Stepping up cybersecurity: Biometrics and multifactor authentication

October 14, 2021


Guests

Rob Douglas, Founder, Chairman and CEO of BioConnect

Christian Morin, Vice President Cloud Services and Chief Security Officer at Genetec

Description

In episode 10 of Engage, we welcomed Rob Douglas, CEO and President of BioConnect. He sat down with us to discuss biometrics and privacy in physical security. Genetec Chief Security Officer Christian Morin joins the conversation too. He shares his thoughts on recent changes in the industry and on improving cyber hygiene, a hot topic during cybersecurity awareness month. According to a Gartner prediction, CEOs will be liable for cyber-physical security incidents. In this episode, we look at the best ways to fight new cyber threats through multi-factor authentication.

Transcript

DAVID CHAUVIN: Welcome to Engage: A Genetec podcast. 

“’Computer, this is Lieutenant Commander Data, please access all Starfleet command orders to starships, starbases, and colonies, for the last six months.’ 

 ‘Working.’” 

DAVID CHAUVIN: Biometrics was once just science fiction used in movies and TV shows like this clip from Star Trek The Next Generation. Decades later, however, biometrics has become a part of our everyday lives. From fingerprint scanners on our phones to facial and voice recognition, our use of technology is ever-expanding and can play a beneficial role in our everyday lives. But we need to ask ourselves, how is it being used to make us safer, and at what risk and cost to our privacy? 

DAVID CHAUVIN: I’m David Chauvin.

ROB DOUGLAS: I remember walking the show floor of ISC West, which I’ve been doing for many years, 11 years ago, looking at all the vendors, looking at the marketplace, and thinking to myself, my industry is just not going to get the fundamental need for higher trust. 

DAVID CHAUVIN: And that’s my guest. Rob Douglas, CEO of BioConnect. In the first half of our show, I speak to Rob about biometrics and its role in today’s physical security industry. After that, we hear an excerpt from an upcoming interview with Christian Morin, Chief Security Officer at Genetec, about privacy, cybersecurity, and multifactor authentication. 

ROB DOUGLAS INTERVIEW

DAVID CHAUVIN: But first, let’s start with my interview with Rob Douglas, president and CEO of BioConnect, a leader in biometric applications in the security industry. I asked about his concerns around authentication and trust in the physical security world.

ROB DOUGLAS: My industry is driven off two primaries or, at the time, was driven across two primary economic engines. One was video surveillance, and the second one was card-based credentials. The interesting thing is like what is a card? The card is a piece of plastic that has now been assigned to a person. So, therefore, you’re supposed to use this card for the rest of the time from this moment forward. And every time it touches a little black reader, an access control system is supposed to assume that that’s Rob. The problem with that, of course, is that it’s a piece of plastic that touches the card reader. So we don’t know where Rob is. All we know is that his piece of plastic showed up. And so, as a result of that, you haven’t established trust. You haven’t established human trust with the transaction of gaining access to whatever it is that’s sensitive to you. So I just viewed that at some point, the market we as an industry have to solve that problem, particularly for higher security access events. And so that began the journey of BioConnect. 

DAVID CHAUVIN: So for you, the need was more around higher security requirements, making sure it’s indeed the right person. People are just in biometrics, not necessarily because of security, but because of convenience. Is that also a big driver, you think? Or is that more of a perception that some people make?   

ROB DOUGLAS: I mean, it is a driver for sure, and people are looking for more convenient ways of gaining access to everything. But the more significant issue that we were centered around was how do you provide higher security, higher levels of trust, and confidence that that person is whom they say they are? For us, biometrics is just the last inch. It’s the last inch between technology and human. It is strictly a sensor that is helping gain better insight into whether it’s likely me who’s requesting access. So we’re not so interested in biometrics; we’re more interested in the application of the technology and how one can use it to establish trust.

DAVID CHAUVIN: You know, we talk biometrics, and the perception is, well, it’s an invasion of privacy. Who owns the data on your side? If I use, you know, bio, not even sure, but in general in the industry, if I use biometrics readers, where does that data reside? Is it always encrypted? Do you see any challenges around the privacy of personal information? 

ROB DOUGLAS: So historically, biometrics was originally given commercial life because of the horrific event on 9/11. That 9/11 attack brought biometrics into mainstream technology as a way to have higher levels of trust of who’s getting into airports, into sensitive areas. And in that time, it was strictly around security. Yes, privacy was a consideration, but it was not a dominant consideration. The biometric information is stored as a set of zeros and ones. So it’s machine-level code. It’s not actual images of people, and it’s encrypted, which is all fantastic. But that template could be resident anywhere. That’s historically. If you look at where we are today, we live in a world where privacy matters. Legislation across the US, across Europe, and now coming into Canada as well is privacy protection. And with that protection comes the responsibility to allow the individual to have control of their biometric information. So they are the ones who consent to its use, and they can solely decommission it at their election. And so this shift is moving from the enterprise having control over the biometric information to the individual. And so, if you look out into the future, that’s where we’re headed. We’re heading to a world where the individual citizen is the one in control of their biometric through its complete lifecycle. Now that that move is happening, it’s allowing privacy to achieve what it was always intended to do.

DAVID CHAUVIN: So we have to be clear again, especially for people outside the industry; there’s a big difference between the Hollywood concept of facial recognition versus saying, I authorized my credential. Whether it’s facial recognition, fingerprint or hand geometry, I approved my credential to be stored and used to grant me access. The moment I want to decline that authorization, everything’s deleted, right? So I still have complete control over the fact that the data even exists.

ROB DOUGLAS: So we see evidence of that. We see that in different laws being passed across the US. But the basic idea is that you can’t just take my face and capture that information just through surveillance. The difference is that I’m just trying to get access into a facility; I’m now granting access to use the biometric to authenticate who I am to allow me entry into a room or into my autonomous vehicle or whatever. And that, to me, is very acceptable and can be done in a way now with technology where the user can retain control of that biometric information. 

DAVID CHAUVIN: Are you worried that some legislation might go a bit too far and make it harder for biometrics to thrive? In the same vein, have you worked with legislative leaders, whether in Canada, the US, or Europe, to try and better educate them on the differences you explain? That’s a significant difference. Are you confident that lawmakers understand those differences? 

ROB DOUGLAS: So I think legislatively, you’re now seeing people understand the difference between surveillance and access. The legislation calls out that difference, where I now see it’s going to its rightful place. And in the end, it’s going to benefit the individual citizen. The citizen is going to be in much greater control, unlike they’ve ever been before. Now it’s also worth noting that we’re not storing biometric information or your image. The fact is that it’s all machine code, zeros and ones, and the fact is that it’s in an encrypted template. All of those things can give a person great confidence that their PII is being protected because it’s no different from the zeros and ones sitting on your Visa credit card. So I think it’s heading in the right direction. I believe that technology has to change to accommodate this change. I know for us as a company, I look at the engineering work we’ve done over the last 12 months to create a world where the individual citizen can be in control of granting access to their biometrics and suspend it at their discretion; that is now available on our platform, and that wouldn’t have existed a year or earlier before. So we and other companies like us have stood up to the challenge of privacy and have brought technology to market to solve it.

DAVID CHAUVIN: And you know, earlier you talked about some of the weaknesses of, you know, traditional access control hardware. So why are these cards such a weakness and such a security risk for organizations?

ROB DOUGLAS: I walked into a 7-Eleven store only to be shocked to see a kiosk sitting there, and it’s a kiosk that will duplicate your card and key fob in 15 minutes. It fundamentally means that anyone can walk in with your card or key fob and replicate it in 15 or 20 minutes and can create duplicates of your credential. The people who provide those technologies are just trying to make it easier to recreate their credentials. But if you’re a chief information security officer, this is a new threat that has presented itself as an example. 

DAVID CHAUVIN: Do you know out of the top of your head, what’s the percentage of biometrics adoption in the industry today? 

ROB DOUGLAS: I do, for the physical biometric device, for every ten doors in the marketplace. Historically, about one out of every ten doors uses biometrics. The thing that’s also now changing is that we’ve got four or five billion people using biometrics on their mobile devices. So we have a new level of biometrics that are coming into the marketplace, from one of every ten doors to, I would imagine, probably within the next short bit of time, four of those ten doors or six of those ten doors, because people are going to want to use their mobile device. They’re going to want to do face recognition from that device as a second-factor authentication for higher security. And we’re going to eliminate the need to use a physical card and enjoy the benefits of biometric security without actually having to put a device on the wall.

DAVID CHAUVIN: So we talk about using your phone. You know, a conversation would not be complete without talking about the pandemic touching surfaces and the virus’s transmissibility through contact. Did you experience that firsthand? Did you see either technical issues or issues of perception around biometrics due to the pandemic that’s been going on? 

ROB DOUGLAS: Yeah, so a year ago, we observed in particular finger recognition devices where, you know, nobody wanted to touch anything, including a biometric reader, so nobody wanted to touch a door handle. Nobody wanted this as a reader. Nobody wanted to touch anything. And so this particular device is wrapped up in sort of that view, and everybody then wanted to move to facial recognition solutions. And here we are a year later; there’s no question that the demand for facial recognition systems has increased materially due to COVID. And yet, at the same time, the number of finger recognition devices that are being sold is not quite back to where it was pre-COVID, but it’s very close.

DAVID CHAUVIN: What’s the future of biometrics, in a nutshell? 

ROB DOUGLAS: If you are Chief Information Security Officer, if you are a director of physical security, if you are the chief information officer, you are in a very challenging role today. And the reason why I say that they are in a very, very difficult position is that the enterprise risk is accelerating. You see, historically, access control security moves at the speed of a building. Once it goes in, it never changes. We have lived in a world for 30, 40, 50 years where once somebody put something at the door, it stays forever. There are in circulation, I’m told, somewhere between 400 million and 500 million cards that are still being used today. So we are an industry that thinks about security, but once it goes in, it never comes out. It just stays there. So now, let’s put that as the backdrop. Now let’s look at the world we’re living in today. What’s the enterprise risk today? Well, the first one is work from home. I now have a variable workforce; my workforce of tomorrow, all of them, look more like visitors than employees. The second is that every company has had to figure out how to digitize its value. And as a result of that, the amount of zeros and ones and data being created has accelerated. What’s the implication of that? The protection of the physical data, both in terms of its storage, transmission, and processing, has accelerated because the enterprise is more reliant on data to run its business and deliver its value than it’s ever been before. The third area is cyber attacks. So if you read what Gartner publishes, Gartner published a report recently that says that by 2024, 75 percent of CEOs will be personally liable for cyber-physical attacks. That means cyber attacks coming in through physical access that could cause harm to others will be a personal liability, and we’re talking only three years from now. You now have all the regulation changes in privacy. You currently have people, for health reasons, not wanting to touch devices. They’re looking for technology solutions. Companies are seeing an acceleration of acquisitions. So you’ve got more new companies being consolidated, which changes the access control landscape. And then, if that’s not enough, you have the credential changing. It’s no longer acceptable to know who you are. Now I need to know, how are you? How is your health? I need to know, why are you here? I need to know how long you’re going to be here. The C-level people that I was referring to have to find an accelerated way to adjust to the threats currently facing them, and the old world of putting it in and leaving it; that’s over. And so you’ve got to be able to find a platform approach that you can layer in the security and adjust security as your threats are changing. Personally, from my limited experience on the planet, this has got to be one of the biggest challenges that exist for the enterprise. How can I adapt to the changing threats that I’m experiencing and move away from inflexible tools to a world where I can adjust my security posture based on the threats I’m experiencing?

DAVID CHAUVIN: Thanks, Rob, and I have one more question as we bring our conversation to a close. What do you think the future of physical security should be like? 

ROB DOUGLAS: I think that to succeed in tomorrow for the world of physical access security, we’ve got to become more nimble and use IT-based technologies to be able to adjust to these threats we’re talking about. I’m an active member in our industry and have been for a long time; we have to become more adaptable. Our technologies need to become less proprietary, more open, more capable of adjusting to change. And I think our industry is learning now how to achieve this. But one thing’s for sure the threats are only going to accelerate, and the tools and technology and the partnerships that one works with have to be adaptable. 

DAVID CHAUVIN: Rob, thank you so much for your time. That was Rob Douglas, president and CEO of BioConnect. We now turn to Christian Morin, Chief Security Officer and Vice President of Integrations and Cloud Services at Genetec. Our team recently sat down with him for October’s cybersecurity month.

CHRISTIAN MORIN INTERVIEW

DAVID CHAUVIN: So Christian, in the last two years, obviously the reality has changed drastically, and that impacted how we deploy systems, with COVID and everything. So what are some of the key challenges and some of the new threats you’re seeing out there in terms of cybersecurity?

CHRISTIAN MORIN: So clearly, you pointed it out. Things have changed dramatically over the last year and a half two years. The biggest of these changes has been how the workforce has gone from working from offices and buildings controlled and secured by various systems to working from home. So the overall surface of attack and also how people work has changed dramatically. In many cases, organizations have scrambled to adjust to this new reality changing processes, changing systems, implementing systems that they did not have before to ensure that people can continue to work. You know, business continuity was a huge thing and, in some cases, actually cutting corners in doing so. We’ve seen organizations also trying to expose some systems that were maybe air-gapped before, expose them to the outside world, allowing employees that now have to work from home to connect to those systems. We’ve also seen how these remote office setups are not as secure as the corporate setups, making it much harder for the security professionals to understand what is going on and if their network is under attack. This leads me to how, you know, like phishing campaigns, credential harvesting campaigns, and how account compromises are very, very rampant. And this plays directly into how our supply chain is more and more fragile. You know, from a security perspective, it just compounds the problem. 

DAVID CHAUVIN: In the early days of the pandemic, there was a significant increase in the demand for touchless access control and companies wanting to use biometrics like facial recognition to avoid people touching surfaces. But when it comes to the use of biometrics, what are some of the privacy and cybersecurity considerations that companies should keep in mind when we talk about biometrics, such as facial recognition? 

CHRISTIAN MORIN: It falls under the purview of PII or personally identifiable information. More and more countries are regulating how organizations must sensitively handle PII and how they handle it. Kind of. There are going to be specific variances. For example, if you use a cloud service versus an on-site system that you control entirely, you have to ensure that you know whatever service you are leveraging. If it’s a cloud service, they handle PII appropriately and have the appropriate controls to secure that type of information. And the same goes, you know, if you’re doing it yourself, you know you probably have much more hoops to go through to safeguard that type of information adequately. So, you know, rule of thumb, when you have PII to deal with, you have to do it with extreme care. You have to protect the privacy of the individuals whose information you’re handling. 

DAVID CHAUVIN: Cybercrime is expected to continue to accelerate in 2022, and with the growing adoption of IoT, physical security professionals need to get ahead of the risk. If you can summarize for us, what would be your best practices to maintain proper cyber hygiene?

CHRISTIAN MORIN: So there’s quite a lot to do, but there are some basics that we cannot forgo and that we cannot gloss over. Number one, awareness, essential awareness. People need to understand the problem, need to understand the risks, need to understand the do’s and don’ts, and having a good awareness campaign within organizations is the key to success. Number two is having a proper asset inventory. You cannot protect what you do not know you have, and you cannot put in place the appropriate mechanisms if you do not know all the ins and outs of your environment. So you need to know what computers, what IoT devices, who are your users, what type of data. Otherwise, you’ll forget something, and you will create a vulnerability in your environment. Number three, this one sounds easy to implement. Still, it’s patching, you know, being up to date with the patches and the updates, specifically those that address security vulnerabilities, because with security vulnerabilities, it’s just a question of time before a vulnerability is discovered; and having that inventory, then you can figure out what you need to implement in terms of patches and updates and keep those systems up to date. A fourth element that I think is very important is, like, get rid of passwords. Passwords are totally useless and very, very weak in nature. Whether through hardware security tokens such as a YubiKey or a smart card, multifactor authentication could be through biometrics. It could be through a phone authenticator app. There are several different ways to put additional safeguards on your authentication mechanisms to ultimately eliminate phishing attacks. And point number five, as a defender, you have to be successful 100 percent of the time, which is impossible. As an attacker, you only need that one shot at it that goes through the defenses. So having a proper system that detects possible compromise is essential, but more importantly, is having a plan. What happens if something does happen? Having a plan, an incident response plan, is highly, highly important. So that would be like some of the five big things that come off the top of my head to help customers do the basics from an information security perspective.

DAVID CHAUVIN: So when we talk about multifactor authentication or MFA, what are we seeing right now in terms of trends in the physical security industry? Is it that common? 

CHRISTIAN MORIN: Short answer, I would have to say that it’s not common enough. Not enough people use additional factors to guarantee or provide higher assurance of identity on any authentication method, whether on the physical or the logical side. 

DAVID CHAUVIN: OK, and then for the customers using it, how is that being deployed? What are the most common methods being used? 

CHRISTIAN MORIN: So, there are several methods that you can use to add an additional factor to your authentication. From a logical perspective, it usually starts with the password, typically complemented by a phone authenticator application, by a text message sent to a phone, by a hardware security token like a YubiKey or an RSA token, or a smart card. There are many ways to implement multifactor on the logical side and the physical side. On the physical side, you will typically add biometrics; that is very common, so you have to swipe your card, and then you will add either a fingerprint or facial recognition. But these other factors can also be used on the logical side. So again, there’s quite a number of ways to ensure that you have a much higher level of assurance for your authentication, be it physical or logical.

DAVID CHAUVIN: That was Christian Morin from Genetec. His full interview will go live in October during cybersecurity month. Subscribe to the Genetec social media channel to be the first to get access to this complete interview. And if you’d like more information about biometrics, cybersecurity, and privacy right away, well, head over to the Genetec Resources and Learning Library at www.genetec.com. Thanks for joining me today. We hope you’ve enjoyed this episode of Engage. I’m David Chauvin, and we’ll see you next time. Engage, a Genetec podcast, is a production of Genetec Inc. The views expressed by the guests are not necessarily those of Genetec, its partners, and its customers. For more episodes, visit our website at www.genetec.com, use your favorite podcasting app, or ask your smart speaker to play Engage, a Genetec podcast.
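The second factor Christian Morin describes in the interview above, a phone authenticator app complementing a password, is built on the TOTP algorithm of RFC 6238 (HOTP from RFC 4226 with a time-based counter). What follows is an added example written for this page; it is not code from the podcast, Genetec, or BioConnect. It implements TOTP with the Python standard library, verifies a submitted code with a small clock-drift window and rejects replay of a window that was already accepted, and checks the code alongside a salted PBKDF2 password hash. The user record layout, the `make_user()` and `login()` functions, and the drift and iteration parameters are illustrative assumptions; the seed used in the demo is the RFC 6238 reference key, so the printed values can be checked against the RFC's test table.

```python
"""RFC 6238 TOTP as a second factor beside a password.

Added example, not from the podcast or either company's products. The user
record layout, make_user() and login() are illustrative assumptions.
"""
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple

TIME_STEP = 30          # seconds per TOTP window, as authenticator apps use
DIGITS = 6
ALLOWED_DRIFT = 1       # accept one window either side to tolerate clock skew
PBKDF2_ROUNDS = 200_000  # assumed work factor for the password hash


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int) -> Tuple[bool, int]:
    """Check a submitted code within the drift window.

    Returns (accepted, counter). A window at or below last_counter is never
    accepted again, so a code captured by phishing or shoulder-surfing cannot
    be replayed inside the same window; the caller stores the returned counter
    on success. Comparison is constant-time.
    """
    current = at // TIME_STEP
    for delta in range(-ALLOWED_DRIFT, ALLOWED_DRIFT + 1):
        candidate = current + delta
        if candidate < 0 or candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            return True, candidate
    return False, last_counter


def make_user(password: str, totp_secret: Optional[bytes] = None) -> dict:
    """Enrol a user: salted PBKDF2 password hash plus a 20-byte TOTP seed.

    In a real deployment the seed is shown to the user once (typically as a
    QR code) for their authenticator app; here it is kept in the record.
    """
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "totp_secret": totp_secret or secrets.token_bytes(20),
        "last_counter": -1,
    }


def login(user: dict, password: str, code: str, now: int) -> bool:
    """Both factors are always evaluated so a failure does not reveal which was wrong."""
    pw_ok = hmac.compare_digest(
        hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ROUNDS),
        user["pw_hash"],
    )
    code_ok, counter = verify_totp(user["totp_secret"], code, now, user["last_counter"])
    if pw_ok and code_ok:
        user["last_counter"] = counter   # burn this window against replay
        return True
    return False


if __name__ == "__main__":
    # RFC 6238 reference seed; its 6-digit SHA-1 code at T=59 is 287082
    rfc_seed = b"12345678901234567890"
    print(totp(rfc_seed, 59))
    user = make_user("correct horse battery staple", rfc_seed)
    print(login(user, "correct horse battery staple", totp(rfc_seed, 59), 59))  # first use
    print(login(user, "correct horse battery staple", totp(rfc_seed, 59), 61))  # replay
```

Note that a TOTP code only proves possession of the seed for the current window; it does not bind the code to the site the user is on, which is why Morin lists hardware security keys and smart cards, whose challenge-response is origin-bound, among the options that ultimately eliminate phishing. The replay check above closes the narrow reuse window but not a real-time relay of the code.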

Related content

AI in physical security - Learning, retraining, automating

August 27, 2021

Back to the future of video, a conversation with Pierre Racz and Martin Gren

July 8, 2021

Engage: Inside the modern-day police crime lab

May 13, 2021