There Are Systems ‘Guarding’ Your Data in Cyberspace – but Who Is Guarding the Guards?


We use internet-connected devices to access our bank accounts, keep our transportation systems running, communicate with coworkers, listen to music, perform commercially sensitive tasks, and order pizza.

Every day, digital security is a part of our lives.
And, as our IT systems become more complex, the possibility of vulnerabilities grows.
Organizations are increasingly being breached, resulting in financial loss, disrupted supply chains, and identity fraud.

A “zero trust” approach is the current best practice in secure technology architecture used by major businesses and organisations.

In other words, no person or system can be trusted, and all interactions must be verified by a central entity.

Unfortunately, complete faith is then placed in the verification system.
By breaching this system, an attacker gains the keys to the kingdom.
“Decentralisation” is a new paradigm that addresses this problem by eliminating any single point of failure.

Our research looks into and develops the algorithms needed to set up an efficient decentralised verification system.

We hope that our efforts will aid in the protection of digital identities and the security of the verification processes on which so many of us rely.

Never trust without first verifying.
Verification is implemented at every possible step in a zero trust system.

Every user is verified, as is every action they take, before it is carried out.

Moving toward this approach is regarded as so critical that US President Joe Biden issued an executive order last year requiring all US federal government organisations to implement a zero trust architecture.

Many commercial enterprises are following suit.

In a zero trust environment, however, absolute trust is placed (contrary to popular belief) in the validation and verification system, which is typically an Identity and Access Management (IAM) system.

This creates a single trusted entity that, if compromised, provides unrestricted access to the entire organization’s systems.

An attacker can use a stolen user’s credentials (such as a username and password) to impersonate that user and do anything they’re authorised to do, such as opening doors, authorising specific payments, or copying sensitive data.

However, if an attacker gains complete access to the IAM system, they can do whatever the system is capable of.
For example, they may delegate authority over the entire payroll.

Okta, an identity management company, was hacked in January.
Okta is a single-sign-on service that allows employees of a company to use a single password for all of the company’s systems (as large companies often use multiple systems, with each requiring different login credentials).

Following Okta’s hack, large corporations that used its services had their accounts compromised, giving hackers access to their systems.
As long as IAM systems are a central point of authority within organisations, they will remain a tempting target for attackers.

Trust decentralisation
In our most recent work, we refined and validated algorithms that can be used to build a decentralised verification system, making hacking much more difficult.

TIDE, an industry collaborator, has created a prototype system based on the validated algorithms.

When a user creates an account on an IAM system, they select a password, which the system encrypts and stores for later use.
However, even in encrypted form, stored passwords are appealing targets.

Furthermore, while multi-factor authentication is useful for confirming a user’s identity, it can be defeated.

If passwords could be validated without being stored in this manner, attackers would no longer have a clear target.
Decentralisation comes into play here.
Instead of putting trust in a single central entity, decentralisation puts trust in the network as a whole, which can exist independently of the IAM system.

The mathematical structure of the algorithms that underpin decentralised authority ensures that no single node can act independently.

Furthermore, each node on the network can be operated by a separate entity, such as a bank, telecommunications company, or government department.

So stealing a single secret would necessitate hacking several separate nodes.
Even if an IAM system breach occurred, the attacker would only gain access to some user data and not the entire system.

To gain control of the entire organisation, they would have to breach a combination of 14 independently operating nodes.
This isn’t impossible, but it’s a lot more difficult.
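The threshold property described above can be seen in a small added example, which is not the researchers' or TIDE's code. It uses Shamir secret sharing as a standard stand-in because the article does not name its algorithms; the 20-node network size and the prime field are assumptions, while the threshold of 14 is the article's figure.

```python
import secrets

# Assumed parameters: the article gives only the threshold (14). The network
# size, the field and the use of Shamir sharing are illustrative choices.
PRIME = 2**127 - 1      # Mersenne prime defining the finite field
THRESHOLD = 14          # nodes that must cooperate (figure from the article)
NODES = 20              # hypothetical network size

def split_secret(secret, threshold=THRESHOLD, nodes=NODES):
    """Return {node_id: share}; any `threshold` shares rebuild the secret."""
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = {}
    for x in range(1, nodes + 1):
        y = 0
        for c in reversed(coeffs):          # Horner evaluation mod PRIME
            y = (y * x + c) % PRIME
        shares[x] = y
    return shares

def combine(shares):
    """Lagrange interpolation at x = 0 over the supplied {node_id: share}."""
    total = 0
    for xi, yi in shares.items():
        num, den = 1, 1
        for xj in shares:
            if xj != xi:
                num = (num * -xj) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total

def subset(shares, count):
    """Shares held by a random coalition of `count` nodes."""
    ids = secrets.SystemRandom().sample(sorted(shares), count)
    return {i: shares[i] for i in ids}

def demo():
    """(14 nodes recover the secret?, 13 nodes recover the secret?)"""
    secret = secrets.randbelow(PRIME)
    shares = split_secret(secret)
    enough = combine(subset(shares, THRESHOLD)) == secret
    too_few = combine(subset(shares, THRESHOLD - 1)) == secret
    return enough, too_few

if __name__ == "__main__":
    print(demo())
```

Reassembling the secret in one place is done here only to show the threshold; a deployed threshold system would have nodes compute on their shares so the secret never exists on any single machine.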

Beautiful mathematics and verified algorithms, however, are insufficient to create a usable system.

There is still work to be done before we can move from the concept of decentralised authority to a functioning network that will keep our accounts safe.
