By Nathaniel Nelson (Guest)
The Problem of Trust in Information Security
Trust may be the single most dangerous word in information security.
It has been in the room during just about every data breach in history. It is there when a secretary opens an email attachment, or a link, because it came from a friend or colleague, or when a company subscribes to a service that guarantees security. Trust was what Target had for Fazio Mechanical Services, what Nortel had for Huawei, and what the NSA had in Edward Snowden.
Perhaps more than anyone, RSA Security was in the business of trust. They had a sterling reputation in the cybersecurity community, which they used to sell their premier product: the “SecurID” authentication token, a trust-generating machine.
It was quite a simple thing: a little key fob device with a screen that displayed six-digit codes. The codes were pseudo-randomly generated, every sixty seconds, to provide two-factor authentication for users. Essentially, with SecurID, organizations could assume that only the right people were accessing their sensitive systems. For years, this was a correct assumption.
Then, in March 2011, an employee at RSA Security noticed strange activity happening over his company’s network.
It wasn’t surprising that hackers had targeted RSA – the company’s client list included some of the largest organizations in the world. Entities within the U.S. government used SecurID, as did their military contractors, and Walmart, and everyone else, too. RSA was the key into all these organizations. Literally, they had everyone’s keys: like one big, great doorman to the richest tenants in cyberspace.
The problem, in retrospect, is that all those keys were kept in a single lockbox. More specifically, a server: a single, highly guarded server nicknamed “the seed warehouse” because it held all the seed values (keys) associated with every SecurID token in the world.
From Wired Magazine:
If someone could steal the seed values stored in that warehouse, they could potentially clone those SecurID tokens and silently break the two-factor authentication they offered, allowing hackers to instantly bypass that security system anywhere in the world, accessing anything from bank accounts to national security secrets.
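To make the seed's role concrete, here is an added illustration (not code from the article or from RSA). The article does not describe SecurID's actual algorithm, so this sketch substitutes the public RFC 4226/6238 HMAC construction with the article's sixty-second, six-digit parameters; `SeedStore`, the serial number and the seeds are hypothetical, constructed values. It shows that the server can only check knowledge of the seed, and that re-seeding a token is what invalidates a copied seed.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the article: a new code every sixty seconds
DIGITS = 6          # the article: six-digit codes


def token_code(seed: bytes, unix_time: int) -> str:
    """RFC 6238-style code: HMAC of the time-step counter, truncated."""
    counter = unix_time // STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class SeedStore:
    """Hypothetical server-side seed database (the 'seed warehouse' role)."""

    def __init__(self):
        self._seeds = {}

    def enroll(self, serial: str, seed: bytes) -> None:
        self._seeds[serial] = seed

    def verify(self, serial: str, code: str, unix_time: int) -> bool:
        seed = self._seeds.get(serial)
        if seed is None:
            return False
        # Accept the current and previous step to tolerate clock drift.
        return any(
            hmac.compare_digest(token_code(seed, unix_time - d * STEP_SECONDS), code)
            for d in (0, 1)
        )


def demo():
    now = 1_300_000_000                                  # constructed timestamp
    old_seed, new_seed = b"constructed-seed-A", b"constructed-seed-B"
    store = SeedStore()
    store.enroll("token-001", old_seed)
    # The verifier cannot tell a copy of the seed from the physical token.
    copied = token_code(old_seed, now)
    before = store.verify("token-001", copied, now)
    # Re-seeding the token is what invalidates every copy of the old seed.
    store.enroll("token-001", new_seed)
    after_copy = store.verify("token-001", copied, now)
    after_real = store.verify("token-001", token_code(new_seed, now), now)
    return before, after_copy, after_real
```
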
The exact details of what got stolen and who got hurt by it are disputed to this day. But, really, none of that is the point here. The reason RSA’s breach is still newsworthy today is not because of what happened back then, but because of how it reflects upon what’s happening today. Because even today we’re still falling into the very same traps.
Take SolarWinds, the target of the most severe data breach of the past decade. SolarWinds, like RSA, was attacked by a nation-state actor. Like RSA, they were targeted not because they themselves were so valuable, but because they were implicitly trusted by so many valuable clients. RSA had keys to everybody’s systems; SolarWinds managed everybody’s networks.
So how do we stop these kinds of attacks? How do we make sure that, in 2031, we’re not telling the same old story all over again?
The Solution to Trust in Information Security
The solution is “zero trust,” a popular, growing philosophy in cybersecurity that seeks to eliminate trust from network environments. It may sound simple, but it’s not. It requires authentication and constant verification of every entity that accesses an organization’s systems. That applies to every RSA, every SolarWinds, but also internal personnel, even down to low-level employees. In zero trust, Colin from Marketing and Mike from Engineering are threats.
Fortunately, you won’t have to stand over Mike’s shoulder while he’s working or follow Colin home to make sure he’s not a spy. There are network segmentation and access management tools to keep the wrong people out of the wrong places. Artificial intelligence algorithms can instantly and efficiently enforce zero trust rules, or catch unpermitted activity over even very large, active networks. And emerging technologies are providing even more novel paths to zero trust in information security.
Quantropi’s innovative approach to data security is one of these new technologies. Powered by quantum mechanics expressed as linear algebra, Quantropi delivers the three unique capabilities every complete cryptographic solution should have — Trust, Uncertainty, and Entropy (we call it TrUE Quantum Secure Solutions). Trust between any two parties is established through our implementation of Quantum-secure asymmetric encryption … Uncertainty provided by our Quantum Entropy Expansion and Propagation (QEEP™) symmetric encryption technology so that no matter what, an attacker can never access your data … and Entropy, strong keys and strong random numbers that unlock and enable secure communications and data.