By Cassandra Balentine
As digital communications and interactions continue to gain traction, new considerations for reputation emerge. Digital trust is one such area that organizations must consider.
David Duncan, VP, CA Technologies, comments that digital trust is defined by the company as the confidence placed in an organization to collect, store, and use the digital information of others in a manner that benefits and protects those to whom the information pertains.
CA Technologies recently commissioned a study by Frost & Sullivan exploring digital trust. The report, titled The Global State of Digital Trust, provides an important look into this necessary concept for modern businesses.
The idea of digital trust comes into the spotlight as the European Union’s (EU’s) General Data Protection Regulation (GDPR) is starting to be enforced. The role of GDPR is to provide data protection and privacy for all individuals within the EU and the European Economic Area (EEA). However, its existence sets the precedence for such rights worldwide. Additionally, its reach extends beyond the EU borders and affects any company that handles the information of anyone within its protection in the EU.
GDPR comes from issues around how personal data is used for testing and marketing, as well a person’s ability to opt-out of a company’s database.
Duncan states that the government plays a large role in managing digital trust. “When the GDPR officially became law this year, it immediately impacted every organization that markets to consumers in any member country. But these new guidelines did more than just set a new standard for consumer rights regarding their data. They also created a new opportunity for advertisers to form and develop more transparent relationships with consumers.”
In addition to emerging regulations, technology trends like the Internet of Things, blockchain, and artificial intelligence (AI) play a role in how businesses think about digital trust.
“The volume, variety and velocity of cyber attacks, malware, and potential exploits grows exponentially each year. And yet the overwhelming majority of data breaches result from a human making a mistake—clicking on something they shouldn’t—to deliver malware into an organization, that is being distributed from an IP with low provenance, authority, small numbers of users and low popularity,” shares Duncan. He says understand the pattern, and you can understand how to prevent a large percentage of attacks. User security training, awareness, gamification, and access control technologies can go a long way towards digital trust.
He points out that as solutions have to get smarter. “It’s no longer a static rule-based detection world for malware. The security teams and daily firewall updates and AV updates can’t keep up. Most successful cyber-attacks operate inside of the security threat updating cycle. They still the data before the vulnerability can be fixed.”
He also explains that AI can go a long way in joining the disparate data elements—e.g. low popularity IP, that is associated and liked to a known bad IP address, delivering an executable that has low known usage—and quickly stopping the malware delivery cycle in its tracks.
“We have to move from reactive to predictive. AI can go a long way to solving that. In terms of blockchain, it could be very interesting as a way to federate or share successful user authentication information, but it has significant problems from a privacy perspective—you can’t delete records from the chain. So for now, let’s say the jury is still out on blockchain. I am a big fan in terms of how it can be used in a distributed and federated identity system across different organizations, but will require some abstraction of user information—e.g. tokenization—from the chain itself to ensure users can still delete their identity information,” says Duncan.
Measuring Digital Trust
Determining your level of digital trust is part of the challenge.
The first way to measure digital trust is to determine if your organization has had a publicly disclosed data breach. Duncan points out that you have had a breach, you should do a structured survey of your customer base because half of the customers surveyed in the Global State of Online Digital Trust study stopped using the services of an organization that had a publicly disclosed data breach. Use the survey findings to understand if the damage is long-lasting or repairable. Take the steps needed to reinstall confidence in your customers—publish audit results, streamline your privacy notifications, apologize but clearly show you will correct your mistakes.
The second way to measure digital trust is to understand if your business monetizes customer PII. If so, do you clearly and simply disclose this information to your users? In many cases the development teams and cybersecurity professionals may not be as aware that this is happening as your business executives are. “This was a key data point found out in our Global State of Online Digital Trust study—49 percent of surveyed business executives admitted that they sold or licenses PII to other organizations. But only 19 percent of surveyed cybersecurity professionals were aware this is happening.”
The third way for developers to determine the level of digital trust in their applications is to ask two important questions. Duncan says, first, find out how much open source is included in applications and whether or not those open source components were scanned to determine if they include known high severity/easily exploitable vulnerabilities. Second, for proprietary code, do you do both static and dynamic testing of the code for common vulnerabilities and exploits? Do you check run time behavior—e.g. dynamic—and any packaged third-party components need to run the application included in your containers?
There are several steps to take to help improve and maintain digital trust, including being clear and transparent with your users, auditing IT and development infrastructure, modernizing your approach to identity and access management, and implementing top-notch authentication in your applications. Duncan elaborates below.
One of the most important steps towards digital trust is to be clear and transparent with users. Duncan says building trust needs to begin with open and honest communication between your organization and its users. Users deserve to know exactly what kind of data organizations are collecting and how it will be used.
Organizations need to proactively share that information and give users the opportunity to opt out of sharing sensitive information. Organizations also need to be clear about how they are using this information—who will be able to see it—whether for internal analysis or sales to third-parties. There is a big difference between anonymized analysis of data en masse and targeted profiling based on individual activity, so organizations should distinguish their approach to using that data. In the digital economy, data is the new currency, so consumers have a right to know what they’re getting in return for providing an organization access to their personal information.
Organizations should also consistently audit IT and development infrastructure and security practices, and implement controls over internal user privileged access rights. “Users deserve to have their data protected not only from poor intentional use like selling the data, but also from malicious actors seeking to steal the data for their own nefarious purposes, as well as accidental loss of data caused by an organization’s weak security practices. Once an organization assumes the role of data steward, protecting user data in their systems becomes a continuing duty,” says Duncan.
