6. Biometrics - Rewards
Dr Liam Terblanche
Single Sign-on
• Across all IT systems
3-Factor Authentication
• What you know (password)
• What you have (token)
• What you are (biometric)
Single Identification Token
• Logical & Physical access
• Time & Attendance
• Payroll
• HR (monitor truancy, absenteeism, etc.)
8. Legislative Framework
PROTECTION OF PERSONAL INFORMATION BILL (ISBN 978-1-77037-998-5)
Biometrics – Special Personal Information (Section 26)
• Prohibition on processing of special personal information*
Retention of Personal Information (Section 14)
• Only for as long as necessary to achieve agreed purpose.
Hosted solutions and multi-nationals
• Clause 72: Information will not be transferred to another country if proper safeguards for the protection of the information have not been adopted in that country.
9. What if it gets hacked?
{ Tongue-in-cheek Pascal: every hosted provider, sooner or later, sends the same notice }
for i := 0 to Length(CloudProviders) - 1 do
begin
  WriteLn('Attention: ' + CloudProviders[i] + ' has been hacked, reset your password!');
end;
10. What’s the solution?
Identity Management
Limited shelf-life
Don't recycle, redo
Introduce Self

Physical biometric access control is pervasive in the industry. But the adoption of logical biometric access control has been much slower than anticipated.

What does biometric access control offer the CIO in terms of physical and logical security? What is the risk/reward ratio of using biologically identifiable features to grant/deny access to your physical and virtual assets? Where does the line between corporate security and personal privacy get drawn when storing personal biometric traits in a centralised database? And what does the law say about all this?

Over the next 20 minutes, I will endeavour to open up this world to you and try to answer some of these questions in as concise a way as possible. Feel free to interject at any point if you want us to elaborate on any of these points.
Less Secure: FAR (false acceptance rate) of 1 in 5 000. A 128-bit encrypted password has a likelihood of 1 in 10^38 of being decrypted.

Permanence: When a password has been lost/stolen/breached, reset. When a fingerprint template has been lost/stolen/breached, …

Physical Spoof Attacks: Duplicate fingerprint characteristics (lift them from a glass) and use that to generate a template. (Like finding someone's password on a sticky note in his drawer.)

When an employee leaves a company, his access card gets returned and reused for another person. But what guarantee does an employee have that his biometric data will be completely removed from the system?

A password means nothing. It's encrypted, salted, hashed, and even if it gets breached, one can change it.

There is a global trend to standardise biometric templates across manufacturers. Your template used in this company will be interpretable by the Dept. of Home Affairs.
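The permanence argument above, worked through as an added example (this code is not from the slides or the speaker): a salted, hashed password record is worthless to an attacker once the user resets it, whereas a stolen fingerprint template keeps matching the same finger on any other system that enrols it. The template encoding, the noise model for a live scan, the 90% match threshold and all user data are constructed assumptions for the demonstration.

```python
"""Added example: why a breached password can be reset but a breached
biometric template cannot. All data and the template format are constructed."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PBKDF2_ROUNDS = 100_000  # assumption: a typical iterated-hash work factor


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, iterated hash; a fresh random salt is drawn unless one is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


class PasswordStore:
    """Minimal credential store: keeps (salt, hash) per user, never the password."""

    def __init__(self) -> None:
        self._records: Dict[str, Tuple[bytes, bytes]] = {}

    def enrol(self, user: str, password: str) -> None:
        self._records[user] = hash_password(password)

    def verify(self, user: str, password: str) -> bool:
        salt, stored = self._records[user]
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(stored, candidate)  # constant-time compare

    def reset(self, user: str, new_password: str) -> None:
        # New salt and new hash: anything captured before this point is now useless.
        self._records[user] = hash_password(new_password)


def password_breach_scenario() -> Dict[str, bool]:
    """Attacker has recovered the user's current password; the user resets it."""
    store = PasswordStore()
    store.enrol("alice", "correct horse battery")
    cracked = "correct horse battery"  # constructed: what the attacker recovered
    before = store.verify("alice", cracked)
    store.reset("alice", "new-passphrase-after-breach")
    after = store.verify("alice", cracked)
    return {"attacker_passes_before_reset": before, "attacker_passes_after_reset": after}


# --- biometric side (constructed model) --------------------------------------
# A template is modelled as a fixed bit vector derived from the finger itself;
# a live scan of the same finger differs in a few bits because of sensor noise.
FINGER_TEMPLATE = tuple((i * 7 + 3) % 5 < 2 for i in range(40))  # constructed


def live_scan(noisy_bits: Tuple[int, ...] = (3, 17)) -> Tuple[bool, ...]:
    """Same finger, freshly scanned: the listed bit positions flip (noise)."""
    return tuple((not b) if i in noisy_bits else b for i, b in enumerate(FINGER_TEMPLATE))


def match_template(stored, scan, threshold: float = 0.9) -> bool:
    """Accept when the fraction of agreeing bits reaches the threshold (assumed 90%)."""
    agree = sum(a == b for a, b in zip(stored, scan))
    return agree / len(stored) >= threshold


class BiometricStore:
    """Template store. Note there is no reset(): the reference is the user's finger."""

    def __init__(self) -> None:
        self._templates: Dict[str, Tuple[bool, ...]] = {}

    def enrol(self, user: str, template: Tuple[bool, ...]) -> None:
        self._templates[user] = template

    def verify(self, user: str, scan: Tuple[bool, ...]) -> bool:
        return match_template(self._templates[user], scan)

    def dump(self, user: str) -> Tuple[bool, ...]:
        """Stands in for a breach: the raw template leaves the system."""
        return self._templates[user]

    def delete(self, user: str) -> None:
        del self._templates[user]


def biometric_breach_scenario() -> Dict[str, bool]:
    """Template stolen from system A; A deletes it, but the finger is unchanged."""
    system_a = BiometricStore()
    system_a.enrol("alice", FINGER_TEMPLATE)
    stolen = system_a.dump("alice")
    system_a.delete("alice")  # the only remedy system A has
    # Another system enrolling the same finger (standardised templates) still
    # accepts the stolen copy, and the user cannot issue herself a new finger.
    system_b = BiometricStore()
    system_b.enrol("alice", live_scan())
    return {
        "stolen_template_accepted_elsewhere": system_b.verify("alice", stolen),
        "finger_can_be_reset": False,
    }
```

The two scenario functions return their findings rather than printing them, so the contrast can be checked directly: after a reset the cracked password fails, while the copied template is still accepted by a second enrolment of the same finger.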
The POPI bill (soon to be enacted)

Is Biometrics encompassed? Biometric data classifies as Personal Information:
"personal information" means information relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to— the blood type or any other biometric information of the person;

What qualifies as biometrics?
"biometrics" means a technique of personal identification that is based on physical, physiological or behavioural characterisation including blood typing, fingerprinting, DNA analysis, retinal scanning and voice recognition

Section 14 – Retention of Personal Information
Retention and restriction of records
14.(1) Records of personal information must not be retained any longer than is necessary for achieving the purpose for which the information was collected or subsequently processed.
14.(5) The destruction or deletion of a record of personal information must be done in a manner that prevents its reconstruction in an intelligible form.

Section 26 – Prohibition on processing of special personal information
26. A responsible party may not process personal information concerning— (a) the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject unless explicitly being granted consent by the data subject
Antivirus firm Symantec estimated the 2011 global price tag of direct financial loss and the cost of remediating attacks at $338 billion, excluding the theft of intellectual property and damage from data breaches. When theft of intellectual property is factored in, the figure soars past $1 trillion, according to former head of the NSA, General Michael Hayden.
Identity is contextual. People have different identities that they may wish to keep entirely separate. An identity attribute that is relevant in one context [...] perhaps should not be mentioned in another context [...]. Information could be harmful in the wrong context, or it could simply be irrelevant.

All of us have different sides of ourselves that we share with different people. The side we show our families is different to the side we show our work colleagues, and this is different again to the side we show our doctor.

Privacy means managing those different sides of our identity in a way that allows us to feel comfortable. When personal information is linked or compiled into profiles, we limit an individual's ability to operate under nuanced and multi-faceted identities. Identities are flattened into a single homogenous entity.

The problems with this have been well demonstrated recently by some individuals' experiences with social networking sites, where people have posted photos or information about their social lives, only to have that information make an untimely reappearance when applying for jobs. Identities are not meant to be the same for all of our public interactions, and this is why we need to take care to cultivate an environment conducive to good identity management.

Biometric technology should, and indeed must, play a role in this. We must take care to ensure that a biometric identifier does not become an excuse to 'flatten' people's identities and curtail their ability to maintain and present separate and different sides to themselves. Identities are sophisticated and so biometric technologies must be the same.