Note: This article is the first in a two-part series.
In the Indian marketplace, the term “security” can be a double-edged sword. On one hand, job opportunities for security professionals are everywhere and, given the number of cyber threats and hacks occurring these days, the marketplace shows no signs of cooling down. Corporations and organizations are increasingly taking the security of their networks seriously, and spending large sums to hire skilled security pros.
On the other hand, the technologies being used to secure the tangible assets (hardware and software) and intangible assets (intellectual property) of an enterprise often need protection themselves. For example, when a member of the IT security staff logs on in order to install the latest software patch from Microsoft, how do you really know that this individual is a legitimate member of the IT security staff?
The challenge of confirming one’s identity stems from both the processes and the protocols followed in many Indian enterprises. To illustrate the point: in order to log into a server, the only credential required (and it has been this way for a very long time) is the traditional username/password combination.
Unfortunately, passwords can be easily guessed, hacked, stolen, hijacked, re-created, and so forth — in many instances without the authorized user even knowing it’s happened. There is no worse feeling than attempting to log in to your online bank account only to discover that your password has been hijacked and maliciously changed.
To counter this, Indian companies of all sizes have initiated strict policies designed to enforce the highest levels of password security. These password characteristics typically include:
- Upper and lower case letters in the password
- A combination of numbers and punctuation marks generated at random when creating the password
- Prohibiting the creation of passwords that include the actual name of the holder — John Doe cannot create the password “JohnDoe1”
- Requiring passwords to be at least a certain number of alphanumeric characters long
- Requiring passwords to have a short life, so that new ones must be created within a set period of time
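To make the policy above concrete, here is an added example (not from the original article) that checks a candidate password against those five rules and generates one that satisfies them. The minimum length of 12 characters and the 90-day lifetime are assumed values, since the article gives no numbers.

```python
import re
import secrets
import string
from datetime import date, timedelta

# Policy parameters assumed for this example; the article gives no figures.
MIN_LENGTH = 12
MAX_AGE_DAYS = 90


def check_password(password, holder_name, set_on, today=None):
    """Check a password against the five policy rules listed above.

    Returns the names of the rules that were violated; an empty list
    means the password satisfies every rule.
    """
    today = today or date.today()
    failures = []
    # Rule 1: both upper and lower case letters.
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        failures.append("mixed_case")
    # Rule 2: at least one digit and one punctuation mark.
    if not (any(c.isdigit() for c in password) and any(c in string.punctuation for c in password)):
        failures.append("digit_and_punctuation")
    # Rule 3: no part of the holder's name, case-insensitive and ignoring
    # spaces, so John Doe cannot use "JohnDoe1" or "xxDOExx".
    lowered = password.lower()
    parts = [p.lower() for p in re.split(r"\s+", holder_name) if len(p) >= 3]
    compact = holder_name.replace(" ", "").lower()
    if any(p in lowered for p in parts) or (compact and compact in lowered):
        failures.append("contains_holder_name")
    # Rule 4: minimum length.
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    # Rule 5: short life; the password must be rotated after MAX_AGE_DAYS.
    if today - set_on > timedelta(days=MAX_AGE_DAYS):
        failures.append("expired")
    return failures


def generate_password(length=MIN_LENGTH):
    """Generate a random password that passes check_password (the
    'generated at random' item above), using a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, "", date.today()):
            return candidate
```

The list returned by check_password is what a helpdesk or login form would show the user, which is also why the article's "Post-It Syndrome" follows: a password that clears every rule here is one nobody remembers.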
In the end, no one remembers long, complex, and frequently changing passwords. As a result, people, especially employees, have taken to writing them on a Post-It Note, and attaching it to their workstation monitors. This is dubiously known as the “Post-It Syndrome.” In the end, it totally defeats the purpose of having a long and complex password in the first place.
Fortunately, biometrics is a solution that obviates the need for passwords while enabling an organization to confirm the identity of an individual with a 100 percent rate of confidence.
Biometrics is an authentication technique based on unique physical characteristics that are “measurable,” and that can be checked automatically. Such techniques began in ancient Babylon with fingerprints pressed into clay tablets for business transactions. In 14th-century China, the palms and footprints of small children would be ink-stamped onto paper in order to differentiate them from one another.
It was in India, however, that modern biometrics really took off. In 1858, Sir William Herschel, Chief Magistrate of the Hooghly District in Jungipoor, India, on a whim used fingerprints on a contract with a native. Ironically, it wasn’t for identification purposes, but for security.
The local natives believed that physical contact made a contract more binding than just a signature. “The idea was merely to frighten [him] out of all thought of repudiating his signature,” said Herschel. The native was suitably awed, and from then on a palm print on each native contract became standard practice. Eventually Herschel used only the prints of the right index and middle fingers, and over time he began to notice that fingerprints could, indeed, prove or disprove identity.
Today’s biometric technology is evolving rapidly and falls under two broad categories: physical and behavioral. Physical biometrics include the automatic electronic recognition of fingerprints, facial characteristics, hand geometry (the unique shape of a hand), retinas and irises, and even voices, based on their unique pitch and sentence structure.
Behavioral biometrics include recognition of signatures and even keystroke patterns.
The goal of biometrics is to take all of these unique physiological and behavioral traits an individual possesses and create a way in which they can be used to positively confirm identity. Although the widespread use of biometrics is relatively new, it is beginning to play a critical role in computing and especially in e-commerce.
How biometrics replace passwords
Biometrics are increasingly popular and have wide market application. The industries most expected to benefit from biometrics include defense, government services, travel, banking, commercial and home security, transportation, healthcare and home electronics users.
Experts also forecast an increased usage of biometrics in the fight against terrorism. Security will be the main application as the movement and protection of large numbers of people into and out of public venues like airports, sporting arenas, and public transportation becomes a necessity.
Home and commercial users will be able to control physical access to a building. Employers will be better able to track the time worked by employees and to compute payroll more quickly and accurately.
Home electronics users will also contribute to the growth of biometrics because of widespread irritation and inconvenience with having to use multiple passwords. Single sign-on solutions like a fingerprint or retinal scan can eradicate passwords once and for all.
Physical recognition scans have received the most attention in film and literature. For example, your fingerprint can be your password: all you have to do is wire up a simple fingerprint or retinal recognition device to a computer (via a USB connection), install the software, and enroll your fingerprint in a matter of seconds.
Biometric recognition devices have a number of advantages that make their use practical and convenient. Memorized passwords, and the need to constantly create new ones, are done away with — no more Post-It Syndrome — and physical characteristics are unique and cannot be forged, at least with current levels of technology.
Businesses can look forward to reducing the hidden costs of password resets — an estimated $300 per employee per year for large companies — and of lost IDs. Administrators can unequivocally link individuals to events or transactions, and automatically know who did what, where, and when.
Biometrics and IT Certifications
Because of the important role that biometrics now plays in logical access security, many IT certifications require candidates to have some baseline knowledge of it. The CISSP certification, for example, covers biometrics in Domain 1, which is about access control.
Candidates need not have in-depth knowledge of biometrics, just a basic understanding of how the technology works and how it can be implemented in the workplace.
Biometrics are gaining widespread acceptance in India and other countries. However, they are still not widely accepted everywhere in the world, especially in the United States, where there are many social implications surrounding the use of biometric technology, particularly as it pertains to civil liberties and privacy rights.
My next article will examine these and other social issues in more depth.