BYOD and biometrics in the enterprise – ally or enemy?


BYOD continues its victory march as the enabler of choice among employees juggling increasingly intertwined home and work lives; for IT managers, however, it is the stuff of nightmares. The risks to the enterprise have been written about many times, so I shall not repeat them here.

However, as smartphone capabilities evolve, the balance between “IT friend” and “IT foe” must be constantly re-evaluated. The advent of mainstream biometric technology in smartphones is a great example of how the tables might be turning. But what is the true potential of this technology for the enterprise?

Biometric technology certainly opens up a host of new possibilities and an entirely new level of security for BYOD devices. For a start, biometrics does "feel" (pun intended) more secure than passwords. After all, biometric information can't be easily guessed or shared among users, and therefore offers the potential to deliver a higher level of assurance, at least for basic device access.

But could the benefits go further? It’s inevitable that personal devices will hold ever-increasing amounts of corporate data – and with confidence in passwords fading it is hoped that biometrics will lead the way towards greater security and data protection within the enterprise.

Biometrics is particularly well suited to mobile devices with their plethora of on-board sensors, including cameras, microphones and the fingerprint reader now boasted by Apple.

Traditionally, the only way to get this type of authentication technology into the hands of corporate users was by issuing dedicated tokens, which are costly and complex to deploy and often represent a barrier to all but the most security-conscious (and well-funded) organizations.

Using the phone itself as the token is not only cheaper for businesses than issuing tokens to the workforce; it also means that the same experience can apply when accessing apps from the phone, from the desktop or even for physical access. When it comes to security, consistency is a good thing.

This is where the phone really does become a corporate ally, bypassing the huge expense of giving staff traditional authentication tokens such as OTP widgets and smart cards. There are fringe benefits too: people never forget to bring their phone to the office, and since it is a familiar device the user experience is better. Years of experience tell us that happy users don't try to dodge the system in an attempt to side-step inconvenient controls.

Sounds great, but the big question is whether biometrics is ready for prime time. Biometrics is hardly a "one size fits all" solution. For some people it simply doesn't work: the fingerprint won't scan, the iris isn't recognised or the voice goes unrecognised. Unlike passwords and tokens, a biometric match is probabilistic rather than definitive. It is not a binary go/no-go; every matcher is tuned somewhere between false rejections (a legitimate user locked out) and false acceptances (an impostor let in), and lowering one rate raises the other. This lack of certainty means that a fall-back is always necessary.

These secondary forms of authentication can range from behavioural traits to geo-location data and other credentials such as certificates, but all too often they come in the form of a good old-fashioned password. The danger is obvious: a cyber-criminal could simply bypass the sophisticated biometric system by attacking the fall-back, for instance with a basic password reset, so the overall strength is only that of the weakest path. The challenge is therefore to introduce strong, comprehensive back-up systems without driving costs sky-high or complicating the user experience.

Another challenge with the use of biometrics in the enterprise is that the number of tokens available is finite: you only have ten fingerprints. Once one of your biometric "tokens" is compromised it is gone and can never be used again, not even in another application. While this finite number might be sufficient for personal use, in an enterprise setting IDs and credentials are in a constant state of flux. Roles change, people and systems come and go, and security requirements change.

If an employee used his index finger to open a door at one company and then changed jobs, would his new employer be happy for him to use the same finger to access the door to his new office? Of course, there are other forms of authentication such as voice verification and facial recognition, and all are potentially a good fit for smartphones. However, these technologies are even further from mainstream adoption than fingerprint authentication and face the same basic challenges. On the whole, authentication based solely on "something you are", which cannot be reissued the way "something you know" or "something you have" can, is somewhat limiting and inflexible.

The last, and possibly the most pertinent, issue with biometrics is that, like everything else, it can be hacked. The movies have us focus on the biometric sensors themselves and how they can be fooled by lifted fingerprints or even severed fingers, but the reality is more mundane. Authentication and authorization decisions are taken on, or at least pass through, the phone, and many phones are relatively open and can be easily compromised. Why fake the fingerprint when you can just fix the decision? Biometric cracking has already been reported in the case of the new iPhone, and no doubt there is more to come.
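To make the last point concrete, here is an added example (not code from the original article, and not any vendor's implementation) contrasting the two designs. The naive server trusts a boolean that the app reports, so anything that can edit that message on the phone "fixes the decision". The hardened server issues a fresh nonce and accepts only a signature produced by a key that never leaves a secure-element stand-in and is released only on a local match. The HMAC key, the enrolled template, the class names and the exact-match comparison are illustrative assumptions; a real device would use a hardware-bound asymmetric key and a scored matcher.

```python
import hashlib
import hmac
import os
import secrets

# Constructed example data: an enrolled template and a per-device key that, in a
# real deployment, would be generated inside the phone's secure hardware.
ENROLLED_TEMPLATE = b"alice:fingerprint-template-v1"
DEVICE_KEY = secrets.token_bytes(32)


def naive_server_accepts(message: dict) -> bool:
    """Weak design: the app reports the biometric verdict and the server believes it."""
    return message.get("user") == "alice" and message.get("biometric_ok") is True


class SecureElement:
    """Stand-in for tamper-resistant hardware. The key never leaves this object; the
    only operation exposed to the app layer is 'sign this nonce if the finger matches'."""

    def __init__(self, template: bytes, key: bytes):
        self._template = template
        self._key = key

    def sign_if_match(self, presented: bytes, nonce: bytes):
        # Real matchers return a similarity score; an exact compare keeps the example short.
        if not hmac.compare_digest(presented, self._template):
            return None
        return hmac.new(self._key, nonce, hashlib.sha256).digest()


class Server:
    """Hardened design: the server verifies a signature over a fresh, single-use nonce,
    so a forged 'biometric_ok' flag or a replayed response proves nothing."""

    def __init__(self, enrolled: dict):
        self._device_keys = dict(enrolled)   # user -> key registered at enrolment
        self._outstanding = {}               # user -> nonce currently awaiting a response

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)
        self._outstanding[user] = nonce      # a new challenge supersedes any older one
        return nonce

    def verify(self, user: str, nonce: bytes, signature) -> bool:
        expected_nonce = self._outstanding.pop(user, None)   # consumed on first use
        if expected_nonce is None or not hmac.compare_digest(expected_nonce, nonce):
            return False                                      # never issued, stale or replayed
        key = self._device_keys.get(user)
        if key is None or signature is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)


def run_scenarios() -> dict:
    """Returns whether each attempt is accepted, for both designs."""
    se = SecureElement(ENROLLED_TEMPLATE, DEVICE_KEY)
    server = Server({"alice": DEVICE_KEY})
    results = {}

    # 1. Tampered app against the naive design: no finger needed, just set the flag.
    results["naive_forged_flag"] = naive_server_accepts({"user": "alice", "biometric_ok": True})

    # 2. Genuine user against the hardened design.
    nonce = server.challenge("alice")
    sig = se.sign_if_match(ENROLLED_TEMPLATE, nonce)
    results["hardened_genuine"] = server.verify("alice", nonce, sig)

    # 3. Wrong finger: the secure element refuses to sign, so there is nothing valid to send.
    nonce = server.challenge("alice")
    sig = se.sign_if_match(b"mallory:fingerprint-template", nonce)
    results["hardened_wrong_finger"] = server.verify("alice", nonce, sig)

    # 4. Tampered app tries to 'fix the decision' by fabricating a signature.
    nonce = server.challenge("alice")
    results["hardened_forged_signature"] = server.verify("alice", nonce, b"\x00" * 32)

    # 5. Replay of an earlier valid response after a newer challenge was issued.
    old_nonce = server.challenge("alice")
    old_sig = se.sign_if_match(ENROLLED_TEMPLATE, old_nonce)
    server.challenge("alice")
    results["hardened_replay"] = server.verify("alice", old_nonce, old_sig)
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:28s} accepted={accepted}")
```

The design point is that the phone never sends a verdict, only proof of possession of a key that a genuine match unlocked; the server's trust rests on the key's confinement in hardware, not on the honesty of the app.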

Of course, even if biometrics does succeed in delivering incremental security that is easy to use and holds up adequate defences, it will be of little use if it remains a closed technology, solely for the use of the phone manufacturer. We will only really see this authentication method taking over the mass market if platform owners such as Apple and the Android ecosystem open it up so that app developers, and the organisations that approve the use of mobile devices, can take full advantage of it.

So far I have focused on the biometric technologies, but it is vitally important not to lose sight of the fact that authentication and authorisation are processes, and that the scope of those processes is always changing. One of the current trends in this space is a shift to a more dynamic approach. In many situations merely presenting a credential to gain access needs to be augmented with adaptive secondary controls. Risk-based systems can enable additional security levels to kick in as and when needed.

This is where behavioural analytics will play an increasingly important role, allowing factors such as the type and volume of data being accessed to prompt additional authentication stages, and allowing the time of day and location to be matched against an employee's "normal" behaviour to detect any discrepancies.
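As an added illustration of the risk-based step-up just described (example code, not from the original article or any product), the block below keeps a per-user baseline of normal location, working hours and data volume, scores each access request by how far it deviates, and maps the score onto "allow", "step_up" (demand a second factor) or "deny". The baselines, the sample events, the weights and the thresholds are all constructed for the example; a real deployment would learn the baselines from session history and tune the weights against its own false-positive rate.

```python
from dataclasses import dataclass


@dataclass
class Baseline:
    """What is 'normal' for one employee, learned from past sessions (constructed here)."""
    usual_countries: set
    usual_hours: range            # local hours during which this user normally works
    typical_records_per_hour: int


@dataclass
class AccessEvent:
    user: str
    country: str
    hour: int                     # 0-23, local time
    records_requested: int
    data_class: str               # "public", "internal" or "confidential"


# Constructed baselines for two users.
BASELINES = {
    "susan": Baseline({"GB"}, range(7, 20), 40),
    "raj": Baseline({"IN", "GB"}, range(8, 22), 200),
}


def risk_score(event: AccessEvent, baseline: Baseline) -> int:
    """Each deviation from the baseline adds to the score; weights are illustrative."""
    score = 0
    if event.country not in baseline.usual_countries:
        score += 40                                   # request from a new country
    if event.hour not in baseline.usual_hours:
        score += 20                                   # outside the user's normal hours
    if event.records_requested > 5 * baseline.typical_records_per_hour:
        score += 30                                   # bulk pull well above the norm
    elif event.records_requested > baseline.typical_records_per_hour:
        score += 10                                   # somewhat above the norm
    if event.data_class == "confidential":
        score += 15                                   # sensitive data raises the bar
    return score


def decide(event: AccessEvent) -> str:
    """Maps the score onto the control that should fire: the primary credential alone,
    a second factor, or a hard stop pending review."""
    baseline = BASELINES.get(event.user)
    if baseline is None:
        return "step_up"                              # no baseline yet, so be cautious
    score = risk_score(event, baseline)
    if score >= 70:
        return "deny"
    if score >= 30:
        return "step_up"
    return "allow"


def evaluate(events) -> list:
    """Returns the decision for each event, in order."""
    return [decide(e) for e in events]


# Constructed sample traffic: a normal day, an odd hour, a clear anomaly, and an unknown user.
SAMPLE_EVENTS = [
    AccessEvent("susan", "GB", 10, 20, "internal"),        # routine
    AccessEvent("susan", "GB", 23, 20, "confidential"),    # late night, sensitive data
    AccessEvent("susan", "RU", 3, 500, "confidential"),    # new country, 3am, bulk export
    AccessEvent("raj", "IN", 9, 300, "internal"),          # slightly above normal volume
    AccessEvent("raj", "IN", 9, 1500, "confidential"),     # large sensitive pull
    AccessEvent("eve", "GB", 10, 1, "public"),             # no baseline on file
]

if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, evaluate(SAMPLE_EVENTS)):
        print(f"{event.user:6s} {event.country} {event.hour:02d}:00 "
              f"{event.records_requested:5d} {event.data_class:12s} -> {decision}")
```

Note that the scoring never replaces the primary credential; it only decides how much more proof to demand, which is what keeps the friction low for routine sessions and high for the anomalous ones.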

This type of analytics has been used in the online payments arena for years and will likely be applied to a much broader set of enterprise situations in the future. There will also be increasing use of more sophisticated attribute-based controls, where authorisation decisions focus on the user's context rather than on the user themselves. For example, a hospital A&E ward may grant access based on attributes such as "nurse with burns expertise" rather than to "Susan" or to a "nurse" in general.
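The A&E example above, worked through as an added attribute-based policy decision point (example code, not from the original article or any hospital system). No rule names a person: permission depends on the subject's role and specialties, the resource's type and ward, and whether the subject is on shift. The policy, the rule format, the attribute names and the people and records are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """Permit the action if every condition holds. Condition keys are
    'subject.<attr>', 'resource.<attr>' or 'env.<attr>'; the value is the literal
    required, and for multi-valued attributes it must be one of the values held."""
    action: str
    conditions: dict


# Constructed policy. The first rule expresses "nurse with burns expertise, on shift,
# reading A&E patient records"; the second lets consultants read any patient record.
POLICY = [
    Rule("read", {
        "subject.role": "nurse",
        "subject.specialties": "burns",
        "resource.type": "patient_record",
        "resource.ward": "A&E",
        "env.on_shift": True,
    }),
    Rule("read", {
        "subject.role": "consultant",
        "resource.type": "patient_record",
    }),
]


def _holds(actual, wanted) -> bool:
    """A multi-valued attribute (e.g. a set of specialties) satisfies the condition if it
    contains the wanted value; a single-valued attribute must equal it."""
    if isinstance(actual, (set, frozenset, list, tuple)):
        return wanted in actual
    return actual == wanted


def permitted(action: str, subject: dict, resource: dict, env: dict) -> bool:
    """Policy decision point: any matching rule permits; otherwise deny by default."""
    bags = {"subject": subject, "resource": resource, "env": env}
    for rule in POLICY:
        if rule.action != action:
            continue
        if all(_holds(bags[key.split(".", 1)[0]].get(key.split(".", 1)[1]), wanted)
               for key, wanted in rule.conditions.items()):
            return True
    return False


def demo_decisions() -> dict:
    """Constructed subjects, resources and environments exercising the policy."""
    susan = {"name": "Susan", "role": "nurse", "specialties": {"burns", "trauma"}}
    tom = {"name": "Tom", "role": "nurse", "specialties": {"paediatrics"}}
    lee = {"name": "Lee", "role": "consultant", "specialties": set()}
    burns_record = {"type": "patient_record", "ward": "A&E", "patient": "p-1042"}
    ortho_record = {"type": "patient_record", "ward": "orthopaedics", "patient": "p-2210"}
    on_shift = {"on_shift": True}
    off_shift = {"on_shift": False}
    # Susan's burns specialty lapses: her identity is unchanged, only an attribute moved.
    susan_relisted = dict(susan, specialties={"trauma"})
    return {
        "susan_on_shift": permitted("read", susan, burns_record, on_shift),
        "susan_off_shift": permitted("read", susan, burns_record, off_shift),
        "susan_other_ward": permitted("read", susan, ortho_record, on_shift),
        "generic_nurse": permitted("read", tom, burns_record, on_shift),
        "consultant_any_ward": permitted("read", lee, ortho_record, off_shift),
        "susan_specialty_removed": permitted("read", susan_relisted, burns_record, on_shift),
        "susan_write": permitted("write", susan, burns_record, on_shift),
    }


if __name__ == "__main__":
    for case, allowed in demo_decisions().items():
        print(f"{case:26s} {'PERMIT' if allowed else 'DENY'}")
```

The last two cases show why this style suits the "constant state of flux" described earlier: when Susan's specialty is withdrawn or no rule grants "write", access changes without touching her credential or rewriting the policy for a named individual.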

This shift towards adaptive and situational access controls creates a whole new problem, and that problem is at the system level. With basic authentication schemes the primary vulnerability was theft of the password database, and we have all seen news stories of such databases being breached. In a more sophisticated, more contextual authentication model the amount of highly sensitive and critical data that needs to be protected is much greater, and includes private and personal data such as location, usage patterns and entitlements, as well as biometrics. For this reason it is crucial to ensure that back-end systems such as decision engines, big-data analytics and storage systems are secured with the highest possible protection. Authentication is not just about the user but about the entire system. If one element fails, the entire chain can be compromised and all other security measures rendered useless.

It is easy to get carried away amidst all the hype around emerging authentication schemes and devices; ultimately, whatever means of authentication is used will only be as strong as the technology securing the back end. Authentication data is highly prized and will work its way up cyber-criminals' agendas, as it gives access to increasingly sensitive and personal information. The key to minimising the risk of compromise is to encrypt all authentication data and to secure the critical keys and cryptographic processes from physical and logical tampering. After all, your biometric data is meant to belong to you only.