News
“Never trust, always verify”: Can biometrics be the first step towards a Zero Trust strategy?
January 2022 by Michel Roig, President, Head of Payments & Access at Fingerprint Cards
Today’s enterprises are being challenged to stay one step ahead of security threats. Data shows that in 2021, the average cost of a data breach reached USD 4.24 million, up from USD 3.86 million in 2020 and the highest in 17 years.
The surge in flexible and hybrid working arrangements (Working From Anywhere – WFA) is making an already challenging situation even more complex. Leaders now need to decide how to combine enterprise-level security with current working models. The timing could not be more critical. In 2021, the average cost of a data breach where WFA was a factor was a million dollars higher compared to non-WFA related breaches, and many organizations still need to adopt a stronger security strategy for cloud-data storage.
An important strategy attracting increasing attention is a Zero Trust approach to security. While organizations consider how to implement Zero Trust in their IT strategies, a first step could be to consider the role of biometric authentication for logical access control, throughout digital estates.
What is Zero Trust security?
First conceptualized over a decade ago, Zero Trust is a security model that is deployed to mitigate the complexities of today’s agile and technology-driven workplaces.
Essentially, Zero Trust entails constant ID verification, assumes breaches all the time, and puts digital estates on a “never trust, always verify” footing across all its aspects: hardware, software, procedures, networks, databases, and humans.
One of the reasons Zero Trust has been attracting attention is because of its role in integrating the highly secure enterprise digital estates with less secure environments. For many organizations looking to level up their security to accommodate flexible working, this is a perfect solution as it throws up a hard security ‘shell’ around employees wherever and whenever they are working. This is a key factor as to why as many as three-quarters of organizations are looking to adopt Zero Trust.
Zero Trust is a broad approach, with several overlapping elements that create robust security throughout the digital estate. Among its key pillars supporting organizations: identity, endpoint, application, and infrastructure security, one binding technology that can help decision-makers to take the lead is biometric authentication.
A Fresh Start with Zero Trust: Getting Authentication right
As organizations develop plans to adopt Zero Trust, authenticating users that interact with digital estates is front of mind.
The fresh thinking of Zero Trust brings an opportunity to migrate away from traditional authentication methods like PINs and passwords. The rationale is obvious. 80% of breaches and hacks can be attributed to compromised credentials, and 60% of people think there are too many passwords to remember. This is having a direct effect on attitudes towards password and PIN hygiene. 40% of us admit to reusing the same one across our personal and professional accounts, and many continue to still use highly predictable ones.
PINs and passwords are therefore not fit for purpose in a world with WFA, even before Zero Trust is adopted. They can be stolen by “shoulder surfers,” hacks and breaches can occur through unsecured domestic networks, devices such as access cards, laptops, unencrypted data storage devices and tokens can be lost and stolen, putting the digital estate at significant risk.
As organizations prepare to adapt their IT strategies to “never trust, always verify,” solutions using well-established biometric authentication modalities, like fingerprints, can be a powerful tool. Using biometrics for logical access control means strong resistance to spoofs, presentation attacks and seamless reliability at every turn while limiting the potential for attacks, especially scalable ones.
The human factor has long been considered the primary weakness of cyber security, and one of the core objectives of Zero Trust is to address this vulnerability. Relying solely on PINs and passwords does little to support this. Biometric authentication can shoulder this burden, whether on its own or as part of a multi-factor authentication approach and address the human element of a Zero Trust strategy.
Integrating biometrics into the Zero Trust workflow
Many users are already familiar with biometrics, using it as their go-to authentication method when using their smartphones. In PCs, biometrics is gaining momentum, and present a golden opportunity for manufacturers to replicate the seamless authentication already seen in smartphones. Standards, such as Windows Hello from Microsoft, are also a key tool in supporting organizations move away from relying solely on passwords for authentication purposes.
And biometric-enabled peripherals can support Zero Trust proliferation across workplaces. In access cards and USB tokens, biometrics supports secure, unified access control that’s portable across many uses. For example, logging onto shared PCs, accessing VPNs and other restricted spaces throughout the digital estate. Biometric access cards can also bring the added benefit of combining logical and physical access control (using the same card when accessing the digital estate and unlocking doors, for example) that can’t be compromised if lost or stolen and works with existing infrastructures.
Levelling up security and access control with biometrics
Organizations working to implement security strategies that protect digital estates wherever and whenever employees are working will have Zero Trust high agendas.
This transition won’t happen overnight and, in some cases, will require a significant transformation of the existing IT strategy. Considering biometrics as a core component of Zero Trust from the start of projects will smooth the process further down the line and bring a “never trust, always verify” posture one step closer to success, with reliable, convenient and strong authentication throughout the digital estate.
