Professional Documents
Culture Documents
Abstract
Trust is a cornerstone of the digital economy and is what makes efficient markets
possible. Without trust, few transactions would take place. While mutual benefit is
often the reason behind a transaction, trust is the insurance or likelihood that the
purchaser will receive that benefit. Consumers will not buy from a seller if they do
not trust the seller to deliver the product as agreed. Businesses will not trade if they
do not trust the other party to follow through with its promises. Clients may refuse
to do business if they don’t trust the security and privacy practices of the vendor.
Lack of trust can lead to costly legal protections, inefficient contracts, lost sales, and
business failure.
Trust is a human construct that is based on the perception that another person or
organization will deliver on a promise to do something. In the days of brick and
mortar, people (salespeople, support staff, managers, etc.) provided the basis for
trust. Now businesses are becoming digital, and that means there are fewer human
touchpoints and interactions with customers. That drives the need for the digital
platforms that demonstrate and reinforce this perception of trust; that you act
honestly and upright (Integrity), are capable and competent within your fields
(Competence), balance your own interests with the interest of others (Benevolence),
and act with consistency (Predictability).
In a world where almost any product or service can be purchased online from
countless companies globally, trust is a significant differentiator. This report defines
trust for the digital world and how an enterprise can deliver on the explicit and
implicit promises made with your customers and prospects. Note that trust builds or
is eroded over time. We break down the dimensions of Digital Trust into two areas:
• Mechanical trust, in particular as it relates to and is supported by
cybersecurity and Identity and Access Management is at the heart of Digital
Trust. This is the technical foundation means that deliver predefined outputs
reliably and predictably.
• Relational trust, the promise to abide by the social norms and agreements that
address the complex realities of the relationship between the customer and
the Digital Enterprise.
Authors:
Gary Zimmerman Gary Rowe
Principal Consulting Analyst CEO, Principal Consulting Analyst
garyz@techvisionresearch.com gary@techvisionresearch.com
Digital Trust
Zimmerman, Rowe
Table of Contents
Abstract ...........................................................................................................................................................................................1
Executive Summary
The purpose of this report is to influence the way your organization approaches trust as your
organization becomes a Digital Enterprise. The traditional approaches of creating a reputation for
trustworthiness through branding, advertising, and physical presence are shifting to the
trustworthiness customers perceive as they experience millions of digital interactions across their
entire customer journey with you and others. Establishing and maintaining Digital Trust is an
increasingly critical part of how enterprises do business.
Why is Digital Trust important? Well, the numbers tell the story.
• 83% of people trust brand recommendations from friends, and nearly 70% trust consumer
opinions more than paid advertisements.
• 87% of shoppers now begin their hunt for products and services in digital channels.
• 81% say trust impacts their purchasing decisions.
And yet,
• 61% believe digital companies put profits ahead of the welfare of customers.
• 41% say they don’t trust brands’ marketing communications to be accurate or truthful.
• 45% of consumers would never trust a brand again after it displays unethical behavior or
is involved in a scandal, and 40% say they’d stop buying from that brand altogether.
And all of these statistics are based on the fact that customers have shifted to predominantly
interacting with companies digitally and are becoming increasingly uneasy in those interactions
for the following reasons:
• Brands have ever-increasing amounts of customers’ personal information in their
databases.
• There is increasing sophistication with which brands can target or track customers.
• There is increasing reliance of brands to add to their intelligence using advanced
automation and artificial intelligence in their interactions with customers.
In order to build and maintain “digital” trust, enterprises need to shift their efforts in identity,
security, and compliance from merely providing an enterprise “protection” activity to a more
inclusive customer engagement activity and strategy.
In simple terms, digital trust can be defined as the confidence people have in an organization’s
ability to keep their digital data secure and to handle it with integrity and accountability. Digital
trust is seen as critical to the long-term success of enterprises in a connected world.
Digital trust is built on two main components: mechanical trust and relational trust.
• Mechanical trust, especially as it relates to cybersecurity, is the technical heart of digital
trust. It is the means, mechanisms and controls to deliver predefined outputs reliably and
predictably.
• Relational trust is the promise to abide by the social norms and agreements that address
the complex realities of the evolving relationship between the customer and the digital
enterprise.
To build and maintain trust, businesses need to make sure they are delivering on both mechanical
and relational trust. Without the balance, customers will not share the data required to drive the
proper customer experience. And if your customer experience is lacking it won’t be long before
customers are seeking alternatives. This is particularly important as organizations transform to
Digital Enterprises; if our digital interactions can’t be trusted, this will profoundly impact our
customer’s engagement and, ultimately, our bottom line.
For mechanical trust, organizations should directly address the challenges and opportunities in
IAM and security including new approaches such as Customer IAM, Decentralized Identity, Zero
Trust Security and advanced authentication/authorization approaches. And look to the emerging
trends that are shifting the “duty to protect” beyond the company borders.
For relational trust, refine privacy policies to reflect a more transparent and peer-like relationship
between the business and its customers; and then make sure to deliver on the promises those
policies represent. It is important to also provide assurance to your customers that your use of
AI/ML capabilities leveraging “big data” are designed to make their experiences better and are
being implemented in an ethical manner.
Companies that keep their promises and operate transparently enjoy more trust and should, as a
result find that their customers are MORE likely to share their positive experiences and spread a
good word through social media. Besides, dealing with customer complaints professionally via
social can positively impact consumers’ trust, too. While some businesses consider it’s safer to
keep sanitizing content and taking negative consumer conversations offline, those who manage to
resolve it positively in public reap even bigger reward in terms of customer trust. Remember that
customers don’t expect you to be faultless. However, the way you fix things when they go wrong
proves what your business is worth and if they can trust you.
What Is Trust?
