Understanding ZTA
User convenience and security have long sat at opposite ends of the design perspective, but that could soon change through the adoption of Zero Trust Architecture (ZTA) across more industries. Under many names, ZTA has been discussed in security circles for over a decade. It got a huge boost in prominence in 2021 with Executive Order 14028, Improving the Nation’s Cybersecurity. While several active frameworks are being promoted, the guiding principles are essentially the same.
- Don’t trust any network, including your own
- Know your architecture, including users, devices, services, and data
- Authenticate and authorize everywhere, all the time
This model flies in the face of traditional and defense-in-depth security views, which inherently rely on trusted relationships among known users, systems, and connections. ZTA adds many more layers of user, system, and process verification and authentication. Engineers saw it as unnecessary. Accountants saw it as cost prohibitive.
Fueled by fierce competition and user demand for instant gratification, performance continues to outpace security in technical advances. The explosion of Internet of Things (IoT) devices increased end user connectivity. Cloud capabilities have made Anything as a Service (XaaS) a real possibility. And the pandemic accelerated “Anytime, Anywhere” computing, making remote work viably sustainable.
The expansion of advanced technologies also created a wider, more diverse attack surface for hackers to probe and exploit. Microservices, Infrastructure as Code (IaC), and edge computing evolved to expedite development, improve performance, and increase data accessibility and processing speeds. Networks essentially became more capable, diverse, and dynamic, which provided the capacity and justification for ZTA at the right time.
How KYC Can Help
Know Your Client (KYC) has been a mainstay in the financial industry for over 20 years. Designed to combat identity theft, money laundering, financial fraud, funding terrorism, and other financial crimes, KYC principles and capabilities are emerging in other industries such as travel, hospitality, and commerce. The Transportation Security Administration (TSA) is expanding its use of facial recognition for Global Entry customers, greatly accelerating and improving the redress process for international travelers. Delta is field testing facial recognition for ticketless check-in, baggage check, and security screening in Atlanta. Hilton, Marriott, and other hotel chains allow guests to use their phones to access their rooms. Amazon has introduced One, its palm reading technology which can be used for physical access control, cashierless merchandise purchases, and other KYC enabled services.
KYC has historically been seen as cumbersome, costly, and a potential risk to Personally Identifiable Information (PII). Innovation and competition are bringing costs down, and more people seem willing to trade a bit of upfront hassle for longer term convenience. The biggest hurdle to overcome is confidence in the privacy protection schemes. Despite the absence of a national privacy policy, the negative publicity around data compromises keeps consumer pressure on businesses to protect themselves, and the data they hold, against security breaches.
One way KYC may become more widespread is the use of biometrics for Multi-Factor Authentication (MFA) within ZTA. Organizations with biometric-enabled network and physical access systems would be able to register employees, consultants, and visitors during check-in, orientation, or annual training to help adopt KYC. Coupled with proper access policies, encryption (at rest and in transit), and continuous due diligence to keep records and permissions updated, KYC offers the opportunity to simultaneously improve security and User Experience (UX).
Savvy businesses offer perks to customers who register their IoT devices, mobile phones, and identities. This creates a web of opportunities for companies and clients to connect, whether in person or online. Enabling customers to personalize their profiles and preferences further empowers them to control their data and define the terms of their business engagements. The same tactics can work for corporate systems. An effective, layered ZTA strategy should allow system owners and administrators to leverage user identity and behavior to limit unauthorized network access, monitor network activity, and rapidly detect suspicious events.
Using KYC for MFA will require implementers to educate their users and engineers while demonstrating data security through privacy by design and sensitive data minimization. ZTA’s time has come, and it will take many forms in different organizations. Now is the time for organizations to develop comprehensive Identity, Credential, and Access Management (ICAM) strategies that integrate user, system, and facility controls to create a seamless UX and a continuously monitored IT environment. Rather than reverse engineering security and backfilling compliance, embracing viable cyber solutions upfront gives all stakeholders the opportunity to address operational considerations, e.g., UX and customer satisfaction. Properly designed, implemented, and managed KYC for MFA can deliver a more seamless UX while bolstering security posture and risk awareness.