The compromise of biometric data has dominated headlines of late, and it’s an issue that isn’t going away anytime soon. This shouldn’t come as much of a surprise: while the idea of using fingerprints or facial recognition as a means of authentication might seem to be more secure than garden-variety passwords, biometric data is just that, data, and data can be stolen.
Unlike passwords, it’s unchangeable data, which makes it potentially far more valuable. Against this backdrop, it makes complete sense that attackers would set their sights on this gold mine of data. Organizations are increasingly using biometric data for authentication and identification purposes, which introduces several new avenues of attack for cyber-criminals:
Target: Biometric data used in multi-factor authentication; Motive: Infiltrate corporate networks
Organizations have been struggling with preventing data breaches caused by weak passwords for decades, and the tech community has continually tried to help their efforts by introducing additional layers of authentication, such as geo-location data, tokens and, now, biometric data.
Attackers have figured out various ways to defeat each layer of the multi-factor authentication stack, and biometric data is no exception, thanks to data manipulation tactics. Once hackers get their hands on this data, they hold the proverbial “keys to the kingdom” and can infiltrate corporate networks to steal assets and information that will result in financial gain.
Target: Biometric data used in identification; Motive: Cyber warfare
Adversaries, such as nation states, are increasingly targeting biometric data used for identification as part of their cyber warfare strategy. Additionally, facial recognition technology is making it easier and faster than ever to identify someone in public by their facial features alone. For individuals in government, law enforcement and the military, the impact of a breach of this nature could be catastrophic – even life threatening.
Is the use of biometric data really necessary?
Many organizations operate with an “outside-in” security model, where external threats and compliance mandates dictate security strategy and spend. In other words, they react to the latest threats by implementing the latest and greatest technology solution (in this case, using biometric data for multi-factor authentication and identification), without stopping to consider whether adding the technology in question is actually necessary to mitigate risk.
A better approach to security is, you guessed it, “inside-out,” where enterprise risk dictates security strategy and spend. In this world, the impact of using biometric data on enterprise risk would be the determining factor – will it make it harder for bad people to compromise identities and penetrate our systems? Or will it only add a new risk that could be expensive and time consuming to mitigate?
For example, in some cases, organizations may find that they need to leverage biometric data for multi-factor authentication to mitigate risk, and they may have an effective strategy for ensuring that the data is always encrypted and secure. In this case, biometrics might very well make an enterprise more secure and productive, since users won’t have to do password resets or get locked out of systems they should have access to.
However, other companies may find that it makes more sense to strategically segment their networks and data, rather than add biometric-based authentication layers that make it harder for users to get onto a network in the first place. The security strategy for each company will be different, as each organization has a unique risk profile.
The age of identity-defined security
In an age where digital transformation has made it impossible to build virtual walls around data, identity has become the new perimeter, and biometric identifiers now serve as a new type of access control. In this new world, organizations need to mature their identity and access management (IAM) programs to incorporate identity-centric security.
At a high level, identity-centric security is a concept that advances perimeter-based security by implementing next-generation IAM practices and integrating IAM more tightly throughout the entire security program. The first step to achieving identity-defined security is to commit to it, and that means making a strategic investment in a programmatic approach to IAM. Once you've done that, you will need to start with the basics:
- Developing a prioritized IAM roadmap, which includes business drivers, current-state challenges, and future-state recommendations;
- Establishing a universal understanding of every person who works for your organization or with your organization, and exactly what access they have at all times.
Key access considerations include people who have access to personally identifiable information, biometric data, source code and intellectual property, human resources data, and so on.
Once this information is understood, you can move forward with basic controls such as access control, user lifecycle management and access governance. With these controls in place, you’ve set the foundation for identity-defined security and can move on to more advanced controls.
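The "basics" above, knowing who holds access to which sensitive data and governing it over the user lifecycle, are easier to picture as a concrete check. The following is an added example, not code from the article or any product: it runs a simple access review over a constructed identity inventory, flagging leavers who still hold access, users holding sensitive categories (PII, biometric data, source code, HR data, as listed above) beyond what their role allows, and access that has not been re-attested recently. The role model, category labels, user names and review dates are all hypothetical.

```python
from dataclasses import dataclass
from datetime import date

# Sensitive data categories following the article's list (PII, biometric
# data, source code / IP, HR data). The labels themselves are constructed.
SENSITIVE = {"pii", "biometric", "source_code", "hr"}

# Hypothetical role model: the sensitive categories each role is expected
# to hold. Anything beyond this is "excess" and needs a review decision.
ROLE_ENTITLEMENTS = {
    "engineer": {"source_code"},
    "hr_analyst": {"pii", "hr"},
    "auth_platform_admin": {"biometric", "pii"},
    "contractor": set(),
}


@dataclass(frozen=True)
class Identity:
    user: str
    role: str
    active: bool          # False once the person has left (a "leaver")
    access: frozenset     # sensitive categories the account currently holds
    last_review: date     # when a manager last attested this access


# Constructed inventory standing in for an export from an IAM system.
INVENTORY = [
    Identity("alice", "engineer", True, frozenset({"source_code"}), date(2024, 5, 1)),
    Identity("bob", "engineer", True, frozenset({"source_code", "biometric"}), date(2024, 1, 10)),
    Identity("carol", "hr_analyst", True, frozenset({"pii", "hr"}), date(2024, 5, 20)),
    Identity("dave", "contractor", False, frozenset({"pii"}), date(2023, 12, 1)),
    Identity("erin", "auth_platform_admin", True, frozenset({"biometric", "pii"}), date(2024, 5, 15)),
    Identity("frank", "intern", True, frozenset({"source_code"}), date(2024, 5, 25)),
]


def review_access(inventory, today, max_review_age_days=90):
    """Return (user, finding, detail) tuples for identities needing attention.

    orphaned      - inactive identity still holding access (lifecycle gap)
    unknown_role  - role not in the model, so entitlements cannot be judged
    excess        - sensitive categories beyond what the role allows
    stale_review  - access not re-attested within max_review_age_days
    """
    findings = []
    for ident in inventory:
        if not ident.active:
            if ident.access:
                findings.append((ident.user, "orphaned", sorted(ident.access)))
            continue  # nothing else to judge for a leaver; the access must go
        if ident.role not in ROLE_ENTITLEMENTS:
            findings.append((ident.user, "unknown_role", ident.role))
        expected = ROLE_ENTITLEMENTS.get(ident.role, set())
        excess = (ident.access & SENSITIVE) - expected
        if excess:
            findings.append((ident.user, "excess", sorted(excess)))
        age_days = (today - ident.last_review).days
        if age_days > max_review_age_days:
            findings.append((ident.user, "stale_review", age_days))
    return findings


def holders_of(inventory, category):
    """Active identities that currently hold a given sensitive category,
    i.e. the answer to "who can touch our biometric data right now?"."""
    return sorted(i.user for i in inventory if i.active and category in i.access)


if __name__ == "__main__":
    for user, kind, detail in review_access(INVENTORY, date(2024, 6, 1)):
        print(f"{user:6} {kind:13} {detail}")
    print("biometric holders:", holders_of(INVENTORY, "biometric"))
```

Run against the constructed inventory, the review flags bob (holds biometric data an engineer should not, and was last reviewed 143 days ago), dave (a leaver still holding PII) and frank (an unmodelled role, so his source-code access cannot be justified); alice, carol and erin are clean. In a real program the inventory would come from the IAM system of record and the role model from the access-governance process, but the shape of the check is the same.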
Biometrics is one of these advanced controls – and, as with everything else in security, technology should be considered from an enterprise-risk perspective. For example, if you haven’t already implemented the “blocking and tackling” elements of IAM cited earlier, then there’s not much point in implementing biometrics.
On the other hand, if your IAM program is mature and functioning well, there may very well be cases where you want to use biometrics for specific systems (although, in most cases I’ve observed, enterprises meeting this description are doing just fine without biometrics).
Which brings us back to our original question: Is the use of biometrics really necessary? To that question I can confidently say: maybe yes, maybe no. If you’ve done a good job at implementing identity-defined security in your organization, then maybe biometrics could be useful for specific systems and data.
If you haven’t done that, then it’s likely biometrics qualifies as a “shiny object” that will only distract you from doing what you really should be doing: building a robust identity management program.