Policy, Critical infrastructure

Industry Innovators: Access control

December 3, 2012

When we talk about access control, we usually assume that we are discussing all of its aspects, including identification, authentication and authorization. This month, we are hitting some important high points that touch each of those. First, we look at biometrics, which has long been thought of as expensive and, perhaps, a bit too flaky for mass use. Oh, there was never any doubt that if you could have a low cost, accurate, easy-to-use biometric tool you could have solid authentication. But cost and other factors limited their use to very high-security applications.

Unfortunately, in today's paranoid, compliance-driven world, almost everything is high security. So biometrics has started to look like a pretty attractive authentication option. We still have to get past the cost and apply biometrics to masses of people. 

Identity and access management is the next challenge. The simple question of “who are you?” is not quite so simple in an age of mobile devices and large networks with fuzzy perimeters. We've got a really nice product for you in this area. Operating in the cloud adds a level of ease of use that is a big deal in the types of applications we see today.

Finally, authorization took a hit when mobile devices – especially in an age of bring-your-own-device (BYOD) – started to take over. While not quite ubiquitous computing, these devices pose a special challenge. The organization needs to be able to control devices that access its data, but that do not belong to the organization. This is an authorization issue, but it also has elements of identification and authentication. 

The usual approach to the problem has traditionally been network access control (NAC). That has worked fine with relatively static devices on the network. But with the BYOD challenge, new wrinkles need to be added to make everything work smoothly and safely. Our Innovator this year has a good handle on the problem and is both creative and effective. The results certainly get the job done. 

So, on with the show. Here are our first Innovators for 2012:

EyeLock

For those of you who have travelled internationally – or even within the United States – you know that long lines can develop at the various security checkpoints. But, what if you could enroll once for a simple, unobtrusive biometric scan and never need to wait in a line again? Impossible? Not anymore. EyeLock has come up with a series of iris scanners that can read your eye at a distance while you are walking through the line. While it does not replace the devices that scan you and your carry-ons, for those frequent travelers who will soon have special ID cards, this is just the ticket.

What about the process of getting a visitor's badge every time you go to visit a company? Or, if you are an employee at a large facility that requires an ID card swipe every time you go in or out? This authentication would do the trick nicely.

Some of our innovators focus on creative technology and some on innovative go-to-market strategy. EyeLock is the whole package. The solutions to problems that it believes can be solved with its sophisticated biometric technology are developed in close cooperation with customers, academics and industry. Because the basic premise of replacing the swipe card with biometrics was a bit of a big bite for the market to swallow, the company set about to bring the price way down and the accuracy way up.

The key to the success of this company's products is scalability. The EyeLock tools are not intended for one-off applications residing only in high security areas. The scanners can analyze up to 20 people per minute for an average pass-through time of a little over two seconds, more than competitive with the card-swipe systems they replace. 

We liked this company both for its innovation and for its vision. Sometimes, it seems as if products such as these are solutions looking for a problem. However, EyeLock's technology shows the promise of revolutionizing how biometrics can be used – and this is no small feat, indeed. 

AT A GLANCE

Vendor: EyeLock  

Flagship product: EyeSwipe-Nano TS 

Cost: $6,000.

Innovation: In-motion and at-a-distance iris authentication technology.

Greatest strength: Creative solution to several difficult problems in biometrics.

 

<--

BehavioSec

This has been our year for very cool biometric products. While “cool” is not our primary criterion, we must admit that, at least in the biometric category, the cool factor is alive and well. We really had to do some research on this one because their claim of developing “behavioral biometrics” seemed a bit of a reach to us. 

But this is a whole lot more than keystroke monitoring. This is the application of keystroke dynamics to a concept the company calls “continuous authentication.” First, the algorithms used by this Innovator take keystroke monitoring to a whole new level. Then the company applies this to a scheme of continuous monitoring using neural networks to accommodate small inconsistencies and refines a user profile. Over time – and not very much time, it turns out – the user profile is quite solid and the user can be authenticated throughout the session, rather than simply at login time.

BehavioSec needed to apply its technology to the market and that meant developing three powerful applications, each of which meets a real need. The Enterprise version is a full desktop implementation that combines all of the firm's extensive features in a single product. The Mobile version trims down the Enterprise model to address the specific needs of the mobile device market. And our favorite, the web version, allows continuous authentication over the web for such apps as online banking. This version alone could take a very big bite out of online bank fraud.

