
Biometrics: Advancing Effective Security Management

  • May 01 2001, 1:00am EDT

Safeguarding the security of computer networks and applications is mission-critical for business today. Information system security breaches are widespread and result in serious and costly damages.

How big is the problem? The Computer Security Institute (CSI) is a leading international membership organization dedicated to helping information security professionals protect the information assets of their organizations. CSI conducts an annual security survey in collaboration with the Federal Bureau of Investigation's Computer Intrusion Squad. Survey respondents include high-tech firms, financial services companies, manufacturers, retailers, utilities, medical institutions and government agencies at the federal, state and local levels.

In 2000, 70 percent of the respondents reported that they had detected computer security breaches in the previous 12 months, up from 42 percent in 1996. Security breaches are defined as unauthorized uses of computer systems, and the data is adjusted to exclude organizations that answered "yes" but only reported incidents of laptop thefts, virus attacks or employee abuse of network privileges.

The costs of various cyber attacks are difficult to quantify precisely. Many companies cannot put an exact price tag on the costs. However, according to CSI and the FBI, in 2000, the average loss due to sabotage of networks or data reached an estimated $535,000. On average, incidents of financial fraud cost about $617,000. Theft of proprietary information resulted in average financial losses of approximately $1.1 million. Clearly, the security problem is big, growing and costly.

Security Management Challenges

No organization is immune from cyber attack. Any company engaging in e-commerce has to be concerned about security.

As IT professionals respond to these demands, the intricacy of network technology compounds their problems. Client/server systems (including thin-client networks) continue to grow and sprawl. Applications and data become spread far and wide across ever-larger systems of multiple PCs and servers. With the Internet, extranets, virtual private networks and remote-access technologies that open access to systems behind corporate firewalls, vulnerable back doors are left unlocked.

Passwords, of course, have been a traditional mainstay of computer network security. However, conventional passwords are cumbersome, costly and inadequate. Users forget them, and they are readily misused. Passwords are particularly problematic in corporations that have more than one operating system. In such environments, individual users often have three or more passwords.

Forrester Research, Inc. has found that password problems account for between 40 and 80 percent of all IT help desk calls. According to Gartner, resetting forgotten or compromised passwords can cost as much as $340 per user annually. Other experts place the total annual cost of password administration today in the range of $600 to $800 per user.

How are CIOs and IT managers responding to the demands and challenges of computer security management? They are seeking new solutions for improving network security. Forrester Research projects that companies will spend nearly $20 billion on computer security by 2004, up from an estimated $5 to $6 billion in 2000.

Biometric Technology

As IT professionals strive to improve security, biometrics now gives them a technology advantage. Network security protection is the fastest growing application of biometrics today.

Biometric technology provides automated methods of authenticating the identity of a person based on unique personal characteristics. Major biometrics derived from physiological characteristics include fingerprints, hand silhouettes, facial geometry, the color pattern in the iris of the eye and the blood vessel pattern in the retina of the eye.

All biometrics use a four-step process. First, a sample biometric (such as a fingerprint) is captured for each user. Second, key features are extracted from the sample. Third, an encrypted comparison template is created that stores a mathematical model of the key features in digital form. Finally, biometrics automates matching of an individual's biometric to the stored comparison template.
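
The four steps above, sketched as an added example (not code from the article or from any vendor): it shows that the final matching step is a distance-versus-threshold decision rather than the exact comparison used for passwords, because two captures of the same finger never produce identical features. The readings, the median-based feature extraction, the function names and the 0.25 threshold are all assumptions made for illustration, and template encryption is left out.

```python
from statistics import median

THRESHOLD = 0.25  # assumed policy: max fraction of differing feature bits

# Constructed sensor readings (not real biometric data).
ENROLLED     = [12, 80, 91, 33, 5, 67, 73, 48, 88, 20, 41, 59, 95, 9, 27, 64]
SAME_FINGER  = [14, 78, 89, 35, 7, 65, 75, 56, 86, 22, 43, 51, 93, 11, 25, 62]
OTHER_FINGER = [70, 15, 85, 30, 60, 10, 45, 90, 25, 75, 5, 95, 40, 65, 20, 80]

def extract_features(sample):
    """Step 2: reduce a captured sample to key features (one bit per reading)."""
    mid = median(sample)
    return [1 if v > mid else 0 for v in sample]

def enroll(user, sample):
    """Steps 1-3: build the stored comparison template from a capture.
    Encryption of the template at rest is omitted in this sketch."""
    return {"user": user, "features": extract_features(sample)}

def distance(a, b):
    """Fraction of feature bits that differ (normalized Hamming distance)."""
    if len(a) != len(b):
        raise ValueError("feature vectors differ in length")
    return sum(x != y for x, y in zip(a, b)) / len(a)

def verify(template, sample, threshold=THRESHOLD):
    """Step 4: match a fresh capture against the stored template."""
    d = distance(template["features"], extract_features(sample))
    return d <= threshold, d

if __name__ == "__main__":
    tpl = enroll("alice", ENROLLED)
    print(verify(tpl, SAME_FINGER))        # genuine user, noisy re-capture
    print(verify(tpl, OTHER_FINGER))       # different person
    print(verify(tpl, SAME_FINGER, 0.1))   # same user, stricter threshold
```

Tightening the threshold lowers the chance of accepting another person but starts rejecting the genuine user's noisy re-capture, so the threshold is a setting to measure per device when evaluating a product.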

What is the fundamental advantage of biometrics? A biometric template is unique to the individual from whom it is created. Unlike a password, a personal identification number (PIN) or smart card, it cannot be forgotten, misplaced, lost or stolen. Thus, biometrics ensures that a person attempting to access a computer system is actually the authorized user, not someone who stole a smart card or found a password on a note under a mouse pad.

Better Technology, Lower Costs

The International Biometric Group is one of the industry's leading integration and consulting firms. This group advises that with proven accuracy, faster transaction speed, improved design and decreasing costs, biometrics is ready for large-scale deployment and poised for a breakthrough to new levels of acceptance.

Improvements in optics and scanning have made biometric readers more accurate and much faster. Enhancements to ergonomic design have made the devices easier to use, and prices for biometric hardware have fallen dramatically. Fingerprint scanners that cost about $500 just two to three years ago are now available for under $100. Iris recognition devices have cost from $4,000 to $7,000 but are now available for under $1,000, with some new devices even priced under $500.

In addition, many vendors have advanced innovation in software design to effectively apply biometrics for enterprise solutions. Effective security software centralizes users' biometric templates and system authorization profiles in secure storage. It automates the process of matching a user's biometric to the stored templates and then permits authorized users to access the set of servers, applications and files in their profile from anywhere in a system with a single, simple and secure biometric sign-on.

Evaluating Alternatives

How can you assess whether network security software with biometrics is right for your company? Here are some key questions you should ask: Does the security software support all of your operating systems? Can it apply biometrics to all of your applications without requiring modifications to application code? Does the software truly eliminate the redundancy of user names, PINs or tokens? Does it support the biometric devices that your organization may want to use today, and tomorrow?

Advances in hardware and software coupled with decreasing costs make a compelling business case for biometrics as a replacement for conventional network passwords. Solutions that include both network software and workstation hardware are now priced at about $300 per seat, comparable to the approximate annual per-user cost of resetting forgotten or lost passwords.
