TBW ADVISORS LLC

Tag: user experience

  • Whisper Report: How can organizations implement zero-trust security without disrupting user experience?

    Whisper Report: How can organizations implement zero-trust security without disrupting user experience?

    Published to clients: July 23, 2025                               ID: TBW2084

    Published to Readers: July 24, 2025

    Published to Email Whispers: TBD

    Analyst(s): Dr. Doreen Galli

    Photojournalist(s): Dr. Doreen Galli

    ABSTRACT:

    “Organizations can implement zero-trust security without disrupting user experience by prioritizing frictionless authentication, especially biometrics, and enforcing least-privilege access through dynamic policies. Understanding user context and behavior enables informed decisions that preserve continuity. Self-service access tools reduce delays, while streamlined verification processes minimize frustration. With thoughtful planning and clear communication, zero trust can enhance both security and usability, ensuring users access only what they need—when they need it—without unnecessary barriers. This report includes insights from executives and technologists at CyberSolve, Lumos, Imprivata, Simeio, Panani, Keyless, Oasis, Apono, Omada, and Cubeless, quoted throughout the discussion.”

    Target Audience Titles:

    • Chief Information Security Officer, Chief Technology Officer, Chief Digital Officer, Chief Information Officer
    • Chief Product Officer, Chief Experience Officer
    • IAM engineers, Security Architects, DevSecOps Engineers, UX Designers, IT Ops Managers, Application Security Architects

    Key Takeaways

    • Use biometric authentication to streamline access and reduce friction for users.
    • Apply least-privilege policies with dynamic adjustments to maintain secure, appropriate access.
    • Enable self-service access changes to minimize delays and improve user experience.
    • Understand user context and behavior to make informed, non-disruptive security decisions.

    How can organizations implement zero-trust security without disrupting user experience?

    We took the most frequently asked and most urgent technology questions straight to the Technologists gathering at Identiverse 2025 held at Mandalay Bay in Las Vegas. This Whisper Report addresses the question regarding how can organizations implement zero-trust security without disrupting user experience?

    What is the desired user experience?

    At the end of the day, the goal is, as Imprivata’s Diron Chai put it, “authentication and visibility and control to making sure that you know the right people are accessing the data whether remotely or within the organization in terms of their role and their functionality and then be a being able to understand who’s in the system when and why that all ladders up to a zero-trust architecture that we’re able to bring forth in a full architecture.”  Reaching this goal won’t be easy but as Simeio’s Octavio Lopez emphasized, “There’s a lot of communication that needs to happen and that’s something that we help a lot of our customers with.” A lot of communication and planning with the customers’ experience kept in mind. Here are five suggestions attendees at Identiverse offered also depicted in Figure 1.

    Five suggestions when implementing zero trust. 1. go frictionless, 2. understand context 3. understand behavior 4. use self service 5 leverage dynamic policies

    1. Go Frictionless with Bio

    One common suggestions to deploy biometric based identity and access management solution. As Panani’s Jim Harris suggested, “make the authentication of your customer as frictionless as possible a one-time identity verification process establishes that customer in the future they present a simple credential match their biometric information to the information stored in the credential that they own and control making it a very frictionless fast way to authenticate with your customer.” And this is something Alex Jones from Keyless can also agree with! “going to pitch biometrics this is the fastest way to prove who you are effectively implementing zero trust.”

    2. Understand User Context

    Guy Feinberg at Oasis suggests that understanding the user context is the winning approach. He started by simply asking “Are you familiar with the scream test?” For those of you not familiar, one not uncommon method in IT to understand how a resource, in this case an identity, is used by disconnecting or unplugging the resource and see who screams. Feinberg went on to further explain, “when you want to understand what’s this identity is used for so what you do you decommission it and just see who’s at the open space is screaming that something is broke. We do we help you construct all the context around the consumption of that identity so you can see the full picture before you’re taking actions so you’ll have informed actions deciding do we need this type of identity now uh should we change the permission should we decommissioning it completely all without disrupting the workforce and making sure that business continuity stays on and nothing is disrupted aspects of this.”

