Biometrics in the Cloud
Many of us have heard about the Cloud, and even use it. It is a rather simple process: you sign up for an account, you get a user name and password, and within seconds you can start provisioning the software applications and other services you need for a fixed monthly cost. Probably the largest Cloud Provider out there is Amazon Web Services, or AWS.
But have you actually taken the time to really understand what the Cloud is all about? Probably not, because it is so ingrained in us to use it every day. Therefore, a formal definition of it is as follows:
“The cloud is not a physical entity, but instead is a vast network of remote servers around the globe which are hooked together and meant to operate as a single ecosystem. These servers are designed to either store and manage data, run applications, or deliver content or a service such as streaming videos, web mail, office productivity software, or social media. Instead of accessing files and data from a local or personal computer, you are accessing them online from any Internet-capable device—the information will be available anywhere you go and anytime you need it.”
Because of the great vastness of the Cloud Infrastructure and the sensitive information and data that it holds, it has become one of the prized targets of the Cyber attacker. There are security-based mechanisms in place to protect it, but they hardly ever seem to be enough. There is, however, one technology that could almost “bullet proof” a Cloud Infrastructure, and that is Biometrics.
In this article, we continue to examine some more technical details of a Cloud Infrastructure, and how Biometrics can fit in there in order to provide a better layer of security.
The Three Major Components of the Cloud Infrastructure
There are three major aspects of the Cloud, all of which, of course, need an added layer of protection. They are as follows:
1. The Infrastructure as a Service, or IaaS:
As its name implies, the IaaS provides the framework or foundation from which all of the IT assets and IT resources can be delivered to the end user, whether that is a business, a corporation, or even just an individual.
The IaaS, in particular, includes the hardware, the network connectivity, all of the software applications (for example, the VoIP applications, E-Mail applications, database applications, software development applications, etc.) as well as the other “raw” tools which help to make up this Infrastructure.
As one can see from the above diagram, the IaaS platform is stored on physical servers, which are then partitioned into virtual server instances, one for each end user.
How can Biometrics be used to protect the IaaS?
Since these servers are probably housed in large data centers, having superior levels of security at the Physical Access Entry points is key. At the current time, most of the security measures used to protect the rooms in which the IaaS servers are stored make use of smart cards, ID badges, a secure fob, etc. But these have their inherent security weaknesses. For instance, what if any of these mechanisms is lost or stolen, or worse yet, what if one employee hands their credentialing tools to another employee so that they too can gain access, when they are not supposed to?
In these instances, you need a device which not only lets only authorized users enter the area in which the IaaS resides, but can also 100% confirm their identity as well. Probably the best suited tool for this situation is the Hand Geometry Scanner.
From here, the end user (typically an employee) aligns their hand onto the pegs. At this point, over 96 measurements of the hand are taken in rapid succession. From here, the raw image is compiled, and the unique features are extracted. This same process is used to compile both the Enrollment and Verification Templates. So, if an employee wants to gain access to the secure area which houses the IaaS servers, he or she would have their hand scanned, in a process that takes under two seconds. If there is enough statistical correlation between the two Templates just described, the employee is allowed access to the IaaS servers.
It should be noted that the Hand Geometry Scanner would be wired to an electromagnetic lock strike, and upon successful identification of the employee, this lock strike would automatically open the door for the employee to enter. This is illustrated in the diagram below:
It should be noted that in the above diagram, it is the Hand Geometry Scanner which is the primary means of gaining access to the area where the IaaS servers are stored. Of course, the Hand Geometry Scanner also supports Two Factor Authentication, such as using a Smart Card along with confirming the identity of the employee by their hand.
2. The Platform as a Service, or PaaS:
The second deployment model for the Cloud Computing Infrastructure is known as “Platform as a Service”, or “PaaS” for short. It can be specifically defined as: “A complete development and deployment environment in the cloud, with resources that enable you to deliver everything from simple cloud-based apps to sophisticated, cloud-enabled enterprise applications . . . PaaS includes infrastructure—servers, storage, and networking—but also middleware, development tools, business intelligence (BI) services, database management systems, and more.”
How can Biometrics be used to protect the PaaS?
As can be seen from the definition, the PaaS consists of both hardware (primarily the servers) and software aspects. In other words, it is essentially yet another set of servers, but unlike the IaaS platform, it also consists of many types of software. In order to protect the server aspect of the PaaS, the same methodology that was used to protect the IaaS can be used again in this instance. But in most cases, the PaaS servers will be stored in a separate area of the Data Center (away from the IaaS servers). In these instances, Biometrics can also be used to protect the PaaS servers. For example, once the employee has gained access through the first point of entry (via the Hand Geometry Scanner), he or she can then gain access to the second point of entry (the area where the PaaS servers are stored) by having their identity confirmed by a Fingerprint Scanner.
Using a Hand Geometry Scanner and a Fingerprint Recognition Device in tandem like this also serves as a Two Factor Authentication (2FA) solution.
The software component of the PaaS will be protected in the same way as the SaaS, which is described next.
3. The Software as a Service, or SaaS:
This is the platform that consists of all of the software applications one can purchase and download onto their own device. A specific definition of the SaaS is as follows:
“The (SaaS) allows users to connect to and use cloud-based apps over the Internet. Common examples are email, calendaring, and office tools (such as Microsoft Office 365).”
Typically, the SaaS platform resides in the part of the PaaS server that holds its own set of software applications (as discussed previously).
How can Biometrics be used to protect the SaaS?
Since at this point we are discussing securing software applications, Physical Access Entry is no longer the issue; the question is now how to secure the Logical Access Entry side of the equation. In this scenario, four assumptions are made:
- The PaaS Server (which also contains the SaaS Platform) will have a separate “Authentication Server” which stores the Enrollment Biometric Templates of the subscribers who have purchased SaaS based applications;
- Fingerprint Recognition will be the predominant Biometric Technology to be used in this regard;
- A Web Browser will be used to access the SaaS applications;
- APIs are also used in the authentication process.
How Fingerprint Recognition can be used to authenticate the end user wishing to connect to a SaaS app and also protect the SaaS platform is illustrated in the diagram below:
1. The end user submits their fingerprint via a Fingerprint Recognition Device connected to their computer via a USB connection. From here, the raw image is compiled, the unique features are extracted, and the Biometric Template (which is a mathematical file) is created. This then becomes what is known as the “Model File”.
2. The “Model File” is then sent from the Fingerprint Recognition application (which actually resides in the device itself) to the API Service using what is known as a “REST Call”.
3. The “REST Call” then connects to the Authentication Server; it sends it the “Model File”, and also requests that the authentication process for the end user begin.
4. The Authentication Server then compares the Enrollment Template it has of the end user with the information that is presented in the “Model File”.
5. If the authentication proves to be successful in Step #4, the Authentication Server then sends over an API based username/password combination.
6. Now having the username/password combination that was established in Step #5, the API sets up a new session on the web interface for the end user to access the SaaS application that he or she needs.
7. The API then creates and sends over the Session ID to the end user’s computer.
8. The end user can now download this specific SaaS-based application onto their own computer and access it via a Graphical User Interface (GUI) through the web browser of their choice.
9. The SaaS Platform can further manage this connection and the service that is being provided through the Session ID that was created in Step #7.
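The Step 1 to 9 flow above, together with the Enrollment/Verification Template comparison described for the Hand Geometry Scanner, as an added example that is not part of the original article: a Python simulation in which the Authentication Server, API Service and Session ID handling are assumed, simplified stand-ins, and the template feature vectors and the 0.92 match threshold are constructed values.

```python
import math
import secrets
# Assumed operating point: real deployments tune this against their FAR/FRR targets.
MATCH_THRESHOLD = 0.92

def similarity(a, b):
    """Cosine similarity between two template vectors (1.0 = identical features)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(x * x for x in b))
    return dot / (norm_a * norm_b) if norm_a and norm_b else 0.0

class AuthenticationServer:
    """Stores Enrollment Templates only; the presented Model File is never retained."""
    def __init__(self):
        self._enrolled = {}  # user_id -> enrollment template (list of floats)

    def enroll(self, user_id, template):
        self._enrolled[user_id] = list(template)

    def verify(self, user_id, model_file):
        """Step 4: compare the Model File with the stored Enrollment Template."""
        enrolled = self._enrolled.get(user_id)
        if enrolled is None or similarity(enrolled, model_file) < MATCH_THRESHOLD:
            return None  # correlation below threshold -> authentication fails
        # Step 5: on success, hand back a one-time API username/password, not the template
        return {"username": user_id, "password": secrets.token_urlsafe(24)}

class ApiService:
    """Receives the REST call (Steps 2-3) and manages sessions (Steps 6-9)."""
    def __init__(self, auth_server):
        self.auth = auth_server
        self.sessions = {}  # session_id -> user_id

    def rest_call(self, user_id, model_file):
        creds = self.auth.verify(user_id, model_file)
        if creds is None:
            return {"status": "denied"}
        session_id = secrets.token_urlsafe(32)  # Steps 6-7: unguessable Session ID
        self.sessions[session_id] = creds["username"]
        return {"status": "ok", "session_id": session_id}

def demo():
    auth = AuthenticationServer()
    api = ApiService(auth)
    auth.enroll("alice", [0.9, 0.1, 0.4, 0.7, 0.3])  # constructed Enrollment Template
    genuine = api.rest_call("alice", [0.88, 0.12, 0.41, 0.69, 0.31])  # same finger, new capture
    impostor = api.rest_call("alice", [0.1, 0.9, 0.7, 0.2, 0.8])  # constructed impostor scan
    return api, genuine, impostor
```

The point to note is that the decision is a threshold on a correlation score, not an exact comparison, so the threshold choice sets the false accept and false reject rates of the whole flow.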
Overall, this article has examined the three major components of a Cloud Infrastructure, and how Biometrics can be used to protect each of them, from both a Physical Access Entry and a Logical Access Entry standpoint. So really, in the end, we have presented a methodology which can protect an entire Cloud based Infrastructure.
Although other security measures are used to protect a Cloud based Infrastructure (as reviewed earlier), Biometrics does have one distinct advantage over them. That is, it is the one mechanism that can 100% confirm the identity of an individual, because it is the unique, physiological traits of the individual in question that are being examined.
But like anything else, Biometrics should not be the only line of defense in protecting a Cloud based Infrastructure. It should be used in tandem with the other security measures that are in place at the Data Center, in order to create what is known as a “Multimodal Security Solution”. This ensures that the highest levels of security are being implemented, because multiple layers of it are being used at the same time.