
Testimony and Supporting Documents 

Hearing by Subcommittee of Oversight and Investigations, Department of Veterans Affairs

Karl Ware

Co-Founder and Executive Vice President of Operations

BioNetrix 

April 4, 2001

Introduction

 

Today’s rapid advancement and adoption rate of technology is accelerating the evolution of business processes into a completely digital environment. This means that internal and external users, external partners, suppliers and vendors, customers and consumers are given 24x7x365 access to sensitive, critical and often confidential information electronically, and in most cases given significant authority to conduct materially affecting transactions in a digital form.  What was once a digital evolution within the confines of an enterprise or organization has transformed into ubiquitous access over multiple channels – the enterprise network, the Internet, mobile palm-based devices and wireless phones.  These dynamic environments are forcing organizations to evaluate traditional approaches to internetworking and network security.  

Organizations need to be able to verify the identity, authority and access privileges of individuals and entities to allow them to access confidential information or conduct transactions electronically. Additionally, as the ubiquitous environment becomes pervasive, organizations have to protect their resources from crimes such as malicious attacks, corruption of critical data and theft of sensitive information.  It is no longer sufficient to solely trust the security of the core network; organizations must be able to trust both the network and the user at the edge of the network. 

Passwords – A Weak Link in the Secure Digital Environment  

Applications and network resources today are protected by password systems that are just surrogates for a user; they do not provide conclusive authentication.  In short, passwords don’t prove that users really are who they say they are.  As the digitally ubiquitous environment grows, reliance on passwords alone will further weaken security and trust models.  As the channels of access increase, the environment presents a serious security threat and an expensive, cumbersome management problem.  This scenario is becoming increasingly troublesome as evidenced by recent press reports (Table 1). 

Table 1.

“On January 29 and 30, 2001, Verisign, Inc. issued two certificates to an individual fraudulently claiming to be an employee of Microsoft Corporation. Any code signed by these certificates will appear to be legitimately signed by Microsoft when, in fact, it is not” - ZDNET March 2001

“A restaurant worker allegedly masterminded the largest theft of identities in Internet history and is suspected of stealing millions of dollars from celebrities, billionaires and executives such as Steven Spielberg, Warren Buffett, and Ted Turner” - Reuters March 2001

“Michael Bloomberg’s personal computer passwords were stolen and the inner walls of security at Bloomberg were penetrated.” - London Times, August 20, 2000

“Fortune 1000 companies sustained losses of more than $45 billion in 1999 from the theft of proprietary information” - American Society for Industrial Security (ASIS) and PricewaterhouseCoopers Survey

The problems with passwords have been well documented.  Some of the issues include (source: The Gartner Group):

  • Users might share passwords with colleagues to shortcut access controls request procedures. This might not expose the system to an attacker, but it does destroy accountability. 
  • Users tend to choose passwords that are easily remembered and so easily guessed or vulnerable to a "dictionary attack," an attack that uses a brute-force technique of successively trying all the words in some large, exhaustive list.
  • Users write down passwords where they can be found by an attacker, in the worst case, on notes stuck to workstations.
  • An attacker might use social engineering, employing some kind of confidence trick to persuade the user to reveal the password or a help desk operator to reset the user's password.
  • An attacker might simply observe a user keying in a password. This is known as shoulder surfing.
  • An attacker can intercept passwords that are sent over networks in clear text. This is a high risk in open, unencrypted, public networks such as the Internet.
  • If an attacker can place malicious software on the user's workstation or the organization's network, this can discover usernames and passwords and e-mail them to the attacker.
  • Users forget passwords, leading to a potentially high administrative overhead (as high as 40 percent of help desk calls in some organizations) or costly self-service password reset solutions.
  • Finally, with most of these vulnerabilities, it is difficult to detect if or when a password has been compromised.

Need for Strong Authentication at the Network’s Edge 

Understanding the need for a stronger and more conclusive user authentication management system at the network’s edge requires an examination of the current solutions that address information and transaction security (Figure 1). 

The core of an organization’s computing infrastructure is applications and data.  Over the last few years, the trend has been to move from centralized assets to a more distributed form where applications are distributed across servers, geographic locations and business units.  Traditionally, the security for access and authorization has been built into each application separately.  As the number of applications has grown and the channels of access have expanded, it has become increasingly complex and expensive to include security components on an application-by-application basis. 

Protecting network applications from unauthorized access and, at the same time, supporting the growing number of applications, users, and channels of access has led to privilege or permission-based management systems.  Such systems provide authorized users with the appropriate access to specific applications and network resources based on user profiles.  Providing a way to manage user access privileges means that it is possible for authorized users to move between applications without logging on to each application.  This function, known as single sign-on, has the potential benefit of remembering and using a single password to gain authorized access to multiple applications.  The downside of using passwords for single sign-on is that a compromised password is a single, and critical, point of vulnerability. 

Figure 1. [Diagram of the security stack; not reproduced in this text version.]

The need to provide cost efficient but secure network access to distributed applications over the intranet, extranet and the Internet has given rise to widespread deployment of firewalls and Virtual Private Networks (VPNs).  Firewalls are used to secure sensitive portions of an organization’s network and ensure that all communications across it conform to the organization’s security policy.  Firewalls are essential gateways, which are usually positioned between a LAN and the Internet.  They intercept all communications before entering an organization’s private network and decide whether to pass or reject these communications based on predefined rules.  VPNs typically use the Internet as the transport backbone to establish secure links, via authentication, encryption and secure tunneling.  A VPN is usually installed on the existing network infrastructure such as a firewall.  VPNs provide the ability to secure and trust the network when remotely accessed by mobile users or when networks connect multiple locations. 

As we review the security stack from the applications and privilege management systems all the way to the firewall and VPNs at the edge of the network, it is evident that these systems provide acceptable authentication at the machine-to-machine and application-to-application level.  The problem is that in this “security chain,” applications and network resources are compromised at the very edge of the network because password systems serve as surrogates for a user and do not provide personal, conclusive authentication.  A system that provides privilege-based access to users assumes that the user is who he says he is.  A robust personal authentication infrastructure (PAI) relies on strong authentication at the edge of the network to conclusively identify the user before the user is authorized for access to information and transactions.  Furthermore, authentication cannot be considered in isolation.  There is little point in requiring a user to authenticate to a firewall using a challenge-response token if all subsequent authentication events to services behind the firewall use memorized passwords transmitted without encryption.  A PAI can ensure that an organization deploys strong authentication for all services within the security infrastructure. 

Personal Authentication Infrastructure 

A Personal Authentication Infrastructure (PAI) enables organizations to deploy personal authentication at the network’s edge – and know for certain who is accessing sensitive information, applications and transactions.  A PAI deploys and manages multiple advanced authentication methods – biometric (fingerprint, voice, face, iris and signature recognition) and non-biometric (token and smart card) – to protect access to any application or resource.  A PAI extends the organization’s existing security infrastructure and supports the adoption and migration to advanced authentication methods.  It should be flexible enough to enable dynamic, multi-factor authentication, allowing organizations to dial up the appropriate level of security without sacrificing convenience.   

Benefits of Deploying a Personal Authentication Infrastructure (PAI) 

When it comes to deploying security measures even within one organization, it is likely that one authentication method or combination of methods will suit some users, and another will suit other users, depending, for example, on what information or services they are authorized to use.  Furthermore, different authentication methods might be appropriate to the same user at different times – or, rather, in different locations, such as in the office or dialing in from home.   

1. Flexibility to Choose Authentication Methods 

A PAI provides the flexibility of selecting from various means of user verification.  Authentication by its very definition verifies an identity claimed by or for a user or other system entity by demanding proofs and credentials. The means of identification supported may be classified as: 

  • Identification based on something the user is
  • Identification based on something the user does
  • Identification based on something the user has
  • Identification based on something the user knows (user ID / password / PIN)

(The examples accompanying the first three categories were graphics and are not reproduced in this text version.)

2. Ability to Implement Strong Authentication Policies 

Through a policy-based infrastructure, a PAI allows an organization to deploy varying methods and levels of security throughout its computing environment.  Policies are defined and managed based on individuals, groups, applications, channels or entry points.  When necessary, they enable multi-factor authentication, requiring any desired number and combination of biometric and non-biometric verification methods. 

Table 2.

Examples of Multi-Layered Authentication Policies

[Table not fully recovered in this text version. It has two columns, “Policy Assigned” and “Application or Environment”. The environments listed are: Standard Remote Access; Standard Desktop Access; Access to mission critical information; High value transactions (Wire Transfers). Each assigned policy combines verification methods joined by “+”; “Password” and “Fingerprint” are the only method names that survived extraction, the remaining methods having been shown as icons.]

3. Fraud Prevention and Ability to Enforce Policies 

A PAI provides real-time logging of authentication activity and detailed auditing reports to prevent fraud and to monitor and enforce policy.  Detailed reports can allow administrators to know who, what, when and where – who is attempting to gain access to what applications; when the attempts occur; and from what platform the attempts are made.  In addition, they specify whether the attempt is successful and what authentication policy is governing user access.  Costs saved through fraud prevention and non-repudiation of fraudulent transactions alone can return the investment on a PAI deployment in less than one year. 
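The policy table above and the who/what/when/where audit trail described in this section can be modelled compactly. The following Python is an added example written for this page, not BioNetrix code: the environment names are those of Table 2, but the factor sets assigned to them, the enrolment records and the logon attempts are constructed for illustration. It goes one step beyond the text by running a simple check over the audit trail for a single user authenticating from two different platforms within minutes, the kind of accountability signal the password issue list above notes a password alone cannot provide.

```python
"""Policy-based multi-factor authentication with who/what/when/where auditing.

Added illustration for this page; not BioNetrix code. Environment names are from
Table 2 of the testimony; the factor sets, user records and attempts are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List

# Constructed policies: environment -> factors that must ALL be verified.
POLICIES: Dict[str, FrozenSet[str]] = {
    "Standard Remote Access": frozenset({"password", "token"}),
    "Standard Desktop Access": frozenset({"password", "fingerprint"}),
    "Access to mission critical information": frozenset({"password", "fingerprint", "token"}),
    "High value transactions (Wire Transfers)": frozenset({"password", "fingerprint", "token", "smart_card"}),
}

_SALT = b"constructed-salt"  # a real store would use a random per-user salt

def _pw_hash(password: str, salt: bytes) -> bytes:
    # Passwords are stored as salted PBKDF2 hashes, never in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed enrolment store. Non-password factors are modelled as enrolled
# reference values that a real deployment would obtain from a reader or token server.
USERS = {
    "alice": {
        "password": _pw_hash("correct horse", _SALT),
        "fingerprint": "fp-template-alice",  # stands in for a biometric template match
        "token": "otp-482913",               # stands in for a one-time code
        "smart_card": "card-serial-0001",
    }
}

@dataclass
class Attempt:
    user: str                  # who
    environment: str           # what
    when: datetime             # when
    platform: str              # where: workstation or remote host
    presented: Dict[str, str]  # factor -> credential presented

@dataclass
class AuditRecord:
    user: str
    environment: str
    when: datetime
    platform: str
    policy: FrozenSet[str]     # the policy governing the attempt
    verified: FrozenSet[str]   # factors that actually verified
    success: bool

def _verify_factor(user: str, factor: str, value: str) -> bool:
    enrolled = USERS.get(user, {}).get(factor)
    if enrolled is None:
        return False
    if factor == "password":
        return hmac.compare_digest(_pw_hash(value, _SALT), enrolled)
    return hmac.compare_digest(value, enrolled)

def authenticate(attempt: Attempt, log: List[AuditRecord]) -> bool:
    """Allow only if every factor named by the policy is presented and verifies.
    Every attempt, successful or not, is appended to the audit log."""
    policy = POLICIES.get(attempt.environment, frozenset())
    verified = frozenset(f for f, v in attempt.presented.items()
                         if _verify_factor(attempt.user, f, v))
    # An environment with no policy is denied rather than defaulted open.
    success = bool(policy) and policy <= verified
    log.append(AuditRecord(attempt.user, attempt.environment, attempt.when,
                           attempt.platform, policy, verified, success))
    return success

def concurrent_platforms(log: List[AuditRecord], window: timedelta) -> List[str]:
    """Users with successful logons from two different platforms inside `window`."""
    flagged = set()
    ok = sorted((r for r in log if r.success), key=lambda r: r.when)
    for i, a in enumerate(ok):
        for b in ok[i + 1:]:
            if b.when - a.when > window:
                break
            if a.user == b.user and a.platform != b.platform:
                flagged.add(a.user)
    return sorted(flagged)

def demo() -> dict:
    log: List[AuditRecord] = []
    t0 = datetime(2001, 4, 4, 9, 0)
    full = {"password": "correct horse", "fingerprint": "fp-template-alice",
            "token": "otp-482913", "smart_card": "card-serial-0001"}
    # Password alone does not satisfy the remote-access policy (token missing).
    weak = authenticate(Attempt("alice", "Standard Remote Access", t0, "dialup-12",
                                {"password": "correct horse"}), log)
    strong = authenticate(Attempt("alice", "High value transactions (Wire Transfers)",
                                  t0 + timedelta(minutes=1), "desk-07", full), log)
    # Correct password, wrong fingerprint: denied and logged.
    wrong = authenticate(Attempt("alice", "Standard Desktop Access", t0 + timedelta(minutes=2),
                                 "desk-07", {"password": "correct horse",
                                             "fingerprint": "fp-template-mallory"}), log)
    # Same user, valid factors, a different platform three minutes later.
    second = authenticate(Attempt("alice", "Standard Desktop Access", t0 + timedelta(minutes=4),
                                  "desk-22", {"password": "correct horse",
                                              "fingerprint": "fp-template-alice"}), log)
    return {"weak": weak, "strong": strong, "wrong": wrong, "second": second,
            "attempts_logged": len(log),
            "flagged": concurrent_platforms(log, timedelta(minutes=10))}

if __name__ == "__main__":
    print(demo())
```

Two design points follow the testimony directly: every attempt is written to the log whether or not it succeeds, so the report can answer who tried what, when and from where, and the decision is a strict subset test, so presenting more factors than required never hurts while a single missing or failed factor denies access.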

4. Increased Security with Increased Convenience 

Implementing security measures has always come at the cost of convenience.  A PAI enables organizations to choose from various authentication methods to implement the technology that is best for the user population.  The ability to apply flexible policies to meet specific needs, rather than implementing a “one-size-fits-all” solution, accelerates user adoption of and compliance with the security measures deployed. 

Summary 

As organizations move to a completely digital environment, users are given 24x7x365 access to sensitive, critical and often confidential information electronically and in most cases given significant authority to conduct materially affecting transactions in a digital form. What was once a digital evolution within the confines of an enterprise or organization has transformed into ubiquitous access over multiple channels – the enterprise network, the Internet, mobile palm-based devices and wireless phones.  

Organizations need to be able to conclusively verify the identity of individuals and entities before providing the authority and access privileges to allow them to access confidential information or conduct transactions electronically.  It is no longer sufficient to solely trust the security of the core network; organizations must be able to trust both the network and the user at the edge of the network. 

Organizations should consider deploying a personal authentication infrastructure (PAI) that integrates with and manages all components of existing security systems that may include any combination of user authentication – biometric or non-biometric.  It mitigates interoperability problems between multiple applications, authentication methods, channels and platforms, driving cost savings, convenience and security. 

Appendix 1. 

Note: BioNetrix and Karl Ware have not received any Federal grant or contract relevant to the subject of this testimony. 

Biography of Karl Ware, Co-Founder, Executive Vice President of Operations, BioNetrix

Karl Ware co-founded BioNetrix in 1997 and launched the company’s flagship product, the BioNetrix Authentication Suite. As executive vice president of operations, Ware now oversees the company’s day-to-day operations.  Before founding BioNetrix, Ware worked in various capacities at Dow Jones Telerate and Motorola, creating and executing successful marketing initiatives. He launched more than 18 different products for the two companies into both domestic and international markets. 

Ware started his career in Washington, D.C., where he obtained an expertise in information security working for the Central Intelligence Agency (CIA). He later served as vice president of information/communications security for JP Morgan, where he defined technical and user security policies for the organization.  Ware has worked extensively in England, Hong Kong, Singapore and Indonesia.  

BioNetrix Company Overview

BioNetrix delivers information security at the network’s edge – the intersection where people access information – through an authentication software platform that allows organizations to control who accesses their critical applications, transactions and data.

The BioNetrix platform deploys and manages a host of personal authentication technologies, including biometrics (fingerprint, face, iris, voice and signature recognition), smart cards and tokens.  Through the deployment of these advanced authentication technologies, BioNetrix provides conclusive identity verification of employees, customers and partners, strengthening security for enterprise computing and Internet transactions.  With BioNetrix, organizations can authenticate people, not just machines, and as a result, deliver trusted, higher-value electronic business.

Recent industry accolades for the BioNetrix product include Network Computing’s “Well-Connected” and “Editor’s Choice” awards, and Network World’s “World-Class” and “Best of the Tests” awards.

Now led by CEO John Ticer, BioNetrix was founded in 1997 by Peter Bianco, Vice Chairman, and Karl Ware, executive vice president of operations.  BioNetrix is headquartered in Vienna, Va., in the heart of the area’s high-tech corridor.  The company’s management team and board of directors have successfully built companies that dominated their markets. The BioNetrix team is made up of proven, driven individuals who have done it before. 

The BioNetrix PAI

BioNetrix extends information security to the network’s edge – the intersection where people access information – through a centrally managed authentication platform that allows organizations to control who accesses their critical applications, transactions and data. The BioNetrix platform deploys and manages a host of personal authentication technologies, including biometrics (fingerprint, face, iris, voice and signature recognition), smart cards and tokens.  Through the deployment of these advanced authentication technologies, BioNetrix provides conclusive identity verification of employees, customers and partners, strengthening security for enterprise computing and Internet transactions.  With BioNetrix, organizations can authenticate people, not just machines, and as a result, deliver trusted, higher-value electronic business.

The BioNetrix Authentication Suite is the industry’s first multi-channel PAI, providing a single identity verification management system for both enterprise and Web-based applications.  With one universal management platform, an organization can manage authentication throughout its entire computing environment, streamlining administration functions and reducing complexity.

The Authentication Suite integrates with and manages all components of existing security systems that may include any combination of user authentication, biometric or non-biometric.  It mitigates interoperability problems between multiple applications, authentication methods, channels and platforms, driving cost savings, convenience and security. 

The BioNetrix solution includes the most extensive authentication method and application libraries in the industry.  The product’s open architecture ensures that methods and applications not supported in the core product are easily integrated using BioNetrix’s suite of toolkits.  
