SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
Story image
Customer satisfaction guide for zero trust
Thu, 21st Apr 2022
FYI, this story is more than a year old

As business leaders look to incorporate principles of zero trust into their environment, one of the most daunting challenges is applying this new security model to digital interactions with customers.

A key concern is that it will hamper the organisation's ability to interact with the customer seamlessly and without barriers. However, zero trust doesn't have to harm the quality of an organisation's digital interactions and personalised engagements with customers, including the ability to connect with speed and convenience.

The level of digital services customers now expect isn't possible with standard identity and access management architectures. Organisations require a customer-facing identity and access management (CIAM) infrastructure to gather, manage, integrate, and secure unique customer identities.

Implementing a zero-trust model imposes new requirements onto a company's CIAM infrastructure, namely the need for anything that is trying to connect to the organisation's system to be verified before access is granted.

Another consideration when implementing zero trust is that customers now expect their experience to follow them no matter where they are interacting with a brand. As such, the organisation must keep the experience as familiar as possible.

There are three ways business leaders can achieve a zero trust focus for their CIAM infrastructure:

1. Shrink the attack surface

Although network segmentation has long been a security practice for architects, zero trust formalises the approach to isolate valuable, well-protected systems. Under a zero-trust model, organisations should shrink each network zone across their environment and then enable control access for each.

Beyond network segmentation, business leaders can further section off access to applications and microservices by using gateways. When access to each service is segmented and secured, organisations decrease the attack surface that may be public-facing or within a zone that has been compromised by a malignant agent or user. Organisations can also apply specific security processes to each microservice, shrinking their exposure further.

2. Enforce least privilege

As services are now commonly scattered across various remote sources, they cannot always be protected with a secured zone or a dedicated network. Enforcing a least-privilege security model has always been a primary zero trust network strategy; however, today's anywhere microservice environment gives credence to expanded use of the least privilege security model.

To stay on top of their least privilege strategy, business leaders should set up an environment where they can automatically manage user access, identity information, and access policies.

This may include employing comprehensive auditing to document privileged users' roles and actions, which can help deter rogue behaviour. This may also involve implementing an automated privileged user lifecycle that keeps up with administrators' changing roles and responsibilities, ensuring business leaders are informed on privileged users' access rights.

3. Adaptive authentication

As customers transition to digital consumers, IT teams continue to revisit the balance between the level of risk that an organisation is willing to tolerate and the need to engage with its consumers effectively. Keeping private data secure while offering a more powerful and compelling service to customers is a constant challenge for most organisations.

Using a zero-trust security model to meet these challenges requires stronger risk-based authentication. This model eliminates single sign-on in favour of continuous authentication. Whenever a customer accesses a new resource or a protected resource outside of their expected behaviour, they will be required to verify their identity.

To stop consumers from being repeatedly asked to reverify, IT teams need to implement some passive or at least low-friction methods for customers to verify themselves. This means the risk engine needs to be much more context-aware and more effective at discerning between expected user behaviour and actual higher-risk situations.

Beyond adapting authentication levels based on customer context, IT teams also have the option of adapting authorisation for what the user can access. For example, there may be situations where the best way to control risk while keeping the interaction with the customer as open as possible is to allow access to less sensitive information while blocking access to higher sensitive information in the same session.

A zero-trust environment isn't any more complicated or costly than what most organisations currently have in place. Often, savings and simplicity are achieved by consolidating multiple disconnected technologies. The implementation of zero-trust may result in moving to a simpler solution with a significantly lower overhead.