How to Make the Most Effective Use of a Multi-Tiered Security Model
Overview of the Last Article
Our last article reviewed what a Biometrics in the Cloud infrastructure would like. Essentially, this involves placing the entire Biometric system into the hands of a trusted third party, such as that of an Internet Service Provider (ISP).
But, the Cloud is also highly prone to all sorts of Cyber-attacks. Thus Penetration Testing is needed to uncover all of the hidden security gaps and vulnerabilities. But, conducting such tests is equally complex, because both the internal and external environments in which the Cloud based Biometrics infrastructure is associated with must be examined thoroughly.
An Introduction to Multimodal Biometric Solutions
Most corporations (as well as other small to medium sized businesses) often get caught in the trap that if critical funding is spent into procuring the latest security tools, then it will be completely safe from any kind of Cyber-attack.
This view is known as a “Unimodal” approach because only one line of defense is being used. However, there is a critical flaw in this thinking: What happens if a Cyber hacker breaks through that only perimeter of defense?
One of the cardinal rules of security is not to rely on just one layer of defense, but in fact, you should have at least two or more levels of it. Thus, if a Cyber attacker were to break through the first line, the statistical probability that he or she will be able to penetrate through the secondary or third layers of defense become greatly diminished. This type of an approach is known as a “Multimodal Security Solution.”
This concept applies to Biometrics as well. With a layered approach being used here, two or more Biometric devices can be used in tandem with another. This type of multimodal approach can be applied to a combination of different security environments. For example, it can be deployed just outside the premises of the corporation, inside of it, or even a mixture of both.
In fact, Biometric Technology works best when it used in conjunction with another modality. For example, a Hand Geometry Scanner would work very well with both an Iris Scanner and even a Fingerprint Recognition device. There are numerous advantages to utilizing a Multimodal Biometric solution, which include the following:
Greater accuracy of confirming the identity of an individual:
Although each of the individual Biometric modalities is very accurate in confirming the identity of a particular individual, they are also prone to errors as well. For example, a Biometric device may confirm the identity of an impostor, and grant him or her access to resources to which they are not allowed to have. The probability of this happening is known as the “False Acceptance Rate”, or “FAR” for short. By having a two-layered approach, the odds of an impostor being accepted by the second (assuming that he or she broke through the first line of defense) Biometric modality are virtually nonexistent.
Greater levels of security:
Although Biometric systems are difficult to spoof, scientific studies have shown that some direct contact modalities, such as that of Fingerprint Recognition, can potentially be tricked to a certain degree. This is often done by making the use of “Latent Fingerprints”. These can be defined as “. . . fingerprint impressions secreted in a surface or an object and are invisible to the naked eye”. (SOURCE: www.fingerprinting.com). Using a special technique, latent fingerprints can be lifted, and applied to another fingerprint sensor to allow an impostor to be verified by the system. But, by implementing a Multimodal Biometric System in which at least one non-contactless modality is being used greatly reduces the chances of a system into being spoofed.
It provides a means of security which can service all end users:
Biometric technology to a very large degree can be used quite easily by most populations. However, there are extreme cases in which a particular individual may not be able to be enrolled by a device. This could be due to a number of varying reasons; such as an illness or an ailment, a birth defect, an injury or a physiological deformity, etc. It also is the case that an end user just does not have unique features which can be captured and extrapolated by a Biometric system. In such cases, if an end user cannot be enrolled by a Biometric system in one layer, the statistical probability is increased that he or she will be able to be enrolled in the next layer of security.
It provides a very cost effective security solution:
As it was stated earlier in this article, if a corporation spends a lot of money on just one layer of defense, it will never be as good as spending the same amount of money on a security system which provides multiple layers of defense, such as that of Biometric technology.
Asynchronous & Synchronous Biometric Multimodal Systems
There are two types of Multimodal Biometric systems which can be implemented, and are as follows:
- An Asynchronous Approach;
- A Synchronous Approach.
An Asynchronous Approach
This can be defined as “. . . a system (or systems) that require that a user verify through more than one biometric [device] in sequence.” (SOURCE: www.johngilltech.com). This describes a security environment in which multiple Biometric modalities are being used one after another, in a tiered or layered approach, to confirm the identity of an individual.
There are numerous market applications which make heavy usage of the asynchronous approach:
Physical Access Entry
In this environment, most corporations tend to deploy a very rugged and durable type of Biometric device which can be located at the exterior points of entry. One of the best-used modalities is that of the Hand Geometry Scanner.
For example, it can be housed in enclosures which can withstand the most extreme temperature changes. Within just a few seconds, an employee’s hand can be scanned, and their identity confirmed. This can be considered to be the first layer of defense.
Depending on the job responsibilities or duties of the employee, he or she then may require access to the more secure areas within the corporation. For instance, if it is a law firm or a medical practice, there will exist much more secure areas in which the either client files or patient records will be stored.