In simple terms, trust is a state in which on party believes in the reliability, truth or ability of the
second party to perform a given task or meet an objective. That “party” could be a person,
organization, process or even a “thing”. When you trust another party to deliver on a promise to
do something, you put yourself in a vulnerable and risky situation that the other party won’t meet
their end of the bargain. If the other party betrays us on a confirmed deal, this creates a zero-sum
situation where they win this time, but you’ll never strike a bargain with them again. On the other
hand, if our trust in is upheld, it creates a powerful incentive to engage them with them further in
the future. This is why economists recognize that trust makes our trading world go around. Acting
in a trustworthy manner, towards friends and strangers alike when it comes to exchanging goods
and services, both extends and deepens meaningful, productive economic coordination. This is
often called, in aggregate, a reputation. A good reputation means that the level of trust increases,
and a bad reputation has the opposite impact.
When we think of trust and what it means, we quickly realize it encompasses many things. In the
natural world, we use the word “trust” to:
• Interpret what people say
• Describe behaviors
• Decide if we feel comfortable sharing data
• Indicate whether we feel other people have our interests at heart
In a given situation, all of us can quickly measure our trust in someone using our experience and
basic senses. But in the digital world our senses cannot play the same role. We are removed from
the situation and the other person by electrons, time, and distance. And it’s becoming more
complex. What’s on the other end of the Internet isn’t a person; it’s a server, a smart device, or a
digital endpoint that represents a person or organization within the context of the situation.
The success of maintaining customer trust within this dimension also depends on your ability to
trust customers in return, make them feel their opinion matters and show your gratitude for doing
business with you. It’s also important to keep in mind that given there’s enough trust on the part
of the customer at this stage, you’ll have a chance of hearing their concerns if any. Otherwise, if
you fail to create a meaningful connection, you won’t even know why they decided to leave and
what exactly went wrong.
Integrity – Integrity corresponds to the ethics and values that shape and guide the company. It
largely refers to company’s honesty and ability to keep its promises, but also owes to the shared
values that underlie more meaningful and purposeful connection with a customer.
It’s in our human nature to feel good about ourselves when we do business with a company that
shares our own values and, for instance, makes an effort to go green and take care of the
environment, or supports a social initiative aimed to make this world a better and safer place. This
kind of connection creates joy and lets us enjoy a positive association with the brand, and
consequently results in more trust and long-lasting loyalty.
Predictability – Predictability includes brand reputation and customer expectations toward a
brand based on information they gathered and learned. According to a scientific research, certainty
builds optimistic outlook and inspires more positive impressions.
Companies that keep their promises and operate transparently enjoy more trust as their customers
are more likely to share their positive experiences and spread a good word through social media.
Besides, dealing with customer complaints professionally via social can positively impact
consumers’ trust, too. While some businesses consider it’s safer to keep sanitizing content and
taking negative consumer conversations offline, those who manage to resolve it positively in
public reap even bigger reward in terms of customer trust. No surprise, customers don’t expect
you to be faultless. However, the way you fix things when they go wrong proves what your
business is worth and if they can trust you
where it takes place. From that standpoint, mistrust has been linked to a demand of restrictive
regulations and costly control systems, but that is only the starting point.
Stephen M.R. Covey says, “Trust always affects two measurable outcomes: speed and cost.” When
trust goes down—in a relationship, on a team, in a company, in an industry, with a customer—
speed decreases with it. This results in redundancy in processes, everyone checking up on everyone
else, cost more. Where trust is low, everything takes longer and costs more.”
Customer trust has eroded over the past few years on several fronts. The more that consumers learn
about how their data is gathered, used, sold, and compromised, the less they trust organizations to
use it only to create better experiences or offer more relevant products. Earning and keeping
customer trust has never been as important or as difficult. Furthermore, individuals and the media
are closely watching this dynamic.
With trust in such a precarious and fragile state, it takes an instant to gain or lose a customer. And
it could be for anything, any indicator that your company is not worth trusting if the risks seem to
outweigh the benefits of doing business with you. And maintaining trust is important whether you
serve consumers or other businesses.
While most of this report is focused on consumer trust, it doesn’t mean that B2B companies are
immune to trust issues. A key difference between B2C and B2B is that in B2C, individual
consumers simply vote with their feet if things go wrong. In B2B, the customer is likely to
complain to the department that fails to meet expectations or to the account manager. Another
difference is the scale; a large organization may have hundreds or thousands of business-to-
business connections, but millions or hundreds of millions of customers and prospective
customers. If communication/action is rapid and efficient, the level of customer loyalty can
actually improve; if it remains unacceptable then the customer will start to shop around for
alternative propositions.
Regulatory Compliance
Businesses are comfortable with something called rules-based or deterrence-based trust because
they can understand and quantify punitive measures and they can clearly see and measure
boundaries and constraints. Their risk-assessment mechanisms are tuned to calculating the trade-
offs to assure them that they are covered. Nowhere is that more apparent than in the world of
regulatory compliance.
With corporate scandals (Enron, Worldcom, et al.) our trust in public markets went down because
we realized there are some people out there “cooking the books.” Congress stepped in and passed
Sarbanes-Oxley (Accounting Reform Act). Sarbanes-Oxley doesn’t generate trust itself; it’s a
series of rules, regulations and compliance measures intended to help assure trust and protect those
depending on this trust. It has helped in that markets didn’t collapse under extreme conditions, as
they perhaps could have. But it came at a price. Sarbanes-Oxley takes a whole lot of time and costs
an average of about $1 million annually to implement. And that’s just one example.
Thomson Reuters Regulatory Intelligence (TRRI) in 2019 captured 56,624 regulatory alerts from
more than 1,000 regulatory bodies, averaging 217 updates a day. Regulatory change was reported
as the top compliance challenge for 2020 with respondents anticipating that more information will
be published by the regulator. The Covid-19 pandemic and Brexit will bring new challenges and
regulations. Once again, speed goes down, cost goes up.
