Zero Trust and User Experience
There is a classic juxtaposition within security controls. Organizations need to make data and services available, but if it’s too easily accessible, too open, then a data breach can occur. On the other hand, if data and services are too restricted then the controls are marginalized and ignored. Organizations struggle with balancing the risk between easy access and advanced controls. Whichever approach is taken impacts the user experience, and both can lead to less than desirable results if done poorly.
I’ve asked many IT professionals if they consider the end user when implementing a new security protocol. Surprisingly the answer is often, they don’t. The reasoning for my question is simple. If you know more about the users being asked to perform the task, the task can be implemented with less friction.
Friction, or the user experience, is a critical consideration to security. To achieve the desired security outcome, IT organizations must understand and develop with their customers’ motivations and behaviors in mind. In doing so, the intended ask will be met with less resistance and higher adoption, therefore improving overall security.
Why SSO Is Still A Must
Let’s clarify with something first – SSO is still a must in an enterprise infrastructure stack.
An end user will not type in their credentials for every access point. But, SSO in its current form and with 2FA or MFA as part of the access flow does not meet Zero Trust standards. And this construct ties back into what I started with above. Organizations need to balance the risk between easy access and advanced controls.
Zero Trust is a proactive security approach that continuously verifies users, devices, and services before trusting them. This approach is commonly summarized as “never trust, always verify”. Essentially, Zero Trust assumes that anything connecting to a system is a potential threat that should be verified before earning trust. But to do that security teams need to know as much about the identity accessing the resources as possible. Without this fundamental knowledge of identity, security is more hope-based than fact-based and impacts the effectiveness of a Zero Trust architecture.
On its own, the Zero Trust sounds like it will cause friction at the time of user access, a poor user experience. But that doesn’t have to be the case. Many of the access types that are in existence are here because the end users are creating poor passwords. These passwords can be hacked or even phished. So the transition to a Zero Trust architecture can be an opportunity for organizations to improve the user experience and implement technologies that improve security and improve user experience at the same time.
How can that be done? With Identity. What does identity have to do with Zero Trust architecture? It’s a pillar of the Zero Trust architecture because when you verify user identity at each point of access, you proactively verify users before a breach can happen. This is in line with the “never trust, always verify” core principle of Zero Trust. But to securely authenticate a user, one must first implement an indisputable identity proofing process. Because an indisputable proofed ID must involve the triangulation of a user claim with biometrics. Implementing this element of identity management will ensure that every access attempt is tied to a trusted and verified identity.
The result is a secure access infrastructure that is based on verified identities tied to the user’s biometrics. So instead of using passwords and trying to secure them with additional authentication methods, the user’s identity becomes the access method.
1Kosmos Supports Zero Trust and a Better User Experience
The 1Kosmos BlockID platform ensures that individuals are who they claim to be by using an identity-based approach to authentication. We bring identity into the security forefront so that organizations implementing a Zero Trust infrastructure know with certainty who is accessing IT assets and online services.
This means we have a quick and convenient way for users to self verify their identity using government, telco, and banking credentials. Then, once verified, workers, citizens, and customers use their digital identity to be utilized at login or transaction approval. This identity pre proofing injects a level of trust into the Zero Trust implementation and provides users with a frictionless experience. Organizations will implement their Zero Trust deployment with a significantly improved access user experience and high level of identity assurance for the identity on the other side of the digital connection.