Author: Paul Reid
Publisher: Prentice Hall PTR
The promotional material I’ve got with this book explains the need for biometric systems, and it notes that the biggest vulnerability in most enterprise networks is the authentication system, especially if it relies solely on passwords. Maybe this isn’t the biggest problem, but where we have human interaction, we can expect a number of security issues. With all the problems related to using simple password-based authentication methods, biometrics surely has major “pros” for its implementation in enterprise networks.
About the author
Paul Reid is a Security Manager at BearingPoint in Ottawa, Canada. His specialty is real world application of biometric systems including their implementation and design. Mr. Reid has worked globally for many Fortune 500 companies and is a frequent presenter at conferences.
Inside the book
There are three main ways of authenticating an identity – something you know (password), something you have (token) and something you are. Obviously the book is all about the third option. The author starts by giving some information about the authentication mechanisms and follows each of them with a set of pros and cons. As biometrics are mostly needed in larger organizations, Reid offers some good insights on the influence biometric technology can have on both employer and employee privacy.
After introducing the readers to all the positive aspects of the technology, the author provides a valuable list of things that make a good biometric solution. This is followed by a powerful section on different technologies. The concise way of presenting these technologies will surely help readers understand the good and bad sides of each specific way of biometric authentication. This section covers in detail finger, face, voice and iris biometrics, focusing on the inner workings, authentication mechanisms and ways to spoof them.
The final part of the book centers on the application of biometrics in network security. After providing most of the positive and negative aspects of each different technology, the author gives another round of help by providing the readers with a scorecard of each technology from a couple of different points of view: acceptance, easy implementation, ROI, deployment, noninvasion, maturity, size, habitation, FAR and FRR. The last two, FAR and FRR, are statistical measures of biometrics, and the math behind these measures also gets some exposure.
Now that the reader is familiar with biometrics, it is time for the information needed for deployment of a biometric-secured network. Before starting to read the book I was expecting the author to provide a working case study scenario that would guide us through all the steps of technical biometric deployment within a network. I was a bit disappointed that it wasn’t so, but a case study wouldn’t be fair as it would probably focus on just one or two biometric technologies. Also, it is more important to understand how to successfully plan the whole process of the actual implementation. Therefore the readers are presented with a valuable set of procedures on choosing technology vendors, creating a testing deployment site and rolling out.
I was interested in reading and reviewing this book primarily because biometrics was always an interesting topic for me and I didn’t see any network security publications covering exclusively biometrics. After yet another pre-InfoSecurity Europe conference study showed that employees are willing to trade their passwords for stupid things such as chocolate bars, I surely hope the trend of biometrics adoption will go upscale.
Overall the book provides a wealth of knowledge for anyone interested in implementing biometrics for the purposes of fortifying the network environment he/she works in.
The biggest positive of Reid’s “Biometrics for Network Security” is that the author presents information that is of great interest to different types of readers – the security enthusiasts new to biometrics, network security administrators trying to weigh the pros and cons of biometric deployment and even upper management that needs some knowledge on these topics to give the final OK for the possible implementation.