As business leaders look to incorporate principles of zero trust into their environment, one of the most daunting challenges is to apply this new security model to digital interactions with customers.
A key concern is that it will hamper the organisation’s ability to interact with the customer seamlessly and without barriers. However, zero trust doesn’t have to harm the quality of an organisation’s digital interactions and personalised engagements with customers, including the ability to connect with speed and convenience, according to Micro Focus.
David Rossi, Director Security Presales, Micro Focus Australia, said, “The level of digital services customers now expect isn’t possible with standard identity and access management architectures. Organisations require a customer-facing identity and access management (CIAM) infrastructure to gather, manage, integrate, and secure unique customer identities. The implementation of a zero-trust model imposes new requirements onto a company’s CIAM infrastructure, namely the need for anything that is trying to connect to the organisation’s system to be verified before access is granted. Another consideration when implementing zero trust is that customers now expect their experience to follow them no matter where they are interacting with a brand. As such, it’s crucial that the organisation keeps the experience as familiar as possible.”
There are three ways business leaders can achieve a zero-trust focus for their CIAM infrastructure:
1. SHRINK THE ATTACK SURFACE
Although network segmentation has long been a security practice for architects, zero trust formalises the approach to isolate valuable, well-protected systems.
Under a zero-trust model, organisations should shrink each network zone across their environment and then enforce access control for each zone.
Beyond network segmentation, business leaders can section off access to applications and microservices further by using gateways.
When access to each service is segmented and secured, organisations decrease the attack surface that is public facing or that sits within a zone already compromised by a malicious agent or user. Organisations can also apply specific security processes to each microservice, shrinking their exposure further.
2. ENFORCE LEAST PRIVILEGE
As services are now commonly scattered across a variety of remote sources, they cannot always be protected by a secured zone or a dedicated network.
Enforcing a least-privilege security model has always been a primary zero-trust network strategy; however, today's anywhere microservice environment justifies an expanded use of the least-privilege model.
David Rossi said, “To stay on top of their least privilege strategy, business leaders should set up an environment where they can automatically manage user access, identity information, and access policies. This may include employing comprehensive auditing to document the roles and actions of privileged users, which can help deter rogue behaviour. This may also include implementing an automated privileged user lifecycle that keeps up with administrators’ changing roles and responsibilities, ensuring business leaders are informed on privileged users’ access rights.”
3. ADAPTIVE AUTHENTICATION
As customers transition to being digital consumers, IT teams continue to revisit the balance between the level of risk that an organisation is willing to tolerate and the need to engage with its consumers effectively.
Keeping private data secure while offering a more powerful and compelling service to customers is a constant challenge for most organisations.
David Rossi said, “Using a zero-trust security model to meet these challenges requires stronger risk-based authentication. This model eliminates single sign-on in favour of continuous authentication, which means that, whenever a customer accesses a new resource or a protected resource outside of their expected behaviour, they will be required to verify their identity. To stop consumers from being repeatedly asked to reverify, IT teams need to implement some passive or at least low-friction methods for customers to verify themselves. This means that the risk engine needs to be much more context-aware and more effective at discerning between expected user behaviour and actual higher-risk situations.”
“Beyond adapting authentication levels based on customer context, IT teams also have the option of adapting authorisation for what the user can access. There may be situations where the best way to control risk, while keeping the interaction with the customer as open as possible, is to allow access to less sensitive information while blocking access to more sensitive information in the same session. A zero-trust environment isn’t any more complicated or costly than what most organisations currently have in place. Often savings and simplicity are achieved by consolidating multiple disconnected technologies, and the implementation of zero trust may result in moving to a simpler solution that has a significantly lower overhead,” Rossi said.
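The risk-based authentication and adaptive authorisation that Rossi describes can be sketched as a small policy engine. The Python below is an added illustration, not Micro Focus code and not any product's API; the assurance levels, risk weights, thresholds and the sample sessions and requests are all constructed for the example. It shows a returning customer on a recognised device reading low-sensitivity data with no prompt, being stepped up only when touching a high-sensitivity resource, and a risky session that is still allowed low-sensitivity data while high-sensitivity data is blocked outright.

```python
"""Illustrative risk-based (adaptive) authentication and authorisation engine."""
from dataclasses import dataclass, field

# Assurance levels a session can carry, weakest to strongest.
# Names and values are assumptions for this example.
PASSIVE = 1      # recognised device or cookie, no user interaction
PASSWORD = 2
MFA = 3

# Minimum assurance each sensitivity class needs at baseline risk.
BASE_REQUIRED = {"low": PASSIVE, "high": MFA}
STEP_UP_RISK = 3   # at or above this score, one extra assurance level is demanded
DENY_RISK = 5      # at or above this score, high-sensitivity data is blocked outright


@dataclass
class Session:
    user: str
    assurance: int
    known_device: bool
    usual_country: str
    seen: set = field(default_factory=set)   # resources already accessed this session


@dataclass
class Request:
    resource: str
    sensitivity: str    # "low" or "high"
    country: str        # country the request originates from


@dataclass
class Decision:
    action: str         # "allow", "step_up" or "deny"
    risk: int
    required: int       # assurance level the policy demanded
    reasons: list


def risk_score(session: Session, req: Request):
    """Score context signals; each reason records what contributed."""
    score, reasons = 0, []
    if not session.known_device:
        score += 2
        reasons.append("unrecognised device")
    if req.country != session.usual_country:
        score += 3
        reasons.append("country differs from usual")
    if req.resource not in session.seen:
        score += 1
        reasons.append("first access to this resource in session")
    return score, reasons


def evaluate(session: Session, req: Request) -> Decision:
    """Continuous check: every resource access is re-evaluated in context."""
    score, reasons = risk_score(session, req)
    required = BASE_REQUIRED[req.sensitivity]
    if score >= STEP_UP_RISK:
        required = min(required + 1, MFA)   # elevated risk raises the bar
    if session.assurance >= required:
        session.seen.add(req.resource)
        return Decision("allow", score, required, reasons)
    if req.sensitivity == "high" and score >= DENY_RISK:
        # Adaptive authorisation: keep the session open for low-sensitivity
        # data but block the high-sensitivity resource entirely.
        return Decision("deny", score, required, reasons)
    return Decision("step_up", score, required, reasons)


def step_up(session: Session, level: int) -> Session:
    """Record that the customer completed a stronger verification."""
    session.assurance = max(session.assurance, level)
    return session


def demo() -> list:
    """Walk through constructed scenarios; returns the sequence of actions."""
    actions = []
    # Returning customer, recognised device, usual country, passive assurance.
    alice = Session("alice", PASSIVE, known_device=True, usual_country="AU")
    actions.append(evaluate(alice, Request("overview", "low", "AU")).action)   # allow
    d = evaluate(alice, Request("payout-details", "high", "AU"))
    actions.append(d.action)                                                    # step_up
    step_up(alice, d.required)                                                  # customer completes MFA
    actions.append(evaluate(alice, Request("payout-details", "high", "AU")).action)  # allow
    # Unknown device from an unusual country, password-level assurance.
    carol = Session("carol", PASSWORD, known_device=False, usual_country="AU")
    actions.append(evaluate(carol, Request("overview", "low", "BR")).action)        # allow
    actions.append(evaluate(carol, Request("payout-details", "high", "BR")).action) # deny
    return actions


if __name__ == "__main__":
    print(demo())   # ['allow', 'step_up', 'allow', 'allow', 'deny']
```

A real risk engine would draw its signals from device fingerprinting, IP reputation and behavioural baselines rather than three booleans, but the shape is the same: score the context, derive the assurance the resource needs, and prefer a silent allow or a single step-up over a blanket deny.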