When we discuss compliance costs, we are really making the distinction between two types of
costs:
1. The cost of compliance, which is the amount that firms spend to manage their compliance
programs, and
2. The cost of non-compliance, which is the consequence of failure to comply (and which is
not always monetary).
The Cost of Regulatory Compliance
The estimate for US regulatory compliance and economic effects of federal intervention is $1.9
trillion annually1. If the cost of federal regulations were a country, it would be the 9th largest,
behind India and just ahead of Canada. And businesses in the U.S. on average spent $10,0002 per
employee on regulatory costs. While these costs are staggering, many regulations are focused on
general business practices and are beyond the scope of IT. For this report, we’ll focus on the ones
most germane to IT, data protection compliance regulations.
1. The average annual data protection compliance cost for organizations across all industries
worldwide is $5.47 million3
2. The financial services industry has some of the highest data protection compliance costs,
with the average cost of compliance equaling $30.9 million4
3. Companies spend the most on specialized technology, with incident response and audits
and assessments coming in second and third 5
4. GDPR is considered the most difficult framework to for businesses to achieve compliance 6
5. Most companies conduct one or more compliance audits each year7
It pays to invest in compliance: if companies spend more on compliance activities, such as audits,
enabling technologies, training and expert staffing, it would generally be less costly (at least in the
long-run) than if they were in non-compliance with data protection regulations and were caught.
According to a benchmark study conducted by Ponemon Institute, the significant costs associated
with data protection compliance fall into the following categories.
It’s interesting to note that 65% of compliance costs are directly (or indirectly) related to enabling
security technologies, which shows that organizations are increasing expenditures across the board
on technology infrastructure.
The Cost of Non-Compliance
While compliance with regulations like Payment Card Industry Data Security Standard (PCI DSS),
Health Insurance Portability and Accountability Act (HIPAA), and General Data Protection
Regulation (GDPR) come with hefty price tags, the alternative is far more costly. In fact, this
recent report8 finds that the cost of an incidence of non-compliance is 2.71 times higher than the
cost of compliance.
1. Non-compliance costs businesses on average $4,005,116 in revenue losses
2. Spending on incident response has doubled since 2011
3. Incident response costs businesses an average of $1 million
4. Business disruption is the costliest consequence of non-compliance, with businesses losing
$5,107,206 on average
5. Fines and penalties are the least costly consequences of a data breach
Failure to comply presents a range of consequences that include both monetary and non-monetary
costs. Fines — while the most obvious and public — actually represent the smallest cost when
compared to the business disruption, revenue losses, and productivity losses. (See figure 2)
Customers, not branding efforts, drive today’s business’ reputation and customers gauge trust
based on what the business does at all of the journey’s touchpoints, not what it says.
Brands with a good online reputation are trusted more because people depend on the opinions of
others. If people appear to trust a company or person, others are likely to follow suit with the same
sentiment. If you can't even get people to trust your brand, you're going to have a difficult time
selling your products. In fact, research shows that 83% of people trust brand recommendations
from friends, and nearly 70% trust consumer opinions more than paid advertisements 9. In other
words, if they like you and continue to like you, they are going to do business with you for a long
time and recommend you to others.
But, in order for your customers to like you, you need to get to know them, and then use this
knowledge to deliver personalized experiences across their entire customer journey. But gaining
this in-depth knowledge about customers isn't something that just happens. You need to collect
customer data and bring out valuable insights from that data with speed and precision.
As the Digital Enterprise gains momentum, given the increasing dependency businesses have on
data, the consequences of consumer trust breaches will become more severe. IDC predicts that the
amount of consumer data subject to “big data” analysis
will surge by a factor of 50 by 2025, generating more than
5.2 trillion gigabytes of consumer data.
So, a big challenge for the Digital Enterprise is learning
that the best-quality customer relationships and best-
quality data come from people who are willing to give you
their data, willing to watch the messages you send them,
willing ultimately to engage with you because they have
agreed to this particular thing and believe sharing their
data with you is a win for them. This is what creates more
value.
However, the bigger challenge is to use data to provide value to customers in a way that is
inherently responsible, and also prevents you from becoming vulnerable to data breaches and even
the kinds of scandals that have dogged certain tech companies recently.
The decay of consumer trust is a serious problem. Big data, generated by consumers, fuels the
development of many new products and continued revenue growth. Should consumers choose to
withhold their data — a likely result of large-scale data breaches such as the Experian episode, or
unethical use shown in the Facebook/Cambridge Analytica data scandal — the growth of the new
business will be impeded.
Mechanical Trust
Mechanical trust, especially as it relates to cybersecurity, is the technology infrastructure needed
to support Digital Trust. It is the means and mechanisms that deliver predefined outputs reliably
and predictably. An automobile’s braking system provides a good metaphor. Step on the brakes.
The car stops. No ambiguity, no uncertainty. Predictable, reliable outputs are expected to be
delivered every time. If a system is secure and performs predictably, individuals will be more
willing to use it. They’ll be able to trust it.
Cybersecurity is based on the assumption that if you make the effort to get an asset more expensive
than the asset is worth, you have performed your “duty to protect”. Security is all about risk
mitigation and threat deterrence—not complete protection. TechVision has provided a lot of
published research in Cybersecurity and Identity and Access Management and, in this report, we’ll
focus on those areas that are most relevant to Digital Trust. For example, in our report, “Evolving
Against Vulnerabilities, Breaches, and The Next Cyber Attack” we describe the modern approach
using the NIST security framework to defend against cyber-attacks and threats.
The specific problem with any security model is that the proof of security relies on assumptions.
