Is Biometrics the next big thing?

For many of us that have to prove some detail of who we are to a computer, a username and password is about as bearable as it can get.

Now we also have a slew of vendors that want us to rather replace this fact of some detail that we know (and hopefully remember) with something we physically are - a biometric component like a fingerprint, retina scan or voice print.

This all sounds like super spy or sci-fi stuff, but the reality is that these controls have reached a level of maturity that will make many of them enterprise-ready and cost-effective to deploy.

Still, there are some details to consider within the process of deploying a biometric solution. The fact is within a manual labour environment we will not be able to acquire a reasonable thumbprint all of the time, so a hand geometry scanner could be a more suitable solution. Moreover, the placement of such a device will be key to its ongoing success. Having a thumbprint reader at a high traffic area, for example in front of a lift shaft, may not be ideal, so the design of such solutions within the physical access control arena requires specialised resources.

In the logical access space, we now see many portable computing devices that ship with built-in thumbprint biometric readers. I have seen many of them utilised as a BIOS lock, where the machine will not boot successfully without presenting the correct thumbprint scan. Funny business

The level of comedy that could be associated with this outside of enterprise deployments is very high, with standalone users sometimes locked out of their own machines with little or no access recourse.

The fact is, in regard to larger deployments, we want users to strongly authenticate, we also want ease of use and we demand improved systems security. These are sadly all counterpoints to each other and business has to live within a fine balance. Moreover, having access to the ‘system' is not where the concerns stop.

Users that are properly authenticated also need access to various resources. These endpoints and applications should only be exposed to those users properly authorised to access these resources.

Therefore knowing who has access to systems is an important start, but ensuring that only authorised users can use these systems is a different matter. It is in this area where separation of duties and 'super user' access comes into the discussion.

High Expectations

The fact is, in regard to larger deployments, we want users to strongly authenticate, we also want ease of use and we demand improved systems security.

I have seen many instances of strong user authentication, most often with two-factor tokens, biometrics or digital certificates, where users gain access to systems from a remote location, and once they are logged into the enterprise they perform the functions as an administrator or root user, with no or very little auditing of their actions. This leaves the user exposed as 'plausible deniability' comes into play.

So I am of the opinion that IT systems secured with biometrics may have a business value proposition, if it is first clearly defined what the resources are that need to be protected. As an example: I use a strong credential to protect access to my machine, but by mounting the hard drive in another computer or by making use of a Linux boot disk, I can gain access to the core local data that is not encrypted.

At this phase I see it 'as a game' over that which you probably value the most in the form of data, confidential e-mail and more that could be available to an untrustworthy third-party.

This then brings us back to the strategy of defence in depth. Use the appropriate measure to protect that what is valuable. Do it in a way that will be meaningful and convenient to the user with the maximum payoff from an IT security point of view to the business.

Karel Rode is security solutions strategist at CA