There Are Systems ‘Guarding’ Your Data in Cyberspace – but Who Is Guarding the Guards?


We use internet-connected devices to access our bank accounts, keep our transportation systems running, communicate with coworkers, listen to music, perform commercially sensitive tasks, and order pizza.

Every day, digital security is a part of our lives.
And, as our IT systems become more complex, the possibility of vulnerabilities grows.
Organizations are increasingly being breached, resulting in financial loss, disrupted supply chains, and identity fraud.

A “zero trust” approach is the current best practice in secure technology architecture used by major businesses and organisations.

In other words, no person or system can be trusted, and all interactions must be verified by a central entity.

Unfortunately, complete faith is then placed in the verification system.
By breaching this system, an attacker gains access to the kingdom.
To address this problem, “decentralisation” is a new paradigm that eliminates any single point of failure.

Our research looks into and develops the algorithms needed to set up an efficient decentralised verification system.

We hope that our efforts will aid in the protection of digital identities and the security of the verification processes on which so many of us rely.

Never trust without first verifying.
Verification is implemented at every possible step in a zero trust system.

Every user is verified, as is every action they take, before that action is carried out.

Moving toward this approach is regarded as so critical that US President Joe Biden issued an executive order last year requiring all US federal government organisations to implement a zero trust architecture.

Many commercial enterprises are following suit.

In a zero trust environment, however, absolute trust is placed (contrary to popular belief) in the validation and verification system, which is typically an Identity and Access Management (IAM) system.

This creates a single trusted entity that, if compromised, provides unrestricted access to the entire organization’s systems.

An attacker can use a user’s stolen credentials (such as a username and password) to impersonate that user and do anything that user is authorised to do, such as opening doors, authorising specific payments, or copying sensitive data.

However, if an attacker gains complete access to the IAM system, they can do whatever the system is capable of.
For example, they may delegate authority over the entire payroll.

Okta, an identity management company, was hacked in January.
Okta is a single-sign-on service that allows employees of a company to use a single password for all of the company’s systems (as large companies often use multiple systems, with each requiring different login credentials).

Following Okta’s hack, large corporations that used its services had their accounts compromised, giving hackers access to their systems.
As long as IAM systems are a central point of authority within organisations, they will remain a tempting target for attackers.

Trust decentralisation
In our most recent work, we refined and validated algorithms that can be used to build a decentralised verification system, making hacking much more difficult.

TIDE, an industry collaborator, has created a prototype system based on the validated algorithms.

When a user creates an account on an IAM system, they select a password, which the system encrypts and stores for later use.
However, even in encrypted form, stored passwords are appealing targets.

Furthermore, while multi-factor authentication is useful for confirming a user’s identity, it can be defeated.

If passwords could be validated without being stored in this manner, attackers would no longer have a clear target.
Decentralisation comes into play here.
Instead of putting trust in a single central entity, decentralisation puts trust in the network as a whole, which can exist independently of the IAM system.

The mathematical structure of the algorithms that underpin decentralised authority ensures that no single node can act independently.

Furthermore, each node on the network can be operated by a separate entity, such as a bank, telecommunications company, or government department.

So stealing a single secret would necessitate hacking several separate nodes.
Even if an IAM system breach occurred, the attacker would only gain access to some user data and not the entire system.

To gain control of the entire organisation, they would have to breach a combination of 14 independently operating nodes.
This isn’t impossible, but it’s a lot more difficult.

Beautiful mathematics and verified algorithms, however, are insufficient to create a usable system.

There is still work to be done before we can move from the concept of decentralised authority to a functioning network that will keep our accounts safe.
