Thriving in a Zero Trust world: redressing the security balance with biometrics
By Anthony Eaton, CTO, IDEX Biometrics
More than 80 percent of UK organizations experienced a successful cyber-attack in 2021/2022, an increase of 10.3 percent from the previous year. The cost of cybercrime in the UK for 2021/2022 totaled over £3 billion, and global cybercrime is expected to reach $8 trillion by the end of this year. With society increasingly reliant on digital technologies and infrastructure, complete cybersecurity is critical. As a result, many public and government organizations that manage state security and citizen data, and private businesses protecting consumer information, are turning away from traditional data privacy approaches and opting for a zero-trust one.
The term ‘zero-trust’ has arisen from the escalation of cyber-attacks seen in recent years with new emerging unregulated markets such as cryptocurrencies, and the rise of hybrid working which has created gaps both digitally and physically for cybercriminals to exploit and expose.
The zero-trust approach works on the assumption that networks may already be compromised by cybercriminals and that every user is a potential risk — a verified user’s access credentials could fall into the wrong hands, or an unverified user could already be inside the system. Zero trust is being implemented to guarantee that only those with the proper credentials can access an increasingly complex digital and physical landscape.
So, what next for the zero-trust approach? Determining the most effective technique for controlling secure logical and physical access across vulnerable networks is crucial. Biometric smart cards represent a viable and compelling solution.
What does access look like today?
Logical access requires validating a person’s identity through some means before they reach an organization’s network; this is the ‘never trust’ half of the principle. Traditionally that validation has been a PIN or password, or — from a physical perspective — a card linked to the person in question that is swiped or tapped.
The question with both is whether these traditional means lend themselves to a zero-trust architecture. Do they tick the ‘always verify’ box?
Passwords and cards can fall into the wrong hands, be mislaid, and be used by people who aren’t supposed to access the physical and digital spaces they control. If the aim of zero-trust is to presume a person, network, device, application or data to be unsafe, then this immediate fragility of controlling security through vulnerable means contradicts that principle.
How this vulnerability manifests depends on the sector in question. Cryptocurrencies such as Bitcoin or Ethereum serve as prime examples where this would be an issue, due to their nascency and lack of regulation. As a decentralized and independent sector, each relies on the individual security of its respective infrastructure to control access and prevent cybercriminals from entering and hacking into trading platforms. Failing to do so puts all users at risk.
In more traditional corporate settings, access issues become even more complicated in the hybrid working world, where employers need to be sure that employees in different departments or locations are only gaining access to the data intended for them. The consequences of a breach in this case are well documented – more than 100 million accounts were breached between July and September 2022 alone, and the average hourly loss rate from breaches worldwide in 2021 stood at $787,671.
How biometrics plays a part
Regardless of their sector, the emphasis for all organizations should be on individual access control and a method of logical and physical access that is specific to each person. In this respect, biometrics can implement the ‘verification’ stage of a zero-trust architecture.
Biometrics refers to the individual elements of a person’s identity – the data could comprise facial, voice, or fingerprint-based credentials. With biometric smart cards, the respective ‘data’ is stored on the individual’s own card, and only their unique fingerprint can authorize access. For payments, biometric cards are already revolutionizing the ease, inclusivity, and security of transactions, while their encryption capabilities vastly decrease the possibility of data manipulation or misuse. This means that the biometric reference data captured during the fingerprint registration process is stored securely and can’t be tampered with.
From an access control perspective, the fact that a card will relate solely to the person in question, and their specific levels of clearance, eliminates the possibility of people accessing the wrong room, the wrong file, or the wrong digital infrastructure.
Organizations continue to grapple with the technical hurdles of implementing a zero-trust network, especially the cost and time it takes to remove current access controls, replace them with new infrastructure, and encourage users to adopt the new network in a secure way. Biometric ID cards offer an automated, simple, and seamless authentication process that removes many of these barriers.
As such, they can restore identity trust at a time where ‘zero-trust’ must be the default approach. In doing so, they will also offset the cost and reputational damage that a prospective phishing or ransomware attack could cause.
The need to always verify
More than two-thirds of organizations (36 percent) have already implemented a zero-trust security framework, and 47 percent have laid out plans to follow suit soon. Given the current cybersecurity landscape and the financial and reputational costs of security breaches, this approach is both viable and sensible. It explains, more generally, why the global digital identity solutions market is expected to reach $70.7 billion by 2027, rising from an already sizable $27.9 billion in 2022.
There is an evident need to invest in security and a zero-trust model. The question now is how to best build this architecture, and through what means of access.
To achieve this, biometric smart cards provide individualized logical and physical access. However, to speed up the process in the most effective and least disruptive manner, they need to be easily incorporated into existing infrastructure.
About the author
Anthony Eaton has served as Chief Technology Officer of Idex Biometrics since March 2019.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.