“Never Trust, Always Verify”: The Role of Biometrics in a Zero-Trust World
By Anthony Eaton, CTO, IDEX Biometrics
‘Zero-trust’. ‘Never trust’. ‘Always verify’. These phrases are becoming etched into security discourse in a climate where the cost of cybercrime is predicted to hit $8 trillion in 2023, before growing to $10.5 trillion by 2025. A Deloitte Center for Controllership poll compounded these figures: in the past 12 months alone, 34.5% of polled executives reported that their organizations’ accounting and financial data had been targeted by cyber-attacks. For public and governmental entities in charge of state security and citizen data, for private businesses protecting consumer information, and across rapidly rising new sectors such as cryptocurrencies, the default approach to data privacy must now be one of zero-trust.
The term ‘zero-trust’ has arisen from the escalation of cyber-attacks seen in recent years. Such attacks have thrived due to the accelerated emergence of unregulated markets, such as cryptocurrencies which have left gaps for exploitation. They’ve also capitalized on the post-pandemic digitalization of companies, where remote devices across disparate networks have made access control more critical. And finally, they have also exploited more unpredictable physical access to workspaces amid the rise of hybrid working.
Zero-trust works on the assumption that networks are already compromised, or could be at any moment, and that every user and device is a potential risk: a verified user’s credentials could fall into the wrong hands, or an unverified user could already be inside the system. It therefore treats network location as no proof of legitimacy and requires every access request to be verified on its own merits. This has paved the way for the default approach of ‘never trust, always verify’, to ensure an increasingly complicated digital and physical landscape is only accessed by the right people, with the right credentials.
The next phase in this zero-trust journey is to establish the best method to manage secure logical and physical access across these vulnerable networks. Biometric smart cards represent a viable and compelling solution.
Access in its current form
Logical access requires validating a person’s identity before they reach an organization’s network or data; this is the ‘never trust’ half of the principle. Traditionally that validation has been a PIN or password, or, on the physical side, a card linked to the person in question that is swiped or tapped at a door or reader.
The question with both is whether these traditional means lend themselves to a zero-trust architecture. Do they tick the ‘always verify’ box?
Passwords and cards can fall into the wrong hands, be mislaid, and be used by people who are not supposed to reach the physical and digital spaces they control. A password proves only that someone knows it, and a card proves only that someone holds it; neither proves who that someone is. If zero-trust presumes every person, network, device, application and data store to be untrusted until verified, then controlling access through credentials that are so easily transferred contradicts that principle.
How this vulnerability manifests depends on the sector in question. Cryptocurrencies such as Bitcoin or Ethereum are prime examples, owing to their nascency and lack of regulation. Because the sector is decentralized and independent, each exchange or trading platform relies on the security of its own infrastructure to control access and keep cybercriminals out. A failure at any one of them puts all of its users at risk.
In more traditional corporate settings, access issues become even more complicated in the hybrid working world, where employers need to be sure that employees in different departments or locations are only gaining access to intended data. The upshots of a breach, in this case, are well documented – more than 100 million accounts were breached between July and September 2022, alone, and the average hourly loss rate because of breaches worldwide in 2021 stood at $787,671.
The role of biometrics
Regardless of their sector, the emphasis for all organizations should be on individual access control and a method of logical and physical access that is specific to each person. In this respect, biometrics can implement the ‘verification’ stage of a zero-trust architecture.
Biometrics refers to the individual, measurable traits of a person: the data could comprise facial, voice, or fingerprint-based credentials. With biometric smart cards, the fingerprint reference data is enrolled and stored on the individual’s own card, and the match against a live fingerprint is performed on the card, so only that person’s fingerprint can authorize its use. For payments, biometric cards are already improving the ease, inclusivity, and security of transactions, and because the reference template is encrypted and held on the card rather than in a central database, the opportunities for it to be copied, manipulated, or misused are greatly reduced. The biometric reference data captured during fingerprint enrollment therefore stays under the holder’s control and is difficult to extract or substitute.
From an access control perspective, the card is bound to one person and to that person’s specific level of clearance, so every access decision is made against a verified identity rather than against whoever happens to hold the card. The biometric match answers ‘who is this?’; the access-control policy still has to answer ‘what may this person reach?’, and only when both checks are enforced on every request does the risk of people reaching the wrong room, the wrong file, or the wrong digital infrastructure disappear.
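The following is an added illustration, not code from IDEX Biometrics or from any product the article describes. It models the two checks above, a match-on-card biometric verification followed by a clearance check, and contrasts a biometric card with a possession-only tap card that a thief can use as-is. The fingerprint matcher is simulated by a distance threshold over constructed feature tuples; the card classes, the per-card key shared with the reader at issuance (a symmetric key, for simplicity; real deployments would typically use asymmetric keys), the clearance levels and the resource names are all assumptions made for this example.

```python
"""Toy model of 'never trust, always verify' with a match-on-card biometric card.

Added example; not IDEX or any vendor's code. Fingerprint matching is simulated
with a distance threshold on constructed feature tuples. Card issuance, the
reader's key registry, clearance levels and resource names are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed stand-ins for fingerprint templates (a real sensor yields minutiae
# data; a short tuple of ints is enough to show the flow).
ALICE_ENROLLED = (12, 40, 77, 5, 93, 61)
ALICE_LIVE = (13, 40, 76, 5, 93, 62)        # same finger, with sensor noise
MALLORY_LIVE = (70, 2, 19, 88, 34, 50)      # a different person's finger


def _distance(a, b):
    return sum(abs(x - y) for x, y in zip(a, b))


@dataclass
class TapCard:
    """Legacy possession-only card: whoever holds it is 'authenticated'."""
    card_id: str
    holder: str
    clearance: int

    def present(self, live_sample, challenge):
        return self.holder, self.clearance   # the live sample is ignored


@dataclass
class BiometricCard:
    """Match-on-card: the template never leaves the card; only a keyed
    assertion about the holder and clearance does."""
    card_id: str
    holder: str
    clearance: int
    _template: tuple = field(repr=False)
    _key: bytes = field(default_factory=lambda: secrets.token_bytes(32), repr=False)
    threshold: int = 6

    def present(self, live_sample, challenge):
        if _distance(self._template, live_sample) > self.threshold:
            return None                      # mismatch: the card asserts nothing
        return self.holder, self.clearance, self._attest(challenge)

    def _attest(self, challenge):
        msg = f"{self.card_id}|{self.holder}|{self.clearance}|".encode() + challenge
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issuance_key(self):
        """Key shared with the access-control backend when the card is issued
        (assumption: symmetric; production cards typically use asymmetric keys)."""
        return self._key


class AccessController:
    """Reader-side policy: verify the card's assertion, then check clearance."""

    def __init__(self, resources):
        self.resources = resources           # resource -> required clearance
        self.keys = {}                       # card_id -> key registered at issuance

    def register(self, card):
        self.keys[card.card_id] = card.issuance_key()

    def request(self, card, live_sample, resource):
        challenge = secrets.token_bytes(16)  # fresh per request, so no replay
        result = card.present(live_sample, challenge)
        if result is None:
            return "denied: biometric"
        if isinstance(card, TapCard):
            holder, clearance = result       # nothing to verify: possession only
        else:
            holder, clearance, tag = result
            key = self.keys.get(card.card_id)
            if key is None:
                return "denied: unknown card"
            msg = f"{card.card_id}|{holder}|{clearance}|".encode() + challenge
            expected = hmac.new(key, msg, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                return "denied: assertion"
        if clearance < self.resources[resource]:
            return "denied: clearance"       # authenticated, but not authorized
        return f"granted: {holder}"


def demo():
    """Run the four cases a practitioner would want to see side by side."""
    ac = AccessController({"lobby": 1, "server_room": 3})
    alice_bio = BiometricCard("C1", "alice", 2, ALICE_ENROLLED)
    alice_tap = TapCard("C2", "alice", 2)
    ac.register(alice_bio)
    return {
        "bio_alice_lobby": ac.request(alice_bio, ALICE_LIVE, "lobby"),
        "bio_stolen_by_mallory": ac.request(alice_bio, MALLORY_LIVE, "lobby"),
        "bio_alice_server_room": ac.request(alice_bio, ALICE_LIVE, "server_room"),
        "tap_stolen_by_mallory": ac.request(alice_tap, MALLORY_LIVE, "lobby"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24} {outcome}")
```

The stolen biometric card is refused before the reader learns anything about the holder, while the stolen tap card is accepted because possession is all it can prove. The third case shows why the clearance check must remain a separate step: a genuine holder is still denied a resource above their clearance.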
Organizations continue to grapple with the technical hurdles of implementing a zero-trust network, especially the cost and time it takes to remove current access controls, replace them with new infrastructure, and get users to adopt the new system securely. Biometric ID cards offer an automated, simple, and seamless authentication process that removes many of these barriers.
As such, they can restore trust in identity at a time when ‘zero-trust’ must be the default approach. In doing so, they also reduce the cost and reputational damage of attacks that begin with a phished or stolen credential, including the ransomware attacks that often follow.
Never trusting, always verifying
More than a third of organizations (36%) have already implemented a zero-trust security framework, and a further 47% have laid out plans to follow suit soon. Given the current cybersecurity landscape and the financial and reputational costs of security breaches, this approach is both viable and sensible. It also helps explain why the global digital identity solutions market is expected to reach $70.7 billion by 2027, up from an already sizable $27.9 billion in 2022.
There is an evident need to invest in security and a zero-trust model. The question now is how to best build this architecture, and through what means of access.
To this end, biometric smart cards allow for logical and physical access on a completely individual basis. Moreover, they can be easily integrated into existing infrastructures, to accelerate the process in the most efficient and least disruptive way.