
Banque Saudi Fransi Deploys Biometric Authentication

Banque Saudi Fransi invests in next-generation biometric authentication with Imprivata's OneSign single sign-on appliance.

Many institutions approach access management incrementally, but forethought at Riyadh, Saudi Arabia-based Banque Saudi Fransi (US$26.7 billion in total assets) permitted a leap from manual password input straight to next-generation biometric authentication. "Password proliferation began creating challenges in 2003," explains Abdulilah Madan, systems security manager for the bank. "But consolidation solutions were too immature, expensive and difficult to deploy in our mixed mainframe and LAN environment. This caused us to delay an authentication project to early 2006. By that time, strong authentication [i.e., tokens, smart cards or biometric devices] had become viable. So we added this capability in our requirements."

Of the six authentication and access management solutions considered, Madan's team narrowed the choices to two by June 2006. One was a software-based solution while the other was Lexington, Mass.-based Imprivata's OneSign, a purpose-built appliance. "Although Imprivata's appliance was faster and simpler to implement, its fingerprint reader capabilities sealed the deal," recalls Madan. "The other solution only supported tokens or smart cards. Since fingerprints are an identifier that can't be stolen or imitated, and you can't lose them, we chose Imprivata."

During September 2006 a contract was negotiated for 200 site licenses to cover the bank's headquarters, with plans to expand to 2,200 users enterprisewide once the initial implementation proved successful. The appliance, along with UPEK's (Emeryville, Calif.) fingerprint biometric readers, arrived in December and implementation started in January. According to Imprivata, the self-contained appliance walks users through the deployment process using a Web-based interface and automatically learns the password/access behaviors of all applications.

"Since the appliance is plug-and-play, we integrated 80 applications and distributed all of the fingerprint readers within two months," Madan notes. "By June 2007 all necessary policies and procedures were developed for an enterprisewide rollout. This included the best practice of scanning three fingers, rather than just one finger, to minimize scanning failures." Over the next 18 months Madan's team visited workstations spread across a country approximately three times larger than the state of Texas to add the remaining 2,000 users.

During the rollout, Madan learned that an impending third-party middleware issue was threatening Imprivata's biometric customers globally. But, he says, the resolution was easily deployed. "Imprivata provided a patch we could deploy overnight, so there was no business impact," Madan explains.

Mounting Benefits

As the rollout of OneSign neared completion in August 2008, benefits were mounting. "Administrative activities related to password resets and lockouts have dropped by 35 to 40 percent," reports Madan. "And workstation sharing has decreased by 90 percent. In addition, reports of password sharing declined from an average of about 20 to one or two. Most important, people stopped keeping written-down passwords under their keyboards or stuck onto their monitors."

Madan also credits Imprivata with incorporating requested improvements into the product. For example, the next upgrade will offer a bleeding-edge functionality called "layered authentication." Whenever a user needs to access a second application from within another application, a pop-up box will provide access instructions, according to Madan. "In the current version, there is no dialogue box prompting users for the second scan," he explains. "And a user's desktop is locked until a scan is completed." To overcome the situation — which affects 800 users — until the upgrade is available, the OneSign appliance currently supplies the same password for the second application that is used to access the first, not an ideal solution from a security standpoint, Madan admits.

Regardless, Madan continues to bring existing OneSign functionalities online. By late 2008 the bank's event monitoring systems were integrated with OneSign, Madan relates. In 2009, he says, OneSign's physical access monitoring capabilities will be enabled, and the bank's identity management system will be linked to the appliance.

At some point, Madan adds, Imprivata's reporting features will be used to tightly align site licenses for all types of applications to match the actual number of users. And the user population will eventually grow to almost 3,000. "Best of all, we never need to modify applications or architecture to accommodate Imprivata," says Madan. "Whatever we add, Imprivata will cater to it automatically."

Case Study Snapshot

Institution: Banque Saudi Fransi (Riyadh, Saudi Arabia).

Assets: US$26.7 billion.

Business Challenge: Improve security by automating password entry.

Solution: Imprivata's (Lexington, Mass.) OneSign appliance with UPEK's (Emeryville, Calif.) fingerprint biometrics scanners.

Anne Rawland Gabriel is a technology writer and marketing communications consultant based in the Minneapolis/St. Paul metro area. Among other projects, she's a regular contributor to UBM Tech's Bank Systems & Technology, Insurance & Technology and Wall Street & Technology ...
