Biometric Access Control: The First Step Towards Zero Trust?
November 2022 by Maria Pihlstrom, Global Marketing Manager at Fingerprints
How can decision makers navigate Zero Trust projects? Maria Pihlström, Director of Marketing and Communications at Fingerprints, argues that the first step is turning to readily available biometric solutions when rethinking logical access control.
Workplaces continue to digitize at an unprecedented scale. PCs, smartphones, dongles, enterprise applications in the cloud: all are fundamental to today’s working world. Gartner forecasts a rapid global expansion of cloud adoption, with end-user spending on cloud services projected to grow 21.7% in 2022. Gartner also projects that cloud spending will exceed 45% of all enterprise IT spending by 2026, with 100 zettabytes of data set to be in the cloud by 2025.
While enterprise digital transformation is unlocking business models and empowering agile working, it is also expanding the attack surface. Attackers have readily exploited this growing exposure: 2021 saw a rise in the scale and audacity of hacks and breaches.
In addition, there are signs that enterprise security has not caught up with hybrid and flexible working (Working from Anywhere, or WFA). In 2021, the average cost of a data breach in which WFA was a factor was a million dollars higher than that of breaches where it was not.
When scoping IT transformation strategies, many organizations have fallen into the trap of “digitize first…secure later”. To reverse this trend, many are considering a Zero Trust approach to secure digital estates. Achieving Zero Trust will be essential to help organizations grapple with continued digital transformation and end the run of record years for hacks and breaches.
Why Zero Trust makes sense
Over the years, cyber threats and data breaches have risen to become one of the biggest organizational risks. In 2020, the average cost of a breach was $3.86 million. In 2021, this rose to $4.24 million – its highest in 17 years. With the World Economic Forum reporting that the rate of detection or prosecution of cyber-attacks in the USA is as low as 0.05%, rethinking preventative approaches is more critical than ever.
Since it was first proposed over a decade ago by Forrester, Zero Trust has continued to attract attention. Forrester’s recent survey revealed that 78% of firms plan to bolster Zero Trust operations in 2022, and more than two-thirds will allocate increased funding.
Why is it such a needed strategy? One reason is that it directly responds to the increased threats posed by WFA, where robust enterprise security is hampered by more lax domestic environments. By implementing Zero Trust, organizations can throw up a hard security shell around employees wherever and whenever they are working.
It is important to note, though, that it is not a simple process. Yes, tech giants such as Google and Microsoft are putting their might behind it, but Forrester’s survey highlights the complexity, finding that only 36% of organizations have started to deploy Zero Trust, and a mere 6% have fully implemented their Zero Trust projects.
To support decision makers in this space, the first step is to consider how users are authenticated at logical access control points throughout the digital estate. This is where biometrics enters, making it a ‘logical’ first step of a Zero Trust project.
Rethinking authentication for the Age of Zero Trust
The Zero Trust approach enables a “never trust, always verify” mindset throughout digital estates, covering hardware, software, procedures, networks, databases, and humans. Of all these elements, humans are often the hardest piece of the puzzle to get right.
Given the digital security challenge, relying solely on PINs and passwords for authentication and logical access control is not the best approach, even in the medium term. Poor cybersecurity hygiene around knowledge-based credentials makes for worrying reading. Over 80% of breaches and hacks are down to compromised credentials. As of 2022, more than 24 billion credentials are circulating on the dark web. Users are becoming increasingly frustrated with credentials too: 60% of people think there are too many passwords to remember (often more than 85 per person). This leads many users to reuse the same password or PIN, or to select predictable ones, opening up the risk of highly scalable attacks.
Zero Trust projects allow decision makers to think beyond PINs and passwords. To address this, it’s important that access control solutions consider security, speed and convenience. Biometrics, whether on their own or as part of a multi-factor authentication approach, align perfectly with the “never trust, always verify” footing of a Zero Trust approach.
Biometrics: Zero Trust by design
After years of R&D, biometric technology, especially fingerprint recognition, is a widely used, reliable and secure access control solution ready for the Zero Trust world.
In the early days, it was technically possible to replicate or “spoof” a fingerprint with a gummi bear or a high-quality picture. Today, biometric data is captured, authenticated and stored as a binary template code, making it highly resistant to spoofing. Sensor R&D, increasingly sophisticated matching and authentication algorithms, and robust standards such as FIDO2 and Windows Hello have transformed both the security and the reliability of biometrics. Today’s sensors have significantly improved false rejection rates, work in a variety of settings (including 360-degree recognition), and can even read wet, damaged, and aged fingers.
Compared to biometrics, PINs and passwords remain highly vulnerable to hackers and breaches, whether through brute-force attacks, credential trading on the dark web, or simply shoulder surfing. Colleagues sharing credentials also present a significant vulnerability. Consequently, can you ever trust a user who has authenticated themselves with just a password or PIN? Biometrics, on the other hand, mean that only the authorized user is authenticated to access corporate devices or sensitive parts of the digital estate. This is why biometrics can be considered Zero Trust by design.
What does biometrics in a Zero Trust project look like?
More and more people use biometrics in their daily lives. Consider how many smartphone users unlock their devices or authenticate with biometrics. For corporate mobiles, mandating biometric authentication is a quick and easy step to protect sensitive data.
Within a Zero Trust strategy, decision makers can integrate biometrics into their employee workflows relatively easily. One of the most obvious examples is requiring PCs to be unlocked with biometrics. For access control, biometric access cards and USB tokens work with existing infrastructures and pose no additional risk to organizations if they are lost or stolen. Biometric cards also bring the added benefit of converged access control, bridging logical and physical access so that users can use the same card to log into work devices and to enter their building.
The challenge of securing digital estates is more acute than ever before as organizations strive to stay one step ahead of hacking and improve cyber-hygiene amongst workforces. Trends like Zero Trust will require a drastic change in IT strategies. Achieving this won’t happen overnight as the security sector matures its approach to Zero Trust. What’s urgently needed is a readily available, tried and tested solution that offers significantly enhanced security without creating any additional burdens on users.
Biometrics can play a significant role in enabling employee workflows securely. By adopting them, organizations will address one of the biggest cyber-security vulnerabilities in their IT strategies, unlock improved productivity and performance, and close the “digitize first…secure later” gap.