N·CYCLES

software solutions

 

Enterprise Biometric Security

A framework for using biometric security in the enterprise.

January 2003

 

Hunter Purnell

Dan Marks

 

 


Table of Contents

The Enterprise Defined

Biometrics: Life Measures

The Case for Biometrics in Enterprise Security

Convenience

Security

Usability

Present State of Enterprise Biometric Security

Handprint

Fingerprint

Retina

Iris

Voice/Speech

Handwriting/Signature

Face

Movement Patterns

Example Enterprise Scenarios

Web Portals

Single Sign-On (SSO)

Inter-Enterprise

The Enterprise Defined

There is a narrow view of the enterprise that exists today that only includes the network and computer realms within an organization.  In order to have an end-to-end sense of control over your users and assets within a particular organization, the view must be broadened a bit.  The enterprise should, at a minimum, include the following realms:

1.       Physical

2.       Network

3.       Computer

Figure 1

Securing the physical realm consists of protecting a facility or a tangible asset from entry or use.  For example, a building is typically secured from entry with a lock that requires a key for ingress.  Network and computer assets are usually grouped together when it comes to securing them.  They are related, but the task of securing each is very different.  The network provides a gateway of use for a computer asset.  The network is the first line of defense against unauthorized use of a computer asset.  Securing it is an all-or-nothing proposition: an individual is either given rights to access it or denied them.  The computer asset is not that simple.  The computer realm can be further broken down into the following sub-realms:

 

1.       Login

2.       Application

3.       Data

 

The login security of the computer asset protects it from any unauthorized access.  Again, like the network asset, it is all or none.  Application security is applied to each individual application that is being run on a computer asset.  Each application should have security mechanisms that grant or deny access to the use of the application.  This sub-realm is a bit different in the sense that it does not exhibit the all-or-nothing access characteristics of the previously discussed realms.  Security for the application asset is going to depend on who you are and where you are (internal or external).  For example, a manager (who you are) will have access to the payroll function of a web-based corporate enterprise application that an employee would not have.  Also, it might be a requirement for some types of sensitive functions on the same application to be “hidden” if the manager is accessing the application from his home computer versus his office computer.  Finally, data is the last sub-realm.  The data will typically be the most sensitive part of the entire system.  This sub-realm also exhibits the characteristic of access being based on who you are and where you are.

 

Finally, consider some broad grouping characteristics of security challenges that are employed in the enterprise:

 

-        Something I know (password, PIN)

-        Something I have (token, smart card, certificate, etc.)

-        Something I am (fingerprint, face, voice, etc.)

In a modern enterprise security system, all three of these broad groupings will be employed.  The user’s actions and level of desired access will dictate the security policy employed and determine the mix (one, some, or all) of security challenges.

 

Any single layer can be made more secure by increasing the complexity of the challenge.  However, stronger security can also be less convenient for users.  Therefore the right mix of challenges and complexity of the challenge will depend on the particular need.

 

Biometrics: Life Measures

As the name biometrics suggests, the idea behind this emerging technology is to map measurements of human physical characteristics to human uniqueness.  If this can be accomplished in a reliable, repeatable fashion, the verification and identification of human individuals by machine becomes a reality.  To that end, biometrics is a fusion of human physiology, pure mathematics, and engineering.  The idea of biometrics is very simple to grasp, but the implementation can be daunting and very difficult to realize.  The difficulty does not come from the gathering of the actual measurements but from the analysis of these measures.  As with most pattern recognition problems, more data can always be gathered.  The problem is what to do with it after it has been gathered.  Enough measurements have to be taken to assure uniqueness of each individual.  There is a fine line between not having enough data and having too much.  Too much data can cause an “aliasing” effect, where individual uniqueness is lost.

Also, the application of the biometric device has important ramifications on how much data should be collected.  Simply verifying someone’s identity is much less complex than identifying a person.  Verification versus identification might seem like semantics, but think about the difference between checking someone’s driver’s license photo and recognizing someone in a packed room whom you’ve never met.  Verification involves having someone tell a biometric system she is Jane Doe and then using one or more sets of biometric information to verify that she is in fact Jane Doe.  Identification would be Jane Doe walking up to a set of biometric sensors and being recognized as Jane Doe.  If you have seen the movie Minority Report, the mall stores biometrically identify Tom Cruise as he moves from store to store.  The increased complexity of identification means that reliable identification is still some years away from being perfected, which is why the Super Bowl elected not to try to use biometric identification techniques.  On the other hand, verification is extremely reliable today and for some security applications is quite appropriate for either increased security or ease of use.
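The difference between the two modes can be shown in a few lines of Python.  This is an added example, not part of the original whitepaper: templates are constructed random bit strings rather than real biometric data, and the threshold, the 0.1% per-comparison false-match rate and all names are assumptions chosen for illustration.

```python
import random

BITS = 256         # constructed template size (assumption)
THRESHOLD = 0.32   # accept if fractional Hamming distance <= this (assumption)

def distance(a, b):
    """Fraction of bits that differ between two templates."""
    return bin(a ^ b).count("1") / BITS

def rescan(template, flips, rng):
    """Constructed 'fresh scan': same person, `flips` bits of sensor noise."""
    for pos in rng.sample(range(BITS), flips):
        template ^= 1 << pos
    return template

def verify(gallery, claimed_id, sample):
    """1:1. The user says who she is; compare against that one template."""
    enrolled = gallery.get(claimed_id)
    return enrolled is not None and distance(enrolled, sample) <= THRESHOLD

def identify(gallery, sample):
    """1:N. No claim is made; every enrolled template must be searched."""
    best_id, best_d = None, 1.0
    for user_id, enrolled in gallery.items():
        d = distance(enrolled, sample)
        if d < best_d:
            best_id, best_d = user_id, d
    return best_id if best_d <= THRESHOLD else None

def false_match_1_to_n(fmr, n):
    """Chance that at least one of n independent comparisons falsely matches."""
    return 1 - (1 - fmr) ** n

def demo(seed=7, others=1000):
    rng = random.Random(seed)
    gallery = {f"user{i}": rng.getrandbits(BITS) for i in range(others)}
    gallery["jane.doe"] = rng.getrandbits(BITS)
    scan = rescan(gallery["jane.doe"], 20, rng)
    return {
        "verify_as_jane": verify(gallery, "jane.doe", scan),
        "verify_as_user1": verify(gallery, "user1", scan),
        "identify": identify(gallery, scan),
        "fm_1_to_1": false_match_1_to_n(0.001, 1),
        "fm_1_to_n": false_match_1_to_n(0.001, len(gallery)),
    }

if __name__ == "__main__":
    print(demo())
```

Verification makes one comparison, so its false-match chance stays at the per-comparison rate; identification against 1,001 enrolled users at the same rate would falsely match someone in roughly 63% of searches, assuming independent comparisons.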

Depending on the application and objective, different “form factors” are more appropriate.  The predominant biometric form factors today are:

1.       Handprint

2.       Fingerprint

3.       Retina

4.       Iris

5.       Voice/Speech

6.       Handwriting/Signature

7.       Face

8.       Movement patterns (e.g., typing, walking, etc.)

The Case for Biometrics in Enterprise Security

The use of biometric verification and identification has so far been limited to a few Hollywood movies.  The public seems to view biometrics as futuristic if not scary, even though these technologies have been around for the past several years.  The reality is this: the form factors discussed in this paper are real and work.  The issue becomes how to apply them appropriately.  Companies want to rush to the market with a really cool technology without a real problem to solve.  This is the case with early biometric solutions.  The early implementations were burdened by the fact that they were not as reliable as hoped for, and prospective customers did not see the need to deploy yet another security technology that at the time only looked like a fancy replacement for passwords during computer or network login.  This is all beginning to change.  The important thing to focus on is the application of the technology.  The technology is much more robust than it was in years past.  Some of the technologies, fingerprint for example, are beginning to put up 99% correct verification rates. [1]  Some of the technologies, such as facial and speech recognition, will always be plagued by ambient environmental factors such as lighting and limited bandwidth communications channels (cell phones).  These technologies will not be able to function alone in an enterprise security system, but can be an important part of a group of technologies that are used in conjunction with one another to strengthen the whole (see the future section of this document).  With all of this said, let’s look at a few factors to consider when applying biometrics.

Convenience

This will be the number one factor for most customers concerning the deployment of a biometric system.  Security systems will be forced to become more stringent in the days to come.  This means that, at the low end, password policies will be modified to increase the frequency of changes to a user’s password.  Most organizations today are forcing users to change passwords at least every thirty days.  Most of these policies also do not allow the user to reuse the past 5 passwords.  This causes the user one extra headache and gives a reason to circumvent the security practices.  This also causes more calls to the help center to reset forgotten passwords.  Frustration rises and time is wasted to achieve the higher level of security.  Passwords are also going to become longer and be machine generated.  This will really cause user frustration and loss of efficient use of protected physical/computer/network assets.  The password is the predominantly deployed verification mechanism in all of enterprise security today.  The password is considered “something that I know”.  The convenience provided by a biometric device that represents the user’s identity (“something I am”) mapped to the user’s password or PIN is very high.  If the user obtains use of a physical/computer/network asset only using a biometric, the convenience of the security system is greatly increased.  Also, the security of the system can be bolstered without affecting the user.  The password could be changed every 10 minutes and made to be 32 characters long, if the security policy so demanded.  The user would only have to bring their biometric along.
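The arrangement described above, a biometric mapped to a machine-generated password that the user never types, can be sketched as follows.  This is an added example, not code from the original whitepaper: the CredentialBroker class, the set_password hook that pushes a new password to the protected asset, and the biometric_ok flag supplied by a matcher are all hypothetical.

```python
import secrets
import string
import time

ALPHABET = string.ascii_letters + string.digits + string.punctuation
ROTATE_SECONDS = 10 * 60   # "changed every 10 minutes"
LENGTH = 32                # "32 characters long"

class CredentialBroker:
    """Holds a machine-generated password per user; the user never sees it."""

    def __init__(self, set_password, clock=time.monotonic):
        # set_password(user, password) is a hypothetical hook that updates
        # the password on the protected asset (directory, host, application).
        self._set_password = set_password
        self._clock = clock
        self._current = {}   # user -> (password, issued_at)

    def _current_password(self, user):
        now = self._clock()
        entry = self._current.get(user)
        if entry is None or now - entry[1] >= ROTATE_SECONDS:
            password = "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))
            self._set_password(user, password)   # rotate on the asset first
            entry = (password, now)
            self._current[user] = entry
        return entry[0]

    def login(self, user, biometric_ok):
        """Release the current password to the login step only after a match."""
        if not biometric_ok:
            return None   # no match: nothing is rotated or released
        return self._current_password(user)
```

The broker now holds every live password, so it needs the same protection as any other credential store.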

Security

Incorporating biometric devices into the enterprise security architecture increases security by eliminating the ability to share passwords and making it much more difficult to counterfeit or steal the security key.  The level of security provided by a device also depends on the number of “reference points,” which are the individual metrics taken in each scan.  For instance, iris scanners capture 200+ while fingerprint readers typically only capture around 80.  However, the effectiveness of the reference points also depends on the algorithms used.  More reference points can mean more false negative identifications.  In other wor