I'm someone's customer. You're someone's customer. We're all customers. And as customers of all kinds of businesses, we expect each one to carefully protect our personal data.
If you're reading this blog, you may also be the person responsible for managing customer identities for your organization. So you probably have an idea how complicated securing customer identities really is.
You also know the damage that a data breach can do. Customer breaches, in particular, can severely impact a brand, arguably much more than a breach of employee data. Just think about how many headlines of customer breaches you've seen in the last five years. Now, how about employee breaches? I'd wager to say it's way fewer, if any at all.
As you strive to secure customer data, you find that some security measures, while effective, significantly detract from the customer experience. In an increasingly competitive marketplace, that can also negatively impact your brand.
So how do you deliver the experience customers want and the security they demand?
A three-layered approach that addresses authentication, application/API and data can ensure that no security vulnerabilities are left open to attack, while preserving a convenient and seamless customer experience.
1. Authentication Layer
The first and most critical place customers interact with your brand is during authentication. At this important first layer, you need to make the experience both secure and convenient for your customers.
Multi-factor authentication (MFA) is a great way to address security, but it can also affect customer experience if implemented in a one-size-fits-all fashion. Too much MFA causes friction that quickly gets old and irritating for customers.
To deliver the best user experience, you can use contextual multi-factor authentication. Contextual MFA allows you to require additional authentication factors only in high-risk situations as defined by you, such as high-value transactions or when a customer tries to login from a new device.
Employing best practices, like centrally enforcing secure password policies and providing single sign-on (SSO) across all of your applications, can further reduce password fatigue and create a more secure, user-friendly customer authentication experience.
2. Application/API Layer
When exposing multiple internal and partner applications to customers, you want to provide a seamless and secure experience. Customers shouldn't know they're accessing multiple applications, but should feel like they're interacting securely with one brand. To minimize security risk, and provide a cohesive experience, you can use centralized session management to ensure that customers' sessions and interactions are protected.
You also want to be certain that your customers don't accidentally remain authenticated to an application that they think they've signed out of. Single logout enables your customer to terminate all server sessions with one logout and prevents unauthorized access until a new login occurs.
3. Data Layer
The third and final layer, the data layer, is another critical place to protect customer data. Among the many best practices, ensuring data is encrypted in every state--at rest, in motion and in use--is vital. This protects against insider attacks, as well as ensuring that any leaked data isn't useful to attackers.
Passive and active alerts are also recommended. These alerts inform you of potential administrator actions that could be malicious in intent. Limiting the number of records that can be pulled by an administrator, maintaining tamper evident logs and protecting against DDoS attacks are additional considerations. Though it may seem far removed from customer experience, the data layer must encompass these security features, while still maintaining high performance and meeting customer SLAs.
Keep Customer Security Layered And Centralized
Securing customer identities is often a high-priority initiative for enterprises. It can also be a daunting and intricate task. There are a number of best practices and considerations for securing customer identities, even more than I've covered here. For example, it's also important that all of the security features discussed are able to be centrally managed by security teams versus application development teams, who are not security experts.
This is where they layered approach not only protects your customer data, but can also makes your job easier. By breaking the challenge into three pieces, you can make sure you've tackled each one thoroughly.