose to evaluate competing tools like OTP and PKI. In my opinion, only PKI is relevant, as OTP is only a redesign of static passwords. And PKI is a perfect companion for biometrics, as most PKI tools require the user to authenticate locally with a pass phrase. Substitute the pass phrase with my fingerprint, and I can use my certificate to identify myself online and offline, locally and on my network, without having to remember a password at all. The fingerprint then only unlocks the private key stored on my device; it is the key, not the biometric, that authenticates me to the remote system, and the template never has to leave the machine.

And best of all: both technologies are ready, tested and available.

 ---------------------------------------

This article was first published in the Biometric Institute Ltd, Australia, newsletter, in January 2008. You will find more info on their website: www.biometricsinstitute.org


What is first - Business or Security?

This is a post I made to a security group I am on. The topic is biometrics and the need for it in a business environment.

--- 

Usually today, the security issues are NOT with identification/authentication. They come from not completely understanding the technology, such as implementing a bioscanner to identify/authenticate a user while sending the data itself over an unencrypted line.

The biggest challenge with any security is the need for it. Do you REALLY need this kind of security? Will this technology make you SECURE? Is there any other tool or solution that can achieve the level of security you need at a lower price (monetary, user acceptance, support)? If you choose this particular technology, what parts will be secure, and what parts are left unchanged or not adequately secured?

Another key challenge is lack of understanding. Business people care more about business: making the profit, ensuring the operations. Security people care more about adding security, less about the business impact. At the end of the day, these two parties have to work together to ensure an adequate level of security for that particular business. Unfortunately, what we see almost every day is the complete opposite scenario (particularly with ICT security).

The security guys try to make a case for how important a new tool, technology or gadget is. And from a single, security-minded point of view, they usually are right. BUT the business does not invest in the tool; it chooses to go "insecure" instead. What the security people do not get is that business people are usually equally good at risk assessment and risk management, some even better.

Why?

To successfully run a business, you handle risk and have to manage it on a large scale, continually. You make the decisions, to go or to stop, usually with only little knowledge of the outcome. Some say you have to gamble, others prefer to call it risk management. Some don't even know that this is what they do. They will tell you that all they do is maximize profit while reducing costs, known and unknown.

So in this scenario, the business people usually win the game, because of their added perspective. They perfectly understand risk, and they are willing to risk some to gain some. It is a different mindset.

For the security industry, this means they dig up dangerous scenarios and construct hypothetical issues to sell you only parts of what you need. That would be fine, if only they told you that the actual risk is usually much lower than the perceived risk (after their FUD), AND that they are only part of the solution.

For the business people, a simple equation should be applied:

Value of the object > cost of the security measures

Never spend more securing an object than the actual value of the object. Strictly, the ceiling is the loss the measure is expected to prevent (likelihood times impact), which is usually less than the asset's full value, but the common-sense version holds. Common sense, right? Yep. But not commonly adopted, unfortunately.

On biometrics: they will come. They are already here. A fingerprint scanner is built into most business laptops today. A camera is on some, and as mentioned in this thread, almost all laptops have a mic. The challenges for biometrics, however, are more complex (the list is not exhaustive):

  • local laws/regulation

The EU has strong privacy regulations, which some of the member states apply against biometrics.

  • MITM/MITB

authentication/identification alone is not enough; you need secure communication too, otherwise the template or the match result can be intercepted or replayed on its way to the system that acts on it

  • authentication vs. identification

identification asks "who is this?" (a one-to-many search of the template store); authentication, also called verification, asks "is this the person they claim to be?" (a one-to-one compare against a single enrolled template). Should you authenticate only, identify only, or both? At what stage? Using what technology and measures?

  • the actual need

What is wrong with a username/password combo? Why do you really need a stronger method? When do you need it? Can you do without? Should you do without?

  • usability

a tool can be as secure as it wants, but if users do not like it, they WILL circumvent it. BUT it may also be the killer app so in demand: use biometrics as a way to simplify the life of the users, with no more usernames/passwords and devices up and down and back and forth.
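The PKI-plus-fingerprint model from the article above and the MITM/MITB bullet here are two halves of one design, so here is an added example that ties them together. It is not code from the original posts or from any vendor mentioned on the page. The fingerprint match only unwraps a private key held on the device; the key signs a challenge from the relying party that is bound to both the server's fresh nonce and the origin the client believes it is talking to; and the relying party verifies a signature without ever seeing a template. The byte-for-byte template compare, the device-held wrapping secret and the host names are constructed stand-ins: a real sensor does fuzzy matching inside the sensor or a secure element, and the channel itself still needs TLS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"errors"
)

// Enrollment is everything that stays on the device: the fingerprint template,
// the PKI private key wrapped under a secret that only a local match releases,
// and the public key the relying party trusts (the certificate side).
type Enrollment struct {
	template     []byte // constructed stand-in for a sensor template
	sealedSecret []byte // stand-in for a secure-element secret released on match
	wrappedKey   []byte // nonce || AES-GCM(PKCS#8 private key)
	Public       *ecdsa.PublicKey
}

// randomBytes panics on CSPRNG failure, which is not recoverable anyway.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// wrapCipher derives the key-wrapping AEAD. Assumption: the secret is high-entropy
// (hardware-held), so one hash suffices; a user pass phrase would need PBKDF2/scrypt.
func wrapCipher(secret []byte) cipher.AEAD {
	k := sha256.Sum256(append([]byte("wrap:"), secret...))
	block, _ := aes.NewCipher(k[:]) // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}

// Enroll generates the key pair and keeps the private half only in wrapped form.
func Enroll(template []byte) (*Enrollment, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	der, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return nil, err
	}
	e := &Enrollment{template: template, sealedSecret: randomBytes(32), Public: &priv.PublicKey}
	aead := wrapCipher(e.sealedSecret)
	nonce := randomBytes(aead.NonceSize())
	e.wrappedKey = aead.Seal(nonce, nonce, der, nil)
	return e, nil
}

// Unlock releases the private key only after the local match succeeds; the compare
// stands in for the sensor's fuzzy matcher, and the point is that it runs on the device.
func (e *Enrollment) Unlock(presented []byte) (*ecdsa.PrivateKey, error) {
	if subtle.ConstantTimeCompare(e.template, presented) != 1 {
		return nil, errors.New("biometric match failed: key stays wrapped")
	}
	aead := wrapCipher(e.sealedSecret)
	ns := aead.NonceSize()
	der, err := aead.Open(nil, e.wrappedKey[:ns], e.wrappedKey[ns:], nil)
	if err != nil {
		return nil, err
	}
	key, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return nil, err
	}
	return key.(*ecdsa.PrivateKey), nil
}

// challengeDigest binds the signature to the server's fresh nonce and to the origin
// the client believes it talks to, so a man in the middle can neither replay it
// nor relay it from a look-alike host.
func challengeDigest(origin string, nonce []byte) []byte {
	h := sha256.New()
	h.Write([]byte(origin))
	h.Write([]byte{0}) // separator so origin||nonce cannot be re-split
	h.Write(nonce)
	return h.Sum(nil)
}

// Authenticate is the client side: the finger unlocks the key, the key signs.
func Authenticate(e *Enrollment, presented []byte, origin string, nonce []byte) ([]byte, error) {
	priv, err := e.Unlock(presented)
	if err != nil {
		return nil, err
	}
	return ecdsa.SignASN1(rand.Reader, priv, challengeDigest(origin, nonce))
}

// Verify is the relying-party side: it checks a signature over its own nonce and
// origin and never sees a fingerprint or a template.
func Verify(pub *ecdsa.PublicKey, origin string, nonce, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, challengeDigest(origin, nonce), sig)
}
```

The wire carries only the nonce one way and the signature the other; the finger, the template and the unwrapped key never leave the device. A signature captured for vpn.example.com fails verification at vpn.example.net because the origin is part of the signed digest, and a captured signature fails against any later nonce, which is what the MITM/MITB bullet asks for on top of the biometric itself.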


This post is not only true about biometrics; it is true about all security. The challenge for the industry is to make relevant solutions that are needed and that fix real issues. The challenge for customers is to identify the solutions relevant to them, to fix issues they actually have. The challenge for (end) users is adopting new security solutions every other day.

At the end of the day, you can never be 100% secure. You can get very close if you really want to (and can afford it), but the fact of the matter is that your job is to secure your business, meaning you are there to make as much profit as possible, or if an NGO, to spend as much time as possible doing your thing. No matter if you are the CEO or the CSO, your job is NOT to invest in security; it is to work towards the business goals of your company. Period.

The blogger is Kai Roer, a European information security professional.