WHITE PAPER
IDENTITY ACCESS MANAGEMENT (IAM)
Why is 99.9999% accuracy not good enough?

Boca Raton, FL 33431
(561) 244-2524
(888) 504-5564
www.identifyss.com
June 2014

ASAD SYED, CISSP-ISSAP, CISM, CISA
CHRIS CHENEY, MBA, PMP

In real life, circumstances and conditions are rarely ideal. The purpose of this paper is to review current practices and explore new ways to compensate for the residual inaccuracies of prevailing biometric credentialing methods.
Copyright 2014, Identify Security Software Inc. All Rights Reserved.

Problem

In a pool of two million employees, 99.9999% accuracy means the process will work for all but two, and those two the system cannot tell apart. However, if the conditions are less than ideal and the accuracy falls to 99.99%, then the number of unidentified people increases to two hundred. If the pool is greater than two million, as with the TSA, FBI and other United States government agencies, and the conditions are less than ideal, then thousands of people may remain unconfirmed; thus current methods can be considered only as an aid to final human confirmation.

Current practices to improve on those odds are the so-called multimodal credentialing processes. They direct the user to perform a procedural authentication multiple times on a series of different sensors. The drawback of this approach is that it expects interactive cooperation from the user, allowing human error to corrupt the process.

Most IAM systems are designed to operate within an ideal set of environmental conditions, such as at border crossings, passport control points and the office lobby, where designers can tailor the environment to match the requirements of the IAM system. However, these systems also need to work at the most critical locations, where the environment is often less than ideal: poor or malfunctioning lighting, people whose hands are full, or people moving rapidly as they stream in to start their work day. In addition, in the real world some people are trying to avoid identification altogether by blending in with the crowd. In these challenging situations the IAM system needs to work the same, whether in a pristine environment or under real-world challenging conditions.
Even when people's faces are sweaty or soiled, when they are wearing glasses or face coverings, when aging has changed them, or whatever else life throws at it, the IAM system needs to be able to identify the people that challenge it under all environmental domains and conditions in which it operates.

Challenge

The key challenge for a legal entity today is to verify the person requesting access with a high degree of confidence. Until now this has been done via a complex series of authentication methods referred to as multiple-factor authentication; we are now at a point in time where we can use biometric authentication to achieve this critical task with very high confidence and within the prescribed privacy rules and regulations of different countries. Even at 99.9999% we are still going to miss two or more people, depending upon the target population size.
User identification is rightfully expected to be a transparent and seamless experience for the users, with minimum interaction during the process. The users are not machines and should not be expected to act like one. The users expect to be recognized without fail and allowed to proceed with their work without any concern about security, privacy and confidentiality.

Goal

Develop a credentialing system and process which is potentially superior to all methods currently in use, elevating the level of system confidence above current biometric systems and human face-to-face observation.
The process and technology being designed will consequently circumvent human error, opinion, subjectivity and bias toward gender, race and sexual preference that could possibly corrupt the process.

Solution

Advance the technology from the prevailing pattern-recognition practice to true person recognition. Acquire the full biometric description of a person by using a combination of mature biometric technologies, analog life sciences and the passing of time as a component to confirm the identity of a known person. A proposed new security platform, iDentifyME (Patent Pending), will operate perpetually in dual mode.

Primary mode:
1. Autonomous scanning while the user is in sight. Does not require any cooperation or interaction from the user.
2. Progressively scan multiple biometric characteristics of the user. Cross-referencing between known, historical and statistical data.
3. Conjunctively evaluate correlation between multiple biometric readings. Confirming digital data and practical reality.

Secondary mode:
Supplements the primary mode; this functionality is available only while the primary mode is in progress.
1. Scan input from auxiliary devices. Devices the users can carry on them or stand-alone devices.
2. Scan input from external biometric reading devices. Such as finger, palm and other reading devices.
3. Accommodate static biometric data. Backward compatible with existing biometric data in legacy systems.

Advantages iDentifyME brings to the table

Residual inaccuracies of current practices still allow for security breaches, impersonation and identity theft, and affect each entity in different ways. In some cases it may be nothing more than an easily correctable inconvenience, while in other cases it can have detrimental effects on the organization's public perception and market valuation, entanglement in litigation, and a drain on its finances via penalties.
While we cannot claim that our proposed solution will permanently eliminate the problems in current credentialing practices, we can predict with a high degree of confidence that it will come as close to true identity confirmation of a person as technology allows, while complying with society's privacy and confidentiality rules and regulations.

