ISC West 2019 is quickly approaching! In addition to great networking, special events and new products and technologies, attendees have access to 85+ top-quality training sessions through SIA Education@ISC. While panels are common at ISC West, on Thursday, April 11, attendees can attend a session with a twist that hasn’t been done before.
Instead of featuring panelists taking rounds of questions in pursuit of consensus, The Great Biometric Debate aims to illustrate differences of opinion between two industry analysts with domain expertise on the topic – Terry Gold, founder of D6 Research, and C. Maxine Most, founding principal of Acuity Market Intelligence. The audience will witness diametrically opposing views on the topic, with the goal of broadening the viewpoints attendees take into consideration. The session will be moderated by Douglas Pelton, information technology manager at Wells Fargo.
We sat down with Gold, who came up with the idea and organized the panel.
How and why did you come up with this idea?
Terry Gold: The industry holds many misconceptions about this technology, and venues for bringing visibility of the core issues tend to be limited. I wanted to showcase all angles of how two people who are tasked to be nuanced in this area might contest one another’s ideas and opinions – pretty much how real conversations happen if not discussing with only those that already agree with one another. My hope is that the audience, even die-hard biometric fans, will walk away with new considerations when specifying projects or providing advice to others.
What types of misconceptions?
TG: Well, we’ll cover all of them in the session, but for the most part, they’re pretty nuanced and out of view for most people. To best characterize it, I find that it’s primarily a disconnect between what goes on in view at the presentation layer and the technical underpinnings. For example, people tend to subscribe to the belief that “biometrics are precisely who people say they are.” Conceptually, yes, but depending on the underlying process, this can be false as well, which has a significant impact at the application level, methods of exploitation and conformance to well-established information security principles. As a result, there’s a pretty big gap between what some may expect, assert or receive from the technology.
Which role do you play – the advocate or the skeptic?
TG: The latter.
Are you against biometrics?
TG: No, not really. I’m equally critical of all technologies (audible laugh). That’s my job as a neutral analyst. If we’re not doing it, then who is?
TG: Yes, and D6 has a long history of working with the (white hat) hacker community. We’re pretty involved in that community, although it may surprise some that they have misconceptions as well, which is why we hear about them trying to spoof fingers (sometimes successfully, sometimes not) and they’re aghast when I show them a broader attack surface that doesn’t even involve spoofing.
You seem passionate about this subject…
TG: Yes, because there’s a tangible impact. If an end user is requesting high security, then all nuances need to be considered (and mitigated or appropriately controlled). So it’s critical that these elements are brought into view and considered when designing security programs. Conversely, if high security isn’t the objective, then security elements are less critical; however, others, such as scale, compliance, use case and agility come into scope just the same.
What’s your experience with biometrics?
TG: In addition to conducting ongoing evaluations as an analyst, long ago I worked for a biometric company to design its logical convergence product and in that time became very familiar with the low-level mechanics (e.g., algorithms, sensors, application, protocols) and non-technical considerations. One might say that I know “how the sausage is made.”
How about the other panelist?
TG: C. Maxine Most has been focused on biometrics for many years. She possesses a broad range of project, market and advisory experience across industries and applications concerning biometrics. She’s more of an advocate than I am, though a realist. We’ve connected a few times and had some “mini-debates,” although we’ve agreed at times that these considerations would benefit the broader community, so I called her up and said, “Want to do this at ISC West to benefit others?” That’s how it went down.
How about the moderator?
TG: I knew the format and scope of positions we’d each take and felt strongly that we needed a moderator who actually understood both the technical elements and use case aspects to effectively guide both sides to clarity and, at times, referee well within some context. I didn’t want just a talking head reading off questions. Doug Pelton from Wells Fargo immediately came to mind. He has a unique background in public key infrastructure, authentication and identity management, holding these roles across both physical and logical domains. He understands the real-world considerations of deployment across a large enterprise with high security requirements, but he’s also very pragmatic and has a real skill at listening and parsing out viewpoints – even those he doesn’t agree with.
So is this going to be a battle?
TG: At times, but a friendly one. I put the panel together to illustrate differences of opinion and the nuances that support those arguments. Therefore, while Maxine is more of an advocate than I am, we definitely agree in many areas, but we’re focused on disagreeing for the benefit of the audience. Hence, we are playing more extreme roles of ourselves for the benefit of the audience. She knows my positions going into this, and vice versa, but the actual discussion isn’t rehearsed and will happen in real time.
So you do like biometrics more than you’re letting on?
TG: Correct. I’m critical in some areas but a fan in others. Depends on use case, application, context – and of course, vendor implementations and practices vary greatly sometimes. My opinion can range depending on context but is measured against what’s expected and asserted. If a vendor asserts “unhackable,” then you can bet it’s a thicker lens for validation to take place.