Hosted by: June 23-26, 2003 • New York City
www.biometritechexpo.com
The Cost Justification for Choosing Biometrics
Roy Lopez
System Engineering Director
Novell Inc.
Agenda
• How real is the threat?
• Will the technology facilitate your business objective?
• Understanding the issues
• Building a business case
• Additional considerations and futures
• Q&A
How real is the threat?
How real is the threat?
“It’s not hacking that results in the most damaging penetrations to an enterprise’s security system. It is often the work of an employee within the enterprise that causes the most damage. And while many of those incidents are due to employee malice, a great number stem from the manipulation of employees - often without their knowledge - that results in the theft of crucial data.”
Rich Mogull, Senior Analyst, Gartner Group
“Gartner estimates that more than 70% of unauthorized access to information systems is committed by employees, as are more than 95% of intrusions that result in significant financial losses.”
Kristen Noakes-Fry, Research Director, Gartner
How REAL is the threat?
Traditional, Best of Breed Security Architecture
[Architecture diagram. Components shown: a DMZ containing web servers and apps, administered by a web admin; internal platforms (AIX, Solaris, HP-UX, Linux, etc.; NT/2000; OS/390; NetWare®) each with its own administrator (Unix admin, OS/390 admin, NetWare/NT admin, apps admin); an access control server; and the user populations (internal users, web users, and VPN, dial-up and wireless users).]
Leveraging technology to achieve business objectives
What is your objective?
• What benefits do you hope to gain and which pain points do you hope to address with the deployment of this technology?
– A stronger form of authentication/better security?
– An improved end user experience?
– Are you hoping to reduce password-related help desk and administration costs?
• Will you be requiring your mobile workforce to biometrically authenticate?
Biometrics for security
• Is your main objective to be secure?
– Tsutomu Matsumoto and the gelatin finger (molded fake fingers accepted by fingerprint readers)
• Two factors are better than one
– How secure is the entire software architecture?
• Is the client and server software digitally signed?
– Tamper resistant
• Are the client and server software mutually authenticating?
– What is the authentication protocol?
• Is the communication between the biometric device and the back end system encrypted?
– Integrated-circuit-based readers are probably more appropriate than optical readers
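The slide asks whether the reader and the back end mutually authenticate and what the protocol is. The following is an added example, not code from the original deck or from any Novell or vendor product, showing one minimal answer to that question: a challenge-response exchange in which the access control server and the fingerprint reader each prove knowledge of a shared key before the reader's match result is accepted, and the result is bound to that one session so it cannot be replayed. It assumes a per-device secret key provisioned when the reader is enrolled (an assumption; the deck does not describe any keying), and it only covers authentication and integrity, not the encryption the next bullet asks about.

```python
"""Added example (not from the deck): mutual challenge-response between a
biometric reader and the access control server, with the match result bound
to the session. The per-device key is an assumption: it stands in for a
secret provisioned when the reader is enrolled."""

import hashlib
import hmac
import secrets


def _tag(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed parts, so fields cannot be re-split."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(2, "big"))
        mac.update(part)
    return mac.digest()


class Reader:
    """Client side: a fingerprint reader holding its provisioned device key."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self.key = key
        self.server_nonce = self.device_nonce = self.session_key = None

    def respond(self, server_nonce: bytes):
        """Answer the server's challenge and issue our own nonce."""
        self.server_nonce = server_nonce
        self.device_nonce = secrets.token_bytes(16)
        tag = _tag(self.key, b"device", self.device_id.encode(),
                   server_nonce, self.device_nonce)
        return self.device_nonce, tag

    def check_server(self, server_tag: bytes) -> bool:
        """Verify the server answered our nonce; only then derive a session key."""
        expected = _tag(self.key, b"server", self.device_id.encode(),
                        self.device_nonce, self.server_nonce)
        if not hmac.compare_digest(expected, server_tag):
            return False
        self.session_key = _tag(self.key, b"session", self.server_nonce, self.device_nonce)
        return True

    def report(self, user_id: str, matched: bool):
        """Report the local match verdict, authenticated under the session key."""
        verdict = b"match" if matched else b"no-match"
        return user_id, matched, _tag(self.session_key, b"result", user_id.encode(), verdict)


class Server:
    """Back end: knows every enrolled reader's key, tracks one session per reader."""

    def __init__(self, device_keys):
        self.device_keys = dict(device_keys)
        self.pending = {}   # device_id -> challenge nonce awaiting a reply
        self.sessions = {}  # device_id -> session key, consumed by one result

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending[device_id] = nonce
        return nonce

    def verify_device(self, device_id: str, device_nonce: bytes, device_tag: bytes):
        """Return the server's proof on success, None if the reader is not genuine."""
        key = self.device_keys.get(device_id)
        server_nonce = self.pending.pop(device_id, None)
        if key is None or server_nonce is None:
            return None
        expected = _tag(key, b"device", device_id.encode(), server_nonce, device_nonce)
        if not hmac.compare_digest(expected, device_tag):
            return None
        self.sessions[device_id] = _tag(key, b"session", server_nonce, device_nonce)
        return _tag(key, b"server", device_id.encode(), device_nonce, server_nonce)

    def grant_access(self, device_id: str, user_id: str, matched: bool, tag: bytes) -> bool:
        """Accept one authenticated result per session; a replayed result has no session."""
        session_key = self.sessions.pop(device_id, None)
        if session_key is None:
            return False
        verdict = b"match" if matched else b"no-match"
        expected = _tag(session_key, b"result", user_id.encode(), verdict)
        return hmac.compare_digest(expected, tag) and matched


def run_exchange(server: Server, reader: Reader, user_id: str, matched: bool) -> bool:
    """Whole exchange; True only when both sides authenticate and the reader reports a match."""
    server_nonce = server.challenge(reader.device_id)
    device_nonce, device_tag = reader.respond(server_nonce)
    server_tag = server.verify_device(reader.device_id, device_nonce, device_tag)
    if server_tag is None or not reader.check_server(server_tag):
        return False
    return server.grant_access(reader.device_id, *reader.report(user_id, matched))


if __name__ == "__main__":
    key = b"constructed-device-key"  # constructed sample key, not a real secret
    server = Server({"reader-01": key})
    print(run_exchange(server, Reader("reader-01", key), "alice", True))          # True
    print(run_exchange(server, Reader("reader-01", b"wrong-key"), "alice", True))  # False
```

The two nonces make each run distinct, the session key is consumed by the first result, and a reader that flips its own "no-match" to "match" on the wire fails the tag check. In a production design the same exchange would run inside an encrypted channel, and the device key would live in tamper-resistant hardware on the reader rather than in process memory.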
Biometrics for convenience
• Is your main objective to improve the end user experience?
– Can be very successful as a password replacement
– Initially we saw more convenience-oriented than security-oriented engagements, but this is changing
• Which form factor is right?
– While this model often provides the greatest ROI, there’s still the cost of managing the solution
Understanding the issues
Lessons learned from other Big Ideas
• What lessons can we learn from PKI?
– 1999 headlines: “This is the year for PKI”
– 2000 headlines: “PKI, nothing but pilots”
– 2001 headlines: “This is the year for PKI”
– 2002 headlines: “What’s PKI?”
• Why have PKI deployments failed to take off as hoped?
• What percentage of your applications recognize a digital certificate?
• It’s probably higher than the percentage of your applications that recognize a biometric device, let alone the one your organization is considering
Enabling applications
• In order for the project to be successful, it must be focused
– Focus on enabling a specific area for biometric authentication with clear milestones
• What needs the higher level of authentication?
– A certain application
– A group of users
– All network access
• Which of those applications recognize or respect the biometric authentication?
– The easiest way to restrict access to network resources is via single sign-on products
Building a business case
Building a Business Case
• Some aspects of advanced authentication can be quantified, but most value is very difficult to quantify and in some cases more qualitative.
– Quantifiable benefits
• Password management
• Advanced authentication by itself does not provide an easily quantifiable ROI
• Advanced authentication coupled with other access management components provides compelling ROI
• Fraud protection
– How much is your company’s reputation worth?
• Value of data
• Value of transaction
• Audit and compliance
– Not easily quantified
• Improved security/reduced risk
• Compliance to regulations
What are you spending today? Calculating the cost of passwords

Calculating Password Costs with IDC Data
Number of employees: 1000
IDC’s estimate of password management costs per year per user: $200.00
Annual Password Management Cost: $200,000.00

Calculating Password Costs with Gartner Data
Number of employees: 1000
Gartner’s estimate of password calls per user per year: 4.8
Your estimate of cost per call: $30.00
Annual Password Management Cost: $144,000
What costs should I consider?
• Hard costs
– Hardware
• Can range from $50 per device on up
• An average fingerprint reader will cost $125 per device
– Software
• Some vendors try to charge you extra for the software to make their hardware products work
• Soft costs
– Implementing, managing, and supporting a biometric-based solution
– Enabling applications to leverage the biometric
– These costs can vary significantly by vendor and can easily make up the majority of costs
Calculating the cost of a biometric solution

Calculating Biometric Solution Costs
Biometric device cost × # of users (@ $125 per device): $125,000.00
Software: Varies by vendor
Administration Costs (first year): Varies by vendor
Plant and Facilities (Hardware/Servers): Varies by vendor
Total Cost of Deployment: $???,???.00

Note: Does it require a separate user repository, a separate security policy, etc.? The less it integrates with reusable infrastructure, the higher the cost of deployment and ownership will be.
Annual password management costs - total cost of biometric deployment = first year return
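The three cost slides above (password cost by the IDC and Gartner methods, biometric deployment cost, first-year return) form one small model. The following is an added example, not a calculator from the original deck or from Novell, that carries that model through in code. The IDC $200/user/year, Gartner 4.8 calls/user/year at $30/call, and $125/device figures are the deck's own; the software, first-year administration and facilities amounts the deck marks "varies by vendor" are parameters you supply, and the recurring yearly administration cost and the break-even device price are my additions to the model, not figures from the deck.

```python
"""Added example (not from the deck): first-year return and payback for a
biometric rollout, built from the deck's password-cost and deployment-cost
tables. Vendor-dependent inputs are parameters; the recurring administration
cost and break-even device price are extensions of the deck's model."""

from dataclasses import dataclass


def idc_password_cost(employees: int, cost_per_user_per_year: float = 200.0) -> float:
    """Annual password management cost using IDC's per-user estimate."""
    return employees * cost_per_user_per_year


def gartner_password_cost(employees: int, calls_per_user_per_year: float = 4.8,
                          cost_per_call: float = 30.0) -> float:
    """Annual password management cost using Gartner's calls-per-user figure."""
    return employees * calls_per_user_per_year * cost_per_call


@dataclass
class BiometricDeployment:
    users: int
    device_cost: float = 125.0      # deck's average fingerprint reader price
    software: float = 0.0           # "varies by vendor"
    admin_first_year: float = 0.0   # "varies by vendor"
    facilities: float = 0.0         # hardware/servers, "varies by vendor"
    admin_recurring: float = 0.0    # assumed yearly admin cost after year one (not on the deck)

    def device_total(self) -> float:
        return self.users * self.device_cost

    def total_deployment(self) -> float:
        """The deck's 'Total Cost of Deployment' line."""
        return self.device_total() + self.software + self.admin_first_year + self.facilities


def first_year_return(annual_password_cost: float, deployment: BiometricDeployment) -> float:
    """Deck's formula: annual password management cost - total cost of deployment."""
    return annual_password_cost - deployment.total_deployment()


def payback_year(annual_password_cost: float, deployment: BiometricDeployment,
                 max_years: int = 10):
    """Year in which cumulative savings first cover cumulative spend, or None."""
    cumulative = first_year_return(annual_password_cost, deployment)
    if cumulative >= 0:
        return 1
    for year in range(2, max_years + 1):
        cumulative += annual_password_cost - deployment.admin_recurring
        if cumulative >= 0:
            return year
    return None


def breakeven_device_cost(annual_password_cost: float, deployment: BiometricDeployment) -> float:
    """Highest per-device price at which the first-year return is still non-negative."""
    other = deployment.software + deployment.admin_first_year + deployment.facilities
    return (annual_password_cost - other) / deployment.users


if __name__ == "__main__":
    # Constructed scenario: 1000 users, vendor-dependent amounts filled in as assumptions.
    plan = BiometricDeployment(users=1000, software=30_000, admin_first_year=20_000,
                               facilities=10_000, admin_recurring=15_000)
    for label, yearly in (("IDC", idc_password_cost(1000)),
                          ("Gartner", gartner_password_cost(1000))):
        print(f"{label}: password cost ${yearly:,.0f}/yr, "
              f"first-year return ${first_year_return(yearly, plan):,.0f}, "
              f"payback in year {payback_year(yearly, plan)}, "
              f"break-even device price ${breakeven_device_cost(yearly, plan):,.2f}")
```

Running the same deployment against both password-cost estimates is the point: with the deck's numbers the IDC method pays back in the first year and the Gartner method only in the second, so the choice of baseline changes the answer more than the device price does. The "varies by vendor" lines, and any separate user repository the note warns about, belong in the parameters, not in a footnote.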
Administration Costs
• Things to consider that will affect administrative costs:
– What will it take to biometrically register each user?
– What if later on you choose a different biometric vendor?
– Is the access policy for biometric users separate from your application and operating system policy?
• What will it take to make these consistent?
• How will you enforce policy change across these systems?
– Does the solution require a separate user repository?
• How will you manage the life cycle of users in multiple repositories?
– Does the solution provide standards-based or open interfaces, or will custom and proprietary work be required to integrate the authentication with the applications?
Additional considerations and the future
My opinion
• A couple of key things have happened in the industry that enable biometric deployments to show a positive ROI.
– Vendors have begun to consider the life cycle management and deployment issues and have begun implementing this into their products.
– Single sign-on technologies are finally coming of age and can greatly reduce integration costs and enable application integration
My advice
• Additional considerations:
– There are over 450 biometric vendors in the market today
• The market is nowhere near large enough to support this many vendors
• Plan on continued consolidation and attrition
– Either deploy biometrics for a single application or deploy as part of a holistic access management strategy that considers:
• Identity management
• Policy management
• Access control
– Require your biometric vendor to integrate with your standards-based user repositories and to support multi-factor authentication
– Understand the role of new standards such as SAML, SOAP and XACML, and how they will not only relate to your biometric strategy but affect the overall security of your organization
Questions?