Summary

Biometric authentication is unique to an individual and it cannot be CLSed, meaning Copied, Lost or Shared. Biometric traits are unique to the user, and the users do NOT have to remember them. Hence the users do not need to be reminded to change their passwords. Moreover, it cannot be easily compromised or impersonated. User biometric traits cannot be shared or put on a Post-it note under the keyboard. Biometric traits are an intrinsic property of an individual, and we do not have to worry about losing or compromising them, because you cannot share your biometric makeup with another person. However, improvement is needed to deal with the anomalies of life that may interfere with the credentialing process. Our approach is a major step in that direction.

Conclusion

Identity has played a critical role for as long as human civilization has existed. With the evolution of the industrialized world, Identity and Access Management first took hold in the physical security arena and evolved. Then we entered the digital world with the advent of the Internet and it evolved again. In 2013 the world's e-commerce was a thriving industry of $1.25 trillion [1,2] and growing. Digital (a.k.a. logical) identity and its management is one of the backbone factors that have put trust behind the growth of this industry. Today IAM has become an inseparable part of enterprise regulatory and compliance processes and an integral part of risk management processes.

IAM comprises people, processes and technology to manage digital identities and access to enterprise resources. IAM sub-components can broadly be classified into 5 major categories:
1. Authentication
2. Authorization (a.k.a. Access Management)
3. User Management or Provisioning
4. Central user repository, a.k.a. Enterprise Directory, a.k.a. Source of Truth (SoT)
5. Single Sign-On (SSO)

[1] http://www.internetretailer.com/2012/06/14/global-e-commerce-sales-will-top-125-trillion-2013
[2] http://www.emarketer.com/Article/Global-B2C-Ecommerce-Sales-Hit-15-Trillion-This-Year-Driven-by-Growth-Emerging-Markets/1010575
The ultimate goal of any IAM framework is to provide the right people with the right access, increasing security and productivity while decreasing cost and eliminating downtime in resource access, and making the IAM process repeatable.

User IDs and associated passwords are one of the most widely used forms of authentication across the world today. In spite of limitations such as stolen passwords and brute-force cracking, the biggest problem today is ID and password management: its overall management process and associated costs.
A 2007 study of Web users by Microsoft Research [3] found that an average user has 6.5 Web passwords, each of which is shared across almost four different websites. In addition, each user has about 25 accounts that require passwords. That means if one is compromised, then all other sites that share the same password could be compromised as well. The Microsoft research also highlighted that, across the average 25 accounts, a normal user has to type a password an average of 8 times per day.

Various solutions have come up to address the limitations posed by the user ID and password as the user's digital identity: for example, biometric authentication, digital certificates, one-time passwords, two- or multi-factor authentication, pass phrases or cognitive questions, etc. Today the onus to prove one's identity is on the user, and we want to move this burden to the system with the iDentifyME Platform. In addition, companies are allowing users to bring their own ID, referred to as bring-your-own-identity (BYO-ID) [4,5], and when the user leaves the company they take their ID with them.
Another challenge within the IAM realm that enterprises are facing today is the need to manage access to information and applications scattered across internal and external (Cloud) systems. As enterprises try to provide access for the growing number of identities, both inside and outside of the organization, they expend a lot of resources, energy and cost to keep the digital identification process secure, replicable and cost efficient. The iDentifyME Platform was developed in response, as a solution to some of these challenges.
[4] http://www.ibm.com/developerworks/security/library/se-selfarticle/index.html
[5] http://www.isaca.org/Knowledge-Center/Blog/Lists/Posts/Post.aspx?List=ef7cbc6d-9997-4b62-96a4-a36fb7e171af&ID=321

About the company

Identify Security Software Inc. is a Florida C corporation established on April 2, 2013. The company is privately held by its three principals, who have over sixty years of combined experience in relevant computer software, computer security, project management and business administration. Identify Security Software Inc. is a security software engineering enterprise. Its first project, iDentifyME, is targeted at the Identity Access Management segment of the security space. The company has already evaluated and qualified a number of leading and certified vendors in the field of biometrics as vendor/partner collaborators in the project. The available expertise from our vendor/partners includes facial and iris pattern recognition, eye tracking, emotion analysis, proof of life signs, finger and palm print, keystroke dynamics, voice pattern, and gait and motion recognition. As of this writing, Identify Security Software Inc. has begun to invite companies to jointly participate in the development of this new security platform and the subsequent development of specific products for their market segments. For additional information, please contact Chris Cheney by email at ccheney@identifyss.com or by phone at 561 244-2524 ext 7.