What effect does trust have in cybersecurity?
To understand, we might consider what happened in late March, 1999, when millions of people received emails from their friends, family and coworkers. In each case, the format was the same.
Title: “Important Message from [Name of Sender].”
Message: “Here is that document you asked for…don’t show anyone else ;-)”
Because the email came from a trusted contact, plenty of people opened the attached document without a second thought. The document carried a macro that mailed the same message to the first fifty entries in the victim's Outlook address book, so every infection manufactured fifty more trusted senders. By the time anyone noticed, it was too late.
Trust was also in the room in May, 2011, when some of the United States’ most decorated defense contractors–Lockheed Martin, Northrop Grumman and L3–noticed something wrong with their computer networks.
The source of the problem was SecurID: a small hardware token, usually a key fob, that displayed a fresh one-time passcode every minute for two-factor authentication. Each token held a secret seed known to the token and to the organization's authentication server (and, as it turned out, to RSA's own records); with the seed and the current time the server can check a code, so organizations could trust that only the person holding the token could reach their most sensitive systems.
Or, at least, they thought they could trust these codes. They thought so because SecurID was developed and sold by a highly reputable vendor, RSA Security, a vendor that could be trusted to have unbreakable security standards. Probably. Two months earlier, in March 2011, RSA had disclosed a breach in which attackers took information related to SecurID; the stolen seed records were what let the contractors' intruders generate valid codes for tokens they had never touched.
Vendors like RSA rely heavily on their reputations. Network management providers, as another example, must be trustworthy enough to be granted persistent, comprehensive access to their clients' IT networks. It's a tall ask because, with such unfettered access, a breach of the provider can propagate into every client's network, whether through the provider's privileged credentials or through a signed software update that clients install without question. Roughly 18,000 organizations around the world learned this lesson in 2020, when a trojanized update to SolarWinds' Orion platform was delivered to them; a much smaller set were then singled out for hands-on intrusion.
What the Melissa virus, the RSA breach and the SolarWinds attacks have in common, what a great many attacks share, is that the victims misplaced their trust: in a friend, a vendor, a piece of software. This corrosive effect of trust in cyberspace is what's inspired a new, growing movement: zero trust.
Zero trust is a security model that removes implicit trust from network design: no user, device or connection is trusted because of where it sits on the network. It starts by making explicit whom an organization trusts (third parties, employees, service accounts) and through what channels (open ports, vendor portals, update mechanisms). It then removes those dependencies, or constrains them so tightly, through per-request authentication, least privilege and segmentation, that a single compromise does little damage.
Buoying this movement are several emerging technologies that make zero trust easier to apply. Need and supply are feeding each other: just as the world is starting to catch onto the need, technologies are being developed to meet it.
The following are just a few examples of emerging technologies either designed for, or customizable to be used in, a zero-trust environment.
1. Artificial Intelligence and Zero Trust
In 2018, a New York Times reporter traveled to Mastercard’s cybersecurity headquarters in Missouri. In only the 24 hours before she arrived, the company had fended off 267,322 potential cyber threats. An average of three per second. It wasn’t an unusually bad day, either. It was only Spring, and the company had already defeated over 20 million threats that year.
Cyberspace is awash with low-grade malware bouncing around, looking for hosts. Only a small fraction of it is aimed deliberately by a human at a specific target. But if you're Mastercard, processing millions of transactions for hundreds of millions of people around the world, that fact is of little comfort. A breach of their systems would be devastating to many people, and because any one of those 20 million threats could be the one, they all need to be stopped.
Of course, no amount of human labor would be enough to track and analyze all of these threats. That’s why large organizations need to apply algorithms–computer programs that process lots of data, much faster and more accurately than any human could–to secure their most sensitive systems.
Artificial intelligence has all kinds of use cases in cybersecurity. At the simple end it helps automate housekeeping: ranking which unpatched hosts on an enterprise network matter most, or checking configurations against compliance rules and flagging drift. At the demanding end it watches all the traffic going in and out of a network and flags flows that look suspicious: unusual destinations, odd timing, volumes out of line with a host's history.
What makes it effective, across all of these, is that it is far more efficient than humans at repetitive work, and more consistent: it does not tire, get distracted or skip a step at the end of a long shift. It is also very good at pattern recognition; trained on good data, it can connect sparse, obscure signals that a human analyst would never spot. The flip side is that it inherits whatever its training data taught it. It will confidently flag benign activity, and it will miss hostile activity that resembles the baseline, so its output needs review.
AI's potential use in zero trust is broad, but it is not complete on its own. A model produces verdicts; it does not set policy, and it should never be the only control standing between an attacker and a critical system. The best modern security combines AI with human operators, leveraging the strengths of both to achieve results unattainable by either.
2. Using Machine Learning to Get Closer to Zero Trust
It's easy to program machines to detect basic malware. A file whose hash matches a known sample, a connection to an address already on a blocklist, a process requesting a permission it has no business asking for: signature- and rule-based monitoring will flag these quickly.
But what about information that’s not so obviously malicious?
Imagine, for example, that a verified user performs an action they never have before. Or perhaps they access a system in a perfectly legitimate way, but in the middle of the night. There may be perfectly good explanations in these scenarios, or there may not. Either way, a static rule set is slow to catch on. After all, no rule has obviously been broken.
Machine learning improves on static rules because it learns what normal looks like for each user, host and system from large amounts of varied data, and flags departures from it. A user may hold valid credentials for the system they're logging into, but if it's 3:00 in the morning and the system has only ever seen them between 8:00 A.M. and 6:00 P.M., that should raise a flag. So should a login from a different country, or even a new IP address. So should an upload or download far larger than their usual volume. None of this is obviously malicious on its own, but stacked together it is the pattern of a stolen credential in use.
Machine learning is far from the perfect solution to zero trust. In fact, you have to place your trust in it, because it is a black box: it will raise false alarms, it will miss activity that stays close enough to the baseline (a patient attacker can learn what "normal" looks like too), and it cannot explain itself the way a rule can. What ML offers, instead of outright zero trust, is efficient detection at a scale unmatched by any other technique. It can improve an otherwise diverse and multifaceted EDR infrastructure, making threats quicker and simpler to stamp out.
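The scoring logic the previous paragraph describes, as an added example that is not code from the original article or from any vendor: each user's baseline (usual hours, countries, source addresses, typical upload volume) is derived from that user's own history, so the thresholds are learned rather than hard-coded, and a single mild deviation such as an odd-hour login stays below the alert line while several deviations together cross it. The event fields, the weights, the `HISTORY` and `NEW_EVENTS` data, and the function names are all constructed assumptions.

```python
"""Behavioral baseline scoring for login/session events (added example)."""
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed history for one user (not real logs). Field names are assumptions.
HISTORY = [
    {"user": "alice", "hour": h, "country": "US", "ip": ip, "upload_bytes": up}
    for h, ip, up in [
        (8, "10.0.0.5", 1_200_000), (9, "10.0.0.5", 2_400_000),
        (10, "10.0.0.7", 1_900_000), (11, "10.0.0.5", 3_100_000),
        (13, "10.0.0.5", 2_000_000), (14, "10.0.0.7", 2_600_000),
        (15, "10.0.0.5", 1_500_000), (16, "10.0.0.5", 2_200_000),
        (17, "10.0.0.7", 2_900_000), (18, "10.0.0.5", 1_800_000),
    ]
]

# Weight per deviation and the score at which an event becomes an alert.
# An odd hour alone (2) stays below the threshold (3): "maybe there is a
# good explanation". A new country or a huge upload alone crosses it.
WEIGHTS = {"hour": 2, "ip": 1, "country": 3, "upload": 3, "no_baseline": 3}
ALERT_THRESHOLD = 3


@dataclass
class Profile:
    hours: set = field(default_factory=set)
    countries: set = field(default_factory=set)
    ips: set = field(default_factory=set)
    uploads: list = field(default_factory=list)


def build_profiles(events):
    """Learn one Profile per user from historical events."""
    profiles = {}
    for e in events:
        p = profiles.setdefault(e["user"], Profile())
        p.hours.add(e["hour"])
        p.countries.add(e["country"])
        p.ips.add(e["ip"])
        p.uploads.append(e["upload_bytes"])
    return profiles


def score_event(profile, event):
    """Return (score, reasons) for one event against a learned profile."""
    if profile is None:
        return WEIGHTS["no_baseline"], ["no baseline for user"]
    score, reasons = 0, []
    lo, hi = min(profile.hours) - 1, max(profile.hours) + 1  # one hour of slack
    if not lo <= event["hour"] <= hi:
        score += WEIGHTS["hour"]
        reasons.append(f"hour {event['hour']} outside usual window {lo}-{hi}")
    if event["country"] not in profile.countries:
        score += WEIGHTS["country"]
        reasons.append(f"new country {event['country']}")
    if event["ip"] not in profile.ips:
        score += WEIGHTS["ip"]
        reasons.append(f"new source ip {event['ip']}")
    # Upload volume is compared with the user's own mean and spread (z-score).
    mu, sigma = mean(profile.uploads), max(pstdev(profile.uploads), 1.0)
    z = (event["upload_bytes"] - mu) / sigma
    if z > 3:
        score += WEIGHTS["upload"]
        reasons.append(f"upload volume {z:.1f} standard deviations above normal")
    return score, reasons


def scan(history, new_events, threshold=ALERT_THRESHOLD):
    """Score new events against profiles learned from history; return alerts."""
    profiles = build_profiles(history)
    alerts = []
    for e in new_events:
        score, reasons = score_event(profiles.get(e["user"]), e)
        if score >= threshold:
            alerts.append({"event": e, "score": score, "reasons": reasons})
    return alerts


# Constructed new events: a normal login, an odd-hour login, an odd-hour
# login from a new country and address with a very large upload, and a
# login by a user the system has never seen.
NEW_EVENTS = [
    {"user": "alice", "hour": 10, "country": "US", "ip": "10.0.0.5", "upload_bytes": 2_100_000},
    {"user": "alice", "hour": 3, "country": "US", "ip": "10.0.0.5", "upload_bytes": 2_000_000},
    {"user": "alice", "hour": 3, "country": "RO", "ip": "203.0.113.9", "upload_bytes": 400_000_000},
    {"user": "mallory", "hour": 12, "country": "US", "ip": "10.0.0.5", "upload_bytes": 1_000},
]

if __name__ == "__main__":
    for a in scan(HISTORY, NEW_EVENTS):
        print(a["score"], a["event"]["user"], a["reasons"])
```

Run against the constructed events, the 3 A.M. login on its own scores 2 and produces no alert, while the 3 A.M. login from a new country and address with a 400 MB upload scores 9 and is alerted, as is the user with no history at all, which is the zero-trust default for an identity the baseline has never seen.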
And, frankly, it’s a lot easier to trust a machine than a person.
3. Unidirectional Networks in a Zero Trust Infrastructure
Throughout history, cities have put too much trust in their big walls: Constantinople, Jerusalem. The strategic city of Antioch had legendary fortifications, impenetrable, it was thought, until a Crusader struck a deal with an insider. Walls can't stop that. The Great Wall of China, mankind's most impressive wall, was breached not once but multiple times by Genghis Khan's Mongols. All they needed was strategy, trickery, and brute force.
These days, IT professionals, service providers and companies boast about their "secure" systems, as if what they're referring to (firewalls, mostly) were impenetrable. But software is never 100% secure. With a little strategy, trickery, and some brute force, a well-resourced and motivated attacker will be able to get through.
That's why the really serious industries, military, energy and the like, add hardware to the mix. Specifically, unidirectional hardware: one-way gateways, often called data diodes.
Unidirectional devices consist of two parts: a transmitter and a receiver. Physically, the transmitter can only send data and the receiver can only receive it. In a typical fiber-optic diode the transmitting side has a laser and no photodetector, and the receiving side a photodetector and no laser, so there is simply no component that could carry a signal back. Think of it like a waterfall: the water can only ever go in one direction. No amount of ingenuity will cause the water to rise instead of fall.
In practice, this lets organizations segment their critical systems from their non-critical systems without losing visibility. For example, the management and IT staff at a nuclear power plant can watch what's going on with their reactors, but even if everybody in the business network is compromised, or taken hostage by a cybercriminal gang, none of those attackers can do anything to the reactors over that link. There is no path through which to send anything inbound. Two practical consequences follow. First, the diode only closes the network path; the plant side still needs its own controls against removable media, compromised engineering laptops and any vendor connection that bypasses the gateway. Second, because the receiving side can never ask for a retransmission, the sending side has to assume loss and design for it: sequence numbers, redundancy or forward error correction, and an integrity check so that a corrupted frame is dropped rather than trusted.
Firewalls are only as trustworthy as the enemies they can keep out. They fail when faced with Ottomans, Crusaders and Mongols. With a diode you still trust the vendor's hardware and the software on either side of it, but the direction of flow is no longer something an attacker can negotiate with, and until the laws of physics change that will stay true.
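What "designing for a link that cannot talk back" looks like, as an added example that is not code from the original article or from any diode product: the transmitter stamps each frame with a sequence number and an integrity tag and sends it several times, since no ACK or retransmission request can ever arrive; the receiver verifies each frame, drops duplicates and corrupt frames, and reports which sequence numbers never made it. The frame format, the `LossyLink` stand-in for the optical path, the telemetry payloads and all function names are constructed assumptions; the tag is a truncated hash for corruption detection, not an authentication code.

```python
"""One-way (data diode) transfer protocol simulation (added example)."""
import hashlib
import random
import struct

MAGIC = b"DIOD"
HEADER = struct.Struct("!4sIH")   # magic, sequence number, payload length
TAG_LEN = 8                      # truncated SHA-256: corruption check only


def encode_frame(seq: int, payload: bytes) -> bytes:
    """Build magic | seq | len | payload | tag."""
    body = HEADER.pack(MAGIC, seq, len(payload)) + payload
    return body + hashlib.sha256(body).digest()[:TAG_LEN]


def decode_frame(data: bytes):
    """Return (seq, payload), or None if the frame is malformed or corrupt."""
    if len(data) < HEADER.size + TAG_LEN:
        return None
    magic, seq, length = HEADER.unpack_from(data)
    if magic != MAGIC or len(data) != HEADER.size + length + TAG_LEN:
        return None
    body, tag = data[:-TAG_LEN], data[-TAG_LEN:]
    if hashlib.sha256(body).digest()[:TAG_LEN] != tag:
        return None
    return seq, body[HEADER.size:]


class Transmitter:
    """Sends each frame `redundancy` times; it never learns whether it arrived."""
    def __init__(self, send, redundancy: int = 3):
        self.send, self.redundancy, self.seq = send, redundancy, 0

    def transmit(self, payload: bytes) -> None:
        frame = encode_frame(self.seq, payload)
        for _ in range(self.redundancy):
            self.send(frame)
        self.seq += 1


class Receiver:
    """Accepts valid frames, drops duplicates, counts what it had to reject."""
    def __init__(self):
        self.received, self.rejected = {}, 0

    def on_frame(self, data: bytes) -> None:
        parsed = decode_frame(data)
        if parsed is None:
            self.rejected += 1          # corrupt frames are dropped, never repaired
            return
        seq, payload = parsed
        self.received.setdefault(seq, payload)   # first good copy wins


class LossyLink:
    """Constructed stand-in for the optical link: drops or corrupts frames."""
    def __init__(self, receiver, loss: float, corrupt: float, seed: int):
        self.receiver, self.loss, self.corrupt = receiver, loss, corrupt
        self.rng = random.Random(seed)

    def __call__(self, data: bytes) -> None:
        r = self.rng.random()
        if r < self.loss:
            return
        if r < self.loss + self.corrupt:
            i = self.rng.randrange(len(data))
            data = data[:i] + bytes([data[i] ^ 0xFF]) + data[i + 1:]
        self.receiver.on_frame(data)


def run_transfer(n_messages=50, loss=0.2, corrupt=0.05, redundancy=3, seed=1):
    """Push n constructed telemetry samples through the simulated diode."""
    receiver = Receiver()
    transmitter = Transmitter(LossyLink(receiver, loss, corrupt, seed), redundancy)
    sent = [f"reactor telemetry sample {i}".encode() for i in range(n_messages)]
    for m in sent:
        transmitter.transmit(m)
    missing = [s for s in range(n_messages) if s not in receiver.received]
    intact = all(receiver.received[s] == sent[s] for s in receiver.received)
    return {"sent": n_messages, "delivered": len(receiver.received),
            "missing": missing, "rejected": receiver.rejected, "intact": intact}


if __name__ == "__main__":
    print(run_transfer())
```

Whatever the link does, every payload the receiver keeps is exactly what was sent (corrupted copies fail the tag check and are counted, not used), and the receiver can name the sequence numbers it never got; what it cannot do is ask for them again, which is why the redundancy lives on the sending side.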
4. (BONUS) Quantum Key Distribution – Zero Trust Communication
Quantum key distribution (QKD) approaches trust differently. It does not remove the need to trust the two endpoints, and it is not something you run with any computer on the open internet: it needs a dedicated quantum channel (optical fiber or free space) between two parties, plus an authenticated classical channel beside it. What it gives those two parties is a shared secret key together with a physical guarantee that any attempt to read it in transit leaves evidence. To understand how, consider Schrödinger's cat.
In the famous hypothetical, we’re asked to consider a cat enclosed in a box. Also inside the box is a device which, by whatever mechanism you wish to imagine, has a 50% chance of killing the cat. Before opening the box, we intuitively assume that the cat is either dead or alive inside–that there’s a 50% chance of each possibility. According to quantum mechanics, however, the cat is neither dead nor alive, but dead and alive, in equal parts. It is only upon opening the box and collapsing the uncertainty that the cat adopts a single state.
In other words, the act of observation itself affects the state of the system.
QKD systems (no quantum computer is needed) encode key bits on quantum states, usually the polarization or phase of single photons. Prepared in one basis and measured in another, such a photon behaves like a qubit in superposition, both 0 and 1 until it is measured. Dead and alive. Little Schrödinger's cats. Like the cat, there's a probability that the qubit ends up 0 or 1, but it is both and neither until we open the box, which here means measuring the photon.
Do you see where this is going? If you encode a key in quantum states, and measuring a quantum state can disturb it, then anyone who intercepts the photons to read them has to measure them and, not knowing which basis each was prepared in, will guess wrong about half the time and forward a changed state. When sender and receiver later compare a random sample of their bits over the classical channel, those changes show up as an elevated error rate. The eavesdropper cannot intercept, manipulate or even look without leaving blood at the scene.
Perhaps some hackers don't care about subtlety; they're fine making a mess so long as they get what they want. QKD has an answer for this, too. If the error rate in the sample exceeds the agreed threshold, the two parties discard the key and never use it, so nothing encrypted under it is ever sent. The attacker ends up with a pile of disturbed photons and no secret.
QKD doesn't eliminate all forms of trust on its own. The classical channel must be authenticated, otherwise an attacker can sit in the middle and run the protocol with each side separately, so some pre-shared secret or signature scheme is still needed; the endpoints and their detectors are trusted; and real implementations have been attacked through hardware side channels. In theory, the data eventually sent under the key could itself be malicious. What QKD does achieve, within those bounds, is a key exchange whose interception is detected by physics rather than assumed infeasible on the strength of an attacker's computing budget. That is as close as key exchange gets to zero trust communication.
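The exchange the preceding two paragraphs describe, as an added example that is not code from the original article: a classical simulation of BB84, the protocol QKD systems run. Alice sends bits in one of two random bases; Bob measures in random bases; the two keep only the positions where their bases agreed (the bases, never the bits, are announced over the authenticated classical channel) and sacrifice a random sample of those to estimate the error rate. Eve, who has to measure to learn anything, guesses the wrong basis half the time and so corrupts about a quarter of the sifted bits. Channel noise is assumed to be zero, the abort threshold `QBER_ABORT` is an assumption taken from the commonly cited 11% bound for BB84, and the function names are constructed.

```python
"""BB84 key exchange with an intercept-resend eavesdropper (added example)."""
import random

QBER_ABORT = 0.11   # assumed abort threshold (quantum bit error rate)


def measure(basis, photon, rng):
    """Measure a photon prepared as (basis, bit). Same basis: exact result.
    Other basis: the outcome is a coin flip and the original state is lost."""
    prep_basis, bit = photon
    return bit if basis == prep_basis else rng.randrange(2)


def bb84(n_photons: int, eve: bool, seed: int = 7, sample_fraction: float = 0.5):
    """Run one BB84 exchange; return sifted size, estimated QBER and both keys."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.randrange(2) for _ in range(n_photons)]  # 0 rectilinear, 1 diagonal
    photons = list(zip(alice_bases, alice_bits))

    if eve:
        # Intercept-resend: Eve measures in a random basis and re-prepares the
        # photon in that basis with the result she got. Where she guessed wrong,
        # the photon Bob receives no longer carries Alice's state.
        photons = []
        for p in zip(alice_bases, alice_bits):
            eve_basis = rng.randrange(2)
            photons.append((eve_basis, measure(eve_basis, p, rng)))

    bob_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bits = [measure(b, p, rng) for b, p in zip(bob_bases, photons)]

    # Sifting: bases are compared over the authenticated classical channel.
    sifted = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]

    # Error estimation: a random sample of sifted bits is revealed and discarded.
    sample = set(rng.sample(sifted, int(len(sifted) * sample_fraction)))
    errors = sum(alice_bits[i] != bob_bits[i] for i in sample)
    qber = errors / len(sample) if sample else 0.0

    key_alice = [alice_bits[i] for i in sifted if i not in sample]
    key_bob = [bob_bits[i] for i in sifted if i not in sample]
    return {"sifted": len(sifted), "qber": qber,
            "key_alice": key_alice, "key_bob": key_bob}


def qkd_session(n_photons: int, eve: bool, seed: int = 7):
    """Return the agreed key bits, or None if the error rate says someone listened."""
    result = bb84(n_photons, eve, seed)
    if result["qber"] > QBER_ABORT:
        return None   # abort: the key is never used, so nothing is exposed
    return result["key_alice"]


if __name__ == "__main__":
    for eve in (False, True):
        r = bb84(10_000, eve)
        print(f"eve={eve}: sifted={r['sifted']} qber={r['qber']:.3f} "
              f"key={'none (aborted)' if qkd_session(10_000, eve) is None else len(r['key_alice'])}")
```

With no eavesdropper and no channel noise the measured error rate is exactly zero and the two keys match bit for bit; with Eve in the line the error rate lands near 25%, far above the threshold, and the session yields no key at all. Note that the sifting step is exactly where the authenticated classical channel matters: if Eve could also impersonate each side on that channel she would simply run two separate BB84 sessions and relay between them.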
There is no single answer, no one-stop-shop for completely eliminating trust in a network environment. Zero trust requires, first and foremost, that smart, thoughtful people carefully examine where they rely on trust, and how best to get rid of it. Even the strongest AI/ML, quantum algorithm, or blockchain is useless if applied without forethought and tact. This is a philosophy, after all; a way of thinking and being.
As the Melissa virus spread across America, it prompted people to think both about whom they trusted and whether to download antivirus. When RSA announced its breach, it forced corporations and governments to reconsider their trust in vendors, and whether there was a better way to do multi-factor authentication. This year we’re asking the same questions all over again, this time about SolarWinds, and whether it’s possible to hire network managers without giving away the keys to the kingdom.
Removing trust in such varied environments will require a change in thinking, alongside an evolution in technology. Even then, achieving absolute zero trust will likely be impossible. But we can try.