Specifically, the assumptions are that the implementation of any secure network, system, or
application is consistent with that model, and that the system is installed, operated, maintained,
and decommissioned consistently with that model. If it is not, the underlying assumptions are
wrong. The proof may be correct, but it is irrelevant.
At the core of mechanical trust are decisions about which information risks to accept and how to
mitigate them. Traditionally, CISOs and their business partners have made cyber-risk management
decisions using a combination of experience, intuition, judgment, and qualitative analysis.
Digital transformation and the distribution of the workforce not only scatters resources and assets
but continues to drive a divide between corporate confidence and actual ability to protect their
interests in a transformed workplace and economy. The sheer number of assets and processes to
protect, and the decreasing practicality and efficacy of one-size-fits-all protections, have
dramatically reduced the applicability of traditional security operations and decision-making
processes. These new elements and the speed by with changes occur in the Digital Enterprise
impact both Security and Identity and Access Management. Getting these foundations right are
key to Mechanical Trust and to establishing and maintaining overall Digital Trust.
So it isn’t just the Cybersecurity framework that is critical in supporting mechanical trust; it is the
Identity and Access Management infrastructure as well. As we highlight in our report, “Identity as
the New Perimeter”, Digital Enterprises can no longer be content with managing trust behind a
firewall perimeter. The perimeter now must accommodate all of those external to the business
itself. Enterprises need assurance not just about the identities of their own workers and contractors,
but also those of their partners, customers, and a variety of “things” beyond the control of the
business. This is changing the way a business needs to approach Identity and Access Management
(IAM).
Even before addressing Digital Trust in this report, we believe there is a compelling case for most
enterprises to upgrade and modernize their IAM foundation. This is based on expensive, hard to
manage and fragmented nature of most IAM infrastructures at large organizations. This
fragmentation is problematic from security, privacy and compliance perspectives and this becomes
even more acute as organizations become Digital Enterprises. We’ll now look at a few key
technologies that are critical in having the right Mechanical Trust foundation that enterprise must
have going forward.
We’ll start with the authentication methods, ensuring that there is a binding between the purported
identity and the real identity such as Multi-Factor Authentication and Risk-Based Authentication.
We’ll then examine other areas such as authorization and new approaches such as Decentralized
Identity.
MFA
As we outlined in our report, “Multi-Factor Authentication (MFA): Enterprise Strategy and
Market Assessment”, cyber threats are becoming increasingly sophisticated and include a variety
of techniques that involve guessed, hacked, or physically or virtually stolen credentials. These
threats expose the inherent weakness within traditional username/password-based authentication
schemes. Two-factor or multi-factor authentication (2FA or MFA) is an extra authentication
method that’s becoming increasingly common to compensate for the weakness in user ID /
Password authentication. The use of MFA and advanced authentication is critical to knowing your
customer and to supporting Digital Trust.
Risk-Based Authentication
Risk-based authentication, or adaptive authentication, takes MFA a step further. It is an
authentication paradigm that attempts to match the required authentication credentials to the
perceived risk of the connection or authorizations requested. The objective is to try to reduce the
authentication burden on users and provide a better experience on the one hand, while enforcing
strong authentication where it is most needed on the other. This is another key element of a
platform that supports strong Digital Trust.
All of these authorization approaches work to lessen the risks of a compromised digital identity,
but they need to be augmented with more sophisticated access strategies in order to properly
manage risk.
Authorization and Mitigating Risk
Once a user is authenticated (you know who they are) the next challenge is determining what they
can access. From a security and Digital Trust perspective it is important to protect the most critical
assets. The next type of protection called Privileged Access Management (PAM) tightly controls
the administrators and super-users that can do the most damage if compromised. We’ll then look
at role-based and attribute-based access control as scalable, more generalized methods of allowing
the right people to access the right resources at the right time while mitigating risk. These
technologies are intended to both scale to Internet levels and provide granular access control; both
critical to establishing Digital Trust at scale.
PAM
As we outline in our report, “Privileged Access Management: More Necessary Than Ever as
Cloud-Shift Intensifies”, Privileged access management (PAM) consists of the cybersecurity
strategies and technologies for exerting control over the elevated (“privileged”) access and
permissions for users, accounts, processes, and systems across an IT environment. By dialing in
the appropriate level of privileged access controls, PAM helps organizations condense their
organization’s attack surface, and prevent, or at least mitigate, the damage arising from external
attacks as well as from insider malfeasance or negligence.
While privilege management encompasses many strategies, a central goal is the enforcement of
least privilege, defined as the restriction of access rights and permissions for users, accounts,
applications, systems, devices (such as IoT) and computing processes to the absolute minimum
necessary to perform routine, authorized activities. Best practice is to implement PAM as a means
to limit the damage an intruder can create.
Role-Based Access Control/Attribute-Based Access Control
For more general access, Role-Based Access Control (RBAC) and Attribute-Based Access Control
(ABAC) are two ways of controlling the authentication process and authorizing users. The primary
difference between RBAC and ABAC is that RBAC provides access to resources or information
based on user roles, while ABAC provides access rights based on user, environment, or resource
attributes. Essentially, when considering RBAC vs. ABAC, RBAC controls broad access across
an organization, while ABAC takes a fine-grain approach.
An organization might use RBAC to provide a baseline form of fine-grained access management
that is easier to maintain because the policies don’t need to be changed every time a person leaves
the organization or changes jobs: they can simply be removed from the role group or allocated to
a new role. This also means new employees can be granted access relatively quickly, depending
on the project or organizational role they fulfill.
Attribute-based access control draws on a set of characteristics called “attributes.” This includes
user attributes, environmental attributes, and resource attributes.
• User attributes include things like the user’s name, role, organization, ID, and security
clearance.
• Environmental attributes include the time of access, location of the data, and current
organizational threat levels.
