Securing the Desktop with Biometrics
Dan Sanderson
SafeLive Corporation
New Richmond, WI

             Desktop Security Overview

  •   Desktops – the virtual work environment
  •   Security weakness at the desktop
  •   Current desktop security techniques
  •   What do we mean by securing our desktops?
  •   Factors of authentication
  •   Biometrics
  •   Example products: WEB-key, SendItSecure

SafeLive Corporation                              Page 2
    Desktops – the Virtual Workplace

  We use our desktops/laptops as a window to our work
  • E-mail
  • Personal productivity applications
  • Enterprise applications
  • Web applications
  • Instant messaging
  What if someone took away your computer?

         Desktop Security Weaknesses
  We’re getting better at perimeter-based security
     (firewalls, encrypted connections, anti-virus, anti-
  Internal threats are often underestimated
  • Account break-ins/unauthorized access by trusted
  • Careless exposure of data and applications
  • Unpatched operating systems and applications
  • Inadequate backup and recovery procedures

               Current Desktop Security
  •   Username/password is the most common
  •   Token-based security (e.g., Xyloc)
  •   Biometrics
  •   No security

           What Needs to be Secured?

  • System/network access
  • E-mail (send/receive)
  • Enterprise applications (e.g., accounting apps,
    inventory control apps, etc.)
  • Web-based applications
  • Instant Messaging

     Carelessness in Desktop Security

  • It’s inconvenient to be secure.
  • We forget to be secure.
  • We let the “system” take care of security (e.g.,
    cached passwords).

                       Purpose of Security

  • Protect our data
  • Authenticate users

                 Factors of Authentication
  • Something you HAVE (column labelled "More Difficult To Counterfeit"): Drivers License, Magnetic Stripe, Photo ID, Smart Card, Proximity Card
  • Something you KNOW (column labelled "More Difficult To Appropriate"): PIN, Password, Challenge-, Encryption, Digital
  • Something you ARE: Face, Voice, Fingerprint, Iris, Handprint, Retina, DNA
  • Vertical axis: Natural and Easy (top) to Obtrusive and Difficult (bottom)
  • Horizontal axis: Low Security, Low Accuracy (left) to High Security, High Accuracy (right)
                       Biometrics Overview
  • “Measurement of Life”
  • Using a unique physical characteristic to authenticate
    a person’s identity
  • Types:
     – Behavioral (requires several samples taken over
       time, e.g., voice, keystroke analysis, gait)
     – Biological (requires a single sample, e.g.,
       fingerprint, facial, hand geometry, iris, DNA)
  • Matching two samples requires complex analysis
  • Computers make this analysis feasible and accurate

                       Evaluating Biometrics
  • Level of security required: How critical is the data
    or application to the core business of the
    organization? What are the consequences of
    security breaches?
  • Accuracy within the environment: Is the
    technology trustworthy and can it be deployed within
    the environment in a reliable manner?
  • User acceptance: What are the training issues?
    Will users find the technology inconvenient?
  • Cost: What are the initial hardware and software
    costs, and what are the ongoing costs for
    maintenance and upgrades?

     Using Biometrics on the Desktop
  • Network logon: Locally stored biometric data (e.g.,
    Softex Omnipass) or enterprise solutions
    (SAFsolution from IdentiPHI)
  • Enterprise applications: Very few of these are
    protected by biometrics
  • E-Mail: Authentication of senders and receivers
    (e.g., SendItSecure)
  • Web Access: Replaces username/password for web
    site access. Local “password vault” solutions (e.g.,
    APC BIOPOD) and centrally managed solutions (e.g.,
    BIO-key’s WEB-key)

           Is Biometrics Really Secure?
  • No security technique is 100% guaranteed.
  • Don’t get caught up in the Myth Busters stories.
  • The accuracy of biometrics can be measured by:
        – False accepts (bad)
        – False rejects (inconvenient)
  • Choose solutions that are non-intrusive or else they
    won’t be used.
  • Consider multi-factor authentication schemes
    (biometric + password, biometric + token)
  • Choose solutions that protect against attacks, such
    as image injection/replay, latent fingerprints, fake
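
  Added example (not part of the original slides): measuring false accepts and false rejects at different match thresholds, and the effect of 1-to-many identification and of a second factor on the false-accept rate. The scores, function names and the independence assumptions are constructed for illustration and do not describe any product named in this deck.

```python
# Constructed similarity scores (0..1) from a hypothetical fingerprint matcher.
GENUINE = [0.91, 0.88, 0.79, 0.95, 0.62, 0.84, 0.73, 0.90, 0.55, 0.87]   # same person
IMPOSTOR = [0.12, 0.33, 0.41, 0.58, 0.22, 0.67, 0.30, 0.18, 0.49, 0.71]  # different person


def rates(threshold, genuine=GENUINE, impostor=IMPOSTOR):
    """Return (FAR, FRR) when every score >= threshold is accepted."""
    far = sum(s >= threshold for s in impostor) / len(impostor)  # false accepts
    frr = sum(s < threshold for s in genuine) / len(genuine)     # false rejects
    return far, frr


def sweep(thresholds):
    """List of (threshold, FAR, FRR): raising the threshold trades FAR for FRR."""
    return [(t, *rates(t)) for t in thresholds]


def best_threshold(max_far, thresholds):
    """Threshold with the lowest FRR whose FAR stays within max_far, else None."""
    ok = [(frr, t) for t, far, frr in sweep(thresholds) if far <= max_far]
    return min(ok)[1] if ok else None


def one_to_many_far(far, gallery_size):
    """Chance that at least one of N enrolled templates falsely matches.

    Assumes each comparison is independent (an approximation).
    """
    return 1 - (1 - far) ** gallery_size


def two_factor_far(bio_far, second_factor_guess_prob):
    """False-accept chance when biometric AND second factor must both pass.

    Assumes the two factors fail independently.
    """
    return bio_far * second_factor_guess_prob


if __name__ == "__main__":
    for t, far, frr in sweep([0.5, 0.6, 0.7, 0.75, 0.8]):
        print(f"threshold={t:.2f}  FAR={far:.0%}  FRR={frr:.0%}")
    print("1:N FAR, per-match FAR 0.1%, 1000 templates:", one_to_many_far(0.001, 1000))
    print("biometric (FAR 10%) + 4-digit PIN:", two_factor_far(0.1, 1 / 10_000))
```
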

 Practical Examples of Biometrics on
             the Desktop
  • WEB-key (BIO-key International)
  • SendItSecure (SafeLive Corporation)

  • Product is an SDK (must be integrated into your web-
    based application)
  • N-tiered architecture:
        – Client plug-in for browser
        – Application server
        – Back-end authentication server and biometric database
  • Can be used for 1-to-many identification or 1-to-1
  • Very scalable
  • Client tier must be Windows; other tiers can be
    Windows or Linux


  • Client: Browser, WEB-key plug-in
  • App server: Web app, WEB-key API
  • WEB-key: Authentication, Session Mgmt


  • Demo

 • E-mail “extra-structure” that makes ordinary e-mail
   highly secure
 • Service-based architecture
 • Integrates with Outlook
 • Can be used with web mail or other e-mail clients

 • Authentication:
    – Identity of sender authenticated (receiver knows
      for sure who sent the e-mail – non-repudiation)
    – Identities of receivers are authenticated (sender is
      assured only recipients can read the e-mail)
 • Confidentiality:
    – Contents of e-mail are encrypted en route and can
      only be decrypted by authorized receivers

• Strong authentication (beyond passwords)
• Strong encryption (end-to-end)
• Easy to use, non-obtrusive
• Leverages existing e-mail infrastructure
• Easy to administer (biometrically protected web site)
• Cost effective (hardware and software)
• “Message pickup” feature for sending to non-enrolled
• Support for very large attachments

              SendItSecure Architecture

• Applications:
      – Transmittal of sensitive company documents and messages
      – Employees working from remote locations (telecommuting,
      – Communications with suppliers and partners
      – Improved customer service
• Industries:
      –   Health care
      –   Banking
      –   Law enforcement
      –   Professional firms
 • Demo

                       Contact Information

                         Dan Sanderson
