Can Customer Identity Benefit from Zero Trust?

Matt Edwards
  • Jul 17, 2020
  • 5 min read

We have all heard (repeatedly) the phrases “Zero Trust” and “Least Trust.” In fact, I recently visited the NIST website and searched for the phrase “Zero Trust” and received 846,937 results! Combine that with the sheer noise in the industry where everyone is banging the drum about Zero Trust, and it now seems a foregone conclusion for many organizations that Zero Trust is the only model to adopt.

If people are the new perimeter in a Zero Trust model, can this help in the world of customer identity? Or is Zero Trust only of benefit to workforce (employee) identity? If a brand tries to adopt a Zero Trust approach, will this negatively impact the customer experience? Will a brand see higher abandonment rates, and put revenue at risk, by adding layers of Zero Trust security at the expense of the customer experience?

Forrester, which originated Zero Trust, based the idea on the observation that traditional security models are broken because they assume everything inside the network, identities included, can be trusted and has not been compromised. But does this model work when applied to customers, where the known information and workflows used to verify a workforce identity are not available?

The Kipling method advises organizations to address the who, what, when, where, why and how when defining policies and building Zero Trust approaches for the workforce (employee identities). Customer usage and buying patterns are not as formulaic or predictable, so how do you apply that approach to a customer-centric model and balance the needs of security with the needs of the CMO and omni-channel experiences? Is Zero Trust really the right approach for achieving both digital transformation and attracting and retaining online customers? When the majority of online customers are seeking the quickest possible path to finish a purchase, complete a registration form, or simply leave a site, are they going to tolerate a brand using a Zero Trust model?

The reality for Customer Identity and Access Management (CIAM) is that we must balance security with privacy, and never at the expense of the customer experience. Attackers stealing customer identities, and misusing the customer PII that comes with them, are not the only threat. Only last week the news was dominated by the pervasive app “TikTok” harvesting customer information. Customers freely give firms access to their information with little consideration of the consequences, often because they are getting something for free or for the sake of convenience. A simpler example along the same lines: when asked to choose a password, customers may reuse a previous one, even if that password is easily guessable or has already appeared in a breach. Brands now have to protect online customers from themselves. Moving from traditional Multi-Factor Authentication (MFA) to Adaptive MFA, where the extra challenge is triggered by the risk of the request rather than imposed on every login, is a large step toward a Zero Trust model that does not degrade the customer experience. The traditional IAM approach of role-based management and entitlements is neither applicable nor effective here, because customers do not hold roles the way employees do. Instead, to achieve Zero Trust a CIAM solution must continuously evaluate customer risk and block bad behaviours, and be intrinsically linked to Marketing and Sales CRM to provide progressive profiling, social integration and social proofing.

While it is true that customers have a built-in tolerance and have become somewhat conditioned to using Multi-Factor Authentication, that tolerance is linked to the value of what they’re trying to do. Everyone runs the risk vs. reward equation instinctively:

I’m accessing my online bank account or 401(k) – sure, I’m happy with the extra step of using MFA to know my hard-earned money is protected.

I need to buy a pizza – no thanks, I’ll buy elsewhere rather than jump through that extra step.
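To make the risk-versus-reward idea concrete, here is an added example of an adaptive access decision (it is not Strivacity code and not from the original post). It scores a request on Kipling-style signals (who, what, when, where, how), tolerates more risk before stepping up when little is at stake, and refuses to let a breached password through without a challenge and a forced reset. The signal weights, thresholds, field names and the breached-password set are all assumptions made up for illustration.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed breach corpus: SHA-1 digests of a few known-bad passwords, the
# form a leaked-credential feed distributes. Illustrative data, not a real feed.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "summer2020")
}


def password_is_breached(password: str) -> bool:
    """True if the password's SHA-1 digest appears in the breach corpus."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest in BREACHED_SHA1


@dataclass
class AccessContext:
    """Kipling-method view of one customer request (field names are assumptions)."""
    who: str                          # customer identifier
    what: str                         # e.g. "checkout", "transfer"
    value_usd: float                  # what is at stake if the request is fraudulent
    when: datetime                    # request time, UTC
    where: str                        # client country code
    device_known: bool                # how: device previously bound to this customer
    ip_reputation: str = "clean"      # how: "clean" | "anonymizer" | "bad"
    last_where: Optional[str] = None  # where the customer was last seen
    last_when: Optional[datetime] = None


@dataclass
class Decision:
    action: str                       # "allow" | "step_up" | "deny"
    score: int
    reasons: list = field(default_factory=list)
    force_password_reset: bool = False


def risk_score(ctx: AccessContext, password_breached: bool) -> tuple:
    """Sum weighted risk signals; the weights are illustrative."""
    score, reasons = 0, []
    if not ctx.device_known:
        score += 30
        reasons.append("unrecognised device")
    if ctx.ip_reputation == "anonymizer":
        score += 20
        reasons.append("anonymizing proxy")
    elif ctx.ip_reputation == "bad":
        score += 60
        reasons.append("IP on blocklist")
    # Impossible travel: a different country within two hours of the last visit.
    if (ctx.last_where and ctx.last_when and ctx.where != ctx.last_where
            and ctx.when - ctx.last_when < timedelta(hours=2)):
        score += 50
        reasons.append("impossible travel")
    if password_breached:
        score += 40
        reasons.append("password found in breach corpus")
    return score, reasons


def step_up_threshold(value_usd: float) -> int:
    """Friction budget scales with value: low-value actions tolerate more risk."""
    if value_usd < 50:
        return 70
    if value_usd < 1000:
        return 40
    return 20


def decide(ctx: AccessContext, password: Optional[str] = None) -> Decision:
    breached = bool(password) and password_is_breached(password)
    score, reasons = risk_score(ctx, breached)
    if score >= 100:
        return Decision("deny", score, reasons)
    if breached:
        # Protect the customer from themselves: challenge now, reset before next login.
        return Decision("step_up", score, reasons, force_password_reset=True)
    if score >= step_up_threshold(ctx.value_usd):
        return Decision("step_up", score, reasons)
    return Decision("allow", score, reasons)


def demo_scenarios() -> dict:
    """Constructed scenarios mirroring the pizza-versus-bank comparison."""
    now = datetime(2020, 7, 17, 12, 0, tzinfo=timezone.utc)
    pizza = AccessContext("cust-1", "checkout", 18.0, now, "US", device_known=False)
    bank = AccessContext("cust-1", "transfer", 5000.0, now, "US", device_known=False)
    reused = AccessContext("cust-2", "login", 0.0, now, "US", device_known=True)
    hijack = AccessContext("cust-3", "checkout", 18.0, now, "RU", device_known=False,
                           ip_reputation="bad", last_where="US",
                           last_when=now - timedelta(minutes=30))
    return {
        "pizza_new_device": decide(pizza),
        "bank_new_device": decide(bank),
        "breached_password": decide(reused, password="summer2020"),
        "hijack": decide(hijack),
    }


if __name__ == "__main__":
    for name, d in demo_scenarios().items():
        print(f"{name:18} -> {d.action:8} score={d.score:3} {d.reasons}")
```

The same unrecognised device is waved through for the pizza order but triggers MFA for the bank transfer, which is the whole point of adaptive access: the friction follows the value, not the login. A real deployment would check breached passwords against a live feed (for example with a k-anonymity range query rather than the exact-match set used here) and feed the device, IP and travel signals from the customer profile rather than hard-coded fields.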

According to Blue Research, 54% of users go to another site if they are simply asked to register, let alone asked to complete additional verification steps during registration. Many online customers now opt for a social login such as Google or Facebook, or simply reuse the same password over and over again. When expedience and convenience are lined up against security, it is little wonder that people choose the former, and we have seen 3.5 billion credentials stolen in recent years.

Ultimately, applying Zero Trust approaches to customer identity can only strengthen a brand's security posture. However, it is not a one-size-fits-all approach. When applying the model to B2B or B2E (business-to-employee), where interactions are typically more predictable, Zero Trust is straightforward. But how can you apply “I don’t trust you, you’re a bad actor” when you are trying to win over a customer?

So here it is, the shameless product pitch: Strivacity Fusion strikes a balance between context-aware access and the customer experience. Strivacity was created with the single purpose of providing the most comprehensive Adaptive Access Control that satisfies the needs of a CISO without jeopardizing the customer experience, so that security does not cost you customers. No square peg crammed into a round hole, as you experience with traditional IAM solutions. Strivacity Fusion enables security and marketing teams to work in collaboration, and drives e-commerce with tools and insights to grow your customer base. With built-in compliance and consent management, it also removes the complexity of adhering to data privacy regulation. So next time that email from the Chief Compliance Officer arrives in your inbox, or that surprise audit happens, you will no longer have to experience that moment of dread.

I won’t end by saying talk to sales – no one wants a sales pitch. But please do check out our complete set of adaptive access control solutions. Learn how to protect your brand, safeguard your customers, and streamline your business.