To make sure that only the employees who need access to such information are authorized to access these secure areas, a second layer of defense will have to be implemented, such as that of a Fingerprint Recognition device.
Finally, if this employee also requires access to one of the most critical assets to a corporation, namely the IT infrastructure (such as the servers and the databases), then a third layer of security will be required.
In this fashion, the use of an Iris Recognition device will be best suited here, because it is deemed to provide the most irrefutable proof in confirming the identity of an individual. This is so because the structure of the iris hardly ever changes over the lifetime of an individual, and thus, is considered to be very stable.
Ever since the events of 9/11, international airport security has received great notice and attention not just here in the United States, but around the world as well. To combat the threats of terrorism and identifying terror suspects, many international airports have now started to deploy an asynchronous approach. This can be applied to both within the actual airport environment as well as to people passing through immigrations and customs.
For example, both Facial Recognition and Iris Recognition have advanced to the point where the unique structures of the face and eye can be captured from very far distances, even when groups of people are walking. From this angle, any images can be captured and compared against a terror watch database in real time.
Also, to ensure that legitimate travelers are allowed to enter the country of destination, the e-Passport is also being used as well. This is very similar to the traditional paper passport, with the primary difference being that the e-Passport contains a Smart Card chip, and a miniature RFID antenna.
The chip contains the Biometric templates of the traveler (in particular the Facial, Iris, and Fingerprint Recognition Templates) and is transmitted to the e-Passport reader via the antennae. Using this type of infrastructure provides a three-layer approach to positively confirm the identity of the traveler.
These asynchronous solutions are being used quite commonly in the international airports located in Europe and the Middle East. Examples of this include the Hamad International Airport in Qatar, and both the Barajas and Barcelona airports located in Spain.
A Synchronous Approach
This type of scenario uses two Biometric modalities, and at the same time to confirm the identity of an individual. It should be noted that the number of asynchronous applications far exceeds those of the synchronous applications. This is so because the former is much more effective in providing a robust, multilayer security model for the corporation. In other words, using a staggered approach is much more effective in maintaining and confirming the appropriate hierarchy of resource permissions for the employees.
The synchronous approach is gaining good traction with that of mobile devices. For instance, rather than having to enter a PIN Number or a password, many Smartphones these days now offer the use of Fingerprint Recognition so that the end user can login with the swipe of their finger.
One of the best examples of this is the “Touch ID” fingerprint sensor which is deployed on most iPhone models. In just a matter of a second, an individual can be logged into their iPhone.
But also realizing that only one layer of identification may not be enough, many wireless vendors are now also offering a second Biometric modality, in the way of either Facial Recognition or Iris Recognition.
In these instances, the camera of the Smartphone can either capture an image of the face or the iris, respectively. The templates can then be processed and compared via a mobile app. Since the Biometric technology implemented into the Smartphone is so miniature, the issue of two modalities being used at the same time is almost negligible.
Summary and Conclusions
In summary, this article has reviewed the use of Multimodal Biometric solutions. This simply means using two or more modalities in either a staggered (asynchronous) approach or a simultaneous (synchronous) approach.
Keep in mind that Multimodal Biometric solutions can also include the deployment of other non-Biometric technologies as well. This includes using Smart Cards or FOBS (when protecting the physical assets of the of the corporation) or Routers, Firewalls, and Network Intrusion Devices (when protecting the logical assets of the corporation).
It is also important to conduct Penetration Testing on Multimodal Biometric systems as well; using the same types of tests outlined in our previous two articles (“BioCryptography and Penetration Testing” and “Biometrics in The Cloud and Penetration Testing”).
But, Pen Testing will become much more challenging and complex if it is being done in a heterogeneous security environment (where both Biometric and non-Biometric technologies are being used together to provide multiple layers of defense).
But, before deploying and implementing a Multimodal Biometric solution, there are three key considerations which need to be evaluated first:
- Determining what needs to be protected:
In this regard, thought needs to be given as to which assets need to be further fortified, is it the physical or the logical ones?
Ascertaining which Biometric modality will work the best:
In a multimodal environment, just about any Biometric technology, whether physical or behavioral based, can be networked together. But, very careful attention needs to be given to which Biometric modalities will be the most effective for a particular environment. For instance, a Signature Recognition device will not be effective for a Physical Access Entry Solution, and likewise, a Hand Geometry Scanner will not be conducive at all as a Single Sign On Solution.
If the Multimodal Biometric system will be implemented in conjunction with a legacy security model:
As just described, Biometric technology can work well with other non-Biometric technology in a layered security environment. But, a detailed analysis needs to be conducted first to determine in which ways the Biometric modalities can fit into a legacy security system. In the end, it is much more cost effective for a corporation to implement a Multimodal Biometric system into an existing framework, and build up the defenses from there.