• Resource attributes include things like creation date, resource owner, file name, and
data sensitivity.
Essentially, ABAC has a much greater number of possible control variables than RBAC. ABAC
is implemented to reduce risks due to unauthorized access, as it can control security and access on
a more fine-grained basis. Both services are critical in supporting the foundation for Digital Trust.
External identity Management
As business has become more digital and disbursed, the networks and infrastructure that supports
it is no longer under the sole control of the enterprise. Businesses now have to securely interact
with assets (people, data, applications, organizations, infrastructure) in a different way than they
do with employees and controlled digital assets. An example of this is the supplier value chain.
The Supplier Value Chain
Digital enterprise technology investments are driving the supply chain evolution from linear,
responsive-driven flows to interconnected and predictive smart networks enabling organizations
to put the customer at the core of how products and services are designed and delivered, to meet
unique customer value propositions. Several technologies are playing key roles in the digital
supplier value chain, among them are cloud, big data, the internet of things (IoT), machine
learning, “what-if” scenario planning, and social networks.
While these new supply chain technologies bring many benefits, organizations must diligently
manage the full range of supply chain risk. Key issues include:
• Trust is regularly handed over to third party providers; unfortunately for many, without
proper due diligence, risk assessment or examination of controls.
• Customer expectations of companies that form part of their supply chain are rising –
particularly if a company wants to provide services like mass customization where the
individual customer’s requirements are built into the product as it is being delivered.
Sharing customer information is vital to customization, but third-party mismanagement of
that information will damage the relationship and ultimately end in lost opportunity.
The first step in managing these risks is through managing who has access to the data that can
impact trust.
Federated identity management allows organizations to securely exchange information with
partners and is the key to managing access across the business value chain. Federated access
management solutions allow authentication of users in the domain where their identities are stored,
thus ensuring that each company in the partner network is responsible for managing its own
identities and potentially limiting your liability.
Combined with single sign-on, federation provides access management for any type of application,
including mobile, and centralizes access control for all types of clients, such as Web browsers,
native mobile applications and server-to-server interactions. Using standards-based federated
identity is a current best practice in supply chain identity management.
While you’ll still need to manage a robust set of authorization capabilities, the need to manage
external authentication can be shifted to the suppliers, the ones that know the individual entities
best.
segmentation, preventing lateral movement, providing Layer 7 threat prevention, and simplifying
granular user-access control.
As we point out in our report, “Zero Trust Networking”, in Zero Trust, you identify a “protect
surface.” The protect surface is made up of the network’s most critical and valuable data, assets,
applications and services – DAAS, for short. Protect surfaces are unique to each organization.
Because it contains only what’s most critical to an organization’s operations, the protect surface is
orders of magnitude smaller than the attack surface, and it is always knowable.
With the protect surface identified, you can identify how traffic moves across the organization in
relation to protect surface. Understanding who the users are, which applications they are using and
how they are connecting is the only way to determine and enforce policy that ensures secure access
to your data. Using zero trust concepts, enterprises are better equipped to address Advanced
Persistent Threats (APTs), monitor behavior, record patterns, and alert when unusual activity is
detected. The automation of operational security is also important as now describe.
Security Orchestration Automation and Response (SOAR) and Security Incident and Event
Management (SIEM)
SOAR refers to a combination of solutions that optimize the capabilities and efficiency of your
security operations center without tying up your human assets in low-level tasks.
It serves to optimize three main cyber security-related tasks — security orchestration, security
automation, and security response — by improving threat and vulnerability management
capabilities, security incident response, and security operations automation.
In many ways, SOAR and SIEM are similar —after all, they both collect and use relevant data
from multiple sources for analysis to identify any anomalous activity. While these two solution
stacks often work hand-in-hand for security operations centers (SOCs), they’re still different in a
few ways:
• SIEM is more manual in nature. This system of stacked solutions requires manual
responses to alerts and regular upgrades and tweaks to the technologies, rule sets, and
signatures for optimization, efficiency, and detection effectiveness. However, it’s primarily
limited to identifying known threats and are less effective at identifying new or unknown
threats.
• SOAR is a bit more diverse in its use of internal and external applications, and it takes
those SIEM alerts and responds to them automatically for triage and remediation when
necessary. It relies on cognitive technologies and tools that use artificial intelligence (AI)
and machine learning (ML) to learn from existing threats and to help identify new ones.
SOAR is all about using automation to improve your security operations and incident response by
eliminating repetitive tasks and organizing (or “orchestrating”) the technology, people, and
processes within your organization to their full advantage. For example, in a security operations
center (SOC), SOAR complements SIEM capabilities by building upon them and providing extra
value.
Security orchestration even has benefits in terms of preventing phishing attacks from being
successful. Ernst and Young reports a “50% to 70% reduction in time to detect and response to a
phishing attack” through the use of robotic automation in the data gathering, analysis, and
remediation processes.
RPA
As we highlighted in our report “The State of Robotics Process Automation (RPA),” robotic
process automation refers to the process of using robots — whether physical or virtual, such as
software bots, to automate repetitive tasks. With regard to cyber security and security automation,
this typically refers to allowing automated systems to handle low-cognitive functions such as
scanning, monitoring, and low-level incident response. You know things like, extracting and
aggregating data, performing basic threat search and detection processes, and other low-cognitive
tasks.
There are multiple benefits of using RPA from logistical, risk, and compliance standpoints. For
one, it makes cyber security more efficient by removing the burden of manually performing
repetitive tasks. It also helps you to minimize the biggest cyber security vulnerability: human
interaction. Whether intentional or by human error, people pose the biggest risk to the cyber
wellbeing of organizations and businesses. By removing the human aspect, it makes your data
more secure.
There are several ways that software robotics can aid in reducing cyber security vulnerabilities:
• RPA reduces threat detection and response time though automated detection and alert
notifications.
