Define the Driver of the Project as Either Corporate IT or a Business Need


Martin hated Mondays. On Mondays, his limited technical support staff spent most of the time resetting passwords for traders. Martin looked after the technology needs of a global trading group for his company. The traders were there for one reason: to generate money. They were not concerned with remembering passwords, or with the fact that knowing each other's passwords was a security risk. They just wanted to make money. Thus, every Monday (and even worse if it was a Tuesday after a long weekend) the traders would flood the floor, and immediately Martin's help desk would get overwhelmed with requests for password resets. He also knew that by this time, the head trader of each group had picked a new password for the week, one that all the other traders were told to use. This way, any trader in a group could cover the position of another if someone was away from a trading station. This gave Martin no end of grief. He was tired of this self-defeating cycle and wanted to find a better approach. The real fly in the ointment was the password itself. Traders had passwords for everything! A typical trader would have 12-15 passwords per day to use. In addition, the password rules among applications were inconsistent and thus prevented the use of the same passwords. Martin realized that if he could replace the password with something more easily remembered, he could maybe alleviate, if not eliminate, the password reset deluge every Monday. Martin had recently attended a trade show at which he had seen a company that sold fingerprint biometric devices which also had the ability to replace the Windows login. This seemed like a good starting point. If he could get biometrics in place on the trading floor, surely the traders could remember to bring their fingers to work. Thus, his mission was clear: His business unit would need to drive a biometrics project for password replacement.

Jason looked over the latest project reports for the deployment of digital certificates for email signing. They showed that the project was moving ahead, but with some red flags. The project had been initiated because someone had sent a spoofed email purporting to have come from the CEO to all employees promising large pay raises. This email was too good to be true, as it had been faked. This incident clearly showed the weakness of unsigned and unencrypted emails. The company had spent millions in organizing a digital signature outsourcing arrangement. The company had procured licenses for all the employees and, after going through training, each employee was to be issued a digital certificate. The project up to this point had gone very smoothly, but a new wrinkle was just thrown into the plans. The security group had sent out an unsolicited email to senior management, red-flagging the project for lax security. It seemed that one of their security engineers had attended a training session and had found out that the passwords being used were relatively weak so that users could remember them, and that the digital certificates themselves were being stored on local hard disks. These two things made the security group believe that an easy attack could get the digital certificate and compromise the password, leading to faked but signed email messages. This left Jason with a project that had high visibility and was currently under scrutiny for security concerns. He had suggested stronger passwords, but the user community had rebelled. He proposed storing the certificates on smart cards, but again, the security group said that protecting them with weak passwords was still no good. Jason now needed to provide a way to deliver digital certificates to the company and satisfy the security group. Jason finally hit on the solution: Use a biometric to replace the password and, ideally, have that biometric work with smart cards as well. He would tie in this new biometric project with the support of the digital certificate project and, in this way, avoid the meddling of the security group in this new initiative. After all, he had satisfied their original objection to weak passwords. He would replace them with a biometric. Besides, he was from the corporate IT group, which had a mandate to deliver new technologies to the company. He was in the perfect position to drive this project forward.


The Methodology

The origination of a project can affect how the project is managed and put together. It can also clearly define what group in the company should lead the effort. If the project is being driven by regulations or risk management, it can succeed in being driven by IT as long as the IT group can find a lead business unit. This lead business unit should be the one being regulated or risk-managed. Additionally, IT needs to have a global vision that the project will likely be rolled out to the rest of the company.

Jason clearly has the mandate to deliver his biometric project. There is a risk to be managed, and it is clear that the current status quo is not acceptable. He has not yet defined a lead business unit. This could be difficult to do, as the digital signature project is company-wide. Biometrics for Jason need to be implemented as a way to increase security.

If the project is being driven by a business unit, it needs to have clear goals, objectives, and buy-in from the employees of the business unit. The business unit driving the project must involve IT from the earliest steps to increase the chances of success. Even if the business unit is a profit center, it is still dependent on the IT staff for support. It is better to have everyone informed and involved than to try to force something through that one of the partners may not want.

Martin definitely has the right idea. He is supporting a business unit that is a profit center, and his goals are clear. Biometrics will be used to replace passwords, and they will be positioned to increase user convenience. Martin realizes that biometrics can also increase security, but in selling the technology this way, he will need to provide a much stronger level of proof of their accuracy.



Biometrics for Network Security
Biometrics for Network Security (Prentice Hall Series in Computer Networking and Distributed)
ISBN: 0131015494
EAN: 2147483647
Year: 2003
Pages: 123
Authors: Paul Reid