    3. Understand User behaviour

    Beyond the context of what the user is using, Imprivata’s Diron Chai recommends also understanding the how and the when. “ Being able to inject simple multifactor authentication into the environment at the local level also being able to track the behavior of credentials of people accessing  like Windows endpoints as an example or mobile devices and be able to have the analytics to show utilization of the endpoint but also who what when was accessed within that session.”

    4. Use Self-Service

    To maintain the best user experience, Apono’s Ofir Stein recommends getting the human out of the loop. “you keep the user experience by allowing self-serve in your organization to provide access changes combine these two and you actually provide zero trust to all of the resources.”

    5. Leverage Dynamic Policies

    Omada’s Craig Ramsay highlighted the potential behind dynamic policies. “By using dynamic and continuous policies to make sure that their access is appropriate and it’s always at that level of least privilege and then it’s granted, when they join the organization, and as they move around the organization, and it stays appropriate.” It’s always nice when your privileges keep up with organizational changes – without human intervention or manual configuration.

    In Conclusion

    As Cubeless’ Treb Ryan concluded, “I find zero trust has greatly enhanced our user experiences and greatly made my job easier in the old days where there’s systems where you had to figure out which networks could connect or who would have access to what particular piece it was a nightmare.”

    Finally Lumos’s Janani Nagarajan reminded all, “not just in the networking layer not just in the app layer but a critical layer for us is identities because that’s where the workforce the humans the employees the contractors the vendors your customers are actually interacting with the apps.” Identities is the key to minimizing friction for the users in zero trust. If your organization is implementing a zero trust architecture and want to ensure you are on the right track, remember to book an inquiry. 

    Related playlists & References

    1. Whisper Report: How can organizations implement zero-trust security without disrupting user experience?
    2. Conference Whispers: Identiverse 2025
    3. Conference Whispers: Identiverse
    4. Conference Whispers: Identiverse 2024

    Corporate Headquarters

    2884 Grand Helios Way

    Henderson, NV 89052

    ©2019-2026 TBW Advisors LLC. All rights reserved. TBW, Technical Business Whispers, Fact-based research and Advisory, Conference Whispers, Industry Whispers, Email Whispers, The Answer is always in the Whispers, Whisper Reports, Whisper Studies, Whisper Ranking, Whisper Club, The Answer is always in the Whispers, and One Change a Month, are trademarks or registered trademarks of TBW Advisors LLC. This publication may not be reproduced or distributed in any form without TBW’s prior written permission. It consists of the opinions of TBW’s research organization which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, TBW disclaims all warranties as to the accuracy, completeness or adequacy of such information. TBW does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by the TBW Usage Policy. TBW research is produced independently by its research organization without influence or input from a third party. For further information, see Fact-based research publications on our website for more details.

  • Whisper Report: How can we ensure compliance with new and evolving Cyber Physical security regulations?

    Whisper Report: How can we ensure compliance with new and evolving Cyber Physical security regulations?

    Published to clients: July 10, 2025                                                                          ID: 2075

    Published to Whisper Club: December 19, 2025

    Email Whispers Release:  March 23, 2026

    Public: March 24, 2026

    Analyst(s): Dr. Doreen Galli

    Photojournalist(s): Dr. Doreen Galli

    Abstract:

    Cyber-physical security, like healthcare tech, must carefully manage PII. Experts highlight privacy-preserving biometrics, user-controlled consent, and anonymous face matching. Regulatory compliance, such as GDPR, drives standardization and innovation. As laws vary by region, adaptable and consistent global system architectures are essential for scalable, secure, and compliant operations.