• RPA aids in application and device discovery and inventory, helping to identify
exposed attack surfaces to mitigate security risks.
• RPA improves security with automated rollout of updates and patching.
• RPA helps to fill the talent shortage gap of cyber security teams.
• RPA doesn’t tire or mentally “clock out” on the job, providing 24/7/365 security
coverage.
• RPA limits the involvement of IT security pros so they can focus on other high-
cognitive tasks.
• RPA limits human involvement in the management of sensitive personal information.
Additionally, RPA can help your business stay compliant with some regulations such as the EU’s
General Data Protection Regulation (GDPR) or Payment Card Industry Data Security Standards
(PCI DSS). For example, automation can be used for data collection, to roll out informed consent
notifications, data breach notifications, as well as to document all data that’s held by your
organization for audits. Why dedicate many employees to performing such tedious tasks when
automation technologies can do it for you?
RPA offers many advantages to enterprises and other organizations. However, no organization
should rely on RPA alone for more in-depth security operations that require higher cognitive and
analytical capabilities. This part is still best left to a mix of cognitive-learning technologies and
the intervention of human analysts.
Providing security operations with automated tools can help to find the needle in the haystack and
use valuable human intellect where it's needed most. A skilled SOC analyst is the very best defense
we have in combating threats; however, most of the analysis and processing they deliver is
mundane and amounts to a waste of human capital. Ideally, human SOC analysts should be focused
on more advanced and more valuable tasks like threat hunting, threat intelligence, and attribution.
By employing automation, the idea is to free analysts up to work on highly important tasks, and
let automation do the grunt work.
This is true not just for IT security teams but of identity teams as well who face a similar big data
problem of the identity variety during their digital transformation. This means more identities
(human and non-human) have to be managed across more applications (legacy and cloud) and data
(structured and unstructured).
In summary the existing IAM and security services should be examined and potentially upgraded
to support pervasive Digital Trust. But be aware that there are new approaches that are a bit more
revolutionary that should also be examined and considered in the intermediate-to-long-term as
follows in the next section.
and people, businesses and other entities are more sensitive than ever on the matter of digital
identity, as it has become an integral part of our lives.
Decentralized Identity and Verifiable Credentials
In short, Decentralized Identifiers (DIDs) are user-generated, self-owned, globally unique
identifiers rooted in decentralized systems, such as distributed ledger (blockchain) networks. DIDs
resolve to DID Documents which describe how to use that specific DID. Most importantly, it
contains a set of cryptographic material and endpoints that can be used to interact with the identity
subject.
DIDs begin by being “trustless” in the sense that they don’t directly provide meaningful identity
attributes. However, trust between DID-identified peers can be built up through the exchange of
Verifiable Credentials — credentials about identity attributes that include cryptographic proof.
These proofs can be verified by reference to the issuer’s DID and DID Document.
Both of these open standards are becoming important as they grow in adoption. For example,
Microsoft has recently announced they are building a Decentralized Identity solution which uses
DIDs and Verifiable Credentials, highlighting the potential importance these standards might have
in our future lives.
In an effort separate from Microsoft’s, the Linux foundation announced on 5 May 2020 the
formation of the Trust Over IP (ToIP) foundation to further open standards around decentralized
identity. The IBM Security Group recently provided TechVision Analysts with a detailed
perspective on ToIP as IBM is embracing this model. The ToIP Foundation will use digital identity
models that leverage interoperable digital wallets and credentials and the new W3C Verifiable
Credentials standard to address these challenges and enable consumers, businesses and
governments to better manage risk, improve digital trust and protect all forms of identity online.
As shown in the following figure, the ToIP foundation will be focusing on building out both the
technology and governance stacks of the ToIP framework.
The ToIP Foundation has been established with global, pan-industry support from leading
organizations with sector-specific expertise. Founding Steering members include Accenture,
BrightHive, Cloudocracy, Continuum Loop, CULedger, Dhiway, esatus, Evernym, Finicity,
Futurewei Technologies, IBM Security, IdRamp, Lumedic, Mastercard, MITRE, the Province of
British Columbia and SICPA. Contributing members include DIDx, GLEIF, The Human Colossus
Foundation, iRespond, kiva.org, Marist College, Northern Block, R3, Secours.io, TNO and
University of Arkansas.
Solid/InRupt
Solid/Inrupt is another effort to standardize identity and data ownership/exchange. Since 2015,
Tim Berners-Lee (the inventor of the Web and director of the W3C) has been working on a new
web infrastructure called Solid, which rethinks how web apps store and share personal data. Inrupt
aims to drive the development of the Solid platform and transform it from an innovative idea to a
viable platform for businesses and consumers.
Over the past three decades, the web has evolved into something very different from Berners-Lee's
original vision of openness, co-operation and creativity. Most of the data we put online is now
siloed on the servers of companies like Google, Facebook, LinkedIn and Twitter, and used to sell
individuals as an audience for targeted advertising. We can download and delete our online
histories, but we still can't easily move our data between services.
The big idea behind Solid is that, instead of a company storing all your personal data on their
servers, you would keep it on your own personal data “pod”, located on a Solid server. You could
run your own server or host it with a provider, much like a personal website. You could then give
individual apps permission to read and write to your pod. When you want to stop using an
application, you just revoke its access. The data remains on your pod, and businesses making
applications never have to worry about storing it, deleting it, or making it easily exportable. Solid
uses existing web standards like URLs, DNS, HTTP, and Linked Data to accomplish this. Solid
and Inrupt (Inrupt started in 2019) are newer projects and are just beginning the experimentation
phase but promising in that they are backed by Tim Berners-Lee and fit within this Digital Trust
concept.
