Identification archives - IT Governance, Risk, and Compliance


Jul 20 2009   7:28PM GMT

Biometric Technology - Part IV

Posted by: Robert E. Davis
Authentication, Biometrics, Crackers, Hackers, Identification, Access Controls, Information Security, Information Assets Protection, Information Security Infrastructure Management, IAP, ISIM

Technology attacks and the security compromises that accompany them are never easily managed. In proportion to the ingenuity of attackers and to the value placed on entrusted information assets, effective security access controls are imperative. Given the current accuracy of automated user identification and authentication processes, no single security system should ever be promoted as infallible. However, there is sufficient merit in most available biometric systems to warrant deployment consideration for information assets protection. Coupled with other access restriction techniques, biometric technology systems can be a formidable deterrent to unauthorized activities that may disable an entity’s information security infrastructure.

View Part I of the Biometric Technology series here

Jul 16 2009   8:31PM GMT

Biometric Technology - Part III

Posted by: Robert E. Davis
Authentication, Biometrics, Crackers, Hackers, Identification, Access Controls, Information Security, Information Assets Protection, Information Security Infrastructure Management, IAP, ISIM

Through the identification or authentication process, decisions are made regarding access. Typically, biometric identification supports physical access controls, while biometric authentication supports logical access controls. When relying on biometrics for asset protection, security managers must accept that human features are dynamic, yet reproducible. Consequently, it is difficult to find a single perfect access security system employing physical and/or behavioral traits.

Voices change over time or under abnormal conditions and can be modulated. Handprints can be altered — by a cut or bruise — as well as replicated. Even eyes and ears can undergo biological transformation from one day to the next. Furthermore, behaviors can be affected by emotional or fatigue states. Thus, biometric systems developed for identifying and/or authenticating authorized users that attempt to eliminate all potential errors can be prohibitively time-consuming and expensive, especially in high-traffic areas.

View Part I of the Biometric Technology series here


Jul 13 2009   6:25PM GMT

Biometric Technology - Part II

Posted by: Robert E. Davis
Authentication, Biometrics, Crackers, Hackers, Identification, Access Controls, Information Security, Information Assets Protection, Information Security Infrastructure Management, IAP, ISIM

Most information security practitioners accept biometrics as the science of employing distinctive human attributes to discern the validity of access rights. Specifically, adopting the Information Systems Audit and Control Association’s definition, biometrics is the process for identifying or authenticating a living person’s identity based on physiological or behavioral characteristics. Delineated further, biometric identification usually involves a one-to-many search of individual characteristics across linked data repositories, whereas biometric authentication establishes a one-to-one relationship that verifies the claim to an identity made by an individual.

View Part I of the Biometric Technology series here


Mar 16 2009   7:01PM GMT

Physical Token Protection - Part IV

Posted by: Robert E. Davis
Information Security Management, Laws and Regulations, Service Level Agreement, IT Security, Availability, Confidentiality, Functionality, Identification, Integrity, Quality, Token, Usability, CIA, ISM, SLA

Regarding the provisioning of physical authentication media, an entity’s deployed access control process should clearly define the way encoded identification is delivered to users, within the context of promoting adequate confidentiality, integrity and availability. Specifically, the process to dispense tokenized authentication attributes to users should employ a different delivery channel than the physical item. When physical items are tokenized prior to individual assignment or usage, security management should ensure the identification mechanism remains dormant and protected until the authentication verification enabler reaches the intended owner empowered with activation and usage rights.

As suggested in COBIT Security Baseline: An Information Security Survival Kit, depending on the country, state or industry, information asset usage is subject to various laws and regulations. These laws and regulations need to be known and obeyed to enable appropriate IT security. Domains covered by such rules include privacy, information retention, minimal system protection requirements and attestation requirements. Consequently, physical tokenized access items should receive the same protection consideration as other entity information assets.

View Part I of the Physical Token Protection series here


Mar 12 2009   6:41PM GMT

Physical Token Protection - Part III

Posted by: Robert E. Davis
Information Security Management, Laws and Regulations, Service Level Agreement, IT Security, Availability, Confidentiality, Functionality, Identification, Integrity, Quality, Token, Usability, CIA, ISM, SLA

As a corollary requirement, when considering physical tokens, functionality is directly related to capabilities. Consequently, physical token appropriateness should be evaluated based on the set of attributes applicable to the existing set of activities and their specific properties. In other words, determining physical token functionality is a characteristic association ensuring that the quality of hardware and/or software products utilized for accessing objects meets intended purpose expectations throughout their life cycle. Adequate physical token functions are those that satisfy stated or implied criteria of users and management. These value drivers emanate from business and governance domain perceptions, where the former typically focuses on functionality and delivery velocity, while the latter tends to emphasize cost-efficiency, return on investment and compliance.

