Hosted by: June 23-26, 2003 • New York City www.biometritechexpo.com The Cost Justification for Choosing Biometrics Roy Lopez System Engineering Director Novell Inc., [email protected]

Dec 18, 2015

Transcript
Page 1:

Hosted by: June 23-26, 2003 • New York City

www.biometritechexpo.com

The Cost Justification for Choosing Biometrics

Roy Lopez

System Engineering Director

Novell Inc.,

[email protected]

Page 2:

Agenda

• How real is the threat?

• Will the technology facilitate your business objective?

• Understanding the issues

• Building a business case

• Additional considerations and futures

• Q&A

Page 3:

• How real is the threat?

Page 4:

How real is the threat?

“It’s not hacking that results in the most damaging penetrations to an enterprise’s security system. It is often the work of an employee within the enterprise that causes the most damage. And while many of those incidents are due to employee malice, a great number stem from the manipulation of employees - often without their knowledge - that results in the theft of crucial data.”

Rich Mogull, Senior Analyst, GartnerGroup

Gartner estimates that more than 70% of unauthorized access to information systems is committed by employees, as are more than 95% of intrusions that result in significant financial losses.

Kristen Noakes-Fry, Research Director, Gartner

Page 5:

How REAL is the threat?

Page 6:

Traditional, Best of Breed Security Architecture

[Diagram. Labels: Web server; Apps; AIX, Solaris, HP-UX, Linux, etc.; DMZ; NT/2000; OS/390; NetWare®/NT admin; Users; Web users; VPN, Dial-up, Wireless users; Access Control server; OS/390 Admin; Unix admin; NetWare; Apps admin; Web admin]

Page 7:

• Leveraging technology to achieve business objectives

Page 8:

What is your objective?

• What benefits do you hope to gain and which pain points do you hope to address with the deployment of this technology?

– A stronger form of authentication/better security?

– An improved end user experience?

– Are you hoping to reduce password related help desk and administration costs?

• Will you be requiring your mobile workforce to biometrically authenticate?

Page 9:

Biometrics for security

• Is your main objective to be secure?

– Tsutomu Matsumoto and the gelatin finger

• Two factors are better than one

– How secure is the entire software architecture?

• Are the client and server software digitally signed?

– Tamper resistant

• Are the client and server software mutually authenticating?

– What is the authentication protocol?

• Is the communication between the biometric device and the back end system encrypted?

– Integrated, circuit-based readers are probably more appropriate than optical-based readers

Page 10:

Biometrics for convenience

• Is your main objective to improve the end user experience?

– Can be very successful as a password replacement

– Initially, saw more convenience than security-oriented engagements, but this is changing

• Which form factor is right?

– While this model often provides the greatest ROI, there’s still the cost of managing the solution

Page 11:

• Understanding the issues

Page 12:

Lessons learned from other Big Ideas

• What lessons can we learn from PKI?

– 1999 Headlines: “This is the year for PKI”

– 2000 Headlines: “PKI, Nothing but Pilots”

– 2001 Headlines: “This is the year for PKI”

– 2002 Headlines: “What’s PKI?”

• Why have PKI deployments failed to take off as hoped?

• What percentage of your applications recognize a digital certificate?

• It’s probably higher than the percentage of your applications that recognize a biometric device, let alone the one your organization is considering

Page 13:

Enabling applications

• In order for the project to be successful, it must be focused

– Focus on enabling a specific area for biometric authentication with clear milestones

• What needs the higher level of authentication?

– A certain application

– A group of users

– All network access

• Which of those applications recognize or respect the biometric authentication?

– The easiest way to restrict access to network resources is via single sign-on products

Page 14:

• Building a business case

Page 15:

Building a Business Case

• Some aspects of advanced authentication can be quantified, but most value is very difficult to quantify and in some cases more qualitative.

– Quantifiable benefits

• Password management

• Advanced authentication by itself does not provide an easily quantifiable ROI

• Advanced authentication coupled with other access management components provides compelling ROI

• Fraud protection

– How much is your company’s reputation worth?

• Value of data

• Value of transaction

• Audit and Compliance

– Not easily quantified

• Improved security/reduced risk

• Compliance with regulations

Page 16:

What are you spending today? Calculating the cost of passwords

Calculating Password Costs with IDC Data

Number of employees: 1000

IDC’s estimate of password management costs per year per user: $200.00

Annual Password Management Cost: $200,000.00

Calculating Password Costs with Gartner Data

Number of employees: 1000

Gartner’s estimate of password calls per user per year: 4.8

Your estimate of cost per call: $30.00

Annual Password Management Cost: $144,000

Page 17:

What costs should I consider?

• Hard costs

– Hardware

• Can range from $50 per device on up

• An average fingerprint reader will cost $125 per device

– Software

• Some vendors try to charge you extra for the software to make their hardware products work

• Soft costs

– Implementing, managing, and supporting a biometric based solution

– Enabling applications to leverage the biometric

– These costs can vary significantly by vendor and can easily make up the majority of costs

Page 18:

Calculating the cost of biometric solution

Calculating Biometric Solution Costs

Biometric device cost X # of users (@$125 per device): $125,000.00

Software: Varies by vendor

Administration Costs (first year): Varies by vendor

Plant and Facilities (Hardware/Servers): Varies by vendor

Total Cost of Deployment: $???,???.00

Note: Does it require a separate user repository, a separate security policy, etc.? The less it integrates with reusable infrastructure, the higher the cost of deployment and ownership will be.

Annual password management costs - total cost of biometric deployment = first year return

Page 19:

Administration Costs

• Things to consider that will affect administrative costs:

– What will it take to biometrically register each user?

– What if later on you choose a different biometric vendor?

– Is the access policy for biometric users separate from your application and operating system policy?

• What will it take to make these consistent?

• How will you enforce policy change across these systems?

– Does the solution require a separate user repository?

• How will you manage the life cycle of users in multiple repositories?

– Does the solution provide standards-based or open interfaces or will custom and proprietary work be required to integrate the authentication with the applications?

Page 20:

• Additional considerations and the future

Page 21:

My opinion

• A couple key things have happened in the industry that enable biometric deployments to show a positive ROI.

– Vendors have begun to consider the life cycle management and deployment issues and have begun implementing this into their products.

– Single sign-on technologies are finally coming of age and can greatly reduce integration costs and enable application integration

Page 22:

My advice

• Additional considerations:

– There are over 450 biometric vendors in the market today

• The market is nowhere near being large enough to support this many vendors

• Plan on continued consolidation and attrition

– Either deploy biometrics for a single application or deploy as part of a holistic access management strategy that considers:

• Identity management

• Policy management

• Access control

– Require your biometric vendor to integrate with your standards-based user repositories, and support Multi-Factor Authentication

– Understand the role of new standards such as SAML, SOAP, XACML and how this will not only relate to your biometric strategy, but affect the overall security of your organization

Page 23:

Questions?
