By Anthony Eaton, CTO, IDEX Biometrics
As the world continues to evolve digitally, so have cyber-attacks, with the number of attacks escalating significantly in recent years. In fact, global cyber-attacks increased by 38% in 2022 compared to 2021. A Deloitte Center for Controllership poll reported that 48.8% of C-suite and other executives expect the number and size of cyber events targeting their organizations’ accounting and financial data to increase in the year ahead. Yet only 20.3% of those polled say their organizations’ accounting and finance teams work closely and consistently with their peers in cybersecurity. For public and governmental entities in charge of state security and citizen data, for private businesses protecting consumer information, and across rapidly growing new sectors such as cryptocurrencies, the default approach to data privacy must now be one of zero-trust.
Zero-trust is a significant change from traditional network security, which followed the ‘trust but verify’ method. The traditional model for network security became obsolete with the cloud migration of business transformation initiatives and the acceleration of a distributed work environment due to the COVID-19 global pandemic in 2020.
The zero-trust model requires organizations to continuously monitor and validate that a user and their device have the right privileges and attributes. This approach requires the organization to know all of its service and privileged accounts and establish controls of what and where these accounts are connected. This has paved the way for a default approach of ‘never trust, always verify’.
According to a Gartner report, by 2025, 60% of companies will use zero-trust solutions instead of virtual private networks. So, what’s next for zero-trust? The need to establish the best approach to managing secure logical and physical access for organizations with vulnerable networks.
Fingerprints for Access
Logical access requires the validation of a person’s identity through different means to keep organizations’ networks secure; this is the ‘never trust’ half of the principle. Traditionally this could be enacted through PINs and passwords to gain access, or indeed – from a physical perspective – a card linked to the person in question that could be swiped or tapped.
The question with both is whether these traditional means lend themselves to a zero-trust architecture. Do they tick the ‘always verify’ box?
Passwords and cards can fall into the wrong hands, be mislaid, and be used by people who aren’t supposed to access the physical and digital spaces they control. If the aim of zero-trust is to presume a person, network, device, application or data to be unsafe, then this immediate fragility of controlling security through vulnerable means contradicts that principle.
How this vulnerability manifests depends on the sector in question. Cryptocurrencies such as Bitcoin or Ethereum serve as prime examples where this would be an issue, due to their nascency and lack of regulation. As a decentralized and independent sector, each relies on the individual security of its respective infrastructure to control access and prevent cybercriminals from entering and hacking into trading platforms. Failing to do so puts all users at risk.
In more traditional corporate settings, access issues become even more complicated in the hybrid working world, where employers need to be sure that employees in different departments or locations are only gaining access to the data intended for them. In this case, the consequences of a breach are well documented: more than 100 million accounts were breached between July and September 2022 alone, and the average hourly loss rate because of breaches worldwide in 2021 stood at $787,671.
Why Biometrics Holds the Key
Regardless of their sector, the emphasis for all organizations should be on individual access control and a method of logical and physical access that is specific to each person. In this respect, biometrics can implement the ‘verification’ stage of a zero-trust architecture.
Biometrics refers to the individual elements of a person’s identity – the data could comprise facial, voice, or fingerprint-based credentials. With biometric smart cards, the reference data is stored on the individual’s card, and only that person’s fingerprint can authorize access. For payments, the use of biometric cards is already revolutionizing the ease, inclusivity, and security of transactions, while the cards’ encryption capabilities vastly decrease the possibility of data manipulation or misuse. This means that the biometric reference data captured during the fingerprint registration process is stored securely on the card and can’t be tampered with.
From an access control perspective, the fact that a card will relate solely to the person in question, and their specific levels of clearance, eliminates the possibility of people accessing the wrong room, the wrong file, or the wrong digital infrastructure.
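The match-on-card flow described above, as an added illustration that is not IDEX Biometrics code or any vendor’s actual card firmware: the reference template and the card’s secret key never leave the card, the card only answers a reader’s fresh challenge when the live fingerprint matches and the stored template passes an integrity check, and the signed response carries the holder’s clearance level so a reader can enforce it. The template format, distance threshold and shared-key MAC are simplifying assumptions (real cards use vendor matchers and asymmetric keys).

```python
import hmac, hashlib, os

# Constructed sample data: a "fingerprint template" is modelled as a fixed-length
# feature vector; real templates and matchers are vendor-specific.
ENROLLED = (0.12, 0.85, 0.33, 0.91, 0.47, 0.64)
MATCH_THRESHOLD = 0.15  # max total absolute distance accepted as a match (assumed)

class BiometricCard:
    """Simulates match-on-card: the reference template never leaves the card."""
    def __init__(self, template, clearance, card_key):
        self._key = card_key            # per-card secret, known only to card and backend
        self._clearance = clearance     # e.g. which rooms/systems this holder may enter
        self._template = tuple(template)
        # Seal the stored template with a MAC so a modified copy is refused before use.
        self._seal = hmac.new(card_key, repr(self._template).encode(), hashlib.sha256).digest()

    def _template_intact(self):
        expected = hmac.new(self._key, repr(self._template).encode(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, self._seal)

    def _fingerprint_matches(self, probe):
        if len(probe) != len(self._template):
            return False
        distance = sum(abs(a - b) for a, b in zip(self._template, probe))
        return distance <= MATCH_THRESHOLD

    def respond(self, challenge, probe):
        """Return (clearance, tag) only if the template is intact and the live finger matches."""
        if not self._template_intact() or not self._fingerprint_matches(probe):
            return None
        msg = challenge + self._clearance.encode()
        return self._clearance, hmac.new(self._key, msg, hashlib.sha256).digest()

def reader_check(card, probe, required_clearance, registered_key):
    """Door or workstation reader: issue a fresh challenge, then verify the card's response."""
    challenge = os.urandom(16)          # fresh per attempt, so a captured response cannot be replayed
    result = card.respond(challenge, probe)
    if result is None:
        return False
    clearance, tag = result
    expected = hmac.new(registered_key, challenge + clearance.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag) and clearance == required_clearance
```

The reader never receives the template or the key, only a one-time signed answer, which is what lets the card act as the ‘always verify’ step for each access attempt.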
Organizations continue to grapple with the technical hurdles of implementing a zero-trust network, especially the cost and time it might take to remove current access controls, replace them with new infrastructure, and encourage users to adopt the new network in a secure way. Biometric ID cards offer an automated, simple, and seamless authentication process that removes many of these barriers.
As such, they can restore identity trust at a time where ‘zero-trust’ must be the default approach. In doing so, they will also offset the cost and reputational damage that a prospective phishing or ransomware attack could cause.
The Importance of Always Verifying
More than two-thirds of organizations (36%) have already implemented a zero-trust security framework, and 47% have laid out plans to follow suit soon. Given the current cybersecurity landscape and the financial and reputational costs of security breaches, this approach is both viable and sensible. It explains, more generally, why the global digital identity solutions market is expected to reach $70.7 billion by 2027, rising from an already sizable $27.9 billion in 2022.
There is an evident need to invest in security and a zero-trust model. Implementing the zero-trust model is not a one-time thing: it’s a journey that never ends. To stay ahead of new threats, organizations must keep up with the latest technological advancements and trends, and always adapt and improve their security.