When passwords aren't enough
Safeguarding passwords and changing them regularly are best-practice recommendations. Still, passwords "get out." The problem is that
passwords are used by people who forget them, mistype them, or choose letter combinations that are simple to guess or hack. Passwords
are a burden: managing multiple passwords is a chore, both for everyday users and for IT/Help Desk staff. In a recent poll by Harris
Interactive for Quest Software, 28% of knowledge workers in the US reported that they have to remember more than five passwords to do
their work, with most of those (26%) required to change passwords at least once a month. Passwords are misused: there are a number of
situations in which passwords are commonly misused, for example license sharing, carelessness, impersonation and
convenience.
Secondary authentication hardware gets lost, or worse
Hardware devices like USB keys, thumbprint readers and dongles can be lost, stolen, or passed on to others. Recently, they have been
hacked, too. Advanced biometrics like retinal scanners and voice recognition are great — but they may not be available when you are on the go
or using a public PC. And they are expensive.
A better biometric
We built CVMetrics™ to address these shortcomings of passwords and of the specialized hardware used for endpoint security. It is a software product
that does advanced biometrics without hardware: it recognizes a person by how they use the keyboard. CVMetrics profiles contain no Personally
Identifiable Information (PII) that could be traced back to an individual, repurposed or "leaked." Even as you change or vary your habits over
time, CVMetrics learns these new patterns and incorporates them into your profile. Freed from the confines of simple, credential-based design,
CVMetrics can be used in numerous ways in different environments, including:
- Password management: allowing users to self-serve account problems by identifying individuals by how
they use the keyboard, rather than relying on hints or questions that can be guessed or compromised. Instead of asking users to
name their elementary school, the system can simply ask a random question, such as "Tell me about the worst commute you ever
had." The questions can be different, and the answer itself isn't important, only how the answer is typed. Even better, if the
result doesn't meet a given accuracy threshold, the user can be asked to type a little more.
- Regulatory compliance for records management: documenting who had access to information, particularly in
shared environments like healthcare, where providers might share a single workstation but need documentation to comply with HIPAA.
As ever more accuracy and transparency is required by more and more regulatory acts, there is a greater need than ever for automated,
unbiased documentation solutions that still comply with the Paperwork Reduction Act (PRA). CVMetrics helps with compliance
with laws and standards such as:
  - Design Criteria Standard for Electronic Records Management Software Applications (DoD 5015.2): records management in the public sector
  - Family Educational Rights and Privacy Act (FERPA): privacy of student records
  - Gramm-Leach-Bliley Act (GLB): privacy of consumer information
  - Health Insurance Portability and Accountability Act (HIPAA): privacy of healthcare records
  - Sarbanes-Oxley Act (SarbOx): internal controls over records and information
  - SEC Rule 17a-4: protecting the integrity of all securities records
- Continuous validation: providing a background process that ensures the
validated user doesn't change after authentication by the endpoint. Passwords, smart cards and other means
of verifying identity can be copied, lost, or compromised, and in some environments credentials are
purposely shared for certain resources. In any of those cases, once the user is authenticated, there is no
assurance that the ongoing access and activity represent the same person. Using nothing more than the hardware
already connected to the computer (the keyboard), CVMetrics can provide a continuous trail of information
about who is sitting at the machine.
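As an added illustration of the two keyboard-based scenarios above (the "type a little more" fallback in password self-service, and continuous validation of who is at the keyboard), the following JavaScript is example code written for this page; it is not CVMetrics' own implementation, and the page says only that a JavaScript-enabled browser is needed on the client. The timing features (key dwell and flight times), the z-score-based match score, the threshold, the minimum keystroke count, the window size and the seeded synthetic typing data are all assumptions constructed for the example. In a browser the events would come from keydown/keyup handlers; here they are generated so the block runs offline in Node or a browser console.

```javascript
// Added example of keystroke-dynamics scoring; not CVMetrics code. Names, timings and
// thresholds are assumptions chosen for the example.

// A keystroke event is { key, down, up } with millisecond timestamps, in typing order.
// Dwell = how long each key is held; flight = gap between releasing one key and pressing the next.
function extractTimings(events) {
  const dwell = events.map(e => e.up - e.down);
  const flight = [];
  for (let i = 1; i < events.length; i++) flight.push(events[i].down - events[i - 1].up);
  return { dwell, flight };
}

function stats(xs) {
  const mean = xs.reduce((a, b) => a + b, 0) / xs.length;
  const variance = xs.reduce((a, x) => a + (x - mean) ** 2, 0) / xs.length;
  return { mean, std: Math.sqrt(variance) };
}

// Enrollment: pool the timings of several typing samples into a profile of means and
// standard deviations. No typed text is stored, only timing statistics.
function enroll(samples) {
  const dwell = [], flight = [];
  for (const s of samples) {
    const t = extractTimings(s);
    dwell.push(...t.dwell);
    flight.push(...t.flight);
  }
  const clamp = st => ({ mean: st.mean, std: Math.max(st.std, 1) }); // avoid divide-by-zero
  return { dwell: clamp(stats(dwell)), flight: clamp(stats(flight)) };
}

// Score = mean absolute z-score of the sample's timings against the profile (0 = perfect match).
function scoreSample(profile, events) {
  const { dwell, flight } = extractTimings(events);
  const zs = dwell.map(x => Math.abs(x - profile.dwell.mean) / profile.dwell.std)
    .concat(flight.map(x => Math.abs(x - profile.flight.mean) / profile.flight.std));
  return zs.reduce((a, b) => a + b, 0) / zs.length;
}

const MIN_KEYSTROKES = 20;   // assumed minimum before a decision is attempted
const DEFAULT_THRESHOLD = 2; // assumed accept/reject cut-off; tuned per deployment

// Verification with the "type a little more" fallback from the password self-service scenario.
function verify(profile, events, threshold = DEFAULT_THRESHOLD) {
  if (events.length < MIN_KEYSTROKES) return { decision: 'need-more-input', score: null };
  const score = scoreSample(profile, events);
  return { decision: score <= threshold ? 'accept' : 'reject', score };
}

// Continuous validation: score successive windows of a session so a change of typist is flagged.
function monitorSession(profile, events, windowSize = 20, step = 20, threshold = DEFAULT_THRESHOLD) {
  const windows = [];
  for (let start = 0; start + windowSize <= events.length; start += step) {
    const r = verify(profile, events.slice(start, start + windowSize), threshold);
    windows.push({ start, ...r });
  }
  return windows;
}

// ---- Constructed data (seeded LCG so the run is reproducible; no real keystrokes) ----
function makeRng(seed) {
  let s = seed >>> 0;
  return () => { s = (Math.imul(s, 1664525) + 1013904223) >>> 0; return s / 4294967296; };
}

// Synthetic typist: dwell/flight around a base value with uniform jitter of +/- jitter/2 ms.
function synthSession(rng, n, dwellBase, flightBase, jitter, t0 = 0) {
  const events = [];
  let t = t0;
  for (let i = 0; i < n; i++) {
    const dwell = dwellBase + (rng() - 0.5) * jitter;
    events.push({ key: 'x', down: t, up: t + dwell });
    t += dwell + flightBase + (rng() - 0.5) * jitter;
  }
  return events;
}

const rng = makeRng(42);
const profile = enroll([1, 2, 3, 4, 5].map(() => synthSession(rng, 40, 90, 120, 40)));
const genuine = synthSession(rng, 40, 90, 120, 40);    // same habits as enrolled
const impostor = synthSession(rng, 40, 140, 220, 40);  // slower, different rhythm
// Session in which the enrolled user types 40 keys and then someone else takes over.
const handover = genuine.concat(synthSession(rng, 40, 140, 220, 40, genuine[39].up + 150));

function demo() {
  return {
    genuine: verify(profile, genuine).decision,
    impostor: verify(profile, impostor).decision,
    tooShort: verify(profile, genuine.slice(0, 10)).decision,
    session: monitorSession(profile, handover).map(w => w.decision),
  };
}
console.log(demo());
```

The profile holds nothing but timing statistics, which is the property the page claims for its PII-free profiles; the threshold is the single knob a simple password-reset deployment would tune, and the windowed scores are what a background validation process would report to the analytics service. A sample that is too short is not rejected but sent back for more typing, as the page describes.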
Specifications at a glance
CVMetrics is distributed in three different offerings: 1.) as part of the TickStream® application for comprehensive
desktop analytics, 2.) as a plug-in component for applications (either web or desktop), 3.) as an interactive,
standalone application for targeted solutions.
- If installed as part of a desktop client application, it requires Microsoft .NET 4.0 or later, and will run on
any modern version of Microsoft Windows, XP or later. If installed in a web-based environment, it requires only
a JavaScript-enabled browser on the client.
- It uses fractions of 1% of available CPU (about 2 minutes per month) for a machine running 24/7. The web
service payload is about 100 bytes per transmission, with the frequency configurable by administrators, along
with many other operating characteristics. The server storage requirements are very low, usually 1-2Mb per user,
which represents the user's encrypted metrics.
- The backend analytics services architecture is a straightforward Microsoft IIS/SQL deployment, offered in a SaaS
cloud or optionally installed in a privately managed environment. Depending on the scale and security
requirements, the private implementation may range from a single server inside the firewall to multiple servers
running across a DMZ, using SSL encryption on the web services.
Reporting
Reports come in many types, ranging from single analytics (e.g., notification events via email) through complex,
in-depth analysis delivered to visualization products like SAP or Oracle/OBIEE. CVMetrics can expose a variety (11 or
more) of high-level statistics about the results, which allows the application to be fine-tuned to the environment. For
simple password management implementations, this may be only a single, high-threshold metric, whereas more complex
scenarios, such as intelligence solutions, might employ a cross section of different measurements adjusted to
multiple baselines. Depending on the use, reporting data are available either via standard XML web services, which
can be accessed through SSL (or further encrypted using another protocol, such as 3DES), or directly through linked
libraries or reflection.