Both Decentralized Identity and Solid are based in standards and are in essence shifting the
responsibility for data security back to the data provider, the individual. Where Decentralized
Identity is initially focused on building trust through the collection and sharing of attributes
(credentials) that are issued and verified by trusted third parties, Solid is focused on creating a
sharable version of truth that belongs to the individual and is portable across hosts and applications.
As businesses start to embrace this trend, their “duty to protect” personal data becomes less
burdensome. The business no longer needs to keep centralized stores of customer information as
a matter of convenience. As an example, businesses routinely keep user IDs, passwords, credit
card numbers, and a whole host of personal data to maximize the customer experience. If those
data could be made available to the business as needed (and permitted) from the customer’s data
stores, then the need to retain that information is eliminated.
Data Utilities
Companies now use data to add value to almost every aspect of life, enhancing people’s social
lives, lowering business costs and providing services and information that facilitate all manner of
daily interactions. To achieve this, many employ cookies and device-tracking technology to follow
online activity and infer information such as preferences. They then use these not only to improve
their own services but also to send notifications and targeted advertising.
These proprietary data platforms provide access to unique aspects of data activities, along with the
accumulation of data and analytics, and this has produced deep network effects. Each platform
also has its own approach to how much data is shared and how much control consumers have. This
is driving governments to intervene with privacy regulations that are placing more burdens on
consumers and businesses to manage personal data.
Data utilities are an emerging trend that could offer a simpler way for users to manage data without
having to manage consent with every firm with which they come into contact. Marketplaces, where
firms could trade consumer data, would give individuals centralized control over how information
about them is used and shared. There are several start-ups exploring this new concept, including
an open-standard, Ethereum-based platform, XBR, based in the EU.
Consumer-centric data utilities may not replace the need for baseline data protections entirely, but
they could streamline the complex web of data management responsibilities that businesses now
have. Models could also emerge that allow individuals not only data control but also data
monetization. This trend is shifting the responsibilities of consent management and privacy
protection towards the individual (end point) and away from the business which manages fewer
personal data on behalf of the consumer.
Even without a broader adoption of personal data marts, data utilities run by coalitions of firms
could help businesses exchange aggregate, rather than individual data. Sharing aggregated data
could help alleviate privacy concerns associated with sharing individual-level data (providing the
data is anonymized) and facilitate the sharing of “data insights” that help solve broader challenges,
for example in cyber security.
Data.World is an example of business-focused data utility. Data.World is a public benefit
corporation that:
• strives to build the most meaningful, collaborative and abundant data resource in the
world in order to maximize data’s societal problem-solving utility,
• advocates publicly for improving the adoption, usability, and proliferation of open data
and linked data, and
• serves as an accessible historical repository of the world’s data.
The Data.World platform is built on Linked Data and Semantic Web technology that makes it easy
for both humans and machines to consume the vast collection of open/public data available on the
platform. When each dataset that is added to the network increases the incremental value of every
dataset on the platform, the network effect can be an incredible multiplier for people solving the
world’s most difficult problems. While broad adoption is a way off, this is a trend to monitor.
Blockchain
Blockchain/Distributed Ledger technology is an example of imbedding trust in a system or
network. Blockchain is simply a secure, shared database. In its purest form, everyone connected
to a blockchain network has access to the same set of information. Think of blockchain as a
permanent, replicated, distributed, yet secure ledger where all parties have access to the same
information. Much like an accounting ledger, blockchain is a platform for recording transactions,
but it intrinsically makes this shared data available. Blockchain, or distributed ledger technologies
don't change our need for financial or operational transactions, but they do radically change the
way we execute and confirm those transactions.
Let’s start by looking at what most enterprises are typically doing today. Whether it is between
internal applications or across enterprise boundaries, the general architecture template is to capture
and process transactions in internally controlled data stores. That creates a workflow similar to
this.
2. Record transaction,
3. Verify transaction,
4. Accept transaction,
5. Reconcile transaction,
6. Audit transaction, Reconcile Audit
7. and all along the way, handle transaction transaction
Relational Trust
Even when all the mechanical systems work, if people don’t believe that we’re all playing by the
same rules, trust breaks down. That is why relational trust—the social norms and agreements that
address life’s complex realities—is vital. While the brakes in a car may be highly reliable, we also
need a shared agreement that a red light means that we use them. Similarly, we need a shared
agreement on when, where, why, and how technologies are used. This aspect of trust is harder for
most businesses because it has more to do with behavior than technology.
details, including who gets to view and work with the data, then put it in writing. Also, let
them know how long their data will be stored. In short, provide good data stewardship
throughout the customer relationship. It’s quickly shifting from nice-to-have policy to one
that is expected as part of the customer experience.
• Offer Customer Data Review Rights - As an active part of gathering all the necessary
customer data it’s important to offer an easy option for customer data review. When
customers see the data that brands are using with their own eyes and can correct any
misinformation, they feel they have a voice.
Trust frameworks.
Trust Frameworks are replacing individual corporate
privacy policies in instances where identity federations are
in use. Examples are Sovrin in the world of self-sovereign
identity or the payment card framework that is the basis for
today’s ATM networks. The trust framework is a document
that publishes the tools and rules together with an
assessment and enforcement infrastructure that
operationalizes them. In most cases the document serves as
a new type of contract that legally binds the members of
the trust community to the policies. In this fashion, a trust
framework operates on a much higher level than site-
specific privacy policies or TOS (terms-of-service)”. At
the core of any framework is the concept of relational trust.
