Leaving Your Mark
Why anything less than you is not enough
- By Bill Bockwoldt
- Oct 02, 2008
Today’s mobile professionals carry more sensitive information than ever before. A single laptop can contain strategic business plans, corporate financials, intellectual property materials and private employee information that can be valued in the millions, if not billions, of dollars. The traditional focus of corporate asset protection, the notebook PC itself, has evolved to redefine the real asset as the data contained in that PC.
This realization, coupled with recent regulatory changes forcing the public announcement of data breaches of personal information, has sent a shockwave through the corporate world and is leading to faster adoption of more types of data security.
At the same time, fingerprint biometrics has become the “ultimate human interface” device by providing a combination of security and personal convenience never before experienced on the corporate desktop.
Security is achieved when the expense and difficulty of breaching something lie just beyond the perceived value of doing so -- and hence the breach is never attempted or never completed successfully. Biometrics as an authentication factor helps to achieve this for typical PC access by working in combination with new and existing technologies to raise the security bar. Some examples of this combined approach are presented below.
Securing the PC from boot-up requires the user to enter and configure the BIOS of the system. Corporate IT managers generally frown upon this since no centralized management approach is available for BIOS management today. When the BIOS protection is enabled, the HDD can be locked and require a password of eight to 32 characters to unlock. This needs to be done before the system even boots to the operating system level, where most attacks generally occur. If a user were to forget the password, the HDD must be replaced and the old one discarded.
By combining this existing but under-used security capability with a fingerprint biometric subsystem, this problem can be addressed and a much stronger level of system security can be immediately enforced. The biometric device can be used to replay the BIOS password when the user swipes a finger -- preventing the loss of the password and simplifying an overly complex security feature already present in the system.
A more advanced approach to securing HDD data is to combine a full HDD encryption solution with the biometric subsystem. This goes one step beyond the BIOS password by actually encrypting all data on the HDD using AES encryption technology. The HDD encryption must be unlocked in the pre-boot environment so the operating system can load and the system can complete the boot-up cycle.
This approach has significant security advantages over a simple BIOS password but again poses the same issue of reliance on a single password, which can be quite complex and difficult to remember. When combined with a biometric subsystem, the authentication derived from the fingerprint reader can be used as the authentication mechanism and to release the encryption key to decrypt the HDD -- once again removing the risk of a lost or forgotten password. It would be natural for the leaders in HDD encryption solutions, including WinMagic, Sophos/Utimaco, McAfee/Safeboot and Checkpoint/Pointsec, to begin offering this combined approach in the near future.
Operating System, Network Logon
Leveraging the initial authentication used within the pre-OS environment, the appropriate credential also can be passed to the operating system for local system or network logon. This saves one more manual authentication step for the user and again simplifies the password usage paradigm. Since network passwords are changed frequently, this is the most common area of focus for IT managers in attempting to simplify the user authentication process and manage it as efficiently as possible.
Any biometric authentication factor must be able to recognize and support forced password changes and, as many readily available solutions do today, allow some form of centralized control over this process. There is a growing interest in integrating biometrics as an authentication factor at the OS level.
Single Sign-on, Remote Authentication
The same credential release mechanisms used for logging into the operating system also can be integrated with SSO and remote authentication solutions. In the case of SSO, all of the same password rotation, reset and protection rules apply, along with the added issue of the keys to the kingdom -- where one password is protecting all of the digital assets of the enterprise. With biometrics, users have the flexibility to create strong passwords with no need to remember them because they can simply swipe their finger. The added convenience helps to fulfill the true purpose of the SSO system, and stronger passwords can be created and managed much more effectively.
Remote authentication techniques today are dominated by the use of one-time passwords using stand-alone “hard” tokens or software clients that generate soft tokens offered by security leaders including RSA, Vasco and Verisign. The difference has to do with where the OTP seed and algorithm are stored and where the OTP is generated (in hardware or software).
A biometric subsystem can fulfill the role of the token and generate the OTPs based on a successful fingerprint authentication at either the hardware or software level, since the seed can be embedded in the biometric hardware in some cases. Using biometrics embedded in notebooks and peripherals addresses several issues, including the support and productivity costs of lost and forgotten tokens, costs associated with upfront token purchase or replacement of hard tokens, and installation of additional client software and reliance on PINs.
However, the greatest unacknowledged benefit is that now an OTP can only be generated based on who you are, rather than what you know or what you have -- thus solving the most basic authentication paradox in existence today.
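The token model described above, worked through as an added example (not code from the article or from any vendor named in it): an RFC 4226 HOTP seed sealed inside a simulated biometric subsystem, an OTP produced only when the matcher reports a successful verification, and a server that verifies with a small look-ahead window. The class names, the match threshold and the seed value are assumptions made for this example.

```python
import hmac
import hashlib
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then modulo 10^digits, zero-padded."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class BiometricOtpToken:
    """Simulates the 'seed embedded in the biometric hardware' case: the
    seed never leaves this object, and an OTP is generated only when the
    matcher's score clears the threshold (threshold is a made-up value)."""

    def __init__(self, seed: bytes, match_threshold: float = 0.9):
        self._seed = seed            # stays inside the subsystem
        self._counter = 0            # HOTP moving factor
        self._threshold = match_threshold

    def generate(self, match_score: float, digits: int = 6):
        # The match decision gates OTP generation: no match, no OTP.
        if match_score < self._threshold:
            return None
        otp = hotp(self._seed, self._counter, digits)
        self._counter += 1
        return otp


class OtpServer:
    """Server side: shares the seed, remembers the next expected counter
    and accepts codes within a look-ahead window so that a skipped OTP
    does not lock the user out, while an already-used code is rejected."""

    def __init__(self, seed: bytes, window: int = 3):
        self._seed = seed
        self._counter = 0
        self._window = window

    def verify(self, candidate: str) -> bool:
        for c in range(self._counter, self._counter + self._window):
            if hmac.compare_digest(hotp(self._seed, c), candidate):
                self._counter = c + 1   # resynchronise; prevents replay
                return True
        return False
```

The seed below is the RFC 4226 test-vector secret, so the first codes can be checked against the published vectors (755224, 287082, 359152, ...).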
Application Security, Compliance
Beyond device and network authentication, more organizations today are focusing on limiting access to specific applications or data repositories. New compliance regulations such as Sarbanes-Oxley stipulate employee authentication for certain financial transactions or internal procedures and require non-repudiation -- an ideal case for biometrics. The biometric subsystem can be called to request an authentication for practically anything, including an Excel spreadsheet locked with a password, an internal home-grown financial application, or a typical ERP or CRM system. Using this type of authentication approach again reduces the myriad password schemes that need to be created, recorded, remembered and managed by over-taxed employees.
As a single layer of security in a multilayered approach, a fingerprint biometric solution offers flexibility and the opportunity to simplify some of the more onerous aspects of security management. But what really sets a biometric solution apart from all other forms of authentication security is the convenience to the user.
You take your finger everywhere, never forget it, don’t lose it and understand how to use it. Swiping your finger is intuitive, pleasantly repeatable and doesn’t require any effort or special focus during those early mornings or late nights at the office or on the road. It is a personal experience tied directly to you, and only you, that makes this approach so much more compelling over smart cards, tokens, ID badges, physical keys and passwords. Your fingerprint can’t even be phished.
All of these reasons are what make biometrics such an obvious choice for enhancing the user experience. And when things get easier for users, they tend to adopt them enthusiastically. This behavior translates into reduced help-desk costs, lower hardware replacement costs, better insurance premiums, and happier employees for the corporation, not to mention the overall improvement in security protocols and reduction in fraud.
Fingerprint biometric technology has been well-established for a hundred years and has been in commercial deployment by governments and public services for much of that time. However, it has only recently begun to reach real adoption in the commercial and consumer sectors due to significant advancements in packaging, cost reduction, and overall device and system performance.
All major PC OEMs are now offering integrated biometric solutions, and early signs of peripheral adoption are on the horizon as well, evidenced by the fact that even Apple stores in the United States now carry a USB fingerprint reader. As the industry ramps toward ubiquity in the notebook PC platform, the mobile phone sector is taking notice as well and should not be far behind. The mobile phone is the second most heavily used electronic device in the enterprise today (some would argue the first), and is a natural progression for biometric adoption based on the growing needs for data protection and network access.
While the value proposition offered by fingerprint biometric security is becoming increasingly clear, the proper criteria for selecting the right technology are not as well understood. This decision is not simply a matter of purchasing new hardware and software products; it requires a fully integrated solution that extends corporate network and platform security. As opportunities for biometrics in the enterprise continue to expand, the market will continue to offer innovative, cost-effective approaches to the growing security dilemma.