Coming Full-circle: Zero-Knowledge End-to-End Encryption for Zero Trust

Zero-knowledge with end-to-end encryption: Filling the ZTA gap.

Last Updated: January 20, 2023

With zero trust architectures now a global initiative, organizations must consider how zero-knowledge solutions reinforce their cloud service provider-level strategies, says Szilveszter Szebeni, CISO at Tresorit.

With digital transformation moving mission-critical business operations to the cloud, organizations increasingly strive to implement zero-trust architectures. Over the last five to ten years, vendor marketing materials have led security professionals to have zero trust in zero-trust architectures. No “silver bullet” technology exists to provide a plug-and-play zero-trust architecture. Instead, companies must implement defense-in-depth strategies that address identity and access, device, network, application, and data security risks.

When building their zero-trust enabling technology stack, organizations must consider the role that their cloud service providers (CSPs) play and the potential risks that they pose.

It’s a Matter of Trust

Using cloud services is a business imperative. Remote and hybrid work models are now the norm, and organizations need to enable workforce collaboration using cloud technologies. As a result, organizations are increasingly aware of the shared responsibility model: their CSPs are responsible for the security of the cloud, but they themselves remain responsible for security within the cloud.

In response, organizations engage in robust due diligence to gain insight into their CSPs’ security posture. Even after they choose to engage with a CSP, they continuously monitor their provider’s security controls. They implement a “verify first, then trust” approach to vendors.

However, CSPs and cloud-based vendors still require a certain level of implicit trust. While they encrypt data at rest and in transit, they also hold the encryption keys, so the provider, anyone who compromises it, and anyone who can compel it can decrypt the data. Some transmit or store files, encryption keys, or passwords in unencrypted or unhashed form. Traditional at-rest encryption, for example, runs on the provider’s servers, which is only possible if the provider holds the decryption keys.

Using Zero-Knowledge Vendors

Most conversations about zero-knowledge focus on password management tools. However, zero-knowledge is a tool-agnostic approach: the service provider never holds plaintext files, the keys that decrypt them, or user passwords on its servers. It stores only ciphertext it cannot read.

Zero-knowledge solutions keep all the key material needed for encryption and decryption on the client side. For example, a zero-knowledge solution would:

  • Encrypt files and their metadata (names, folder structure) on the customer’s devices, before anything is uploaded
  • Protect the per-file keys with keys generated or derived by the client-side application, so the provider never receives a key it could use
  • Use a Public Key Infrastructure (PKI) to authenticate users and their devices and to hand keys only to authorized recipients
  • Apply a Message Authentication Code (MAC), or authenticated encryption, to each file and its metadata so that any modification by the provider or an attacker is detected before the data is used

Zero-knowledge removes the implicit trust placed in the vendor to keep plaintext and keys safe. What remains is trust in the client software the vendor ships, which is why independent audits and open-source clients matter. With that narrowed trust boundary, organizations can implement holistic strategies that include users and technology vendors, ultimately “closing the zero” in zero-trust architectures.


A Zero-Trust Venn Diagram: Access, End-to-end encryption, and Zero-knowledge

To implement holistic zero-trust architectures, organizations must close as many security gaps as possible. Despite what vendor marketing teams suggest, companies need cybersecurity solutions with overlapping and integrated capabilities across the zero-trust pillars. 

Data Access: Protect the user layer

Identity and access are foundational pillars for any zero-trust strategy. Organizations need solutions that limit access according to the principle of least privilege, ensuring that only the right user gains access to the right resource at the right time. 

Any solution that a company integrates into its business technology stack should enable robust access management capabilities, including monitoring user access to resources, removing access, and documenting activities. 

Access management controls should also extend to external third parties. From customers to contractors, organizations share information with users outside their corporate boundaries. The “share with a link” functionality that enables remote collaboration often leads to privacy violations and data loss: when the link alone grants access, anyone who receives a forwarded or leaked link can open the file, and the organization has no record of who did so.

End-to-end encryption technologies: Protect the data layer

When organizations implement encryption, they incorporate an additional layer of security at the data level. However, they must look for technologies that provide true end-to-end encryption (E2EE).

Generally, cloud-service providers encrypt:

  • Data-at-rest: on their servers, with keys the provider holds
  • Data-in-transit: the channel itself (TLS), which protects the data only between the user and the provider

E2EE encrypts the data:

  • At the time of its creation
  • On the user’s device, with keys that only the user and the intended recipients hold

Because the data is encrypted before it leaves the user’s device, the provider only ever handles ciphertext, and an E2EE solution protects the data even when someone shares it outside the organization.

Zero-Knowledge: Protect the vendor layer

With zero-knowledge solutions, organizations add a layer of protection that sits beyond the layers addressed in most zero-trust guidelines.

A zero-knowledge solution means that organizations limit the risks that arise when vendors:

  • Store passwords
  • Store encryption keys
  • Can read the data stored on their servers
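The following Python is an added example written for this page; it is not code from the article, from Tresorit, or from any other vendor. It sketches the mechanics described in the “Using Zero-Knowledge Vendors” list and in the E2EE and zero-knowledge subsections above: files and their metadata are encrypted on the client, each file gets a random key that is wrapped under a key derived on the device, and a MAC over the whole uploaded envelope lets the client detect any change the provider makes. Assumptions: the user key is derived from a passphrase with PBKDF2 (a product would typically wrap file keys to PKI-managed user or device keys instead; the per-file key wrapping is where that would plug in), the stream cipher is HMAC-SHA256 in counter mode used only to keep the example dependency-free (use a vetted AEAD such as AES-GCM or XChaCha20-Poly1305 in real code), and the sample file is constructed.

```python
"""Zero-knowledge (client-side) file encryption, standard library only.

Added example, not Tresorit's or any vendor's code. Everything here runs on
the user's device; the server only ever stores the envelope it is handed and
holds no key that opens it.
"""
from __future__ import annotations

import hashlib
import hmac
import json
import os
import struct

PBKDF2_ITERS = 100_000  # raise for production (OWASP suggests 600,000 for PBKDF2-HMAC-SHA256)


def derive_user_keys(passphrase: bytes, salt: bytes) -> tuple[bytes, bytes]:
    """Derive a key-wrapping key and a MAC key from the user's passphrase.

    The passphrase never leaves the device, so the provider cannot rebuild
    these keys even though it stores the salt next to the ciphertext.
    """
    master = hashlib.pbkdf2_hmac("sha256", passphrase, salt, PBKDF2_ITERS, dklen=32)
    wrap_key = hmac.new(master, b"file-key-wrap", hashlib.sha256).digest()
    mac_key = hmac.new(master, b"envelope-mac", hashlib.sha256).digest()
    return wrap_key, mac_key


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream.

    Stand-in for a real AEAD: HMAC is a PRF, and PRF-in-CTR is a valid stream
    cipher, but a vetted AES-GCM / XChaCha20-Poly1305 should be used in practice.
    """
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def encrypt_file(passphrase: bytes, name: str, content: bytes) -> dict:
    """Build the envelope the client uploads: no plaintext, no usable keys."""
    salt, wrap_nonce, file_nonce = os.urandom(16), os.urandom(16), os.urandom(16)
    wrap_key, mac_key = derive_user_keys(passphrase, salt)
    # Fresh random key per file, wrapped under the user's key. Sharing a file
    # means re-wrapping these 32 bytes for the recipient, not re-encrypting it.
    file_key = os.urandom(32)
    wrapped_key = _xor_stream(wrap_key, wrap_nonce, file_key)
    # Metadata (name, size) is encrypted too; the server should learn neither.
    header = json.dumps({"name": name, "size": len(content)}).encode()
    ciphertext = _xor_stream(file_key, file_nonce, header + b"\x00" + content)
    # Encrypt-then-MAC over every field the server holds, so it can neither
    # alter the ciphertext nor swap salts, nonces or wrapped keys between files.
    body = salt + wrap_nonce + file_nonce + wrapped_key + ciphertext
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return {
        "salt": salt.hex(),
        "wrap_nonce": wrap_nonce.hex(),
        "file_nonce": file_nonce.hex(),
        "wrapped_key": wrapped_key.hex(),
        "ciphertext": ciphertext.hex(),
        "tag": tag.hex(),
    }


def decrypt_file(passphrase: bytes, env: dict) -> tuple[str, bytes]:
    """Verify the envelope and recover (name, content); raise if it was tampered with."""
    f = {k: bytes.fromhex(env[k]) for k in
         ("salt", "wrap_nonce", "file_nonce", "wrapped_key", "ciphertext", "tag")}
    wrap_key, mac_key = derive_user_keys(passphrase, f["salt"])
    body = f["salt"] + f["wrap_nonce"] + f["file_nonce"] + f["wrapped_key"] + f["ciphertext"]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    # Constant-time comparison, and verify BEFORE touching the ciphertext.
    if not hmac.compare_digest(expected, f["tag"]):
        raise ValueError("envelope rejected: bad MAC (tampered, or wrong passphrase)")
    file_key = _xor_stream(wrap_key, f["wrap_nonce"], f["wrapped_key"])
    plaintext = _xor_stream(file_key, f["file_nonce"], f["ciphertext"])
    header, content = plaintext.split(b"\x00", 1)
    return json.loads(header)["name"], content


def tamper(env: dict, field: str = "ciphertext") -> dict:
    """Simulate a compromised or malicious provider flipping one bit of a stored field."""
    raw = bytearray(bytes.fromhex(env[field]))
    raw[-1] ^= 0x01
    return {**env, field: raw.hex()}


if __name__ == "__main__":
    pw = b"correct horse battery staple"
    env = encrypt_file(pw, "q3-forecast.xlsx", b"revenue,1234567")  # constructed sample file
    print("server stores:", {k: v[:16] + "..." for k, v in env.items()})
    print("client reads :", decrypt_file(pw, env))
    for bad in (tamper(env), tamper(env, "wrapped_key")):
        try:
            decrypt_file(pw, bad)
        except ValueError as err:
            print("rejected     :", err)
```

What the server stores is six opaque hex fields; without the passphrase it can neither read the file name nor the content, and flipping a single bit in any field (including the wrapped key it holds) makes the client reject the envelope. The one thing this does not remove is trust in the client code itself, which is why the previous section’s point about auditing the client matters.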

Privacy and Security with Zero-Knowledge E2EE

Zero-trust architectures require companies to take a multi-faceted approach to security and privacy. At the security level, they need defense-in-depth strategies across various layers of risk. At the privacy level, they must protect data from unauthorized access across internal and external users.

However, they also need to consider their ability to control sensitive data, including their own. Organizations often feel forced into trusting that their contracts with vendors will protect customer data and security data, like encryption keys and passwords. Unfortunately, this layer of implicit trust placed in vendors is exactly what makes supply chain attacks so valuable to threat actors: compromising one vendor that holds keys yields every customer’s data.

As companies build out their zero-trust strategies, they should implement tools that provide capabilities – or augment current tools’ capabilities – for a comprehensive approach to data protection. 

Why do you think organizations should consider zero-knowledge solutions? Let us know on Facebook, Twitter, and LinkedIn.


Szilveszter Szebeni
As a Chief Data and Compliance Officer, Szilveszter is responsible for the seamless operation of Tresorit’s information management and compliance. With his experience in Business Intelligence and Data Analytics, Szilveszter supports all departments, by continually updating and improving decision making tools. Szilveszter holds an MSc degree in Computer Science from the Budapest University of Technology and Economics (BUTE).