
Security Think Tank: A starter guide for biometrics in security

How can organisations move to biometric authentication of users without running the risk of exposing sensitive biometric information?

Biometrics in security can be anything from a simple fingerprint system enabling access to phones and laptops, through to complex systems such as retinal scanning and facial recognition.

Physical and logical access control have converged, so the same biometric can be used to open a door and to log on to a network or system. Biometrics can also be combined with other factors, for example a smart card plus a fingerprint.

The security benefits of biometrics are clear. A card can be passed on and a password can be shared or phished, whereas a biometric is something you are: it ties the access to the individual far more closely than a token (something you have) or a secret (something you know) does. Used alongside one of those factors it strengthens two-factor authentication rather than replacing it.

This gives us confidence in our security in a new way, because a biometric is hard to fake or reproduce, and the user cannot share it, disclose it by accident or lose it. The caveat is the flip side of the same property: a compromised password can be reset, but a fingerprint or a face cannot, so a stolen template or a successful spoof (a presentation attack with a printed photo or a moulded print) has lasting consequences. That is why liveness detection and a second factor still matter.

However, as with all systems there are pitfalls to watch for, and users may view biometrics as an invasion of their privacy.

That presents a serious challenge for security teams, who must demonstrate robust protection procedures to stakeholders with valid misgivings about how this personal data will be looked after, what it will be used for, and how it could be shared, appropriated, abused or otherwise inappropriately accessed.

Naturally, the repository of stored biometric data has to be secured. Store templates rather than raw images, encrypt them at rest with keys held separately from the data, and where the technology allows, keep the template and the match on the device or card (match-on-card, a phone's secure enclave) so that no central store of templates exists at all. Then there is the data captured every time someone uses their biometric access, on a physical or a logical network, and those authentication events also need to be captured and securely stored.

IT teams are not always good at protecting their logs. Error and crash dumps, for example, may hold a raw sample or a decoded template, so they need to be protected just as effectively as the biometric repository.
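The two points above, an event log that records the outcome rather than the biometric itself, and an error path that does not leak the sample into a crash log, can be enforced in the authentication wrapper. The following is an added example written for this guide, not code from the article or from any biometric product. It assumes a vendor matcher that takes a captured sample and a stored template and returns a score; that matcher and the sample and template bytes are constructed stand-ins here, and the pseudonymisation key would come from a secrets store in a real deployment.

```python
"""Keep biometric samples and templates out of audit logs and error dumps.

Added example, not the article's or any vendor's code. The matcher is a
placeholder for a vendor SDK call; sample/template bytes are constructed.
"""
import hashlib
import hmac
import io
import json
import logging
import secrets
import time

# Keys whose values must never reach a log line, whatever the caller passes.
SENSITIVE_KEYS = {"sample", "template", "image", "raw"}
REDACTED = "[REDACTED]"
MATCH_THRESHOLD = 0.8

# Per-deployment secret for pseudonymising subject IDs in logs. Constructed
# here; in practice loaded from a secrets store, never from the log config.
LOG_PSEUDONYM_KEY = secrets.token_bytes(32)


def pseudonym(subject_id: str, key: bytes = LOG_PSEUDONYM_KEY) -> str:
    """Keyed hash: events for one user can be correlated, but the ID cannot
    be recovered from the log without the key."""
    return hmac.new(key, subject_id.encode(), hashlib.sha256).hexdigest()[:16]


def scrub(obj):
    """Recursively redact sensitive keys and withhold any raw byte strings,
    which is where a captured sample or template would otherwise surface."""
    if isinstance(obj, dict):
        return {k: (REDACTED if k.lower() in SENSITIVE_KEYS else scrub(v))
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [scrub(v) for v in obj]
    if isinstance(obj, (bytes, bytearray)):
        return f"<{len(obj)} bytes withheld>"
    return obj


class ScrubFilter(logging.Filter):
    """Runs before formatting: scrubs structured events and the arguments of
    any exception attached to the record, so a vendor error that embeds the
    sample in its message does not land in the error log."""

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.msg, dict):
            record.msg = json.dumps(scrub(record.msg), sort_keys=True)
        if record.exc_info and record.exc_info[1] is not None:
            exc = record.exc_info[1]
            exc.args = tuple(scrub(a) for a in exc.args)
        return True


def build_logger(stream) -> logging.Logger:
    """Audit logger writing to the given stream with the scrub filter attached."""
    log = logging.getLogger(f"biometric-audit-{id(stream)}")
    log.handlers.clear()
    log.setLevel(logging.INFO)
    log.propagate = False
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(ScrubFilter())
    log.addHandler(handler)
    return log


def verify(log, subject_id: str, device_id: str, sample: bytes,
           template: bytes, matcher) -> bool:
    """Run the matcher and emit exactly one audit event. The event carries
    who (pseudonymised), where, when and the outcome, never the biometric."""
    base = {"ts": time.time(), "subject": pseudonym(subject_id), "device": device_id}
    try:
        score = matcher(sample, template)
    except Exception:
        log.error({**base, "event": "biometric.error"}, exc_info=True)
        return False  # fail closed on matcher errors
    accepted = score >= MATCH_THRESHOLD
    log.info({**base, "event": "biometric.verify",
              "outcome": "accept" if accepted else "reject",
              "score": round(score, 3)})
    return accepted


def demo():
    """Constructed run: one good match, one matcher failure that tries to put
    the raw sample into its exception. Returns the outcomes and the log text."""
    buf = io.StringIO()
    log = build_logger(buf)
    sample = b"RAW-FINGERPRINT-SAMPLE-0001"   # constructed stand-in
    template = b"STORED-TEMPLATE-0001"        # constructed stand-in

    def good_matcher(s, t):
        return 0.93

    def broken_matcher(s, t):
        raise RuntimeError("decode failed", s)  # vendor-style leaky error

    accepted = verify(log, "alice", "door-12", sample, template, good_matcher)
    errored = verify(log, "alice", "door-12", sample, template, broken_matcher)
    return accepted, errored, buf.getvalue()


if __name__ == "__main__":
    print(demo()[2])
```

The filter sits on the handler rather than on the calling code, so a developer who later logs a vendor exception directly still cannot write the sample to disk by accident. The log text from `demo()` contains the pseudonymised subject, the device and the outcome, and for the failure a traceback whose message reads `bytes withheld` where the vendor put the sample.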

As with any access technology, it should be properly risk assessed. The assessment may show that biometrics are only needed for more sensitive areas or systems, so the roll-out should be practical, pragmatic and cost effective.

A layered approach is best, as it may not be appropriate or practical to roll it out to all business areas or systems.

Five starter guide points

1. Use biometric systems in a sensible, proportionate and pragmatic manner – not a blanket approach.

2. Engage with users in an open and transparent way. If users feel they are part of the security system, resistance tends to break down, they are reassured, and they are less likely to attempt risky behaviours to circumvent controls.

3. As with all technology, do not view biometric technology as a panacea. Biometrics requires careful management, supported by policy, process and quality education. The old issues of tail-gating or not locking computer screens during workstation absence still remain and should not be forgotten or ignored.

4. Engage with data protection teams to ensure complete compliance and reassurance of users that the data they have lent you will be properly protected and managed.

5. Ensure human resources processes, vetting and access management are effectively integrated and joined up. The processes for starters, movers and leavers are sometimes below par (which is why we hear of people who have left a business still being able to log in to networks using their old credentials) and this needs to be tightened up and prioritised.

Mike Gillespie is director of cyber research and security at The Security Institute.
