-Andrea Kirkby

Since 1999, when Salesforce launched with the concept of Software as a Service (SaaS), more and more business functions and data have moved to the cloud. The vast majority of companies now run much of their workload in the cloud, and the cloud environment has become more complex too, with many corporates adopting hybrid cloud, linking public cloud services such as Amazon Web Services to their in-house IT infrastructure.
That has brought benefits in terms of lower costs and greater flexibility. Companies have better control of their data, and cloud-based storage and backup can deliver improved resilience, helping companies with their disaster recovery plans.
But increased use of the cloud has also created a security headache for IT departments. Data is no longer held behind the perimeter of an on-premises server, and access is no longer limited to a particular location or network. In a world where too many employees still use 'password' as their password, or write their passwords on post-it notes stuck prominently on their desks, cloud computing exposes a company's most sensitive data if identity, credential and access management is mishandled or insufficient. Numerous data breaches - Hitachi, Yahoo, eBay, Equifax - have shown that a password on its own is no longer enough; better authentication is crucial.
That's led to a twofold shift in authentication; first, to biometric data, and secondly, to two-factor authentication.
While a password can be stolen and reused easily, a biometric is much harder to present convincingly to a sensor. (It's not impossible: in 2002 researchers fooled fingerprint readers with 'gummy fingers' moulded from gelatin, but anti-spoofing and liveness detection have become more sophisticated since then.) The caveat is that a biometric is not a secret, since fingerprints and faces are left everywhere, and unlike a password it cannot be changed once compromised; good implementations therefore keep the enrolled template on the device and never transmit it. Biometric authentication uses distinctive, measurable characteristics to identify individuals. Fingerprinting and facial recognition are the best known, but a wide variety of characteristics can be used, including the heartbeat, iris, voice, veins under the skin, retina, and even the rhythm and pressure of a person's typing or an analysis of their gait.
Multi-factor authentication requires two or more independent factors: something the person knows (a password or PIN), something they have (a token or smart card) or something they are (a biometric). For instance, a password can be backed up with biometric authentication or with a token, and either combination can be overlaid with contextual controls such as geographical access restrictions. Because an attacker has to defeat each factor separately, the probability of a breach is greatly reduced. Two-factor authentication usually includes a password element and either a token or a biometric element, so while it's linked to biometric authentication in many implementations, that's not always the case. The use of a bank card together with a PIN is a simple instance of two-factor authentication.
Two-factor authentication is useful, but each factor can be circumvented. For instance, chip-and-PIN isn't secure if users have written down their PINs, and tokens such as smart cards for accessing corporate networks can be stolen. Biometric data, on the other hand, is harder to steal or fake. That's why many two-factor authentication systems now include a biometric component.
Biometric identification is now gaining traction both in the public sphere, with passports containing biometric data, and in corporate applications. Windows Hello, which builds on the FIDO Alliance's protocols (the alliance's founding members include PayPal and Lenovo, and its first specifications were published in 2014), already had 37 million individual users when Microsoft held its Ignite conference in September last year, and is available to all Windows 10 users. Storage and file-sharing apps like Dropbox and OneDrive already use it to secure access. As major suppliers like Apple and Microsoft build biometrics into their platforms, it will become cheaper and easier for the mid-sized company to get started with biometric authentication.
Biometric authentication can help protect data from unauthorised access. But equally importantly, it strengthens the audit trail. If systems are accessed using someone's password or smart card, the password might have been guessed or the smart card stolen. If someone accesses a system using a retinal scan, it is far more likely that it really was that person and not someone else. The false acceptance rates quoted are low (Apple gives one in a million for Face ID, and Microsoft one in 100,000 for fingerprint reading), which makes biometric authentication hard to repudiate. Two caveats apply. A false acceptance rate measures how often a random other person would be mistaken for the user, not how resistant the sensor is to a deliberate spoofing attempt. And in systems like Windows Hello and Face ID the biometric match happens on the device and unlocks a device-bound cryptographic key; what the server actually records is a signed assertion from that key, so the audit trail is only as strong as the device's protection of that key.
Biometric authentication also provides a way for companies to deal with BYOD (Bring Your Own Device). An increasing number of tablets and smartphones have biometric sensors, such as the Samsung Galaxy S8 with its iris scanning technology, the iPhone 8 with its fingerprint scanner and the iPhone X with facial recognition. Biometric authentication avoids some of the most common security flaws with mobile device access, such as employees using the same password for corporate and personal accounts, as well as the problem of stolen devices, and is therefore a key enabler for mobile device management.
Putting strong authentication on the mobile device can protect access to data held on the device as well as data stored in the cloud. It's a cost-effective solution as well as an effective one, which wasn't the case, say, five years ago, and it enables companies to reap the benefits of increased flexibility together with improved security.