The IT landscape is changing before our eyes. Accessing data, applications, and services from anywhere and exchanging that information with others has never been easier — but it’s also never been more fraught with security risks. All that power and access comes at a price, and remote devices, Internet of Things (IoT) endpoints, and Software as a Service (SaaS) solutions create a large target for attackers to attempt to hit.
That’s why the zero trust network access model was created. Zero trust is a security model that differs from more traditional approaches in one notable sense: it’s a security framework that requires all users — regardless of if they’re in or outside the organization’s network — to be authenticated, authorized, and continuously validated before being granted access to, or keeping access to applications and data.
For example, in a zero trust model, access will depend on an authorized user continually being visible to their camera; this prevents the scenario of the user getting up for a moment, only to leave an unauthorized user able to view their screen. The zero trust method breaks an organization’s IT infrastructure into small chunks guarded by verification checkpoints, ensuring that any security breaches are much easier to isolate.
Between the Biden administration calling for the zero trust security model to be implemented in governmental offices and more organizations and enterprises than ever moving toward this model to reduce risk, now is a good time to consider enacting it within your own organization. That said, there is a common misconception that it’s an inconvenient security measure — but if you and your security teams are concerned about convenience and access, there is an obvious solution: biometrics.
Biometrics and Zero Trust
To further combat the vulnerabilities zero trust attempts to safeguard, this security measure is focused on identifying users based on who they are, versus what they have (a key card) or know (a password). Doing this through biometric authentication can make a lot of sense; using a voiceprint or one’s face, palm, finger, or eyes as a security measure ensures that access cannot be stolen or used. Even if an employee gave away their credentials, someone else couldn’t access their systems.
Biometric integration into zero trust is also incredibly convenient. Because zero trust requires constant, least-privileged access controls, consistent verification for every single network asset you have permission to access — rather than a single login that gets you in through a network perimeter and thus grants access to everything — biometrics, including facial recognition, are a great way to deliver this constant verification.
There are some people who disagree, however. A current privacy complaint against Apple in Europe alleges that the usage of biometrics is a violation of privacy, and if biometric databases are breached, that could lead to biometric data being exposed to bad actors.
These are valid concerns — after all, facial recognition only fights fraud if it’s deployed in a way that protects user privacy and doesn’t itself become a new source of data to steal. That’s why it’s essential to ensure that if facial recognition and biometrics become part of your zero trust implementation, it is implemented in a way that safeguards that adoption.
Implementing a zero trust security model can be a smart move for most organizations, but safeguarding biometric data like facial images is just as important. There are several guardrails your organization should put in place when it comes time to tackle this process.
Clear opt-in and opt-out procedures
Like it or not, there will always be people who are opposed to what they may perceive as a violation of privacy — and if you want to avoid the risks of legal action, make it clear early and often that participation in biometric data collection is not mandatory. For those who opt in, be extraordinarily transparent about what data is collected, how and when it’ll be used, and where it will be stored and secured.
Decentralized stored data sets
Storing biometric data in a secure way is paramount to implementing zero trust aided by biometrics. One of the most common and secure storage methods is the concept of decentralized biometrics, which entails storing data throughout a vast peer-to-peer network in the form of data fragments. This makes it virtually impossible for any hacker to assemble and access complete facial images.
While studies have found that biometric security implementations are, on average, 99% accurate, it’s still paramount that you check regularly and often to ensure your security measures are up to date and working well. Anything that isn’t performing adequately could be an access point for bad actors — or, at best, a pain point for employees.
Leveraging biometrics along with your organization’s implementation of zero trust security approaches is an excellent way to ensure the utmost confidence in your employees’ identity validation. Investing in this technology now can save countless man-hours, dollars, and frustrations in the long run — and fortunately, due to the popularity of this approach, there are plenty of tools on the market today to make that more feasible.