Can KYC Improve ZTA and the User Experience?

Understanding ZTA

User convenience and security have long been at opposite ends of the design perspective, but that could soon change through the adoption of Zero Trust Architecture (ZTA) across more industries. Under many names, ZTA has been discussed in security circles for over a decade. It got a huge boost of notoriety in 2021 with Executive Order 14028, Improving the Nation’s Cybersecurity. While there are several active frameworks being promoted, the guiding principles are essentially the same.

  1. Don’t trust any network, including your own
  2. Know your architecture, including users, devices, services, and data
  3. Authenticate and authorize everywhere, all the time

This model flies in the face of traditional and defense-in-depth security views, which inherently rely on trusted relationships of known users, systems, and connections. ZTA adds exponential layers of user, system, and process verification and authentication. Engineers saw it as unnecessary. Accountants saw it as cost prohibitive.

Fueled by fierce competition and user demand for instant gratification, performance continues to outpace security in technical advances. The explosion of Internet of Things (IoT) devices increased end user connectivity. Cloud capabilities have made Anything as a Service (XaaS) a real possibility. And the pandemic accelerated “Anytime, Anywhere” computing, making remote work viably sustainable.

The expansion of advanced technologies also created a wider, more diverse attack surface for hackers to probe and exploit. Microservices, Infrastructure as Code (IaC), and edge computing evolved to expedite development, improve performance, and increase data accessibility and processing speeds. Networks essentially became more capable, diverse, and dynamic, which provided the capacity and justification for ZTA at the right time.

How KYC Can Help

Know Your Client (KYC) has been a mainstay in the financial industry for over 20 years. Designed to combat identity theft, money laundering, financial fraud, funding terrorism, and other financial crimes, KYC principles and capabilities are emerging in other industries such as travel, hospitality, and commerce. The Transportation Security Administration (TSA) is expanding its use of facial recognition for Global Entry customers, greatly accelerating and improving the redress process for international travelers. Delta is field testing facial recognition for ticketless check-in, baggage check, and security screening in Atlanta. Hilton, Marriott, and other hotel chains allow guests to use their phones to access their rooms. Amazon has introduced One, its palm reading technology which can be used for physical access control, cashierless merchandise purchases, and other KYC enabled services.

Among the challenges with KYC, it has historically been seen as cumbersome, costly, and a potential risk to Personally Identifiable Information (PII). Innovation and competition are bringing costs down, and more people seem willing to trade a bit of upfront hassle for longer term convenience. The biggest hurdle to overcome is confidence in the privacy protection schemas. Despite the absence of a national privacy policy, the negative publicity around data compromises continues to apply pressure from consumers for businesses to protect themselves against security breaches.

One way KYC may become more widespread is the use of biometrics for Multi-Factor Authentication (MFA) within ZTA. Organizations with biometric-enabled network and physical access systems would be able to register employees, consultants, and visitors during check-in, orientation, or annual training to help adopt KYC. Coupled with proper access policies, encryption (at rest and in transit), and continuous due diligence to keep records and permissions updated, KYC offers the opportunity to simultaneously improve security and User Experience (UX).

Savvy businesses offer perks to customers who register their IoT devices, mobile phones, and identities. This creates a web of opportunities for companies and clients to connect, whether in-person or on-line. Enabling customers to personalize their profiles and preferences further empowers them to control their data and define the terms of their business engagements. The same tactics can work for corporate systems. An effective, layered ZTA strategy should allow system owners and administrators to leverage user identity and behavior to limit unauthorized network access, monitor networks activity, and rapidly detect suspicious events.

Using KYC for MFA will require implementors to educate their users and engineers while demonstrating data security through privacy by design and sensitive data minimization. ZTA’s time has come, and it will take many forms in different organizations. Now is the time for organizations to develop comprehensive Identity, Credential, and Access Management (ICAM) strategies which integrate user, system, and facility controls to create a seamless UX and continuously monitored IT environment. Rather than reverse engineering security and backfilling compliance, embracing viable cyber solutions upfront gives all stakeholders the opportunity to address operational considerations, e.g., UX and customer satisfaction. Properly designed, implemented, and managed KYC for MFA can deliver a more seamless UX while bolstering security posture and risk awareness.

Share

Related

Breaking the EV Voodoo

Our lives are defined by a lot of things,...

AI and Big Data Expo Global Returns to London: A Glimpse into the Future of AI

The AI and Big Data Expo Global is set...

Marketing the Smarter Way

We can be anything as individuals, but a big...

Unveiling Cybersec Asia x Thailand International Cyber Week 2024 (powered by NCSA)

The Premier exhibition & conference of Global Experts in...

Remote Patient Monitoring: Reimagining healthcare across connected experiences, data, and insights

The power of computing is getting roughly twice as...

A Sobering Decision

There are a gazillion reasons why technology ended up...

The AI Future is Closer than Ever Before

Even though it might like the most practical option...

Latest

No posts to display

No posts to display