The American Bar Association (ABA) defines a trust framework as follows:
A Trust Framework is the governance structure for a specific system consisting of:
• The Technical and Operational Specifications that have been developed –
o to define requirements for the proper operation of the system (i.e., so that it works),
o to define the roles and operational responsibilities of participants, and
o to provide adequate assurance regarding the accuracy, integrity, privacy and
security of its processes and data (i.e., so that it is trustworthy); and
• the Legal Rules that govern the identity system and that —
o regulate the content of the Technical and Operational Specifications,
o make the Technical and Operational Specifications legally binding on and
enforceable against the participants, and
o define and govern the legal rights, responsibilities, and liabilities of the participants
of the system.
It is written in terms of equal peers not users and applications, and every member of the network
agrees to comply with the framework. The trust framework is a digital form of social contract that
manages behavior and can be enforced for every transaction that occurs.
Regardless of whether the agreement is through an individual privacy policy or a network trust
framework, once the promise is made, you have a duty to deliver on that promise. And now that
promise extends to your supply partners as well as traditional supply chains become adaptable
digital supply networks.
Data Stewardship Delivers on That Promise
The definition of stewardship is “an ethic that embodies the responsible planning and management
of resources.” In the realm of data management, data stewards are the keepers of the data
throughout the organization. A data steward serves as the conduit between data governance
policymaking bodies, like a data governance council, and the data management activity that
implements data policies. Data stewardship is critical in maintaining Digital Trust in that proper
data stewardship delivers on the promises of the privacy policies as it carries out its governance
and management responsibilities.
Data Governance – Data governance is a system for defining who within an organization has
authority and control over data assets and how those data assets may be used. It encompasses the
people, processes, and technologies required to manage and protect data assets. The goal of data
governance is to establish the methods, set of responsibilities, and processes to standardize,
integrate, protect, and store corporate data. Data governance needs to include a role for the
customer so that the governance function reflects the reality of relational trust.
Data Management – Data management is the set of functions designed to implement the policies
created by data governance. These functions have both business and IT components, so it is vital
that the overall program be designed holistically. Data management functions include data quality,
metadata, architecture, administration, data warehousing and analytics, reference data, master data
management and other factors. Reflecting the growing role of the customer and regulators requires
building flexibility into data management functions to enact and demonstrate transparency and
compliance.
Define and implement an ethical framework for AI/ML
The final aspect of improving relational trust is to be transparent about how AI and ML capabilities
will be applied to customer data. The most commonly deployed form of AI can be described as a
set of math functions (model) that given some inputs (data), learn “something” and use that to
“infer” something else (make predictions). In other words, AI is data, model and predictions.
Ethical exploration of this realm covers issues like bias in a models’ predictions and fairness of
the outcomes; as well as approaches to address them via accountability and transparency. Most of
the mistrust customers have of AI capabilities can be summarized in three points.
• Safety - Safety in AI can be understood as “AI must not cause accidents or exhibit
unintended or harmful behavior”. For a hardware-software composite to make the right
calls requires that it be responsive to contexts as they arise, be able to model this uncertainty
in its environment, and be aligned on what is “right”. Alignment to the “right” goal, aka
value-alignment, is a key theme of safety in AI.
on marketing to meet the challenge for you in the future. Your organization needs to prove itself
in your policies supported by a strong Security and Identity foundation.
To build and maintain trust, businesses need to make sure they are delivering on both mechanical
and relational trust. Without the balance, customers will not share the data required to drive the
proper customer experience. And if your customer experience is lacking it won’t be long before
customers are seeking alternatives.
For mechanical trust, address the challenges in IAM and security that infrastructure
decentralization and enhanced customer engagement pose to traditional approaches. And look to
the emerging trends that are shifting the security landscape as digitalization and decentralization
increases.
Enterprise security/IT leaders have refined their authorization strategy through PAM, RBAC, and
Zero Trust to a least privilege stance. For external identities, they have also deployed Federation
and CIAM to manage the scale, consent, and relationships for millions of entities.
Furthermore these leaders are applying automation through SOAR/SIEM and RPA driven by
AI/ML to manage the complexity of shifting and increasing volumes of transactions.
Finally, explore and plan for the adoption of emerging technologies that are shifting the “duty to
protect” to the owners of the data or embedding them into a shared network or system.
For relational trust, refine privacy policies to reflect a more transparent and peer-like relationship
between the business and its customers; and then make sure to deliver on the promises those
policies represent. Assure your customers that the AI capabilities that are designed to make their
experiences better are designed and used in an ethical manner.
Companies that keep their promises and operate transparently enjoy more trust as their customers
are more likely to share their positive experiences and spread a good word through social media.
Besides, dealing with customer complaints professionally via social can positively impact
consumers’ trust, too. While some businesses consider it’s safer to keep sanitizing content and
taking negative consumer conversations offline, those who manage to resolve it positively in
public reap even bigger reward in terms of customer trust. No surprise, customers don’t expect
you to be faultless. However, the way you fix things when they go wrong proves what your
business is worth and if they can trust you.
About TechVision
World-class research requires world-class consulting analysts and our team is just that. Gaining
value from research also means having access to research. All TechVision Research licenses are
enterprise licenses; this means everyone that needs access to content can have access to content.
We know major technology initiatives involve many different skill sets across an organization and
limiting content to a few can compromise the effectiveness of the team and the success of the
initiative. Our research leverages our team’s in-depth knowledge as well as their real-world
consulting experience. We combine great analyst skills with real world client experiences to
provide a deep and balanced perspective.
TechVision Consulting builds off our research with specific projects to help organizations better
understand, architect, select, build, and deploy infrastructure technologies. Our well-rounded
experience and strong analytical skills help us separate the “hype” from the reality. This provides
organizations with a deeper understanding of the full scope of vendor capabilities, product life
cycles, and a basis for making more informed decisions. We also support vendors in areas such as
product and strategy reviews and assessments, requirement analysis, target market assessment,
technology trend analysis, go-to-market plan assessment, and gap analysis.
TechVision Updates will provide regular updates on the latest developments with respect to the
issues addressed in this report.