Penetration testing

Biometrics in the Cloud and Penetration Testing

Ravi Das
August 1, 2016 by
Ravi Das


Our last article provided a review into what Biometric Technology is generally about. There is no doubt that there are a lot of security tools out there, but there are also an extremely few amount which can provide 100%, irrefutable proof of the identity of an individual. Biometrics allows this because it captures the unique features of either our physiological or behavioral traits.

At the core of this technology is what is known as the "Biometric Template." These are the mathematical files which are used to confirm the identity of a particular individual. Although these templates are in theory difficult to reverse engineer, they are also vulnerable to Cyber-attacks, especially in a networked environment.

Earn two pentesting certifications at once!

Earn two pentesting certifications at once!

Enroll in one boot camp to earn both your Certified Ethical Hacker (CEH) and CompTIA PenTest+ certifications — backed with an Exam Pass Guarantee.

Therefore, the use of BioCrpytography becomes important, when it comes to the encryption and decryption of the Biometric Template. Two examples of this were provided, in the way of Symmetric and Asymmetric mathematical algorithms.

A more extensive review of the latter was provided, as this has a much more robust and secure infrastructure, especially when it comes to using a Public Key Infrastructure (PKI),

Finally, examples of the various Penetration Tests which can be conducted on a Biometric system were also reviewed. This article will continue exploring the use of Biometrics in a large and complex networked environment, namely "The Cloud".

The Cloud

Before we delve any deeper as to what how Biometric Technology can be deployed into the Cloud, we must first have a basic understanding of what the Cloud is about. For example, we have heard the likes of Microsoft Azure, Amazon Web Services, Google Drive, Apple iCloud, etc.

But how is it defined? In its simplest terms, the Cloud is essentially taking all of the information and data you have stored on your local hard drive and moving it to the storage disks of a trusted third party, such as that of an Internet Service Provider (ISP).

Another way of looking at it is you are simply using the Internet to access all of that information and data located in a different environment. There are many advantages to this process, which are as follows:

  1. Flexibility:

    If your business is one with extreme dynamic data sets, the Cloud can provide you with the ability to either scale up or scale down your storage needs in just a matter of seconds. This is also referred to as "Operational Agility". In other words, IT assets can either be deployed or taken away according to the exact needs of the corporation.

  2. Disaster Recovery:

    In today's Cyber threat environment, all corporations (no matter how large or how small) must implement a Disaster Recovery plan. Using the traditional methods can be very cost-prohibitive and time-consuming. But when your data and information are all backed up in the Cloud, you can restore all of that to your local servers in just a matter of a few minutes.

  3. No Capital Expenditures:

    The Cloud possesses a unique trait known as "Resource Pooling." With this, economies of scale regarding both hardware and software can be realized. This simply means that you do not have to worry about any licensing fees, downloading and installing any software patches, or even upgrading any server hardware. All of this is done at the ISP. Also with the Cloud, the IT staff from a corporation can work from anywhere in the world, thus saving even more on tight budgets.

  4. A Predictable Pricing Regime:

    Because of the advantages of Resource Pooling (as described above), using the assets in the Cloud comes at a very affordable price. For example, software which costs thousands of dollars to acquire can be procured for a fraction of that cost by using the Cloud. This allows for the CIO to have a fixed and predictable monthly price for the IT assets which have been allocated.

The Components of Biometrics in The Cloud

The premise behind Biometrics in the Cloud is to have the entire platform (which includes the servers, software applications, databases, etc.) outsourced to a third party, namely the ISP. All that the corporation has to do is to purchase the required Biometric hardware (such as the Fingerprint Recognition Systems, Iris Recognition Systems, etc.).

Keep in mind that a large, Biometric Technology implementation in a corporation can be a very costly endeavor. For instance, there are Project Management and Consulting Fees, expenses related to the deployment, wiring, and networking of all of the Biometric devices to the central server(s), costs related to software development applications, and even the hidden costs of training employees to properly use the new Biometric system.

Therefore, the goal of a Biometrics in the Cloud is not only for a corporation to take advantages of all of the strategic benefits as outlined in the previous section, but to also provide an enhanced means of security which is so gravely needed. Such a regime consists of three main segments, which are as follows:

  • The Infrastructure as a Service (also known as the "IaaS");
  • The Software as a Service (also known as the "SaaS");
  • The Platform as a Service (also known as the "PaaS").

The Infrastructure as a Service (IaaS)

The IaaS can be viewed as the core platform for any Biometrics in the Cloud infrastructure. In other words, with the exception for the Biometric devices themselves, it is at this level where the entire Biometrics infrastructure resides.

At this regime, it is completely virtualized, consisting of two primary components:

  1. The Virtual Server:

    This is where all of the databases will be located which store and house the Enrollment Templates. Also, the mathematical algorithms which are used to process the transactions between the Enrollment and Verification templates will be located here as well. The Biometrics infrastructure will also need to possess an Operating System, whether it is Windows or Linux based, and will reside here as well. From here, the IT or Security Administrator can then access the entire Virtual Server, and make any modifications or enhancements as necessary through the use of the Control Panel.

  2. Networks:

    It as this level also where the network connectivity will be established from the Biometric devices to the Cloud based Biometrics infrastructure, and vice versa. For example, if an Iris Recognition Device were to be used, it would be mounted on a special aperture. From this point, the network connection would then be established to the Virtual Server, via the control panel. Thus, if an end user started the Enrollment process, the Iris Recognition device would capture the multiple images, create the composite image, extract the unique features, and create the Enrollment Template. But rather than storing it on the device itself, it would be transmitted from the device to the database in the Virtual Server with the network connectivity configured from within the control panel. Therefore, it will be very important for each Cloud-based Biometrics infrastructure to possess its own IP address, to specifically distinguish it from other infrastructures stored at the ISP.

