Is there a need for strong identification and authentication? Is your company wanting to bolster access security on its computer network, and investigating the use of biometrics as an adjunct to or replacement for user passwords? “You’re not alone”, suggests Clive Handley, Marketing Director for Transactions and Security of the VELOCIT-e group. “Just about any corporate enterprise that is serious about security today is investigating the use of biometrics”.
Most experts agree that the days of protecting access to corporate computers and information with user passwords and cards are numbered. Surveys have shown that by far the majority of the problem calls received by internal corporate help desks are password or token-related. This administrative burden, coupled with inconvenience and lost productivity of highly compensated staff, has been estimated to cost more than $300 per network user each year. Corporate help desks are inundated with requests from users who have forgotten their codes. Password management has become a tedious and expensive task.
The electronic pathways leading to sensitive and mission critical information are heavily travelled and not well patrolled. Increasingly sophisticated software tools are being used by 'hackers' to easily crack passwords, enabling them to gain access to the identities of trusted employees, suppliers and business partners.
The strategies used to make passwords more difficult to compromise (random changes, alphanumeric combinations, etc) also make them more difficult to remember, which annoys authorised users. It also increases administrative costs for only slightly improved security. Regardless of how complex or sophisticated the password policy is, there is no way that an administrator can prevent an authorised user from transferring their password to a third party (collusion) or prove that it was the authorised user, and not a third party, who presented the password (non-repudiation).
Not only do passwords present a security risk says Handley, but they are also expensive to administer. Most user passwords in a large enterprise are changed by policy every 30-60 days. With biometric I&A, users no longer need to remember those frequently changing, complex passwords (or write them down). They do not need to carry expensive token cards that can be left at home (or in a desk or PC).
iTouch peripheral fingerprint imager for computer and network security
"It is far better to implement an administrator-controlled trust model which allows the systems administrator to define which users to trust, what credentials are required to gain trust, and when a trusted relationship is required," adds Handley. In an intranet example, administrators are able to allow all employees secure access to the 'employee only' section of the company's home page on the web, but provide only designated employees to additional web pages based on function responsibility (ie sales people enter orders and review customer activity, product managers to change confidential product descriptions and pricing, and financial staff to update reports.) The other key benefits of implementing an administrator-controlled trust model include:
* Enhanced security is transparent to the user.
* Users are not required to perform any trust decisions to access enterprise resources.
* Single sign-on to multiple network resources can be achieved through secure biometric logon.
The only way to solve these types of problems is with biometric identification and authentication (I&A), the use of unique biological or behavioural characteristics of an individual (voice, face, fingerprint, iris patterns etc) instead of passwords to positively identify authorised users seeking access to enterprise resources. Biometrics are extremely difficult to compromise or deny ("it was not me"), are not easily forgotten or transferred and do not need to be changed. "The Multi-Biometric Enterprise suite offered by VelocIT-e, provides a reliable and user friendly I&A; foundation that supports access privileges, accountability, privacy and confidentiality, while improving audit trails within an organisation", says Handley.
Phoenix keyboard with built-in fingerprint sensor
Information technology professionals are recognising that the next major challenge facing the enterprise is improved data and network security. Financial losses resulting from computer security breaches are reported to exceed $1 billion annually and the real cost of theft of propriety information cannot be calculated. Liability exposure from failing to protect the integrity, privacy and confidentiality of information under the enterprise's custody and control (ie consumer and employee medical/financial records) has never been greater.
Many organisations have elevated the position of Chief Security Officer and provided these individuals with significant budgets to address this issue.
The cornerstone of any sound enterprise security plan is strong user Identification and Authentication (I&A). Without compromising I&A, smartcards, encryption including PKI, access control hierarchies and other security measures are in jeopardy. "What is the point of encrypting messages or auditing transactions if you cannot be sure who is initiating or receiving them," asks Handley? "Clearly it is time to rethink the whole approach". He adds that biometric I&A, when coupled with these important elements of an integrated network security framework, provides a solid foundation for any comprehensive data security plan. The payoff for positive user authentication can be significant. What would a financial institution pay to mitigate the risk of a wire transfer fraud? Or what would a healthcare provider organisation pay to protect itself from a breach of confidentiality lawsuit concerning electronic medical records in its custody? Says Handley, "The ability to eliminate or mitigate a variety of risks is very powerful in today's litigious society!"
Corporate Officers and Directors are personally responsible for protecting the company's information assets and assuring that management information systems enable compliance with applicable laws. Failure to protect information assets can result in civil or criminal liability for the corporation and its management. Replacing vulnerable passwords with biometrics demonstrates management's efforts to use the best available technologies to safeguard the data in their care, custody and control.
In conclusion, the market will force the use of biometrics as a preferred enterprise security solution. Workers are being overwhelmed by passwords, suggests Handley. "Biometrics", he says "when used and applied correctly, just costs pennies per day. What makes a password work is that it is secret; if it is compromised it can be changed. What makes biometrics work is that they cannot be forged."