View Part I of the Physical Token Protection series here


Mar 9 2009   6:56PM GMT

Physical Token Protection - Part II

Posted by: Robert E. Davis
Information Security Management, Laws and Regulations, Service Level Agreement, IT Security, Availability, Confidentiality, Functionality, Identification, Integrity, Token, Usability, CIA, ISM, SLA

Information asset usability implies availability to perform requested services as well as transparency. Determining physical token usability necessitates assessing relevant and pertinent services for the access process as well as secure user delivery in a timely, correct, and consistent manner. Whether access control is outsourced to a third party or is maintained internally, the time frame for processing each user security administration operation should be defined and agreed to by the entity’s representatives through a service level agreement (SLA) that aligns with corresponding service objectives and goals. For example, if providing timely user provisioning is established as a goal, user resets for critical applications should be responded to within the SLA-specified time period. Where an SLA does not stipulate the response time, a best practice standard should be adopted and sustained by management to monitor performance achievement.

View Part I of the Physical Token Protection series here


Mar 6 2009   7:50PM GMT

Physical Token Protection - Part I

Posted by: Robert E. Davis
Information Security Management, Laws and Regulations, IT Security, Availability, Confidentiality, Functionality, Identification, Integrity, Token, Usability, CIA, ISM

Organizationally, information security is normally considered a program enabling and optimizing IT security services for the entity in order to satisfy business requirements, while simultaneously providing strategic and tactical IT security infrastructure management that complies with applicable laws and regulations. Cascading from the generally accepted risk management goal of adequately addressing threats, opportunities, and weaknesses, a primary security risk assessment objective is to provide recommendations that maximize confidentiality, integrity and availability protection reflective of the operating environment, while sustaining usability and functionality. Though IT security advice generally focuses on enhancing data and information protection, equal attention should be given to the physical identification credentials utilized for accessing IT objects.


Feb 5 2009   9:38PM GMT

Access Control Convergence - Part 2

Posted by: Robert E. Davis
Distributed Platforms, Physical Security, Logical Security, Access Controls, Information Asset Protection, Identification, Authentication, Authorization, Accountability, Infrastructure

Integrated policies improving access control are needed to increase safeguarding capabilities. Furthermore, due to technological and operational diversity, it is critical to have standard processes to control access that will permit economies of scale. Potential candidates for access control convergence include tokens, biometrics, smart cards and tracking systems. When physical and logical penetration protection mechanisms are converged under a unified access control policy, the resulting combination can operate as a baseline, customized to address entity-centric needs for effective threat countermeasures. Beneficially, regarding operational complexity, access control convergence can simplify security administration. To enable organizational coexistence with technological convergences, an entity’s security function should assume responsibility for implementing and sustaining blended physical and logical controls.

Physical information security is a critical aspect of adequate perimeter and interior controls. Yet, physical controls alone cannot ensure that information assets are protected. For this reason, it is important to establish logical security controls that counter threats to information confidentiality, integrity, and availability. Both control types should have as their primary objective appropriate asset protection, particularly of information in electronic form. Consequently, where feasible, entities should deploy cost-effective processes for protecting the network infrastructure through converged physical and logical security controls.


Feb 2 2009   7:38PM GMT

Access Control Convergence - Part 1

Posted by: Robert E. Davis
Distributed Platforms, Physical Security, Logical Security, Access Controls, Information Asset Protection, Identification, Authentication, Authorization, Accountability, Infrastructure

Computer technology continues to advance toward a tiered, decentralized world of distributed platforms for entering, processing, and retrieving information. Technological implementations are diverse and complex; however, all IT deployments should be protected from unauthorized usage through suitable information asset access controls. Given IT interconnectivity, entities should also protect information assets from unauthorized manipulation to safeguard investments from risks associated with resource misuse. Consequently, information asset access control is typically viewed from two abstraction perspectives: physical and logical security.

Physical security provides tangible asset protection whether an item is at rest or in transit. As a sub-category, physical information security involves reducing technological vulnerabilities, usually by limiting access to the buildings and rooms where information assets are housed, or by installing mechanical locks on devices. However, physical access controls should address not only the area containing hardware, but also the wiring locations utilized to connect system elements, supporting services, backup media, and other items required for IT operational effectiveness.

Distinctively, logical security focuses on safeguarding intangible assets whether data is at rest or in transit. Logical access controls are the manual and electronic policies, procedures, and organizational structures deployed to safeguard symbolic objects. Essential elements for adequate logical access control are identification, authentication, authorization, and accountability.