The Software as a Service (SaaS)

The SaaS can be viewed as that part of the Cloud based Biometrics infrastructure which consists of all of the software applications. It will consist of two primary components:

  1. Software applications provided by a Biometrics Vendor:

    In many instances, a Biometrics Vendor will already have created a pre-developed software application which can be deployed in just a matter of a few minutes without any further programming needed. This type of software can be stored here, and be available on demand, whenever it is needed.

  2. A customized software environment:

    It may be the case that the pre-developed software packages may not meet all of the security needs of the corporation, thus customized software applications have to be developed. The tools and the coding packages which are needed to create such an application will be made available at this level also. For example, if the corporation needs to create a very specific application for its Iris Recognition device in Angular JS, the requisite APIs will be stored here, and the sandbox will also be located in this regime so that the code can be tested before it is released into the production environment.

The Platform as a Service (PaaS)

The PaaS can be considered to be an extension of the IaaS. While the latter provides the core foundation for the Biometrics in the Cloud infrastructure, it is the former which provides the extra services which are needed to make it run effectively and smoothly.

For example, it consists of specialized management tools which are needed to maintain and optimize the Biometric Template database. It also contains middleware, and other types of managed services to further fine tune any software applications which have been developed.

This level also allows for software development to happen at a rather quick pace because the advantage here (versus the SaaS) is that the developer can focus strictly on compiling and testing the code. They do not have to concern themselves with any back-end issues.

Penetration Testing and Biometrics in the Cloud

Just as in the case of any networked environment, a Cloud-based Biometrics infrastructure is prone to some very serious Cyber threats, which include the following:

  • Anonymous Attacks
  • Malicious Service Agent Attacks
  • Trusted Attacks
  • Malicious Insider Attacks
  • Traffic Eavesdropping
  • Denial of Service Attacks
  • Insufficient Authorization Attacks
  • Virtualization Attacks
  • Overlapping Trust Boundary Attacks

Therefore, it is very important to do various Penetration Testing exercises to discover any hidden security gaps and holes. But however, keep in mind that conducting a deep, comprehensive Penetration Test on a Cloud-based Biometrics infrastructure can be a very complex task.

For instance, Penetration Testing has to be approached from both the internal and the external environments. Since the Cloud is essentially a shared space, any type or kind of attack can occur from within or outside of the ISP.

Therefore, it is important to come up with a plan as to what should be specifically tested. Some factors to include are as follows:

  • Application Design:

    Consideration needs to be given as to which Biometric applications need to be Penetration Tested, in both the IaaS and the SaaS levels.

  • Data Access:

    This includes Penetration Testing to see if they are any vulnerabilities from within the Biometrics database itself. This is one of the most critical aspects of the Cloud based Biometrics infrastructure. This type of testing will occur at the IaaS level.

  • Network Access:

    This area involves Penetration Testing the network connectivity from the Biometric devices installed at the corporation to the IaaS and the PaaS. After all, this is a prime area for a Cyber-attack, and any holes and hidden weaknesses need to be discovered quickly.

  • The Virtual Servers:

    By conducting the appropriate Penetration Tests here, one can confirm if the Virtual Servers which reside at the IaaS can be isolated from the other shared spaces in the Cloud. Thus, a virtualized security wall can be created to protect the server instances.

A popular mechanism used to Penetration Test a Cloud-based Biometrics infrastructure is that of "Fuzzing". This involves uncovering all kinds of vulnerabilities in the Cloud by subjecting it to a wide variety of inputs. There are numerous types of Fuzzing tools which can be used, and they are as follows:

  • The Brute Force Exploit Detector (also known as a "BED"):

    This detects for vulnerabilities such as buffer overflows, format string bugs, and integer overflows.

  • The Simple Fuzzer (also known as an "SFUZZ"):

    This tests for vulnerabilities in Cloud-based network protocols such as the HTTP, POP3, RTSP, SMTP, other protocol scripts, and command line interfaces.


    This tool has been created for conducting deep vulnerability tests from within the HTTP Protocol, focusing upon HEAD, GET, POST, etc.


Overall, this article has reviewed what a Cloud-based Biometrics infrastructure will look like, focusing on the IaaS, SaaS, and PaaS levels. It is important to keep in mind that the Cloud, just like any other networked environment, is also highly susceptible to Cyber-attacks.

Therefore, it is very important to conduct Penetration Tests, to fully ensure that all major security weaknesses and vulnerabilities can be quickly discovered and fixed.

The Cloud-based Biometrics infrastructure is still a new innovation and has the potential for great levels of growth into the future. In essence, the entire infrastructure will be placed in the hands of participating ISPs.

All that a corporation will have to do is just purchase the requisite Biometric devices, and from there, connect them to the infrastructure via the control panel (available at the IaaS level).

This kind of scheme brings many benefits to it, especially regarding price and scalability. For example, the overall cost will come down to a fixed and manageable level.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Also, as the security needs of the corporation changes over the course of time, the size of the Cloud based Biometrics infrastructure can either be scaled up or scaled down in a corresponding manner.


Ravi Das
Ravi Das

Ravi is a Business Development Specialist for BiometricNews.Net, Inc., a technical communications and content marketing firm based out of Chicago, IL. The business was started in 2009, and has clients all over the world. Ravi’s primary area of expertise is Biometrics. In this regard, he has written and published two books through CRC Press. He is also a regular columnist for the Journal of Documents and Identity, a leading security publication based out of Amsterdam.

You can visit the company’s website at (or; and contact Ravi at