How to Implement Strong Security Policies in Ways that Users Rapidly Embrace

Aligning Users' Desire for Convenience with Corporate Demands for Security through Fingerprint Biometrics

A DigitalPersona White Paper, April 2008

Human Element Biometrics, LLC
Oklahoma City, OK USA
Tel: +1 405.858.8632
Fax: +1 405.858.8641
E-Mail: info@hebiometrics.com
Web: www.hebiometrics.com

Table of Contents

Introduction ... 1
The Problem ... 1
The Weakest Link: Simple Passwords ... 1
  People are Fallible and Predictable ... 1
Alternatives to Simple Passwords ... 2
  Tokens and Smart Cards ... 2
  Single Sign-On ... 2
  Stricter Password Policies ... 3
  Password Self-Reset ... 3
The Cost to Organizations ... 3
  User Productivity and Support Costs ... 3
  Compliance ... 4
Fingerprint Authentication: Enabling Strong Security that Users Embrace ... 4
  Users Enjoy Fingerprints – and Rapidly Adopt ... 4
  Fingerprints Address IT and Executive Needs ... 5
  Balancing Security, Convenience and Cost ... 5
  How DigitalPersona's Fingerprint Technology Works ... 5
Result: Strong Security with Fast ROI ... 6
Summary ... 6

About DigitalPersona

DigitalPersona is the leading provider of fingerprint authentication solutions for enterprise networks, developers and consumer OEMs. Founded in 1996, the company designs, manufactures and sells flexible solutions that make it possible for businesses to implement strong security policies in ways that users rapidly embrace.

Business users and consumers alike enjoy DigitalPersona's software because it eliminates the pain of remembering and typing passwords or dealing with tokens and cards – making the Internet, applications and computers more convenient. IT organizations appreciate how DigitalPersona's centralized management, per-user uniqueness and rapid user acceptance simplify data-loss prevention and compliance efforts with strong passwords, multi-factor authentication and transaction accountability. DigitalPersona's award-winning technology is used worldwide by over 90 million people in the most diverse and challenging environments. The company's interoperable biometric software solutions uniquely support the industry's widest array of notebooks with fingerprint readers in addition to its own line of optical placement reader peripherals. For more information contact DigitalPersona, Inc. at +1 650.474.4000, or visit www.digitalpersona.com.

© 2008 DigitalPersona Inc. All rights reserved. DigitalPersona is a trademark of DigitalPersona, Inc., registered in the United States and other countries. All other trademarks referenced herein are the property of their respective owners.

How to Implement Strong Security Policies in Ways that Users Rapidly Embrace ii

Introduction

The Problem

Securing access to computer systems and data is one of the key challenges facing organizations today. The need to safeguard these assets from both internal and external threats has never been more urgent. Within a six-month period, the Computer Emergency Response Team (CERT) [1] reported over 70,000 security incidents.

Most authentication solutions typically suffer from the following problems:

- Don't ensure individual accountability/compliance – passwords, tokens and cards can be lost, stolen or shared, limiting their effectiveness in identifying user actions.
- Are too slow or bulky for individual transactions – products that are time-consuming or physically inconvenient deter usage, making them impractical for securing low-level transactions.
- Force choice of security over convenience – passwords that are strong enough to be secure get written on "sticky notes" while cards and tokens have to be kept accessible.
- Drive up operational costs – helpdesks get burdened by password resets, token or card inventorying and re-provisioning.
- Can lock customers into a single vendor – creating applications that handle different vendors' authentication hardware can be very difficult, limiting choices of platforms.

"The average (computer security incident) loss per respondent to our survey was $345,005, up from $167,713 reported last year (2006)." – 2007 CSI Computer Crime & Security Survey

Authentication is essential to protecting your network and data, achieving compliance and satisfying auditors. But most authentication systems have a major flaw: they can't tell you for sure who was authenticated. Passwords, tokens, cards and PINs can all easily be shared. Biometrics, on the other hand, let organizations know with certainty who accessed what and when. By linking identity to specific actions, biometrics provides a robust foundation for secure authentication.

Fingerprint authentication, in particular, enables IT organizations to more easily address corporate security needs by exploiting users' insatiable desire for convenience. Users enjoy not having to remember or type passwords and happily embrace fingerprint systems. This makes it possible for IT to implement compliance-mandated security policies in ways that are rapidly adopted. Fingerprints provide a natural interface for:

- Strong Passwords – Users no longer care how complicated passwords are or how often they're changed.
- Multi-factor Authentication – Fingers can't be forgotten, lost or stolen.
- Transactional-level Accountability – Fingerprints can be used almost instantaneously without special effort, making them part of the normal routine when accessing applications.

The Weakest Link: Simple Passwords

Passwords are the most pervasive mechanism used to secure access to networks and databases. Auditors now routinely insist that organizations prove that they are taking steps to ensure that passwords are used effectively. Unfortunately, password authentication is often the weakest link in the security infrastructure. According to the Computer Emergency Response Team (CERT) [2], 80% of the security attacks they investigate are password-related.

People are Fallible and Predictable

Despite countless hours spent creating policies, designing procedures and purchasing safeguards, a single user can undo all of IT's efforts by simply sharing a password. Users aren't perfect and typically are more concerned with getting their jobs done than with following complex policies. As a result, the human element often results in a number of common password problems:

- Too many passwords to remember: IDG (International Data Group) found that the average user in a 10,000-employee organization has 14 separate passwords.
- Weak passwords: Users tend to set passwords based on words that they can remember easily, making them easy for hackers to guess. According to NTA Monitor's research, 84% of users consider memorability the most important attribute of a password, with 81% selecting a common word as a result. [3] Simple password cracking programs can find many whole-word passwords quickly. One FBI computer consultant, who was frustrated by bureaucratic delays in obtaining legitimate access to certain files, broke into the files via the FBI Director's secret password. The consultant figured out the password using software found on the Internet. [4]

[1] RED HERRING, "The Global Security Gap", 11/5/03. www.redherring.com
[2] CERT® Coordination Center (CERT/CC) is a center of Internet security expertise, located at the Software Engineering Institute, a federally funded research and development center operated by Carnegie Mellon University.
- Single passwords for many systems: Users may use the same work password for insecure sites where passwords may be sent in clear text. A single password, once cracked, may open many doors.
- Accessible passwords: The NTA Monitor Password Survey found that 49% write their passwords down or store them in a file on their PC or Blackberry, making the passwords accessible.
- Accommodating or gullible employees: Passwords are often subject to social engineering attacks. In one example, two-thirds of workers polled in downtown San Francisco turned over their passwords without hesitation when asked. Their reward? A coffee coupon for $3. Of those who said "no way" to the request, 70% still gave up hints, like an anniversary date or a wife's or pet's name. In addition, 79% said they use the same password for multiple Web sites and applications. [5] In another study, four out of five workers would disclose their passwords to someone in the company if asked. [6]

A compromised password functions much like a key to a lock; anyone who has it can get in. If you are relying on only user IDs and passwords for security, there is no way to know for sure that the user was even present at the time of authentication. It's a frightening thought, but your information systems are only as secure as your least responsible user.

"The biggest threat to the security of a company is not a computer virus, an unpatched hole in a key program or a badly installed firewall… The weakest link in the chain is the people." – Kevin Mitnick, Oct. 2002, BBC Interview

Alternatives to Simple Passwords

Since standard password practices do not provide sufficient security for many organizations, a number of alternatives have surfaced.

Tokens and Smart Cards

Strong authentication solutions typically use a token or smart card in addition to a one-time password to authenticate users. Increasing the number of required credentials (two-factor authentication) is a broadly accepted method of increasing security. Unfortunately, tokens and smart cards can't indicate who is actually using them. In addition, they can be shared, lost or stolen, limiting their effectiveness in truly identifying user actions. Some authentication solutions also require significant effort to work with certain enterprise applications and lack the ability to tightly integrate into existing network directories and management infrastructure. These solutions typically require setting up and maintaining a public key infrastructure (PKI), increasing upfront and ongoing costs. Users often forget the devices or leave them at their desk, preventing access. As a result, deployments of tokens and smart cards are often limited to situations where the added security can justify the higher cost to the organization and burden on the user, principally remote access via VPNs.

Single Sign-On

Single Sign-On (SSO) products simplify the management of password credentials by allowing a single password to provide access to all applications. In theory, this eliminates the management of all password credentials except for one, and gives the user free access to all applications with only one logon. In reality, several drawbacks limit the viability of SSO for many companies. Most SSO solutions require an administrator or programmer to perform complex scripting for each supported application. This work is often repeated whenever applications are updated and their logon screens change. Furthermore, many security experts consider SSO less secure than using separate passwords.

[3] NTA Monitor Survey, 2002
[4] San Jose Mercury News, 8/28/06
[5] San Jose Mercury News, 5/6/05
[6] CNET News, 5/22/02
SSO still relies on end-users to create and maintain a secure password, and only one password is required to access all of the user's accounts (sometimes called "Single Break-In"). In the end, the high cost of ownership and continued reliance on an end-user to securely manage a password can limit the viability of SSO to all but a few organizations.

Stricter Password Policies

Some improvements have been made to the traditional process of providing a username and password, such as requiring "stronger" passwords. But the fundamental approach has not changed. Its weaknesses are well known and are the primary means by which network security is compromised. Unfortunately, requiring frequently-changing, complex passwords tends to backfire. People who can't remember the new passwords are even more apt to write them down. Password security policies rely on end-user cooperation, and strict policies motivate users to compromise security. Those who comply will generate higher support costs due to forgotten passwords. It's a catch-22, with stricter policies actually lowering overall security.

Password Self-Reset

Password self-reset solutions are intended to reduce helpdesk calls about forgotten passwords by allowing users to reset their own passwords. However, such products do not address the source of the security problem; end-users still must create and manage a number of secure passwords. In addition, password self-reset solutions are not turnkey and often require professional service projects to integrate them with each application. And, while they do significantly reduce helpdesk costs associated with forgotten passwords, end-user productivity is still impacted as users must perform the password reset themselves.

The Cost to Organizations

Most users try to properly manage their identity credentials by creating secure passwords and hiding passwords or tokens from others. These conscientious users often still forget their password or token, generating a support call.

User Productivity and Support Costs

Helpdesk Password Costs:
- Between 25 and 40% of all help desk calls are for password problems. (Forrester)
- The average cost of a password reset call is between $10 and $31. (Forrester)
- Each year companies spend up to $150 per user trying to maintain secure passwords. (Gartner Group)

In many cases, the actual cost of a password reset goes beyond the support costs:

- Loss of employee productivity and effectiveness: Employees who can't log in are often idle until support is able to help them.
- Impacts mission-critical operations: In hospitals where medical records must be quickly accessed from a shared PC at a nurses' station, signing out another user before signing in as an authorized user delays medical treatment.
- Impacts service: In call centers or any customer-facing operation where employees repeatedly log in and out of various applications while customers wait, the number of customers being served decreases.

For example, Mountain America Credit Union used to require employees to lock their PC when they stepped away. Multiple passwords were required to unlock their computer and gain access. These passwords led to staff documenting passwords on Post-it® notes or sharing them among co-workers. However, after the company deployed a fingerprint solution that replaced the typing of passwords with a simple touch, the sticky notes disappeared, and password reset calls to the helpdesk stopped. Users also responded positively to the "cool" factor in using fingerprints for authentication.

In California Commerce (Citicorp) Bank's call center, employees need to quickly access multiple databases and accounts, all of which use different, frequently changing passwords. Switching between databases requires signing out of one program to access the next. One forgotten password seriously impacts the banking workflow.
By using fingerprints for secure authentication, CCB employees can now quickly access information, improve service levels and eliminate password reset calls.

Compliance

Almost all organizations are subject to some regulatory or corporate mandates that require data to be secured. Failure to comply with these regulations can result in significant financial and legal consequences:

- The Sarbanes-Oxley (SOX) Act of 2002 requires high security standards for data that is financial or confidential. Any public company may be liable if it has not taken adequate steps to protect this type of data. Many existing password and security policies would not be considered sufficient under SOX.
- The Health Insurance Portability and Accountability Act (HIPAA) mandates that individually-identifiable health information must be kept private and secure. HIPAA affects virtually all healthcare-related information created or received in virtually any medium by the healthcare industry or an employer (Human Resources). Password costs are not limited to maintaining passwords, but also include the potential $250,000 fine or imprisonment of up to 10 years, or both, for wrongful disclosure with intent to sell information.
- The Payment Card Industry Data Security Standard (PCI DSS) is a multifaceted security standard that requires security management, policies, procedures, network architecture, software design and other critical protective measures.
- Data Breach Security Laws require that individuals be notified if their confidential or personal data has been lost, stolen or compromised. As of 2007, more than 35 U.S. states have enacted these laws.

Institutions are required to demonstrate that access to private data is secured and to provide an auditable trail showing who signed into which application and when.

The costs of a disclosed data loss can be significant, including damage to reputation, lower stock value, and administrative expenses. In March of 2008, the Maine-based Hannaford Brothers grocery chain announced that 4.2 million customer card transactions were compromised. More than 1,800 of those credit card numbers have already been used for fraudulent transactions. Within two days of the breach announcement, customers filed two class action lawsuits against the retailer. Despite Hannaford being PCI-certified in February of 2008, the suits charge that it was negligent for failing to provide adequate security for computer data. [7]

Financial Risk for Public Data Loss (IT Compliance Group, July 2007):
- 8% decline in market value
- 8% loss in customers
- Temporary decline in revenue of 8%
- Costs of litigation, notification, settlements

Fingerprint Authentication: Enabling Strong Security that Users Embrace

Fingerprint authentication avoids many of the security issues identified above. Unlike other authentication methods, fingerprints are based on a physical characteristic: who you are, not what you know. Users simply touch their finger to the reader and are immediately authorized and logged into the network, application or Web site. Biometrics enables administrators to know for sure that the authorized user was present when signing in.

Users Enjoy Fingerprints – and Rapidly Adopt

Fingerprints take the pain out of using passwords. Fingerprints eliminate the need to remember or type login IDs or passwords, making even the most complex passwords easy to use. As a result, security doesn't depend on human effort. People can't "forget" their fingerprints – eliminating a common source of helpdesk calls. Users find biometric technologies convenient because they use a physical characteristic instead of something to be remembered or carried around.

Fingerprints protect users. When fingerprints are used with specific transactions, users can be credited more accurately with what they do and can avoid being accused of actions they didn't perform.

Fingerprints Address IT and Executive Needs

- Make strong password and two-factor policies feasible and easy for users – Fingerprints are fast, instinctively easy and make life easier for users, leading to rapid adoption. By using fingerprints, IT organizations can exploit users' natural behaviors to drive corporate security goals.
- Get auditors off your back: link actual people to specific actions with complete non-repudiation – Authenticating with a fingerprint tells you exactly who does what, where and when. Fingerprints are fast, so they can be used for each transaction, not just for securing each session. In addition, fingerprint authentication creates an irrefutable audit trail linking specific people to each action.
- Deter fraud – People intuitively understand that their fingerprint represents them, and only them, reducing the likelihood that policies will be violated.

Balancing Security, Convenience and Cost

Regardless of how secure a technology promises to be, if it's hard to use or inconvenient for end-users, it won't be accepted. Organizations face a tough challenge, trying to address evolving security threats without hampering productivity or increasing IT costs.

[Figure: Traditional Password Authentication, Password Self Reset, Single Sign-On, Two-factor with Tokens and Fingerprint Authentication plotted against three axes: Increased Security, Reduced Support Cost (Admin productivity) and Easier to Use (End-user productivity).]

Fingerprint authentication eliminates the reliance on users to manage their authentication credentials (passwords, tokens, etc.). And, because it's hard to forget a finger, fingerprints avoid many of the issues that drive up support costs with other mechanisms.

[7] www.bankinfosecurity.com, April 4, 2008
Don Davis, CIO and Senior Vice President of Information Services at Rite Aid, said they chose to use DigitalPersona technology in their pharmacies because of "the efficiencies we felt we would obtain from not having to administer password resets, the speed of logging into the system, audit trail creation and compliance with role-based tasks."

How DigitalPersona's Fingerprint Technology Works

DigitalPersona's fingerprint biometrics solutions combine a highly-accurate fingerprint recognition engine, rich user experience features, centralized manageability and a broad set of applications. These solutions work with a variety of vendors' fingerprint readers, either built into computers (such as in notebooks) or plugged in as peripherals. DigitalPersona's technology is well-proven and is used by over 90 million people around the world.

Users set up or "enroll" their fingerprints by simply scanning one or more fingers. DigitalPersona Pro software on the PC extracts a mathematical representation of the fingerprint called a "template" and uses that for all operations – it does not store any fingerprint images. Templates are then sent to the DigitalPersona Pro server, where they are stored in Active Directory so that the user can use fingerprints from anywhere on the network without having to re-enroll at each computer.

When users wish to authenticate (for login, canceling a screensaver or other places where a password is typically used), they touch the fingerprint reader. A template representing their fingerprint is created and compared against the template that was registered during enrollment. If the templates match, the DigitalPersona Pro client software takes appropriate action, such as writing an audit trail, logging the user in or asking for other authentication information such as a PIN (depending upon policies set by the administrator). Client-side caching of templates ensures that fingerprints can be used even when the computer is not connected to the corporate network.
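The enrollment, template matching, policy action and offline-cache steps just described, modelled in Python as an added example (this is not DigitalPersona's code; the minutiae-based templates, the 0.7 threshold, the policy keys, the directory dict standing in for Active Directory and the audit record format are all constructed assumptions):

```python
"""Added example, not DigitalPersona's code: a model of the enrollment and
verification flow described above. Assumptions (all constructed here): a
template is a frozenset of (x, y, angle) minutiae tuples; a match is the
fraction of enrolled minutiae reproduced by the live sample within a small
tolerance; the directory dict, client cache, policy keys, threshold and audit
format are invented for illustration."""
from dataclasses import dataclass, field


def extract_template(minutiae):
    """Reduce a scan to a template; the image itself is never retained."""
    return frozenset((int(x), int(y), int(a) % 360) for x, y, a in minutiae)


def match_score(enrolled, live, pos_tol=2, angle_tol=10):
    """Fraction of enrolled minutiae that the live sample reproduces."""
    if not enrolled:
        return 0.0
    hits = 0
    for x, y, a in enrolled:
        for lx, ly, la in live:
            d_angle = abs(a - la) % 360
            d_angle = min(d_angle, 360 - d_angle)
            if abs(x - lx) <= pos_tol and abs(y - ly) <= pos_tol and d_angle <= angle_tol:
                hits += 1
                break
    return hits / len(enrolled)


@dataclass
class FingerprintClient:
    directory: dict                                # stands in for the AD template attribute
    threshold: float = 0.7                         # assumed decision threshold
    cache: dict = field(default_factory=dict)      # client-side template cache
    audit: list = field(default_factory=list)      # audit trail entries

    def enroll(self, user, minutiae):
        tpl = extract_template(minutiae)
        self.directory[user] = tpl                 # central store, usable from any PC
        self.cache[user] = tpl                     # also cached for offline use

    def _reference(self, user, online):
        if online:
            tpl = self.directory.get(user)
            if tpl is not None:
                self.cache[user] = tpl             # refresh cache while connected
            return tpl
        return self.cache.get(user)                # offline: cached copy only

    def authenticate(self, user, minutiae, policy, online=True, pin_ok=None):
        """Verify a live sample and apply policy; returns "login",
        "pin_required" (step-up factor not yet supplied) or "denied"."""
        reference = self._reference(user, online)
        score = match_score(reference, extract_template(minutiae)) if reference else 0.0
        if score < self.threshold:
            action = "denied"
        elif policy.get("require_pin"):
            action = {None: "pin_required", True: "login", False: "denied"}[pin_ok]
        else:
            action = "login"
        self.audit.append({"user": user, "score": round(score, 2),    # who, how well,
                           "online": online, "action": action})        # where, what
        return action


# Constructed scans: enrollment, a matching live sample with sensor jitter, a
# different finger, and a partial (smudged) sample covering only 3 of 5 points.
ENROLL_SCAN = [(10, 20, 45), (30, 40, 90), (50, 60, 135), (70, 80, 180), (90, 100, 225)]
LIVE_GOOD = [(11, 21, 50), (29, 40, 85), (50, 61, 140), (70, 79, 175), (88, 100, 230)]
LIVE_OTHER = [(12, 90, 0), (40, 15, 300), (66, 33, 20), (5, 5, 5), (95, 50, 270)]
LIVE_PARTIAL = LIVE_GOOD[:3]


def run_demo():
    """Enroll once, then authenticate under the conditions the text describes."""
    client = FingerprintClient(directory={})
    client.enroll("alice", ENROLL_SCAN)
    results = {
        "good_login": client.authenticate("alice", LIVE_GOOD, {}),
        "other_finger": client.authenticate("alice", LIVE_OTHER, {}),
        "partial_scan": client.authenticate("alice", LIVE_PARTIAL, {}),
        "pin_prompt": client.authenticate("alice", LIVE_GOOD, {"require_pin": True}),
        "pin_supplied": client.authenticate("alice", LIVE_GOOD, {"require_pin": True}, pin_ok=True),
        "offline_cached": client.authenticate("alice", LIVE_GOOD, {}, online=False),
        "offline_unenrolled": client.authenticate("bob", LIVE_GOOD, {}, online=False),
    }
    return results, client.audit
```

The partial scan falls below the threshold and is denied rather than accepted at a lower confidence, and the offline case only succeeds for a user whose template was cached while the PC was last connected.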
Simple Deployment on Existing Infrastructure – DigitalPersona Pro is designed to work with existing PCs, servers, networks, and applications without the need for extensive consulting or custom programming. Client software can be easily deployed wherever needed through existing mechanisms for distributing standard MSI files, including Active Directory GPOs, SMS, or other software distribution tools. Fingerprint logons can be added on top of current and future Web, Citrix or legacy apps by an administrator without having to modify the application. This configuration information can then be pushed to each user's computer via GPOs. Individual users specifically do not have to set up fingerprint authentication for each logon page. Users only enter their ID and password one more time to initialize fingerprint authentication. When the logon page is opened, DigitalPersona Pro prompts the user for their fingerprint, avoiding the need for any special user training.

Integration with Active Directory – DigitalPersona Pro is certified by Microsoft to extend the Active Directory schema to store biometric data in each user's data records. DigitalPersona Pro uses the native user interface of Active Directory, eliminating the need to learn new tools. Administrators can use the Active Directory Group Policy Editor to create Group Policy Objects (GPOs) for tailoring the behavior and functionality of DigitalPersona Pro. This familiar point-and-click interface makes it easy to configure or make changes for groups of users anywhere in the organization's network.

"The strongest return on our DigitalPersona Pro investment came through a reduction in demand on our help desk, where password-related help desk calls have dropped by 90%."
– Patrick Honny, Department Information Services Manager, County of San Bernardino, California

Incremental Rollout – Each domain controller running the DigitalPersona Pro server can support 3000 concurrent fingerprint authentications. DigitalPersona Pro scales linearly by adding server software to additional domain controllers. Using DNS capabilities in Windows, DigitalPersona Pro servers are automatically detected, allowing new servers to be added incrementally. DigitalPersona Pro takes advantage of Active Directory to provide automatic server load balancing, data replication and failover. DigitalPersona Pro can be added to new users' computers without disrupting existing users. Similarly, fingerprint logons for new applications can be added at any time.

Result: Strong Security with Fast ROI

Fingerprint authentication solutions link individual people to specific actions, allowing organizations to know for sure who is doing what, where and when. This information is critical for maintaining security, and fingerprints can make it easy to deploy strong security policies. In addition, fingerprint systems can rapidly pay for themselves in helpdesk savings.

Summary

Using fingers to authenticate creates a more secure environment by enabling users to prove who they are in the most natural way. Users enjoy fingerprints since they eliminate the pain of remembering and typing passwords. Because fingerprints are so fast and easy to use, they provide users a natural interface for otherwise complicated security actions such as:

- Strong Passwords – Users no longer care how complicated passwords are or how often they're changed.
- Multi-factor Authentication – Fingers can't be forgotten, lost or stolen.
- Transactional-level Accountability – Fingerprints can be used without special effort, making them part of users' normal routine.

Fingerprints are a powerful approach for implementing strong security. They uniquely align users' natural drive for convenience with businesses' need for security. Considering that fingerprint authentication is more convenient, easier to use, more secure and reduces costs, the decision to go with fingerprint recognition technology is an easy one.