IAM-driven biometrics in security requires adjustments
IAM is foundational to cybersecurity, but the latest systems use biometrics and other personal data. Learn how to cope with the resulting compliance and privacy issues.
When security executive Chris Dimitriadis sought to strengthen his team's cybersecurity profile, he added biometric elements to its identity and access management program.
Employees who need access to the most sensitive data -- whom Dimitriadis labeled "privileged users" -- must use either their fingerprints or facial recognition scans to open applications that hold that information.
The use of biometrics in security systems simplified the company's identity and access management (IAM) program while at the same time strengthening it, according to Dimitriadis, who is responsible for IT services for customers of Intralot, a Greece-based lottery vendor and operator, and a board member and prior chairman of the IT governance association ISACA.
"The simpler the authentication is for a human, the better security it is at the end of the day," he said. "That's why I favor biometrics; it's easier, and it's also very user-friendly. The more we help humans, the easier security becomes, the better compliance you have."
There are, however, additional considerations and trade-offs that come with such IAM programs and technologies, Dimitriadis and other security experts acknowledged.
IAM systems are increasingly asking users for more personal information that organizations must then ensure is secure, well managed and compliant with data privacy regulations and user expectations.
IAM deployments and biometrics in security
Although organizations generally consider IAM to be a foundational part of cybersecurity best practices, many still struggle with implementing and maintaining an effective identity and access management program.
Findings from the 2018 "Assessment of Identity and Access Management" study, conducted by Dimensional Research for IAM provider One Identity, highlighted some of the limits and challenges that come with IAM.
For example, only 15% of the 1,000-plus responding IT security professionals said they were completely confident that their organization would not be hacked because of an issue with its access control program. On the other hand, 19% said they weren't confident that such a hack would not happen, while 66% said they were only fairly confident such a hack wouldn't happen.
Such statistics help explain why security experts see organizations increasingly adopting more robust IAM practices, such as two-factor authentication, physical biometrics and behavioral biometrics.
Passwords are also cumbersome and often less effective than biometrics and behavior-based analytics, so "people are trying to get rid of the passwords, and rightly so," said George Moraetes, a security consultant and CISO with his firm Securityminders.
Maturing programs and their security challenges
But security and privacy executives are finding that the move beyond single sign-on passwords comes with its own security and privacy challenges. These biometrics capabilities, behavior-based security analytics and other advanced IAM systems ask users to provide data that organizations must now safeguard. Simply employing biometrics in security can create security headaches.
"It would be ironic if you're collecting this kind of data to secure your systems and then that data is left vulnerable for unauthorized access," said Rita S. Heimes, general counsel and data protection officer with the International Association of Privacy Professionals.
Additionally, organizations are seeing some people push back against having to use deeply personal information, such as one's own fingerprints, just to do their jobs.
Steve Wilson, an analyst with Constellation Research, pointed to an Australian legal battle involving an employee who was fired after refusing to provide his fingerprints to his employer, as required for a new security scanning system. The country's Fair Work Commission found the employer unfairly dismissed the employee.
"He won his unfair dismissal case on the grounds that he wasn't given any reasonable alternative to biometrics and was therefore not being accorded due-consent processes," Wilson said. "'Consent' isn't consent if you are forced to use the system."
Wilson and others said business leaders will need to address such issues as they implement biometrics in IAM systems. They'll also have to ensure that personal information -- whether it's fingerprints or behavioral patterns -- is collected and stored in ways that are secure and meet all regulatory requirements, such as the European Union's General Data Protection Regulation, or GDPR.
Steps for using biometrics in security
Organizations need to consider how biometrics and other advanced IAM practices fit into their overall security program and to think of access control and data protection holistically, experts said. Organizations must understand what data they have, what data they really need, how to get rid of what they don't require, where data is stored and how it's stored.
Heimes stressed that organizations should only collect and keep what they need in order to get their work done. Dimitriadis agreed, saying: "Know where your data sets are, how you classify them, how important each data set is and then … decide whom to give access to it. It may sound like a simple task, but it turns out to be very, very complex."
That analysis should inform the controls required, with business leaders determining what level of data sensitivity warrants the use of sophisticated IAM systems, such as those that are biometrics-based.
Wilson said organizations should ask the following: Is biometric security a proportionate response to the security problems a company is trying to solve? Is the biometric really going to be as effective as they think? Is it creating new risks by accumulating biometric data? How are the biometric scans and reference templates being stored?
Jason Taule, vice president of standards and CISO for HITRUST, said he advises organizations to start by considering the level of risk and whether two-factor authentication or other available non-biometric options address access requirements.
From there, they should invest in identity vetting, determining how they'll validate that someone is who they purport to be.
They also need to evaluate their IAM vendors to determine how they treat the personal information they use to grant access, he said. He noted that some vendors collect and store the fingerprint, facial or other personal information they use to authenticate users. Others may not store that information but only access it once, assign values derived from it and then store those values. Although storing only numeric values greatly lowers the security risk, organizations should still vet those vendors to ensure they follow strong security protocols, in addition to maintaining their own enterprise security policies and procedures.
Organizations should also vet the functionality of the system. "You also want strong reporting and integration with your existing infrastructure," he added.
Experts also advise full transparency when it comes to implementing biometrics in security processes.
"The employee has to be fully aware on why they're being asked to provide biometrics, the employee should know in advance where and why it's happening," Moraetes said.