Member of the Audit Bureau of Circulations. Total average net circulation per issue (July 07 - Dec 07): 13,565

Featured article in issue 43 of the Security Middle East Magazine.

Fingerprint recognition


Banking on the right identity

Fingerprint recognition authentication can be a valuable tool for the banking sector, where data access security is critical, writes Wayne Parslow

In any industry, keeping data secure is one of the prerequisites for companies to consider, balancing the need to protect information with the ability of employees to make use of it to get their jobs done.

In the banking and finance sector, there are also significant regulations to follow on making sure that only designated employees can access certain data. So how can banks ensure security for their data, while also keeping access simple? Using finger biometrics, either alongside or instead of passwords, can provide an elegant route to tighter security, alongside other business benefits.

Previously, passwords would have been used to control access to applications and manage user identities, but these are no longer seen as strong enough by themselves, particularly in highly sensitive industries such as banking or financial services. Just using passwords by themselves opens up additional risk for the bank. Users can potentially share passwords between each other, breaking security policy. In most cases, users don’t see this as breaking the rules, and are doing it to make their working lives easier. In other cases, a user could potentially steal another employee’s identity by using their log-in details.

Preventing these issues involves strong authentication, where the user has an additional physical factor in order to gain access. Alongside something you know (a password or PIN), the employee can use a variety of different methods to authenticate themselves to the network, such as a finger biometric, a smart card or one-time-password token, or a physical access card. Using finger biometrics is proving very popular in the Middle East, as they are very convenient for users – as one IT manager stated, “You cannot forget your fingers!”

The popularity of finger biometrics for security is shown as more laptop and keyboard manufacturers are including fingerprint readers within their products as standard. If the device does not have this included, then a USB reader can be attached to the user’s machine. Once the reader is operational, the user simply swipes their finger for it to be recognised. In the background, the fingerprint image is turned into a unique identity number, and then matched to the user’s identity within the network. Once they have been authenticated, the user is granted access to the network.

Alongside the strong authentication implementation, another technology that can offer benefits to users is single sign-on, or SSO. This involves replacing multiple application log-ins with one strong credential, tied to a user’s network identity. Because SSO reduces the number of passwords a user has to remember, it means that organisations can concentrate on making that one ID stronger.

Overall, using SSO and a biometric strategy together can offer more benefits to the business than they can achieve separately. SSO can automatically manage access to applications on behalf of the user, while using this along with biometric security means that users can swipe their fingers once to be granted entry to all the IT assets they are allowed to use.

Keyboard fingerprint recognition

At the same time, SSO allows the bank to create a complete report on all the access requests that a user makes. This means that the organisation can see what applications an employee opens, when they open these, and what network assets they use. Having this information stored within a secure database offers the business a simple way to report on individual employee, application or group level activity.

This combination of technologies can also demonstrate if users are sharing their passwords: as all the access requests are tied to the individual identity and biometric factor, if two employees use the same password then this will automatically be noted. A report to correlate end-user identities and passwords used can flag any incident of password sharing, and this can then be taken up by the IT team.

While some organisations may use shared passwords at a departmental level, most banks will require users to have individual accounts to enable all transactions to be traced back. In these circumstances, shared passwords can mean that users may get access to customer data that they would otherwise be unable to see. Using biometrics alongside SSO offers a quick route to stop this from taking place, as users can’t share their fingerprints.
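
The password-sharing report described above can be sketched as follows; this is an added example, not code from the article or from Imprivata OneSign. The event fields, the sample events and the allowlist of departmental accounts are constructed assumptions, and the correlation keys on the application account rather than the password text, so no password needs to be held in the audit store.

```python
from collections import defaultdict

# Constructed sample audit events (not real data). Field names are assumptions
# made for this example, not the export format of any SSO product.
#   person  - identity confirmed by the fingerprint match at the workstation
#   app     - application the SSO layer logged in to
#   account - application log-in that was used for that person
SAMPLE_EVENTS = [
    {"time": "2008-01-14T08:02", "person": "a.hassan", "app": "core-banking", "account": "ahassan"},
    {"time": "2008-01-14T09:15", "person": "m.saleh", "app": "trading", "account": "msaleh"},
    {"time": "2008-01-14T09:30", "person": "l.nasser", "app": "helpdesk-portal", "account": "branch12"},
    {"time": "2008-01-14T10:05", "person": "r.khan", "app": "helpdesk-portal", "account": "branch12"},
    {"time": "2008-01-14T13:40", "person": "m.saleh", "app": "core-banking", "account": "AHassan"},
    {"time": "2008-01-15T08:01", "person": "a.hassan", "app": "core-banking", "account": "ahassan"},
]

# Departmental accounts that policy allows several people to use (assumption).
SHARED_BY_POLICY = frozenset({("helpdesk-portal", "branch12")})


def find_shared_logins(events, allowed=frozenset()):
    """Map (app, account) -> sorted persons, for log-ins used by more than one
    biometric identity and not on the allowlist."""
    persons = defaultdict(set)
    for ev in events:
        # Many applications treat account names case-insensitively, so normalise.
        persons[(ev["app"], ev["account"].lower())].add(ev["person"])
    return {key: sorted(who) for key, who in persons.items()
            if len(who) > 1 and key not in allowed}


def sharing_report(events, allowed=frozenset()):
    """One line per flagged log-in, with first and last use, for IT follow-up."""
    lines = []
    for (app, account), who in sorted(find_shared_logins(events, allowed).items()):
        times = sorted(ev["time"] for ev in events
                       if ev["app"] == app and ev["account"].lower() == account)
        lines.append(f"{app}/{account}: used by {', '.join(who)} "
                     f"between {times[0]} and {times[-1]}")
    return lines


if __name__ == "__main__":
    for line in sharing_report(SAMPLE_EVENTS, SHARED_BY_POLICY):
        print(line)
```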

Biometrics makes life easier for Mashreq Bank

Mashreq Bank has implemented biometric authentication and SSO for its employees based on Imprivata OneSign. The appliance supports 4,500 users at the bank and ensures that they have secure access to applications. Imprivata currently provides automated access to over 30 applications via SSO, and more applications are being enrolled by the bank during 2008.

“Biometric security makes life easier for our employees, as they can get secure access and don’t have to remember multiple passwords. It also simplifies our reporting and audit procedures, as all access requests can be stored by the OneSign appliance. Overall Mashreq Bank benefits from a better overall security policy, and more efficient workers,” said David Horton, head of security for Mashreq.

In the future, banks can look to integrate biometrics with employee workflows in areas where transactions are particularly sensitive, such as a trading system. From a technical perspective, this requires a call from within the application at the point when the transaction is about to be completed. The user will then be prompted to swipe their finger to authorise the transaction, which will then be allowed to go through. This approach provides an audit trail for the bank at the transaction level, alongside their workstation and application logs.

Implementing this can add another layer of security for the bank, as each transaction can be linked to the individual that authorised it to be carried out.

Using biometrics can make life easier for users, but there may be cultural issues to confront with users around using fingerprint readers – this can be caused by employees not knowing how the biometric device actually works, so they are concerned that images of their fingerprint will be stored. Sitting down with user groups to explain how the technology functions can set any potential worries aside, and lead to greater user acceptance in the long term.

Another area to consider is the investment required to support this strategy – while a set of USB fingerprint readers is not excessively expensive, there will be a cost implication to consider. Using SSO and finger biometrics can quickly provide a return on this investment, as users will not be locked out of applications or have to call the helpdesk to reset their log-ins. Banks can also look at self-service password reset systems to automate the process.

The last area of consideration is whether finger biometrics is a suitable technology for all the bank’s employees to use. Those that are remote or mobile workers are more likely to use tokens. For organisations that may have multiple user groups with different strong authentication requirements, being able to choose which are the right additional security factors and support them simply should be part of the bank’s identity management strategy.

Finger biometrics can play a key role within a bank’s identity management strategy, helping the organisation to prove that all access to sensitive customer data is authorised and part of normal business processes. This ability to provide proof is just as important as any security technology implemented, because it can be a long-term burden on the IT team, particularly around industry legislation such as the Payment Card Industry Data Security Standard. By using finger biometrics, banks can improve the security of their systems, while linking it with other technologies such as SSO can provide opportunities for cost reduction, greater productivity in the wake of greater security and auditability of access.

Wayne Parslow is vice president, operations EMEA at Imprivata. For more info visit: www.imprivata.com