Organizations at the enterprise level have a fairly complex IT infrastructure, with resources that are accessed simultaneously by many users, devices and applications. Information and resources on a corporate network can be crucial for business continuity, and a breach may bring business operations to a complete halt. Data breach incidents not only affect business operations but also have long-term effects on business growth and brand reputation. Information security incidents expose an organization's inability to address risks and implement information security measures, and they erode the trust of business clients as well as end-users. Information security is a continuous effort. Threats from the digital landscape are constantly evolving, and hackers have proved on many occasions that they are one step ahead of cyber security experts. It is very important for an organization to know who or what is on its network; this includes both people and entities.
Data breaches may look like an expert job, but the reality is that cyber-attackers take advantage of weaknesses in a system. These weaknesses range from insecure passwords to identified but unpatched system vulnerabilities. Inadequate policies on the usage of organizational resources can also open doors for outside threats to information security. A study conducted by Stratecast (a division of Frost & Sullivan) in 2013 found that more than 80 percent of employees admit to using non-approved Software as a Service (SaaS) applications in their jobs. This trend was more apparent among IT professionals than among employees of other industries. This risky employee behavior is known as shadow IT. Shadow IT is not limited to SaaS applications; installing favorite applications on corporate resources also comes under this practice. It is often done without the permission or awareness of the IT department. IT employees, being more skilled at practicing shadow IT, pose a greater risk to information security in an organization.
Identity fraud and data breaches on the rise
According to a report by Javelin Strategy & Research, 13.1 million identity frauds took place in 2015, incurring losses of $15 billion. Illegal usage of others' identities for financial gain is an increasing trend around the globe. Portable devices like smartphones, tablets and laptops can contain a lot of the owner's personal information. Payments shifting from cards to portable devices have made them extremely prone to theft and cyber-attack. Spreading spyware through emails, social media links or free software to sniff personal and payment information has been a consistent method of identity theft. Spyware keeps transmitting personal and payment information to a pre-defined location until it is cleaned from the device. This information can be used to perform online transactions, to steal money from your credit card or bank account, to open new bank or credit card accounts in your name, or simply to sell to other parties for illegal purposes.
It's not just identity fraud that is on the rise; data breach incidents are hitting companies and governments alike. Data breaches have grown exponentially in the last five years, from 419 incidents in 2011 to 1093 incidents in 2016. Verizon Enterprise publishes the annual Data Breach Investigations Report (DBIR), which provides in-depth analysis of information security incidents. The report primarily focuses on data breaches that took place around the world, from private to government outfits. The 2016 edition of the DBIR states that 63% of data breaches involve the use of weak, default or stolen passwords. Unaddressed password weaknesses are one of the main culprits in data breach incidents. People often tend to ignore password-related warnings because they find it hard to change and remember new passwords. This ignorance turns out to be fatal in the event of an information security incident.
3 essentials of information security
Information security has become a major challenge for organizations of all sizes and verticals. Data breach attempts keep knocking on the door around the clock. Threats to information security are getting more sophisticated, organized and complex. With money as the motive, businesses are always a preferred target of cyber attackers. Cyber extortion made news headlines in 2017. The WannaCry ransomware attack spread around the globe, adversely affecting business operations and healthcare services; it encrypted user data and demanded a ransom of $300 for the decryption key. The devices affected by this incident were mostly those that had not taken appropriate information security measures. Microsoft had to release an emergency patch for its abandoned Windows XP operating system, support for which had ended back in April 2014. Usage of an obsolete operating system served as a doorway for cyber attackers. This indicates how lightly information security practices are taken in most organizations.
Single Sign-On (SSO) is a session and user authentication service that permits a user to use one set of login credentials (e.g., ID and password) to access multiple applications. Single sign-on is often implemented for related but independent applications, so that the user is not prompted again when switching to another application within the same session. It improves the user experience, as the user needs to sign in only once to access multiple applications, and it also helps with logging and monitoring user activity on the back-end. Repeated prompts to enter a user ID and password not only degrade the user experience but may also cause password fatigue.
A growing number of online services require people to create new accounts and set a password for identity authentication. With every subscription to a service, the list of passwords to remember keeps growing. Passwords that are easy to remember are often weak and can jeopardize account security. Single sign-on with user biometrics can be the answer to all password-related shortcomings. A one-time biometric scan can authenticate users to access all related applications for a session. For example, fingerprints, which are fairly easy to integrate with most services, can be used for single sign-on across a set of applications. This not only offers an unmatched user experience for logging in to user accounts but also ensures account security and reduces cost by lowering the number of password-related IT help desk calls.
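The single sign-on flow described above, as an added illustration that is not code from the original article or from any SSO product: one login at an identity provider yields a signed session token, and each application in the SSO circle verifies that token instead of prompting the user again. The token format, shared secret, application names and session lifetime are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

IDP_SECRET = b"example-shared-secret-not-for-production"  # constructed; shared by the IdP and all apps
SESSION_TTL = 3600                                        # assumed session lifetime in seconds
SSO_APPS = ("mail", "crm", "wiki")                        # assumed applications in the SSO circle


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _sign(payload: bytes) -> bytes:
    return hmac.new(IDP_SECRET, payload, hashlib.sha256).digest()


def issue_session(user: str, now: Optional[float] = None) -> str:
    """Identity provider side: after ONE successful login, mint a token every SSO app accepts."""
    now = time.time() if now is None else now
    claims = {"sub": user, "aud": list(SSO_APPS), "exp": now + SESSION_TTL}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    return _b64(payload) + "." + _b64(_sign(payload))


def verify_session(token: str, app: str, now: Optional[float] = None) -> Optional[str]:
    """Application side: accept the session without a new login prompt, or reject it.
    Returns the user id on success and None on any failure (malformed, forged, wrong app, expired)."""
    now = time.time() if now is None else now
    try:
        body_b64, sig_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(body_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:                                   # wrong shape or bad base64
        return None
    if not hmac.compare_digest(sig, _sign(payload)):     # tampered or forged token
        return None
    claims = json.loads(payload)                         # safe to parse: the IdP signed this payload
    if app not in claims.get("aud", []):                 # this app is not part of the SSO circle
        return None
    if now >= claims.get("exp", 0):                      # session over: the user must log in again
        return None
    return claims["sub"]
```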
Every service used online gives birth to a new password, and with most services now present on the internet, that becomes a lot of passwords to remember. The increasing number of threats has led most online services to implement a minimum password complexity policy, which requires you to use a strong password by adding numbers, capital letters and special characters. Complex passwords may be good for account security, but they are not at all easy to remember, especially when there are many of them. Amid this password chaos, the password manager comes to the rescue.
A password manager is a program that can generate, store and retrieve complex passwords for you. Most password managers are available as an online service, though some publishers also offer local installations. Passwords are stored in encrypted form to keep them safe from malicious users and applications. A master password is required to access all stored passwords. This master password can be kept fairly complex, as it is the only password the user has to remember. Password managers can automatically fill login/password fields in online forms and applications, enhancing the user experience and ensuring information safety at the same time. Many operating systems also provide built-in password managers that store and retrieve passwords in encrypted form; however, they come with limited functionality compared with independent commercial products.
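An added example covering the two preceding paragraphs, written for this article rather than taken from it or from any password manager product: a minimum complexity policy check, a generator that produces policy-compliant passwords from the OS random source, and a master-password unlock check built on a stretched key. The policy values, iteration count and vault layout are assumptions for the illustration.

```python
import hashlib
import hmac
import secrets
import string

# Complexity policy of the kind described above; the values are assumptions for this example.
MIN_LENGTH = 14
REQUIRED_CLASSES = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{}",
}
PBKDF2_ITERATIONS = 600_000  # assumed; in the order of magnitude recommended for PBKDF2-HMAC-SHA256


def meets_policy(password: str) -> bool:
    """True if the password is long enough and contains a character from every required class."""
    if len(password) < MIN_LENGTH:
        return False
    return all(any(c in chars for c in password) for chars in REQUIRED_CLASSES.values())


def generate_password(length: int = 20) -> str:
    """Generate a policy-compliant password using the OS CSPRNG (secrets), never random.random."""
    classes = list(REQUIRED_CLASSES.values())
    chars = [secrets.choice(cls) for cls in classes]                  # guarantee one of each class
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)                             # hide which positions were forced
    return "".join(chars)


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the one password the user remembers into a 256-bit vault key (PBKDF2-HMAC-SHA256).
    A real manager feeds this key to an AEAD cipher from a vetted library to encrypt the stored entries."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


class Vault:
    """Minimal vault header: a per-vault salt plus an HMAC check value, so a wrong master password
    is detected without ever storing the key or the master password itself."""

    def __init__(self, master_password: str):
        self.salt = secrets.token_bytes(16)
        self._check = self._tag(derive_vault_key(master_password, self.salt))

    @staticmethod
    def _tag(key: bytes) -> bytes:
        return hmac.new(key, b"vault-unlock-check", hashlib.sha256).digest()

    def unlock(self, master_password: str) -> bool:
        """Constant-time comparison so the check value gives away nothing byte by byte."""
        return hmac.compare_digest(self._tag(derive_vault_key(master_password, self.salt)), self._check)
```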
Access control can strengthen information security. Physical access control to server rooms, equipment, data centers, etc. can address physical threats to information security. Access control at the logical level, e.g. identification and authentication of users and entities, can neutralize a threat at the login prompt. Biometric authentication can play a vital role in both physical and logical access control and can address the inadequacies of traditional login/password, PIN or card-based authentication. Traditionally, passwords have been used as a trusted tool for authentication, but with the changing information security scenario and increasing threats from all corners, they are rapidly losing their significance. Biometric authentication can offer a solution in these hard times for information security. Access to information only for the right person, at the right time and for the right reasons is the whole idea of access control, and biometric authentication can help implement it.
Fingerprints as an authenticator will not only eliminate the risks associated with PINs and passwords, but also ensure that the right person has access to resources, as a live fingerprint scan is the only way to pass the authentication layer. Implementing fingerprint-based authentication also gives organizations a chance to meet government mandates without much hassle. Regulated industries often go through rigorous audits to verify their compliance in several areas. Auditors pay special attention to how access control is implemented in an organization. Fingerprint access control helps achieve the level of access control required by regulatory compliance.
Safeguard your IT infrastructure with IAM
According to the Gartner IT Glossary, identity and access management (IAM) is the security discipline that enables the right individuals to access the right resources at the right times for the right reasons. Management of individual users, their authentication, authorization and privileges within or across system and enterprise boundaries are the practices of identity and access management. Identity is the new firewall against threats, be they internal or external. Identity-driven information security can overcome challenges that go unaddressed in other approaches. Conditional access to resources, mitigation of administrative risks, compliance reporting, reporting of inconsistent access patterns, etc. are some of the ways organizations can gain more transparency throughout the network and its resources. Benefits of IAM include:
- User transparency throughout the network
- Reduced help desk costs
- Recognition and elimination of active accounts that have no valid owner
- Elimination of unapproved account configuration
- Administrators having better knowledge of user accounts, their behavior and patterns
- Improved information security, reduced threats, hence reduced cost
- Improved accuracy, and faster than password-based logins
There are multiple challenges to information security coming from all directions, be it physical threats, cyber threats or an inside job that opens doors for external attacks; information security is probably going through its hardest time. More and more resources coming into the connected world, together with the increasing capabilities of cyber attackers, have multiplied the risk. The ransomware attack that shook the world in May 2017 was repeated in June of the same year, affecting many computers in many parts of the world. This shows a tendency among users not to take countermeasures even after taking a hit. Many organizations didn't apply the patch that was released to fix the vulnerability, mostly because of a lack of proper policies and staff to do the job in comparatively smaller, non-IT organizations. It is an unfortunate fact that this attack was carried out with a tool prepared by the NSA to exploit PCs for government-organized hacking attempts.
Internal threats to information security, such as inside jobs, shadow IT and other potentially insecure activities, need to be stopped with proper countermeasures. Shadow IT can pose a significant risk in an organization. This irresponsible and potentially harmful behavior can be addressed by deploying shadow IT discovery and data protection tools that enable safe selection and deployment of cloud services and notification of unauthorized ones. Implementing proper identity and access management practices can greatly reduce information security risks. A good electronic identity is something that is verifiable and difficult to reproduce; it must also be easy to use. Biometrics meet all these conditions and more. They can serve as a maintenance-free electronic identity that does not need to be changed or reset and can work at all login and single sign-on screens. They ensure user accountability, as the user has to be present to scan his or her biometrics. Knowing your users, their behavior and their activity patterns is the key to distinguishing between an authorized user and an unauthorized one.