The security operating model of “Zero Trust” could go a long way to solving the current confidence problems of Digital Trust.
Consumers, cybersecurity professionals and business executives have never been more sensitive to the issues surrounding digital trust. But each has different perspectives on why it is important and what they are doing to improve it.
If last week’s dramatic drop in the value of Facebook’s stock taught us anything it is that digital trust matters. And in the online world, much like in our offline lives, trust can take time to achieve, but it can be lost in an instant. Twitter, Equifax, Target and Anthem have all learned painful lessons in terms of the impact on their business results when they lose digital trust with their customers. Some have lost digital trust with their customers due to privacy concerns, and others have lost digital trust because they have lost control of users’ personal information as a result of a data breach.
What’s your Digital Trust tolerance?
So, what is digital trust and what does it mean? Frost & Sullivan’s Principal Cybersecurity Analyst Jarad Carleton, in the 2018 Global State of Online Digital Trust Report, defines it as:
Digital trust is the confidence placed in an organization to collect, store and use the digital information of others in a manner that benefits and protects those to whom the information pertains.
In parsing this sentence, a few keywords stand out: CONFIDENCE, PROTECT, BENEFIT. Think for just a minute about all of the online apps and web services you use during the course of an average digital day, all of the privacy permissions you have granted to apps on your mobile devices, the extended network of health care providers and financial organizations that have access to your most sensitive personal information, and online shopping sites that store your credit card information and corroborating personal details. Do you have confidence that they will protect your information in a way that benefits you?
It’s a worthy exercise. Jot down a list of the websites, apps and organizations that you believe have access to your information. For each one, answer ‘yes’ or ‘no’ to two questions: do you have confidence in their ability to protect your information, and does the fact that they hold your personal information actually benefit you? The results may surprise you. Many organizations require that you divulge personal information to use their services or applications, but do you get real value in return? Is the “juice really worth the squeeze”?
In some cases, the answer may be a resounding yes. Billions of people love a free Facebook platform, including this author. But there may be millions more who are concerned enough about how Facebook uses our personal information that they would rather pay to use the platform so that their personal information is not divulged to any advertisers or political organizations. However, today we don’t have that choice. To use the platform, you have to consent to the current terms and conditions—even though Facebook has recently made the privacy settings easier to understand and control. But is this enough of a change to regain your trust? Time will tell, but there are many privacy and cybersecurity experts in the industry that think that Facebook is in for a rough ride.
Without a doubt, digital trust matters
In the 2018 Global State of Online Digital Trust Report, (a survey of 1,000 consumers, 350 cybersecurity professionals and 325 business executives from all over the world), 47 percent of businesses reported significant, long-term damage to their business as a result of a loss of customer information from a data breach. And this makes sense, because, in that same survey, 48 percent of consumers stated they would drop or stop using the online services or applications of an organization that lost control over their personal information (for instance, identity credentials, health info, banking information and more).
A loss of trust can be an “Extinction Level Event” for organizations and their executives. Size, scope, public awareness and availability of other alternatives or choices for consumers are all factors that determine if the impact to an organization is short-term and moderate, or if it is long-term and significant.
How are organizations responding? A strategy now being adopted across the cybersecurity industry is to implement a “Zero Trust” operating model and the technical infrastructure to support it, with the aim of reducing the risk of a data breach. Zero Trust drops the assumption that anything already inside the network perimeter can be trusted. Every user and every device, inside or outside the perimeter, must prove it is who it claims to be before access is granted, and the access actually granted to apps, services or data is evaluated for each request and restricted in scope under the principle of “least privilege”.
You might be asking, “This seems obvious—why didn’t we do this before?” In many cases, it is because executives were concerned that the “friction” associated with authentication security would turn off users. They were rightfully concerned that the constant need to keep a mobile device by the computer to respond to an SMS second-factor request, or to answer a secondary challenge on every login, could be enough of an annoyance that customers would take their business elsewhere. (SMS has since become a weak choice of second factor in any case: NIST SP 800-63B classifies it as a “restricted” authenticator because one-time codes sent over the phone network can be intercepted or redirected by SIM swapping.) So the focus was on making it easy for consumers (and internal users) to gain access.
Security trumps consumer convenience
The 2018 Global State of Online Digital Trust Report bears this out. When asked, “Should the user authentication process be more secure or more convenient?” just over half (52 percent) of business executives said it should be more secure, with 48 percent saying it should be more convenient. Consumers, asked the same question, overwhelmingly chose security: a resounding 86 percent picked security over convenience.
It is safe to say that consumers are a lot more worried about keeping their information safe than executives assume. And that is completely compatible with the Zero Trust operating model: a little inconvenience in the authentication process goes a long way toward reducing an organization’s exposure to a data breach, whether the attacker is an insider or an outsider.
More important, the technical approach to user authentication and access control is getting smarter. Modern Identity and Access Management technology weighs many more signals in the authentication decision than just a username and password. These solutions draw on contextual signals that help establish your identity, such as your IP address and device ID, and keep a stored behavioral profile that serves as a baseline against which the current access request is compared. A second factor or a challenge is only stepped up when the network is unknown, the device hasn’t been seen before, or the access pattern departs from the behavioral baseline. Otherwise the user is let through with no extra friction at all.
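To make the two ideas above concrete (verify every request and restrict it to least privilege, then step up a second factor only when the request deviates from the user’s baseline), here is an added, illustrative Python policy engine. It is not CA Technologies product code and not from the report; the profile schema, the role table, the risk signals, the “three or more deviations means deny outright” threshold and the sample user and requests are all assumptions constructed for the example (addresses are RFC 5737 documentation ranges).

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Profile:
    """Stored behavioural baseline for one user (hypothetical schema)."""
    user_id: str
    roles: frozenset
    known_devices: frozenset
    known_networks: tuple        # CIDR strings the user normally connects from
    usual_countries: frozenset
    work_hours_utc: tuple        # (start_hour, end_hour), half-open interval


@dataclass(frozen=True)
class Request:
    """One access attempt. password_ok is the outcome of the first factor."""
    user_id: str
    password_ok: bool
    device_id: str
    source_ip: str
    country: str
    when: datetime               # timezone-aware
    resource: str
    action: str


# Least privilege: (resource, action) -> roles allowed. Unlisted pairs are denied.
POLICY = {
    ("customer-pii", "read"): frozenset({"support", "support-lead"}),
    ("customer-pii", "export"): frozenset({"support-lead"}),
}
HIGH_RISK_SIGNALS = 3            # assumed threshold: refuse rather than challenge


def risk_signals(profile, req):
    """List deviations from the baseline that justify a step-up challenge."""
    signals = []
    if req.device_id not in profile.known_devices:
        signals.append("unknown-device")
    addr = ip_address(req.source_ip)
    if not any(addr in ip_network(net) for net in profile.known_networks):
        signals.append("unknown-network")
    if req.country not in profile.usual_countries:
        signals.append("unusual-country")
    start, end = profile.work_hours_utc
    if not start <= req.when.astimezone(timezone.utc).hour < end:
        signals.append("off-hours")
    return signals


def decide(profile, req, step_up_passed=False):
    """Return (verdict, reasons); verdict is "deny", "step-up" or "allow".

    Identity first, then entitlement, then risk. Coming from the corporate
    network is never sufficient on its own: that is the zero-trust point.
    """
    if req.user_id != profile.user_id or not req.password_ok:
        return "deny", ["first-factor-failed"]
    if not profile.roles & POLICY.get((req.resource, req.action), frozenset()):
        return "deny", ["not-entitled"]          # default deny
    signals = risk_signals(profile, req)
    if len(signals) >= HIGH_RISK_SIGNALS:
        return "deny", signals                   # looks like stolen credentials
    if signals and not step_up_passed:
        return "step-up", signals                # ask for the second factor
    return "allow", signals


# Constructed sample data: fictional user, RFC 5737 documentation addresses.
ALICE = Profile(
    user_id="alice", roles=frozenset({"support"}),
    known_devices=frozenset({"laptop-0042"}),
    known_networks=("203.0.113.0/24",),
    usual_countries=frozenset({"US"}), work_hours_utc=(8, 18),
)
BASELINE_REQUEST = Request(
    user_id="alice", password_ok=True, device_id="laptop-0042",
    source_ip="203.0.113.25", country="US",
    when=datetime(2018, 8, 1, 10, 0, tzinfo=timezone.utc),
    resource="customer-pii", action="read",
)


def sample_decisions():
    """Run the policy over constructed requests; returns name -> verdict."""
    new_device = replace(BASELINE_REQUEST, device_id="phone-7")
    foreign_night = replace(new_device, source_ip="198.51.100.9", country="RO",
                            when=datetime(2018, 8, 1, 3, 0, tzinfo=timezone.utc))
    return {
        "baseline": decide(ALICE, BASELINE_REQUEST)[0],
        "new_device": decide(ALICE, new_device)[0],
        "new_device_after_otp": decide(ALICE, new_device, step_up_passed=True)[0],
        "export_without_role": decide(ALICE, replace(BASELINE_REQUEST, action="export"))[0],
        "bad_password": decide(ALICE, replace(BASELINE_REQUEST, password_ok=False))[0],
        "foreign_night": decide(ALICE, foreign_night)[0],
    }


if __name__ == "__main__":
    for name, verdict in sample_decisions().items():
        print(f"{name:22s} -> {verdict}")
```

Two design points worth noting. Entitlement is checked before risk, so a user who is not allowed to export customer data is denied even from a fully trusted device; a passed second factor never widens what the role table permits. And the thresholds that decide between “challenge” and “deny” are the part a real deployment tunes from its own data, which is exactly where the friction-versus-security trade-off from the survey gets set.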
Mr. Duncan is the Vice President of Product Marketing for the CA Technologies Security and Veracode Business Units. Mr. Duncan is a well-known expert in cyber security, serving previously as CEO and founder of ENCRYPTX, a data encryption and digital rights management company with 30 million users worldwide; as CMO of Webroot, an endpoint security and threat intelligence company; as VP of WW Marketing at Tenable Network Security, creators of Nessus and Tenable.io; and as a cyber security engineer and validation tester on numerous classified government systems. Mr. Duncan was assigned to the NSA for a decade while a member of the USAF, performing intelligence collection and cryptographic analysis operations against the People’s Republic of China.