Saturday, October 23, 2021

Adding Biometrics to Enterprise Security Arsenal

Warriors have long used emblems, uniforms and tattoos to physically identify themselves to their compatriots. Secret passwords were in use long before the first person logged in at a keyboard.

Today, the world of enterprise security is increasingly incorporating biometric identifiers as an additional weapon within the security arsenal.

International Biometric Group, a New York City-based consulting firm, reports that the worldwide market for biometric devices grew 67 percent last year to reach $1.2 billion. And analysts there estimate a further expansion to $4.6 billion by 2008.

The largest share of that money (48 percent) goes for fingerprint recognition systems, followed by facial recognition (12 percent). While these two are the most popular, there are other methods that analyze a person’s physical or dynamic characteristics. Physical biometric methodologies also look at:

  • Eyes — Examining the lines of the iris or the blood vessels in the retina;
  • Hands — Taking a 3D image and measuring the height and width of bones and joints, and
  • Skin — Analyzing surface texture and thickness of skin layers.

“When looking at strong authentication, you want two out of three factors — something you have, something you are and something you know,” says Eric Ouellet, vice president in Gartner, Inc.’s security research group.

While eyes, hands and skin are commonly used as biometric identifiers, more dynamic methodologies also are being introduced, such as:

  • Voice — Detects vocal pitch and rhythm;
  • Keystroke Dynamics — Analyzes the typing speed and rhythm when the user ID and password are entered;
  • Signature — Matches the signature to one on record, as well as analyzing the speed and pressure used while writing, and
  • Gait — Measures length of stride and its rhythm.

To keep performance high and storage requirements manageable, today’s biometric technologies do not have to store or analyze a complete picture of the body part or the physical feature being used. Imagine the processing power that would be needed to store a high resolution picture of someone’s face and then compare it with a live image pixel by pixel. Instead, each method reduces the body part or activity to a few essential parameters and then codes the data, typically as a series of hash marks.

For example, a facial recognition system may record only the shape of the nose and the distance between the eyes. That’s all the data that needs to be recorded for an individual’s passport, for example.

When that person comes through customs, the passport doesn’t have to include all the data required to reproduce a full-color picture of the person. Yet, armed with a tiny dose of key biometric information, video equipment at the airport can tell whether the person’s eyes are closer together or if his nose is slightly wider than the passport says they should be.

None of these biometric systems are infallible, of course, though the rates of false negatives and false positives have markedly improved. One of the problems with fingerprint readers, for instance, is that they couldn’t distinguish between an actual fingerprint and the image of one. In the recent movie National Treasure, Nicolas Cage’s character lifted someone’s fingerprint off a champagne glass and used it to gain access to a vault. That is not pure fiction.

Japanese cryptographer Tsutomu Matsumoto lifted a fingerprint off a sheet of glass and, following a series of steps, created gelatin copies. He then tested these on 11 fingerprint readers and each accepted the gelatin prints.

Outside the lab, Malaysian thieves chopped the fingertip off a businessman and used it with the fingerprint reader on his Mercedes. But none of those methods would work with higher-end fingerprint readers.

“The latest fingerprint readers are incorporating more advanced features, such as making sure the finger is a certain temperature,” says Ouellet. “Everyone’s hand is different, as some are consistently warm or cold. In addition, they can also check if there is a pulse and tell how much pressure is being applied.”

Such sophistication, however, has its drawbacks.

Authorized users may find themselves locked out even when the devices are working properly. Why? Tiny changes, due to accidents or injuries, can change a biometrics profile, rendering it effectively obsolete.

“The thing to keep in mind with any biometrics is that your ID does change over time,” Ouellet says. “If you cut your finger, your biometric may not be the same any more. Or your early morning voice is different than after talking for eight hours.”
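
An added illustration, not part of the original article: the Python example below stores only the two facial parameters mentioned above as a template, compares live readings against it, and shows how the match threshold trades false negatives (locked-out users, including one whose feature has drifted) against false positives. All measurements, thresholds and function names are constructed for the example and do not describe any real product.

```python
from math import sqrt

# Enrolled template: only the two parameters the article mentions, in
# millimetres. Every value in this example is constructed.
ENROLLED = {"eye_distance": 63.0, "nose_width": 35.0}

def distance(template, sample):
    """Euclidean distance between the stored template and a live reading."""
    return sqrt(sum((template[k] - sample[k]) ** 2 for k in template))

def matches(template, sample, threshold):
    """Accept the live reading if it lies within `threshold` of the template."""
    return distance(template, sample) <= threshold

def error_rates(template, genuine, impostors, threshold):
    """Return (false negative rate, false positive rate) for one threshold."""
    frr = sum(not matches(template, s, threshold) for s in genuine) / len(genuine)
    far = sum(matches(template, s, threshold) for s in impostors) / len(impostors)
    return frr, far

# Constructed live readings from the enrolled person: sensor noise, plus one
# reading taken after the measured feature changed (profile drift).
GENUINE = [
    {"eye_distance": 63.2, "nose_width": 35.1},
    {"eye_distance": 62.7, "nose_width": 34.8},
    {"eye_distance": 63.5, "nose_width": 35.6},
    {"eye_distance": 64.9, "nose_width": 36.8},  # drifted reading
]
# Constructed readings from other people; two of them resemble the template.
IMPOSTORS = [
    {"eye_distance": 66.0, "nose_width": 38.0},
    {"eye_distance": 61.5, "nose_width": 34.0},
    {"eye_distance": 58.0, "nose_width": 31.0},
    {"eye_distance": 64.0, "nose_width": 36.5},
]

def sweep(thresholds=(0.5, 1.0, 2.0, 3.0)):
    """Error rates per threshold: tight values lock users out, loose ones admit others."""
    return {t: error_rates(ENROLLED, GENUINE, IMPOSTORS, t) for t in thresholds}

if __name__ == "__main__":
    for t, (frr, far) in sweep().items():
        print(f"threshold={t:.1f}  false negatives={frr:.2f}  false positives={far:.2f}")
```

With this data, no threshold admits the drifted reading without also admitting the two look-alike readings, which is why a changed profile is re-enrolled rather than handled by loosening the match.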

Biometrics in the Enterprise

While biometric authentication certainly adds an extra layer of security, it would be a mistake to implement a high-end system and then feel that break-ins instantly would be consigned to the history books. It takes back-end integration, constant vigilance and consistent user involvement to keep an enterprise secure.

“We feel security is a user issue and must go all the way to the desktop,” says Stan Gatewood, chief information security officer at the University of Georgia, Athens. “Our philosophy is to do defense in depth. We have a very layered architecture and assume that any layer will fail some day.”

The most popular biometric tool at the moment is the fingerprint reader. Some even use USB drives. And some keyboards and laptops come with them built in. These devices have come way down in price. As a standalone device, the unit price has dropped below $100. But, in an enterprise setting, that is just the start of the costs.

“Often, companies look at biometrics as being ultrasexy, cool technology, but they forget that there are integration issues,” says Ouellet.

IT departments have to ensure, for example, that back-end security systems can accommodate biometric authentication, and scale to the required number of users. Plus, if fingerprint readers are not incorporated into the laptop or desktop, it adds to the number of devices that need to be supported by IT.

There is little point, then, in adopting a stand-alone biometrics system that cannot easily be assimilated into the organization’s existing security fabric.

“Security is no longer something you can address as an afterthought,” says Brett Rushton, vice president of strategic services for network consulting firm Calence, Inc. in Tempe, Ariz. “It needs to be built into the infrastructure to deal with pervasive threats.”

The good news is that the biometric authorization techniques are no longer so leading edge that they are difficult to marry with traditional security safeguards. Today’s systems are well enough developed that they can be incorporated into enterprise systems without too much effort.

“A strong authentication system is what you want to focus on and biometrics can be part of it,” says Ouellet. “But the user should still have to memorize something or have a token, and you need to make sure that policies and the management structure relating to it are firmly in place.”
