Home > Ask the Security Experts > Identity Management and Access Control Questions & Answers > Is there any policy or regulation to help protect biometric data?
Ask The Security Expert: Questions & Answers
EMAIL THIS

Is there any policy or regulation to help protect biometric data?

Joel Dubin EXPERT RESPONSE FROM: Joel Dubin

Pose a Question
Other Security Categories
Meet all Security Experts
Become an Expert for this site


Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


>
QUESTION POSED ON: 02 May 2007
I work for a government agency and I am concerned that our users' biometric data may be at risk. Is there any policy or regulation to help protect data like fingerprints, retinal, iris scans, etc.?

>
EXPERT RESPONSE
You're correct; biometric data is indeed sensitive. But, unfortunately, there aren't any policies or regulations requiring its protection.

Per the examples noted in the question, biometric data is unique to each employee, and like their user IDs and passwords, it's often used by companies and government agencies for ensuring secure access to network and computer systems. Biometric data should be considered employee data, which conversely is guarded by policies and regulations. The problem is that unlike a user ID and password, biometric data is considered to be an authentication credential, and there are no policies demanding that authentication credentials be kept secure.

Current regulations, such as Sarbanes-Oxley (SOX), the Health Insurance Portability and Accountability Act (HIPAA) and Gramm-Leach-Bliley Act (GLBA) require security and access controls for customer and employee data, but not necessarily for authentication credentials.

Stepping to your main concern, biometric data -- regardless of regulations -- needs to be protected. Like user IDs and passwords, it is stored as digital data in directories like Active Directory (AD) or LDAP. Similar to other authentication credentials, it can be sniffed, stolen or compromised and then used to maliciously access your system.

Biometric data isn't as easy to compromise as a plain user ID and password, which can be typed into a login page to gain system access. But, if unencrypted, the digital representation of biometric data can be replayed, and used to access a system..

There are three criteria for securing biometric data. First, it should be gathered on a secure device that only passes data to your system, without storing it. Second, like any other authentication credentials, it should be transmitted with encryption and never in clear or plain text. Third, it should be stored and encrypted in a secure directory service, such as AD or LDAP.

For more information:

  • In this SearchSecurity.com expert response, Joel Dubin discusses the pros and cons of using biometric authentication devices.
  • Visit SearchSecurity.com's Data Protection Security School to learn more about the tools and tactics needed to successfully secure data throughout an enterprise.


    • Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us   


    RELATED CONTENT
    Identity Management and Access Control
    What are the options for a mechanical (not electrical) door security system on a server room door?
    What's the difference between access control mechanisms and identity management techniques?
    What courses can improve fundamental knowledge of infrastructure systems (Active Directory, LDAP, etc.)?
    What tools provide user provisioning and single sign-on for PeopleSoft- and Unix-based products?
    Should a new user have to confirm his or her email address before gaining access?
    Can home PCs provide a way for viruses and spyware to enter a corporate LAN?
    What should an enterprise look for in a password token, and in a vendor?
    Is it possible to write a batch file that allows user access to the local admin group for a short time?
    IAM best practices for employees with varying degrees of access to the same computer
    What are some good pre-boot biometric user authentication tools or strategies?

    Two-Factor and Multifactor Authentication Strategy
    PKI and digital certificates: Security, authentication and implementation
    Security token and smart card authentication
    Enterprise single sign-on: Easing the authentication process
    Exploring authentication methods: How to develop secure systems
    What should an enterprise look for in a password token, and in a vendor?
    If the encryption on the Mifare Classic RFID has been cracked, are smart cards insecure?
    How do RFID-blocking passport wallets work?
    What are good features to look for when searching for new access control software?
    Quiz: The new school of enterprise authentication
    The steps of privileged account management implementation

    Biometrics
    Exploring authentication methods: How to develop secure systems
    What are some good pre-boot biometric user authentication tools or strategies?
    To what exactly would a request for biometric data from an insurance provider pertain?
    Keystroke recognition aids online authentication at credit union
    What are the possible benefits of microchip implants and RFID tags for employees?
    Biometrics vs. biostatistics
    How are biometric signatures more than a fingerprint scanner?
    What precautions should be taken if biometric data is compromised?
    How to choose the right biometric security product
    Using fingerprint door locks in a network environment
    Biometrics Research

    RELATED GLOSSARY TERMS
    Terms from Whatis.com − the technology online dictionary
    AAA server  (SearchSecurity.com)
    authentication  (SearchSecurity.com)
    authentication, authorization, and accounting  (SearchSecurity.com)
    federated identity management  (SearchSecurity.com)
    Kerberos  (SearchSecurity.com)
    password hardening  (SearchSecurity.com)
    typeprint analysis  (SearchSecurity.com)

    RELATED RESOURCES
    2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
    Search Bitpipe.com for the latest white papers and business webcasts
    Whatis.com, the online computer dictionary



    Search and Browse the Expert Answer Center
    Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.
    Browse our Expert Advice



    Find Security Solutions for Your Business
    Targeted Security Channel Tips for Resellers, Integrators and Consultants
    TechTarget Security Media
    Information Security View this month\\'s issue and subscribe today.
    Information Security Decisions Apply online for free conference admission.
    		SearchSecurity.com
    HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us
    SEARCH :     Site Index Powered by: Search Powered by Google

    About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
    TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

    TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




    All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy     		  TechTarget - The IT Media ROI Experts