We found this to be a real poster company for innovation because BehavioSec has taken a core concept that has not been executed well and, through creative thinking and very good market understanding, built upon the concept. The result is keystroke dynamics done right and applied appropriately to very useful applications in the real world. BehavioSec has come up with an excellent technology that is not just a cool product looking for a problem to solve.

AT A GLANCE

Vendor: BehavioSec

Flagship product: BehavioWeb

Cost: Starts at $1 per user per year. 

Innovation: Invented the concepts of “behavioral biometrics” and “continuous authentication.”

Greatest strength: Vision and creativity.

 

Lighthouse Security Group

Identity and access management (IAM) can mean big, complicated applications that cost a lot of money and are challenging to deploy. That generally rules out smaller organizations as IAM customers. However, size and complexity of the application does not mean that these smaller organizations don't have many of the same needs as the larger ones.

Lighthouse Security had a history in large multi-tenant IAM deployments and sought to bring that expertise to a different market. Already expert in the use of IBM's IAM product, Lighthouse repurposed that implementation into a cloud-based service for smaller organizations. That meant that the company needed to provide an easy-to-use front-end so that organizations lacking expertise or resources for the larger more complicated deployment still could take advantage of the power of the system. 

The Lighthouse Gateway is completely cloud-based and integrates nicely with a customer's existing applications. In fact, the product comes with more than 70 connectors for various applications, such as lightweight directory access protocol (LDAP), Active Directory and SAP, and additional connectors are possible as well.

It takes a lot of vision to see beyond the obvious – on-promise integration and resale of the product – and apply solid user-focused principles to delivering an entirely new concept based on tried-and-true technology. This Innovator has done exactly that. By implementing IBM technologies in which Lighthouse is expert to a totally different, but equally important, environment, the company has changed the dynamic of IAM for smaller businesses. But, because the capability is scalable, larger businesses can take advantage of it as well, allowing them to do what they are good at rather than focus on IAM. They can have the capabilities without sacrificing power or utility for cost and ease of use.

AT A GLANCE

Vendor: Lighthouse Security Group 

Flagship product: Lighthouse Gateway

Cost: Starts at $2,995/month.

Innovation: Moved best-of-breed identity and access management to the cloud, making it accessible for smaller organizations.

Greatest strength: Ability to match a complicated technology to market needs through adroit application of market-focused customization to a large-scale, best-of-breed product.

 

ForeScout
We asked this Innovator what their vision was. The answer, actually, didn't surprise us much: simplicity, visibility of the network and compliance. That is exactly what we would expect to hear from a leading developer of traditional NAC products for the enterprise. However, we weren't talking about traditional NAC products. We were talking about mobile devices, and that is an entirely different, and usually more demanding, world.

This is the age of BYOD. Allowing users to connect personal devices to the organizational network poses a list of challenges that would more than fill this section. However, ForeScout did the obvious thing: It treated mobile devices exactly as it would treat a Windows or Linux device.

Suppose that a mobile device goes onto the network. It is fully compliant and it gets the necessary credentials to connect. Then the user jailbreaks it (or, in the case of Android, roots it). Will it be seen by the NAC or whatever mobile device management (MDM) tool is being used?

The secret is visibility of the network. That means that the NAC needs to see everything on the network and be able to ensure that every device belongs on the network and is configured securely. In the case of mobile devices, it also means that the NAC needs to manage BYOD without infringing on the owner's private data. However, there is a huge challenge in BYOD NAC: Protect the organizational data while not impacting the user's personal data. This requires a unified approach to controlling what can and what cannot access the network.

Since some organizations may or may not already have MDM, there are three ways that ForeScout can deploy. The first is the whole kit. This is full integration of ForeScout MDM with NAC. The second, ForeScout Mobile, is a slimmed-down deployment that focuses more on the mobile security requirements. This solution supports both iOS and Android. The third, for those that have MDM deployed already, is integration of the existing MDM into the ForeScout NAC (CounterACT).

AT A GLANCE

Vendor: ForeScout Technologies

Flagship product: ForeScout Mobile

Cost: $2,000 for 1,000 Android/iOS devices (plus CounterACT NAC Appliance).

Innovation: Bringing traditional NAC to mobile devices. encryption applications.

Greatest strength: Long experience in the NAC market.


prestitial ad