| Martin was starting to put his project together. The project objectives would involve the use of biometrics to reduce user inconvenience and, at the same time, help with the risk management of shared passwords. Both objectives were hot buttons for management. Management wanted the traders to be as productive as possible and also, if possible, they wanted to reduce the risks of conducting business. Martin felt confident in his objectives. Jason looked at what was facing him. He had a promising global project that could possibly be delayed or scrapped because of the concerns of the security group. Jason needed biometrics to strongly secure the users' digital certificates and silence the concerns of the security group . |
The Methodology For the successful overall deployment of a biometric solution, there must be a driving business need or objective. Without this, it will be difficult to set performance goals and objectives, money spent on the project will be tough to justify, and finding an internal sponsor will be next to impossible . Some of the main business needs or objectives should include: -
Regulatory ” The regulating bodies of the company's industry may have put into place regulatory requirements for the use of strong authentication. The regulatory bodies may have created requirements for the removal of shared credentials. To conduct e-commerce activities in the industry, a strong binding needs to be provided between the employees of the company and their electronic representation. -
Risk management ” The company's own risk management group may drive the adoption of the biometric system. The members should be looking at ways to reduce the internal risk for weak passwords or the sharing of passwords. They may also see biometrics as a way to increase security. -
User inconvenience ” The help desk managers and business unit IT support group are constantly besieged with the users' need to reset passwords. As more applications come to the users' desktops, the majority of them have their own password authentication mechanisms. Thus, a new application on the desktop means a new password to remember. This large number of passwords is a source of inconvenience and it is also a security risk. By implementing SSO in conjunction with a biometric system, user inconvenience is reduced, and system security is maintained or improved. -
Introduction of PKI ” With the move to doing more business over the Web, the need to authenticate and validate transactions and individuals is increasingly difficult to meet. The use of a digital certificate in combination with a digital signature is very useful. If digital signatures are to be used for transactions in which non-repudiation is desirable, protecting access to the certificate with only a password seems weak. The implementation of a biometric to provide a strong physical binding of an individual to his/her certificate provides true non- repudiation , removes one more password that needs to be remembered , and increases the overall security of the solution. -
Better password management ” This business driver goes hand in hand with user convenience. If we can find a better solution to password management and reduce password resets, all parts of the company benefit. The user benefits from increased convenience, the IT group benefits from reduced calls to the help desk and the assignment of staff to higher-value functions, and the company benefits because the cost of doing business decreases and risk management is satisfied. Once the business driver is identified, a lead business unit needs to be defined. The success of the project increases if that business unit is a profit center. Profit centers normally have the ears of the CEO and CFO. These two company managers can make or break a project. If the project is seen as expensive, the fact that a profit center is leading the way increases the likelihood of the project's survival. Since the profit center makes money, anything that makes its job easier or increases its morale is good for the company. Once you have your lead business unit, identifying an executive sponsor becomes easier. |
