listen to this article:
The idea of security with zero trust is somewhat of an oxymoron. If I can’t trust anything, then it’s impossible to achieve security. However, the fallacy here is in the interpretation of what “zero trust” itself actually means. In the NIST, The Institute of Standards and Technology, Special Publication 800-207 on Zero-Trust Architecture, they present the following definition:
Zero trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.
“Zero Trust” Security Demystified
That is, zero trust is a break away from the (false) belief that we can keep attackers out of our networks, and that security is about indeed keeping them out. Rather, zero trust methods focus on minimizing the damage when networks are breached, preventing a complete failure in such cases. Zero trust solutions are not able to completely prevent damage from happening as that would be impossible to achieve; it does, however, mitigate the harm that an attacker can inflict.
A simple example of a zero-trust method is to encrypt all internal communication between all devices on the network in a single data center. In the past, communication was encrypted only between data centers, but not between devices inside a given data center. In such a case, an attacker who has breached a data center would also be able to capture internal communications, many of which may be extremely sensitive. By encrypting all communication, even between devices in the same data center, an attacker would only have access to data on machines that it can directly access.
The Underlying Premise for Zero Trust Architecture
The basic principle of a zero-trust security architecture is that no one can be fully trusted, and everything must be checked. Thus, internal and external clients must both authenticate themselves, access should be granted for short periods of times and with the least privileges possible to complete the task, all – even internal – communication must be encrypted, behavioral and environmental attributes need to be continually studied to see if a device is behaving anomalously, and so on.
Zero Trust Cryptography
Cryptography is a central building block of security, and the impact of zero trust to cryptography also needs to be considered. All of cryptography relies on secret keys, and if these keys are stolen then all security is lost. An attacker who has stolen a decryption key can stealthily decrypt all data encrypted by that key. Likewise, by stealing a signing key, an attacker can sign on any transaction, authentication token, document and the like that it wishes.
Preventing Key Theft
A concrete example that happened recently at a large scale is the theft of the SAML signing key from an organization’s Windows AD FS server. Once an attacker has this key, they can generate authentication tokens and can impersonate any user or device in the entire network. It is therefore imperative that organizations protect all cryptographic keys. Leaving a value SAML signing key in the clear on a Windows AD FS server or storing the database encryption key on the database server, and so on, are just not acceptable anymore. In a zero-trust setting, we must assume that attackers can breach machines, and we must prevent the theft of cryptographic keys even in such an event. Keys can be protected in hardware security modules (HSMs) or using an MPC-based software key store.
Preventing Key Misuse
However, preventing theft alone is not enough. If an attacker breaches a machine that is allowed to use a cryptographic key (for signing, decryption, or whatever), then they are able to carry out any operation that they like. The zero trust philosophy mandates that we mitigate this capability. Thus, key misuse prevention techniques need to be deployed. This can include policies on key usage, rate limiting, anomaly detection, and more.
How MPC Supports Zero Trust Environments
Modern cryptographic infrastructure needs to be built with a zero-trust frame of mind. Who is using the key? How can we limit misuse? How do we prevent key theft? Secure multiparty computation (MPC) is particularly suited for zero-trust environments.
- Single point of failure: When using MPC, cryptographic keys are split between two or more machines, and are never brought together even while in use. This prevents a single point of failure where an attacker breaches a machine and makes away with a valuable cryptographic key.
- Mitigate key misuse: Multiple devices can be required to approve a cryptographic operation, with each device verifying legitimacy of the operation. One example of where this is particularly important is in code signing, where a single fraudulent signature can be disastrous (more on Code Signing on this white paper). Using this approach, it is possible to prevent a code signing operation to take place without a quorum to approve it. That quorum can verify that the code was scanned and checked, and that code indeed is supposed to be signed and released at this time.
Unbound CORE utilizes MPC together with other key stores to provide comprehensive cryptographic infrastructure that is aligned with modern zero-trust environments.
Click here to read more about Unbound CORE.