Most articles like this mention biometrics only in the context of physical access control at the data center, which is important. You don't hear as much about biometrics for controlling access to data stored in the cloud, though, and that's too bad because biometrics for logical access control could make the cloud a lot safer for businesses and their customers.
At a data center, physical access control prevents this (access to places)...
Image: Copyright Paramount |
Logical access control is for this (access to information)...
...and tricking out data centers like Fort Knox, along with other logistical challenges ensures that there are a lot more of the latter than the former.
In networked logical access control solutions, the biometric sensor hardware is a part of the security. In the standard Username/Password regime, the hardware used, the keyboard, offers no additional security. With username/password authentication, a hacker needs only a keyboard to fill in the proper fields and she gains access to the network. If that username/password is a superuser or administrator credential, there's may be some turnover in the CTO function.
Biometric authentication is very different animal because with biometrics, the hardware layer does provide extra security. If the hacker steals a biometric or unencrypted biometric template (a long character string), she can't just type it in even if she finds the place in the programming that handles the template. The template resulting from a verification attempt is like a single use password created during the interaction of a physical object (body part) with certain known sensor.
For organizations using cloud services, requiring biometric authentication to authorize access to any database storing usernames/passwords should dramatically decrease the risk of high profile data breaches or other damaging hacks.
But even if every human account used biometrics for logical access control, some version of username/password verification will be around for a long, long time because username/password is a cheap, well-understood, flexible technology that supports certain access control models that biometrics does not. For one thing, people aren't the only things that claim an identity before accessing IT systems — computers do it, too, and they don't have biometrics.
The challenge that system designers now face is to identify where using Username/Password is too dangerous, and where biometrics can be used to reduce risk to an acceptable level. This requires identifying everything currently authenticated with a username/password and a determining which of these things are more efficiently protected using biometric authentication, then implementing the change. This is far easier said than done.
Requiring biometric verification of all human Administrator logins would be a good start, though. There aren't (or shouldn't be) that many of them. They are tech savvy, so they should be able to adapt to the new security environment quickly. They should have an understanding of why the extra step is worth the effort. It's their responsibility to keep the keys of the kingdom and they're the ones on the hot seat when the CEO is out apologizing to all and sundry following a data breach.