The Goldilocks principle for zero trust fraud prevention
According to Wikipedia, “zero trust is an information security framework which states that organizations should not trust any entity inside or outside of their perimeter at any time.”
In the Identity and Access Management (IAM) world, zero trust is all the buzz. If you are in enterprise security, you are being bombarded with the phrase at conferences and from marketing materials. It’s inescapable. Having recently received just such a bombardment at one of the larger IAM conferences, I was curious at how well zero trust applies to fraud prevention.
Although the zero trust framework is gaining momentum in the enterprise, its basic concepts have been the mainstay of fraud prevention in industries like insurance, finance and retail for a very long time. At its core, zero trust identifies the level of risk based on a combination of the origin device, the destination system and the action being performed.
What fraud prevention seems to miss is the holistic view taken by the zero trust framework in which every interaction is evaluated for risk. For example, many e-commerce sites require a customer to log in to complete a transaction rather than the zero trust approach of determining the amount of risk displayed by that transaction and then deciding if there needs to be stepped up authentication (logging in).
The zero trust framework says that every action is evaluated in the same fashion with the same systems: collect data points about the requester and the request, run the data points against a rules engine, and require authentication that provides the correct amount of friction to protect the system without placing undue stress on the user experience. This probably sounds quite the opposite to the common assumption that with zero trust walls are put up at the risk of the user experience, impacting both revenue and productivity. When done right, zero trust security can minimize both risk and friction.
What I’m talking about is what I’ll call the zero trust Goldilocks principle of not having too much or too little friction. Let’s use the aforementioned shopping cart checkout as an example. Rather than blanketly requiring a consumer log in for checkout, evaluate the risk of the transaction. Are these common items ordered? Is this a device usually seen to make purchases? Has the delivery address previously had items delivered to it? Has this credit card previously been used to make purchases on the site? If all of these are true, you may not need to add the friction of requiring the user to log in to complete the transaction.
Once risk management is applied equally across the entire user experience, the possibilities are endless for determining and providing the right friction at the right time. Giving just the right amount of friction can provide both consumers and businesses the correct amount of assurance that they are connecting with or doing business with a legitimate entity while not providing unnecessary barriers.
After all, that’s what we’re all really trying to do anyway. Now it has a name in fraud prevention too: zero trust.