Businesses in the modern world must utilise security procedures like biometrics to stay ahead of the competition. Grahame Williams, Identity & Access Management Director at Thales, discusses how biometrics is being used to change the identity and access management game.
The cyber world is a constant battle. As businesses look to innovate and progress, there are always threat actors trying to either halt that progress or take advantage of it. Businesses start saving customer details to make future purchases more convenient and to frame the development of future products; hackers steal that information to sell on the Dark Web. Passwords are invented to protect access to information; hackers steal passwords through multiple means, such as phishing attacks or simply guessing. With the world becoming more connected by the day, hackers will not back down and businesses need to remain vigilant about how to protect their logical and physical access.
This is because as technology has developed, businesses have sought to protect themselves using more advanced means, and hackers have had to adapt. The latest development in the cyber battle is the implementation and use of biometrics. Whereas passwords can be easily replicated or even guessed, the intended benefit of biometrics is that it is a complex system designed to be unique to the user. So, what do businesses need to be aware of when it comes to biometrics?
The development of biometrics
To start off with, biometrics is the most suitable means of identifying and authenticating individuals in a reliable and fast way through unique biological characteristics. Essentially, it allows a person to be identified and authenticated based on recognisable and verifiable data that’s unique and specific. The technology has come a long way over the past 10 years and now encompasses everything from fingerprints and retinal scans to voice identification and facial recognition. According to Global Markets Insights, the global biometric market is expected to be worth over US$45 billion by 2027.
So, what can biometrics be used for when it comes to security?
In a world where employees are now able to access systems and information outside of the core company network, amplified due to the increase in remote working, businesses have never been more at risk. The biggest issue is one of trust – how do companies know the employee that’s accessing their system from an unknown location is who they say they are?
This is where identity and access management comes in – a vital tool in the fight against hackers. The previous defence for proving identities has been the password, which once stolen can be used to log in from anywhere. The issue is further exacerbated if companies employ a system that grants full access for employees automatically, once they’ve logged in. Essentially, it means if a hacker was able to access an employee’s password, they’d have the keys to the kingdom. Biometrics is aiming to change the identity and access management game.
Put simply, biometric systems are well suited wherever identification and authentication are critical. This could be for law enforcement and public security, border travel, as well as physical and logical access to a business’s premises, networks or systems.
Securing the biometrics
With such widespread usage, the question businesses need answering is how to implement and secure biometrics. Biometrics serves both authentication and identification, but the two require different techniques to work. Identification answers the question, ‘who are you?’ – identifying the person as one among others. Their details are then compared with others stored on the same or another system. Authentication differs in asking ‘are you really who you say you are?’. In this case, biometrics allows the person’s identity to be verified by comparing the data they provide with pre-recorded data for the person they claim to be. To identify someone, identification requires a centralised biometric database that allows several people’s biometric data to be compared. Authentication doesn’t need this, as the data can be stored on a decentralised device, such as a smart card or a smartphone.
For data protection, businesses should focus on the authentication method due to the decreased risk involved. This is because the ‘token’ (ID card, smart card, phone app etc.) is kept in the user’s possession and their data doesn’t have to be stored in any database. If an identification process requiring an external database is used, the user does not have physical control over their data, putting them at increased risk. Biometric data is considered highly sensitive under the GDPR and, as such, should be strongly protected and carefully managed in line with privacy laws. Essentially, businesses can’t process the data unless given specific consent from the user.
Finally, to be truly successful, biometrics needs to form part of an overall security strategy. The move beyond the company perimeter brought about by remote working, coupled with the increase in data breaches, has rendered the concept of trust extinct. This is where Zero Trust comes in. It is not a specific technology, but rather a strategy with strict and continuous identity verification and control of data in the cloud to minimise trust zones. Zero Trust adds a further level of internal security by ensuring people must be authorised each time they want to access something – meaning they don’t automatically have access to the entire system – with biometrics acting as the authentication method.
A new frontier
So as businesses expand beyond the border of their network perimeters, some permanently in the era of the hybrid worker, the next frontier in the cyber fight is upon us. Biometrics is set to be a game changer with its extra layer of security, through the unique identification of users. For businesses it should put them ahead of hackers by enhancing their identity and authentication methods, ensuring that only those who are authorised can access systems, services and information.
Organisations will likely experience some difficulties in getting to grips with biometrics, due to its complex nature and strict regulatory and application frameworks. Unfortunately, businesses have no choice other than to look towards such highly secure and protective solutions, as hackers are constantly looking to take advantage of any chinks in the armour. Businesses that don’t have the expertise in-house should look to partner with companies that do, or reach out to organisations like the Biometrics Institute, whose primary objectives include sharing best practices and promoting the responsible use of biometrics in both the public and private sectors. So as the race against the hackers hots up, businesses have a new vehicle to jump on and it’s up to them now to stay ahead.