Zero-trust security could reduce cyber trust gap



Customer trust in companies is increasingly rare, especially when it comes to data management and protection. The trend is accelerating as cyberattacks continue to grow and vendors look to utilize more customer data as part of strategic initiatives.

Businesses need more customer data to improve online sales, and how well a business handles this cyber trust gap could mean the difference between driving new digital revenue or not.

KPMG’s recent “Corporate Data Responsibility: Bridging the consumer trust gap” report quantifies just how wide the trust gap is today and which factors are causing it to accelerate. With 86% of customers surveyed saying data privacy is a concern and 68% saying companies’ level of data collection is concerning, closing the growing trust gap isn’t going to be easy. The survey draws on interviews with 2,000 U.S.-based consumers and 250 director-level and higher security and data privacy professionals.

While most security and data privacy leaders (62%) said their organizations should be doing more to strengthen existing data protection measures, one in three (33%) say customers should be concerned about how their company uses their data.

In addition, security and data privacy leaders aren’t sure how trustworthy their own companies are when it comes to handling customer data. A third (29%) say their company sometimes uses unethical data collection methods. And 13% of employees don’t trust their employer to use their data ethically.

In short, the cyber trust gap is wide, with enterprises’ future outlooks largely dependent on the soundness of their data security.

Data governance alone isn’t working

Top-down approaches to data governance and data management aren’t closing the gap fast enough. KPMG concludes 83% of customers are unwilling to share their data to help businesses make better products and services. And a third (30%) aren’t willing to share personal data for any reason at all. This cyber trust gap continues to accelerate despite many businesses implementing corporatewide data governance frameworks.

The trend of customers pushing back against data requests comes as 70% of security and privacy leaders say their companies are increasing efforts to collect customer data, according to Orson Lucas, KPMG U.S. privacy services leader.

“Failure to bridge this divide could present a real risk of losing access to the valuable data and insights that drive business growth,” Lucas said. Clearly, data governance and data management initiatives need to prioritize the customer from the start of a project if the major investments companies make in these areas are to pay off.

This way to zero trust

The goal is to protect privacy with cybersecurity that is adaptive enough to grant every customer access to their entire customer record. Three out of every four customers (76%) want greater transparency in terms of how their personal data is being managed and what it’s being used for, yet just 53% of companies are providing that today.

To close the data trust gap, companies need to go for full disclosure, provide a complete view of customer data, and explain how they are using it. The best way to accomplish this is to implement zero-trust security at the individual customer account level to protect access endpoints, identities, and other threat vectors.

By choosing to prioritize zero-trust security, companies can make progress in closing the trust gap with customers and achieve greater transparency at the same time. Choosing zero-trust security as the framework for securing data answers the concerns of customers who say companies are not doing enough to protect their data. Customers are not happy — 64% say companies are not doing enough to protect their data, 47% are very concerned their data will be compromised in a hack, and 51% are fearful their data will be sold.

The following are a few of the many ways companies can use zero-trust security to provide secure, complete transparency while protecting every threat surface in their businesses at the same time:

Define identity and access management (IAM) first to deliver accuracy, scale, and speed. Getting IAM right is the cornerstone of a successful zero-trust security framework that provides customers with secure transparency to their data. Defining an IAM strategy needs to take into account how privileged access management (PAM), customer identity and access management (CIAM), mobile multi-factor authentication (MFA), and machine identity management are going to be orchestrated to achieve the customer experience outcomes needed to improve trust. CIAM systems provide identity analytics and consent management audit data that is GDPR-compliant, something sales and marketing teams need to improve online selling programs. Companies are also adopting a more granular, dynamic approach to network access that can offer customers greater transparency. It’s based on zero-trust edge (ZTE), which links network activity and related traffic to authenticated authorized users that can include both human and machine identities. Ericom Software, with its ZTEdge platform, is one of several companies competing in this area. The ZTEdge platform is noteworthy for combining micro-segmentation, zero-trust network access (ZTNA), and secure web gateway (SWG) with remote browser isolation (RBI) and ML-enabled identity and access management for mid-tier enterprises and small businesses. Additional vendors include Akamai, Netskope, Zscaler, and others.

Improve endpoint visibility, control, and resilience by reevaluating how many software clients are on each endpoint device and consolidating them down to a more manageable number. Absolute Software’s 2021 “Endpoint-Risk Report” found the more over-configured an endpoint device is, the greater the chance conflicting software clients will create security gaps bad actors can exploit. One of the report’s key findings is that conflicting layers of security on an endpoint are proving to be just as risky as none at all. In 2021, there are an average of 11.7 software clients or security controls per endpoint device. Nearly two-thirds of endpoint devices (66%) also have two or more encryption apps installed. The goal with zero-trust security adoption is to achieve greater real-time visibility and control and to make each endpoint more resilient and persistent. Absolute Software’s approach to self-healing endpoints is based on a firmware-embedded connection that’s undeletable from every PC-based endpoint. Additional providers of self-healing endpoints include Ivanti and Microsoft. To learn more about self-healing endpoints, be sure to read: “Tackling the endpoint security hype: Can endpoints actually self-heal?”

Enable multi-factor authentication (MFA) for all customer accounts so customers can view their data securely. Endpoints and user accounts get breached most often because of compromised passwords. Getting MFA configured across all customer accounts is a given. Long-term, the goal needs to be moving more toward passwordless authentication that will further protect all endpoints and customers from a breach.

Define a roadmap for transitioning to passwordless authentication for customer record access as quickly as possible. Bad actors prefer to steal privileged access credentials to save time and move laterally throughout a network at will. Verizon’s annual look at data breach investigations consistently finds that privileged access abuse is a leading cause of breaches. What’s needed is a more intuitive, less obtrusive yet multi-factor-based approach to account access that overcomes passwords’ weaknesses. Leading providers of passwordless authentication solutions include Microsoft Azure Active Directory (Azure AD), Ivanti’s Zero Sign-On (ZSO), OneLogin Workforce Identity, and Thales SafeNet Trusted Access. Each of these has unique strengths, with Ivanti’s Zero Sign-On (ZSO) delivering results in production across multiple industries as part of the company’s unified endpoint management (UEM) platform. Ivanti uses biometrics, including Apple’s Face ID, as the secondary authentication factor for gaining access to personal and shared corporate accounts, data, and systems.

KPMG’s research found that 88% of customers want companies to take the lead in establishing corporate data responsibility and share more details on how they protect data. Addressing cyber trust issues boils down to providing greater transparency, and companies need to focus on zero-trust security and its inherent advantages for customer data access.

VentureBeat
