Trends 2022 in security: the role of facial biometrics in the Zero Trust concept
Zero Trust is a security concept built on the absence of implicit trust
Initially the model was applied only to protecting a company's information infrastructure. More recently, the Zero Trust strategy has been extended to physical security as well. The fundamental principle of Zero Trust is: «never trust anyone, always check». How is this postulate interpreted in modern security systems, and what role does biometrics play in implementing the Zero Trust model? We look into this together with the RecFaces team.
Table of Contents
- From safe period to Zero Trust
- The main areas of Zero Trust in information security
- Network protection
- Device Protection
- User Protection
- Working with users in the Zero Trust concept
- Count everyone
- Least Privilege Model
- Zero Trust and biometrics in information security
- Zero Trust and biometrics in physical security
From safe period to Zero Trust
The Zero Trust concept was first formulated in 2010 by John Kindervag, an analyst at the American research firm Forrester. His idea was that to protect information resources, companies need to abandon the notion of a «safe perimeter» and continuously verify every user and every device connected to the corporate network.
In the 2000s the priority for information security specialists was protecting the border of the local network from unauthorized access, while the zone inside the perimeter was considered «safe» by definition. Over the years, however, cloud services replaced the local IT infrastructure, and the BYOD (Bring Your Own Device) concept, in which employees bring their own laptops, phones and tablets to the office, displaced corporate-owned devices. The Internet of Things (IoT), with its smart speakers, lamps and kettles, each of them a possible target for a cyber attack, became widespread. The point of no return for the «safe perimeter» concept was the coronavirus pandemic, when millions of people around the world switched to remote work. It became apparent that a device can be compromised and user data stolen at any moment, and therefore that security checks must not be limited to the moment of connecting to the network.
The main areas of Zero Trust in information security
Network protection
To steal information it is not enough simply to get into the local network: the attacker also needs to move around inside it. To maximize network security, Zero Trust proposes the principle of microsegmentation: the network and other resources are divided into small isolated areas within the common perimeter. Each segment has its own security policy and access rights, so even if an attacker gets into one zone, he cannot advance further and spread the threat to the entire network.
Device protection
No matter how extensive the corporate network, the information security service must know every single device that has access. These are not only employees' work or personal computers but also smartphones, external hard drives and the numerous «smart devices» whose number grows every year. Taking an inventory of all devices and regularly monitoring their state is not an easy task. However, as mentioned above, even a smart coffee maker installed in an employee's home can become a weak link in the security system.
User protection
The human factor is traditionally the weakest point of any security strategy, especially when a person works remotely and it is physically impossible to track all of his actions. There are cases where a company's network was taken down by an employee's children installing malware on a home computer. In other words, an attack does not have to be based on malicious intent: an employee can simply be careless and take the bait of a phishing message, and the resources of the entire company suffer as a result.
Working with users in the Zero Trust concept
From the Zero Trust standpoint, any attempt to access the corporate network is a potential threat to the company's security. The principle «this person can be trusted, and that one cannot» does not apply, since in this model there are no trusted users at all. Let us list the basic principles for minimizing the «human factor» in a Zero Trust strategy.
Count everyone
Like access devices, all users must be counted and grouped. Not only employees, but also visitors, partners and contractors: absolutely everyone who has even the minimum right of access to the company's network.
Least Privilege Model
This principle means strict restrictions on the access rights of each user. Everyone must make do with the minimum needed to carry out their work tasks. For example, an accountant cannot access marketing information, and a marketer cannot access financial reporting materials. Then, if one user's account is compromised, the attackers reach only part of the data rather than all of the company's resources.
Reliable, strong authentication is the pillar of Zero Trust. A mistake in choosing how a user's identity is confirmed can nullify every other effort to build a Zero Trust strategy. Although this is self-evident, the question remains which kind of authentication can be considered truly reliable.
Passwords remain the most popular method of user verification, but the method has many disadvantages. Password theft is the most common cause of data breaches and hacker attacks, and complex passwords only aggravate the problem: many employees physically cannot remember a long combination of digits, letters and symbols, so the password ends up written on a piece of paper that is often kept right on the desk. A more advanced method is multi-factor authentication, which combines a password with a PIN code or a one-time code from an SMS or a dedicated authenticator application. On mobile devices the user's identity can also be confirmed using the SIM card installed in the phone, as identified by the mobile operator. Unfortunately, smartphones and SIM cards are not protected from theft and hacking either.
Zero Trust and biometrics in information security
The most reliable alternative to passwords today is biometric authentication, and facial biometrics above all. Its main advantage is that the access factor is inseparable from its owner: a person's face cannot be hijacked or hacked. Let's take the example of Id-Logon, a ready-made RecFaces biometric solution designed to authenticate users in information systems.
- Authentication must be carried out continuously
- Control of unauthorized persons' access
- Additional verification for important transactions
- Multi-factor authentication capability
- Protection against deepfakes and illegal access
To counter attempts to log in with a photo or video of a user who has access rights, the solution includes liveness detection algorithms, which let the system confirm that a real person is in front of the device. In addition, the facial recognition algorithm itself is highly accurate: the probability of denying access to an eligible employee is less than 3%, and the probability of granting access to an unauthorized person does not exceed 0.0001%. Repeated attempts to authenticate with photos or videos can result in the device being blocked completely.
The user's identity is checked not only at login but also during the session. The background check option verifies that the person is still at the computer. If the system does not see the employee, the frequency of checks increases, and after the configured time period access to the device is automatically blocked; a new authentication is required to continue.
For example, an employee authenticates successfully, but then a colleague or a stranger sits down at his desk. Based on the result of the background check, the system will notify the information security department of the incident, or block access completely if that scenario is configured.
The solution can be connected to DLP (data loss prevention) systems or other monitoring systems. In case of suspicious user activity, or before significant operations, the monitoring system signals the solution to perform an extraordinary biometric check. Every such confirmation is stored in a dedicated archive, so the security service or company management can always establish who carried out a specific operation and when.
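To make the continuous-verification behaviour described above concrete, here is an added simulation (not RecFaces code, and not how Id-Logon is implemented): a session monitor that shortens the check interval while the user is absent, locks the session after an absence timeout or when a different live face is seen, and blocks the device after repeated liveness failures. All intervals and thresholds are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed thresholds for the simulation; not Id-Logon settings.
BASE_INTERVAL = 30      # seconds between checks while the user is seen
MIN_INTERVAL = 5        # fastest re-check once the seat looks empty
ABSENCE_TIMEOUT = 60    # seconds of absence before the session locks
MAX_SPOOF_ATTEMPTS = 3  # liveness failures tolerated before the device is blocked


@dataclass
class Session:
    """One authenticated workstation session under continuous verification."""
    user: str
    interval: int = BASE_INTERVAL
    absent_for: int = 0
    spoof_attempts: int = 0
    locked: bool = False
    device_blocked: bool = False
    alerts: list = field(default_factory=list)

    def state(self) -> str:
        if self.device_blocked:
            return "device_blocked"
        return "locked" if self.locked else "active"

    def observe(self, result: str) -> str:
        """Apply one background check and return the new session state.
        result: 'match' (enrolled user seen), 'absent' (nobody seen),
        'other' (a live face that is not the user), 'spoof' (liveness failed)."""
        if self.locked or self.device_blocked:
            return self.state()          # already locked: re-authentication needed
        if result == "match":
            self.absent_for, self.interval = 0, BASE_INTERVAL
        elif result == "absent":
            # Count the elapsed interval, then halve it: checks become more frequent.
            self.absent_for += self.interval
            self.interval = max(MIN_INTERVAL, self.interval // 2)
            if self.absent_for >= ABSENCE_TIMEOUT:
                self.locked = True
                self.alerts.append(f"{self.user}: locked after {self.absent_for}s absence")
        elif result == "other":
            self.locked = True           # someone else at the desk: lock and notify
            self.alerts.append(f"{self.user}: different person at workstation")
        elif result == "spoof":
            self.spoof_attempts += 1
            self.alerts.append(f"{self.user}: liveness failure #{self.spoof_attempts}")
            if self.spoof_attempts >= MAX_SPOOF_ATTEMPTS:
                self.device_blocked = True
        else:
            raise ValueError(f"unknown check result: {result}")
        return self.state()
```

The `alerts` list stands in for the notification to the security department and the archive of checks mentioned in the text.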
User biometric verification can be used both separately and together with passwords, PIN codes and other factors.
Zero Trust and biometrics in physical security
The Zero Trust concept can be implemented not only in information security but also in physical security, where a person remains the main «vulnerability», regardless of whether he is an employee, a visitor or even a security specialist. Following the principle of «trust no one», it is always necessary to know for certain who is on the premises. Standard access cards do not provide that certainty: we only know that someone carrying a certain identifier passed through the turnstile or door, but we can never be sure whether it was really the cardholder or whether the card was in a stranger's hands.
For Zero Trust in physical security, identification by facial biometrics is also preferable, because a person's face is almost impossible to forge or hand over to someone else. This type of identification also solves the problem of lost or forgotten passes and eliminates the need to hunt for a pass at the turnstile or other ACS (access control system) device. The entry procedure becomes faster and more comfortable: for example, identifying one person with the Id-Gate software solution by RecFaces takes less than one second.
Biometrics also makes control continuous, which is likewise in keeping with the Zero Trust concept: a person's identity is checked not just once at the entrance to the enterprise but throughout his presence on the premises, so that possible violations of access rights can be monitored and suppressed, for example in rooms requiring special protection or even in separate isolated open-air areas. This does not require installing additional physical access control equipment. It is enough to deploy a network of virtual access points based on Id-Guard. With them, you can not only detect the presence of strangers on the site but also regulate employees' access rights to particular locations. If a camera detects an unauthorized person, the system automatically notifies the security officers. Thus the Id-Guard software solution developed by RecFaces makes it possible to quickly control access to the premises by people without the right of entry, work with stop lists and promptly investigate possible security incidents.
It is important to note that, besides abuse by employees or visitors, there is another potential point of compromise in physical security: reception staff, the pass office and the security service, that is, the authorized persons who grant access rights to others. Under the Zero Trust model they too must be subject to constant checks, especially when it comes to any significant action, from issuing a pass to handling important documents. Here physical security intersects closely with information security, and we return to the problem of accurate authentication of employees who have access to accounting systems, mentioned earlier.
Implementing the Zero Trust concept is a time-consuming process. Systematizing employees with different access rights, taking a comprehensive inventory of devices and updating obsolete software that does not meet modern security standards is no easy task. For comparison, it took Google about seven years to create BeyondCorp, a framework based on the Zero Trust model and originally intended for internal use; in 2020 it became the basis of the BeyondCorp Remote Access cloud product, which lets employees securely access the company's internal resources remotely from any device without a VPN. Certainly this is an exceptional example, but even medium-sized companies need at least a few months. Alternatively, the concept can be implemented gradually, starting with a revision of the rules for user verification and authentication, for example by introducing biometric authentication in the company. Modern biometric software solutions require neither large-scale investment in infrastructure upgrades nor complex installation, yet fully fit the idea of Zero Trust. For instance, installing RecFaces biometric products takes 20 minutes, which is enough for the customer to get a complete, reliable product with full functionality.
Learn more about use cases and software specifications of RecFaces here.