First and foremost it is important to understand where data is being stored and how it can be accessed. Duncan says the information sprawl created by the growth of digital transformation and the cloud has made it easy to lose track of all the endpoints and servers where data can end up. Once organizations have a good handle on what assets are under their control, they need to make sure they are well protected.
IT teams should conduct an audit to ensure systems are patched on a regular basis that applications are closed against major vulnerabilities, and that cloud systems are configured to secure settings. They also need to ensure the concept of least privilege and implement technologies like privileged access management that limit how, when, and where internal users can access user data and the servers and systems on which that data resides.
Another step is modernizing your approach to identity and access management. Duncan notes that the industry standard approach to authenticating users is based on user names and passwords. And yet, when this authentication methodology was first implemented in the late 1970s and early 1980s, it was based on the premise that users authenticated to only one system, or a small set of applications each day. Contrast that with today’s world, and it is easy to understand the problems surrounding the ease of use and recall of traditional usernames and passwords.
Duncan points out that The Global State of Digital Trust survey research shows that consumers have a strong preference towards alternative approaches, such as biometrics, voiceprint recognition, and behavioral-based techniques. While 85 percent use username and password for authentication on devices today, 56 percent prefer to use of alternative authentication technologies. Consider simpler and more secure forms of authenticating users and corroborating their identities than perpetuating the old username and password model.
Finally, consider implementing a zero trust model that does continuous authentication in your apps. Duncan points out that modern identity and access management (IAM) technologies—such as CA Digital Risk Insights —use continuous user assessment and risk analysis techniques that look at behaviors of the user, to determine if the user identity has been compromised. Additionally, Modern IAM solutions federate successful authentication and login information across apps and web services by using industry standards like SAML and OpenID Connect. They reduce the storing of PII and instead store data about the analytics and the behaviors of the user to best determine if the user requesting access is in fact the genuine user. They provide tight controls and data security practices like encryption, auditing, and the enforcement of least privilege access control to systems, applications, and databases involved with or storing user authentication information.
There are a few challenges that developers/ISVs face in terms of managing trust. Duncan explains three.
He says the first is given the large inclusion of open source in most development projects, development teams needed a comprehensive security assessment and testing program to ensure they aren’t putting out applications that have the latest high severity vulnerability that can be exploited—e.g. Apache Struts. Think of it as security for the software supply chain. And with the use of contract or offshore programmers, how do you ensure that any submitted code from these sources is free of high severity CVEs, or even a malicious rootkit? Evaluating and testing software for open source risk, known security vulnerabilities and poor coding practices is essential.
The second major challenge is that developers need to collaborate, share code, across multiple network environments and use and share different software development tools and source code repositories—and this creates access control issues that can result in a loss of sensitive data or IP. In sharing and collaborating, development teams need to think about if they are posting sensitive information—e.g. data and data tables—associated with their applications for either live production use, and/or for development and testing purposes. How can your team control access to that data so that you are not the latest development team that falls victims to good intent, but lack of security controls—e.g. Uber. “Development is a team sport but sometimes security isn’t. You need to deploy access control tools and technologies that can help you create extensible access control and usage permissions across your source code repositories, data and data tables, and development tools. Yet make it friendly enough that it doesn’t impede the development process,” says Duncan.
The third challenge is that development teams are often pressed by executives to sacrifice security and quality assurance for time to market. “Leaders in the development organization have to impress on other business executives in the organization that putting out an insecure application or web service can and will be an extinction level event for many executives if it results in a data breach. Likewise the organization may be in violation of their terms and conditions with their cybersecurity insurance policy. An extra week or two to thoroughly test and verify all code and relied components is well worth it in the long run. Our Global State of Online Digital Trust showed clearly this fact—59 percent of surveyed business executives stated that a publicly disclosed data breach had a significant to moderate long-term impact to business results and consumer trust.”
Third Party Relationships
Developers and ISVs must consider third-party relationships and their effect on digital trust.
“You need to look at third party relationships just like a supply chain. How to any third parties involved in managing your development environments, providing cloud hosting, or assisting in the development process show that they can be trusted? Do they have regular audits for compliance? Do they have a security team and both policies and the technology to look for cyber exposures. How do they control access within their own organizations to your applications and data? Remember, that flaws or weaknesses in the security defensive strategies of your related third parties that result in a data breach, will still land back at your feet. Ultimately, your organization will be held responsible. California SB 1386 was the very first regulation that enforced that rule, and many other regulations since then continue to enforce the notion that it is your application, your customer data, and you are responsible for it—no matter whom is running it or accessing it,” comments Duncan.
Digital Trust Considerations
An organization’s digital trust is increasingly essential to its reputation.
The results of the Global State of Online Digital Trust study show that if consumers trust an organization, it will be rewarded. “Surveyed consumers that have high digital trust spend more and transact more online. Consumers that reported high digital trust scores spent on average 53 percent more online. Key factors impacting their assessment of digital trust included the lack of a disclosed data breach, brand reputation, well displayed use of browser certificates, clear security/privacy notices/information, and recommendations from friends and trusted affiliate organizations,” says Duncan.
Ultimately, organizations must be aware of their digital trust in order to maintain a favorable reputation.
Sep2018, Software Magazine