Per the examples noted in the question, biometric data is unique to each employee, and like their user IDs and passwords, it's often used by companies and government agencies for ensuring secure access to network and computer systems. Biometric data should be considered employee data, which conversely is guarded by policies and regulations. The problem is that unlike a user ID and password, biometric data is considered to be an authentication...
credential, and there are no policies demanding that authentication credentials be kept secure.
Current regulations, such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley Act (GLBA) require security and access controls for customer and employee data, but not necessarily for authentication credentials.
Stepping to your main concern, biometric data -- regardless of regulations -- needs to be protected. Like user IDs and passwords, it is stored as digital data in directories like Active Directory (AD) or LDAP. Similar to other authentication credentials, it can be sniffed, stolen or compromised and then used to maliciously access your system.
Biometric data isn't as easy to compromise as a plain user ID and password, which can be typed into a login page to gain system access. But, if unencrypted, the digital representation of biometric data can be replayed, and used to access a system..
There are three criteria for securing biometric data. First, it should be gathered on a secure device that only passes data to your system, without storing it. Second, like any other authentication credentials, it should be transmitted with encryption and never in clear or plain text. Third, it should be stored and encrypted in a secure directory service, such as AD or LDAP.
For more information:
Related Q&A from Joel Dubin, past SearchSecurity.com expert
The security of RFID chips and smart cards may not be fully mature, but there are best practices to keep facilities safe. Identity and access ...continue reading
Picture passwords for mobile device security aren't a new idea, but they have been recently improved. Identity and access management expert Joel ...continue reading
Hacked smart cards are a large potential threat to enterprises that utilize them. Learn how to thwart smart card hackers.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.