    Target Audience Titles:

    • Chief Technology Officer, Chief Security Officer, Chief Information and Security Officer, Chief Trust Officer, Chief Compliance Officer, Chief Risk Officer
    • Head of Product, VP of Product, Chief Marking Officer, Data Protection Officer,
    • Enterprise Architect, Director of Data Protection, Director of Data Governance, Chief Privacy Officer

    Key Takeaways

    • Privacy-first design: Cyber-physical systems must protect PII using encrypted biometrics, local storage, and user-controlled consent mechanisms.
    • Anonymity matters: Face matching enables identity verification without revealing personal data, preserving user anonymity.
    • Compliance drives innovation: Regulations like GDPR standardize data practices and encourage secure, privacy-focused system development.
    • Global consistency is key: Scalable, compliant operations require adaptable, non-proprietary architectures across diverse regions and regulatory environments.

    How can we ensure compliance with new and evolving Cyber Physical security regulations?

    We took the most frequently asked and most urgent technology questions straight to the cyber physical security experts gathering at ISC West 2025. This Whisper Report addresses the question regarding how can we ensure compliance with new and evolving cyber physical security regulations? We will know explore the four signs you are on the correct path as depicted in Figure 1.

    4 signs you are on the correct path Ensure data privacy, maintain anonymity, meet regulatory compliance and deploy leveraging a globally consistent architecture

    Data Privacy

    One very interesting aspect of the cyber physical security space that reminds of healthcare tech is the handling of PII or personally identifiable information data. As Safr’s John Cassie shared, in the cyber physical space it, “has a lot to do with what we talked about as far as PII and how we manage data.” Or as LVT’s Steve Lindsey observed, “what we call private or data of sovereignty .. from a data security perspective the technology and the architectures of how these systems are built really have to be in place to address that the PII information really comes down to our use of AI.”

    Fortunately, the regulations for privacy include related standards for vendors. As Intel’s RealSense’s Mike Nielsen noted, “I have been very excited about the Privacy preservation of biometric data is really possible now so I can get a template of a human being from their face that can be stored and encrypted it can be handed back to me so in my pocket.”

    Managing user consent is a must to achieve privacy in the cyber physical space. Bioconnect’s Edsel Shreve argued, “in privacy where more and more controls going in the user’s hand to say yes I am allowing you to use my biometric. If I ever want to revoke that consent I need proof that you deleted my data and that it’s no longer being used.” He further explained, “we build in to both a upfront gather consent with an audit trail that says okay the user provided consent we didn’t just check a box and say yeah.” Furthermore, the solution must realize the full lifecycle of permission. Edsel Shreve further explained, “you can just do regular maintenance and go in and say who hasn’t authenticated in 6 months what are we going to do with that data right do we want to delete the template or just alert the person or alert an administrator.”

    Anonymity

    Anonymity has to do with the lack of the ability to identify the person. As LVT’s Steve Lindsey commented, “there’s a difference between facial recognition and face matching right.” Facial recognition includes identification while facial matching allows the face to remain anonymous. A great example was revealed by Intel’s RealSense’s Mike Nielsen.

    “I’ve actually got a version of my this QR code is my face template. From this is 512 bytes it’s a it’s just a simple Vector map that looks at 80 points on my face but it’s mine. This isn’t siting in a database somewhere. This isn’t living on somebody’s server. This is physically in my pocket as a badge. I can then apply that (badge) by walking up to one of our devices – one of our cameras have the scan. It pulls in that QR code, evaluates what that template looks like. Then I look at the camera it pulls the template from my actual face and compares the two. The cool thing about the techniques that is it’s privacy preserving by definition it never leaves the device it can be dissolved immediately and you never have to send a picture or any personally identifiable info anywhere outside of me scanning my badge. Then the device makes sure I can unlock that door.”

    Thus, this example achieves privacy and anonymity.

