
Treating Your Customers Like Criminals: A Zero-Trust Security Model

Back in the day, if you heard the phrase “trust no one,” it meant either you were talking to someone with problematic levels of paranoia or you were at a theatre watching a really cliché spy movie. Now, with every day seeming to bring with it a new corporate data breach, those times are considered the good old days and “trust no one” has become the hot IT security strategy.

It’s called the Zero-Trust Security Model and it does away entirely with the old moat-and-castle idea that threats can only come from outside the firewall. Instead, it’s based on the idea that companies can no longer grant automatic trust to anyone on either side of the firewall. This means anything and everything interacting with the IT system must be verified not only on first contact but also each time it tries to access more information.

It’s easy to see why we need to lock down access as tightly as possible: The average cost of an organizational data breach last year was $3.62 million, according to the Ponemon Institute Data Breach Study, and involved more than 24,000 records.

This is happening despite $86.4 billion being spent on IT security products and services in 2017, according to Gartner. That number is expected to hit $93 billion this year.

Clearly, something more needs to be done. Zero-trust is a very promising solution. When properly implemented it stops hackers from roaming free once they get past corporate firewalls – which is how many data breaches happen. However, applied too broadly, it can also result in companies treating their customers like criminals.


The cost of security goes beyond what is spent on products and services. Making data safer means making it harder, i.e. more inconvenient, to access. Employees have to put up with that inconvenience; customers don’t. If it’s too difficult to do business with you, they will take their business elsewhere.

So does that mean customer-facing applications and portals have to be insecure? Of course not. It means additional levels of security should be applied only when the customer does something out of the ordinary. Credit card providers already do a version of this. When their algorithms spot a purchase that significantly deviates from a customer’s previous behavior in amount spent, location, or what it is being spent on, the transaction is flagged and the customer is contacted to make sure it is legit. I know I’ve been glad anytime that’s happened to me. Just knowing that level of security is in place makes me feel better about the business providing it.

There are equally secure and unintrusive methods available to other types of businesses. Simply put, the customer is asked to provide additional information only when executing higher-risk transactions (like moving large amounts of funds between accounts) or asking for access to more valuable information.
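As an added illustration (not code from the original post), here is one way to implement the graduated friction described above: build a per-customer baseline from past approved transactions, score how far a new transaction deviates in amount, location and category, and escalate to an extra verification step or a hold only when it does. The weights, thresholds and sample history are constructed assumptions.

```python
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Tx:
    amount: float    # in the account's currency
    country: str     # country code of the merchant or client address
    category: str    # merchant category, e.g. "grocery"

@dataclass(frozen=True)
class Baseline:
    typical_amount: float
    countries: frozenset
    categories: frozenset

def build_baseline(history):
    """Derive what is 'normal' for this customer from past approved transactions."""
    # median() raises StatisticsError on an empty history, which is the right failure
    return Baseline(median(t.amount for t in history),
                    frozenset(t.country for t in history),
                    frozenset(t.category for t in history))

# Hypothetical weights: how strongly each deviation raises the friction level.
WEIGHTS = {"amount:far-above-typical": 3, "amount:above-typical": 1,
           "location:new-country": 2, "category:new": 1}

def deviations(tx, base):
    """List the ways a transaction departs from the customer's baseline."""
    found = []
    if tx.amount > 5 * base.typical_amount:
        found.append("amount:far-above-typical")
    elif tx.amount > 2 * base.typical_amount:
        found.append("amount:above-typical")
    if tx.country not in base.countries:
        found.append("location:new-country")
    if tx.category not in base.categories:
        found.append("category:new")
    return found

def decide(tx, base):
    """Graduated friction: 'allow' (nothing extra), 'step_up' (one extra check,
    e.g. a biometric prompt) or 'hold_and_contact' (pause and reach out)."""
    reasons = deviations(tx, base)
    score = sum(WEIGHTS[r] for r in reasons)
    action = "allow" if score == 0 else "step_up" if score <= 2 else "hold_and_contact"
    return action, score, reasons

# Constructed sample history: a customer who buys groceries and fuel at home (DE).
HISTORY = [Tx(42.0, "DE", "grocery"), Tx(55.5, "DE", "fuel"),
           Tx(38.2, "DE", "grocery"), Tx(60.0, "DE", "grocery")]
BASELINE = build_baseline(HISTORY)
```

A routine grocery purchase at home passes with no friction, a first purchase from abroad triggers a single step-up prompt, and a large, out-of-pattern purchase from a new country is held for contact, which is the escalation the post describes.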

A biometric authentication platform can do this without consumers having to remember additional passwords or provide personal information – birthdate, social security number, etc. – that a hacker could gain access to. Scanning fingerprints, irises, or faces is fast and convenient. User behavior analysis – which also tracks the unique ways someone interacts with a device – can make this even more convenient. By providing a method of continuous identity verification, the customer gets an even greater level of protection without having to do anything.

Back in the 1980s, when the Cold War was about to run out of steam, President Reagan used the Russian phrase "Доверяй, но проверяй" (Doveryai, no proveryai) to describe his approach to negotiating with the Soviet Union. Companies will be well served by adopting that same attitude of “Trust but verify” when dealing with their customers.
