Part 1 of the series looked at the Infrastructure as a Service (IaaS), which is the core platform for any biometrics in The Cloud infrastructure. Part 2 will examine the Platform as a Service (PaaS) and the Software as a Service (SaaS).
The Software as a Service (SaaS)
The SaaS can be viewed as that part of the Cloud-based biometrics infrastructure which consists of all of the software applications. It will consist of two primary components:
- Software applications provided by a biometrics vendor:
In many instances, a biometrics vendor will already have created a pre-developed software application which can be deployed in just a matter of a few minutes without any further programming needed. This type of software can be stored here, and be available on demand, whenever it is needed.
- A customised software environment:
The pre-developed software packages may not meet all of the security needs of the corporation, in which case customised software applications have to be developed. The tools and coding packages needed to create such an application are also made available at this level. For example, if the corporation needs to create a very specific application for its iris recognition device in AngularJS, the requisite APIs will be stored here, and the sandbox will also be located in this layer so that the code can be tested before it is released into the production environment.
The Platform as a Service (PaaS)
The PaaS can be considered to be an extension of the IaaS. While the latter provides the core foundation for the biometrics in the Cloud infrastructure, it is the former which provides the extra services which are needed to make it run effectively and smoothly.
For example, it consists of the specialised management tools which are needed to maintain and optimise the biometric template database. It also contains middleware and other types of managed services used to further fine-tune any software applications which have been developed.
This level also allows software development to happen at a rather quick pace, because the advantage here (versus the SaaS) is that the developer can focus strictly on compiling and testing the code; they do not have to concern themselves with any back-end issues.
Penetration testing and biometrics in The Cloud
Just as in the case of any networked environment, a Cloud-based biometrics infrastructure is prone to some very serious cyber threats, which include the following:
- Anonymous attacks
- Malicious service agent attacks
- Trusted attacks
- Malicious insider attacks
- Traffic eavesdropping
- Denial of service attacks
- Insufficient authorisation attacks
- Virtualisation attacks
- Overlapping trust boundary attacks
Therefore, it is very important to carry out various penetration testing exercises to discover any hidden security gaps and holes. However, keep in mind that conducting a deep, comprehensive penetration test on a Cloud-based biometrics infrastructure can be a very complex task.
For instance, penetration testing has to be approached from both the internal and the external environments. Since the Cloud is essentially a shared space, an attack can originate either inside or outside of the ISP.
Therefore, it is important to come up with a plan as to what should be specifically tested. Some factors to include are as follows:
- Application design:
Consideration needs to be given as to which biometric applications need to be penetration tested, at both the IaaS and the SaaS levels.
- Data access:
This includes penetration testing to see if there are any vulnerabilities within the biometrics database itself. This is one of the most critical aspects of the Cloud-based biometrics infrastructure. This type of testing will occur at the IaaS level.
- Network access:
This area involves penetration testing the network connectivity from the biometric devices installed at the corporation to the IaaS and the PaaS. After all, this is a prime area for a cyber attack, and any holes and hidden weaknesses need to be discovered quickly.
- The virtual servers:
By conducting the appropriate penetration tests here, one can confirm whether the virtual servers which reside at the IaaS can be isolated from the other shared spaces in the Cloud. Thus, a virtualised security wall can be created to protect the server instances.
A popular mechanism used to penetration test a Cloud-based biometrics infrastructure is “fuzzing”. This involves uncovering vulnerabilities in the Cloud by subjecting it to a wide variety of unexpected inputs. There are numerous fuzzing tools which can be used; three examples are as follows:
- The Brute Force Exploit Detector (also known as a “BED”):
This tool detects vulnerabilities such as buffer overflows, format string bugs, and integer overflows.
- The Simple Fuzzer (also known as an “SFUZZ”):
This tool tests for vulnerabilities in Cloud-based network protocols such as HTTP, POP3, RTSP and SMTP, as well as other protocol scripts and command-line interfaces.
- The SICKFUZZ:
This tool was created for conducting deep vulnerability tests within the HTTP protocol, focusing on the HEAD, GET, POST and other methods.
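As an added illustration of what a fuzzing exercise does in practice (this is example code written for this article, not code from the article or from any of the tools above): a constructed, length-prefixed toy template record format is parsed by two parsers, and a small mutation fuzzer (truncation, bit flips, corrupted length fields, appended junk) is run against each in a sandbox. The naive parser trusts its length fields and crashes on some inputs, which is what a fuzzer flags; the hardened parser checks every length before use and rejects bad records cleanly. The record layout and all function names are assumptions made for the example.

```python
import random
import struct
MAGIC = b"BTPL"  # constructed toy format: magic, u16 template len, template, u16 id len, id

class MalformedRecord(ValueError): pass  # raised by the hardened parser for any input it refuses

def build_record(template: bytes, subject: str) -> bytes:
    return MAGIC + struct.pack(">H", len(template)) + template + struct.pack(">H", len(subject)) + subject.encode("ascii")

def naive_parse(record: bytes) -> dict:
    # Trusts both length fields: bad lengths make unpack_from/decode raise, i.e. a crash.
    tlen = struct.unpack_from(">H", record, 4)[0]
    slen = struct.unpack_from(">H", record, 6 + tlen)[0]
    return {"template": record[6:6 + tlen], "subject": record[8 + tlen:8 + tlen + slen].decode("ascii")}

def hardened_parse(record: bytes) -> dict:
    # Every length is checked against the bytes actually present before it is used.
    if len(record) < 8 or record[:4] != MAGIC:
        raise MalformedRecord("bad header")
    tlen = struct.unpack_from(">H", record, 4)[0]
    if tlen == 0 or 6 + tlen + 2 > len(record):
        raise MalformedRecord("template length exceeds record")
    off = 6 + tlen
    slen, subject = struct.unpack_from(">H", record, off)[0], record[off + 2:]
    if slen == 0 or len(subject) != slen or not (subject.isascii() and subject.isalnum()):
        raise MalformedRecord("subject id length or charset invalid")
    return {"template": record[6:off], "subject": subject.decode("ascii")}

def mutate(record: bytes, rng: random.Random) -> bytes:
    # Mutation classes: truncate, flip one bit, corrupt the template length, append junk.
    buf, kind = bytearray(record), rng.randrange(4)
    if kind == 0:
        return bytes(buf[:rng.randrange(len(buf))])
    if kind == 1:
        buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
    elif kind == 2:
        struct.pack_into(">H", buf, 4, rng.choice([0, 1, 0xFFFF]))
    else:
        buf += bytes(rng.getrandbits(8) for _ in range(rng.randrange(1, 16)))
    return bytes(buf)

def fuzz(parser, iterations: int = 2000, seed: int = 1) -> int:
    # Returns how many mutated inputs made `parser` raise anything other than MalformedRecord.
    rng, base, crashes = random.Random(seed), build_record(bytes(range(32)), "user42"), 0
    for _ in range(iterations):
        try:
            parser(mutate(base, rng))
        except Exception as exc:
            crashes += not isinstance(exc, MalformedRecord)
    return crashes
```

Running `fuzz(naive_parse)` reports a non-zero crash count while `fuzz(hardened_parse)` reports zero, which is the signal a fuzzing run in the sandbox should produce before code moves to production.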
Overall, this article has reviewed what a Cloud-based biometrics infrastructure will look like, focusing on the IaaS, SaaS, and PaaS levels. It is important to keep in mind that the Cloud, just like any other networked environment, is also highly susceptible to cyber attacks.
Therefore, it is very important to conduct penetration tests, to fully ensure that all major security weaknesses and vulnerabilities can be quickly discovered and fixed.
The Cloud-based biometrics infrastructure is still a new innovation and has the potential for great levels of growth into the future. In essence, the entire infrastructure will be placed in the hands of participating ISPs.
All that a corporation will have to do is just purchase the requisite biometric devices, and from there, connect them to the infrastructure via the control panel (available at the IaaS level).
This kind of scheme brings many benefits, especially regarding price and scalability. For example, the overall cost will come down to a fixed and manageable level.
Also, as the security needs of the corporation change over the course of time, the size of the Cloud-based biometrics infrastructure can be scaled up or scaled down in a corresponding manner.
Ravi Das is a Cybersecurity Consultant and Business Development Specialist. He also does Cybersecurity Consulting through his private practice, RaviDas Tech, Inc. He also possesses the Certified in Cybersecurity (CC) cert from the ISC2.