    Regulatory Compliance

    When it comes to cybersecurity and data governance – there are the things you want to do as an organization based on your public commitments such as your privacy statements. Then, there are requirements which are legal requirements sometimes coming from a location and sometimes defined based on your industry referred to as regulatory compliance. As LVT’s Steve Lindsey put it, “we think about the problem in the context of the of the compliance and Regulatory things that we have to have as we’re designing and building this stuff from the beginning.” Furthermore, since we are dealing with cyber physical security,

    The best part about regulatory compliance according to Intel RealSense’s Mike Nielsen is, “they’re really well defined at least in the case of like GDPR so GDPR has very strange requirements on how to use PII but specifically how to use sensitive PII like biometric information one of the things that we’ve seen help move the industry forward ironically is having the regulation in place allows people to have a Level Playing Field.” That means that vendors will not be penalized for taking the more difficult road by protecting the customer as all must take equal precautions. Gary Chen of EverFocus noted, “to ensure that we have keep our regulations up to date, we need to keep advancing our technology and mostly from our end installers that will be the key .. also keep good connection with your customer.”

    Requirements evolve by location as every product vendor will realize. “One of the things that’s occurring is that whether it’s in Europe or in each state coming up with new requirements for both security of data and compliance.” Edsel Shreve, Bioconnect. When faced with this challenge, it is always best to step back and see how to adjust the architecture to accommodate this capability as a configurable option vs to create a product branch. Today’s regulations in location A become tomorrow’s regulation in location Z. One can then configure at the system level as regulations evolve in different locations.

    Finally, it is important to keep in mind the architecture must accommodate the cyber physical security space. who has “from an access control standpoint is not only managing who has access in and out of the mine but also incorporating some functionality around safety who’s completed what safety classes and if they haven’t completed the proper classes then we have the ability to manage access control based on what needs to happen.” Cyber physical security includes the physical safety of the employees themselves and all that goes into ensuring safety compliance regulations are met – in each location.

    Consistent Architecture

    The complexity of cyber physical security is magnified in organizations the wider the physical disparity across country and continental boundaries. As one might expect, different vendors have different footprints across the globe. For smooth global operations one generally recommends standardized solutions as opposed to propriety solutions. As Safr’s John Cassie explained, “would be nice if I could just capture that from the existing access control system and not have to do some extra procedure so that’s another element that allows us to have sort of this compliance across my entire security platform. As long as I am not using solutions that are pigeonholing me into proprietary solutions.” There may be slightly better solutions in this aspect or that aspect locally available but those frequently ruin the ability to have global clarity. It is critical to maintain a consistent architecture globally unless you want custom roadmap items for each and every change. If you are anywhere in the lifecycle of trying to realize such as solution, be sure to set up an inquiry plan so that an expert who has been there can provide actionable guidance.

    Related playlists

    1. Industry Whispers: Public is Private – Confidential Computing in the Cloud | TBW ADVISORS
    2. Conference Whispers: Black Hat USA 2019
    3. Whisper Report: How can we enhance our cybersecurity measures to protect against emerging Cyber Physical threats? 
    4. How can we ensure compliance with new and emerging cyber physical security regulations?
    5. Conference Whispers: ISC West 2025

    Corporate Headquarters

    2884 Grand Helios Way

    Henderson, NV 89052

    ©2019-2026 TBW Advisors LLC. All rights reserved. TBW, Technical Business Whispers, Fact-based research and Advisory, Conference Whispers, Industry Whispers, Email Whispers, The Answer is always in the Whispers, Whisper Reports, Whisper Studies, Whisper Ranking, Whisper Club, Whispers, The Answer is always in the Whispers, Vegas Convention Library, and One Change a Month, are trademarks or registered trademarks of TBW Advisors LLC. This publication may not be reproduced or distributed in any form without TBW’s prior written permission. It consists of the opinions of TBW’s research organization which should not be construed as statements of fact. While the information contained in this publication has been obtained from sources believed to be reliable, TBW disclaims all warranties as to the accuracy, completeness or adequacy of such information. TBW does not provide legal or investment advice and its research should not be construed or used as such. Your access and use of this publication are governed by the TBW Usage Policy. TBW research is produced independently by its research organization without influence or input from a third party. For further information, see Fact-based research publications on our website for more details.