Since it was first put forward as an architectural model for enhancing organizational security by Forrester Research in 2010, the zero trust approach has mostly remained the preserve of systems architects and security experts.
In 2014, it was recommended as the model to follow by the U.S. House of Representatives Committee on Oversight and Government Reform, who were responding to a hack that compromised the records of 18 million federal employees. However, apart from that, it has gained little widespread attention.
That is until earlier this year, in response to the long list of data breaches that have affected large organizations in recent years. One of the biggest of these occurred in 2017, when an estimated 145 million people were affected by a data breach at credit reporting agency Equifax.
What is zero trust security?
Essentially, a zero trust architecture is one based on the principle of trusting no one and always verifying. One of the main reasons it is considered advantageous is that it removes lateral movement, a key technique that hackers use to travel deep into an organization’s systems. Even though they may enter through a seemingly peripheral entry point, lateral movement allows hackers to move through a network, searching for important files and data.
It is a major problem for the ‘castle and moat’ approach to security that is so prevalent today. This approach attempts to protect the edges of a system but does little to stop hackers moving freely once they are in.
At a high level, zero trust security works by verifying the ID of the user, validating devices and limiting access to data. It also advocates for only the minimum amount of data required to complete a specific task being provided, and no more. Of course, every entry into the network is done via a verified identity, so that no one is able to participate without a proven ID. For instance, in a commercial setup, one could see an already-connected merchant onboard customers and employees so that they would subsequently be able to interact with other businesses using a ZK setup for digital identities—allowing them to make payments or verify themselves across the board.
Zero knowledge storage and zero knowledge proof
Two technological approaches at the heart of this strategy are zero knowledge storage and zero knowledge proofs.
Zero knowledge proof is a nascent technology that is also much talked about at the moment within blockchain and cryptocurrency circles. That’s because, while cryptocurrency networks such as Bitcoin are able to function with anonymous parties trading with one another, all the members of the network can see the transactions that have occurred and the addresses involved.
For situations where all the data needs to remain private, even when stored on a public blockchain, zero knowledge proof provides an answer. Where two parties want to transact while safeguarding privacy, zero knowledge proofs allow the ‘prover’ to assure the ‘verifier’ that they have knowledge of a secret without revealing the secret itself. Operation on top of a distributed ledger allows token attestations to be leveraged to these ends.
Zero knowledge storage is a similar process for storing sensitive data. It involves encrypting personal information so that only the user can access it while removing the need for root-level admin access, which can act as a ‘backdoor’ for hackers.
In the case of a blockchain network, zero knowledge storage means that data is encrypted on the device before it is stored on a blockchain or on other associated services such as IPFS; this can again be encrypted on the blockchain. The user has a personal cloud of data that no one can access apart from themselves. It is only available for decryption via asymmetric keys by those entities that the user chooses.
Zero trust security in e-commerce payments
One of the things that anyone working in e-commerce knows is that a huge amount of personal information is shared and then stored when it doesn’t need to be.
This is partly because the protocols underpinning the internet were designed to make data sharing easy. It is also because a whole range of merchants, banks and payment providers have seen it as useful to collect and sometimes share this information with other organizations, such as credit reporting agencies.
This has resulted in the data breaches mentioned earlier, where huge amounts of personal data were stored, as well as (at least to some extent) data protection rulings such as the EU’s General Data Protection Regulation.
However, e-commerce does not need to work in this way.
The quick and simple payments that we have become used to can continue, without the need for the sharing of masses of personal information. Blockchain technology solutions, which incorporate the benefits of zero knowledge storage and zero knowledge proofs, can enable individuals to store and control their data while also having the option to share it securely with e-commerce organizations.
Chunks of personal data can be encrypted on a device, such as a smartphone, and on the chain, and then tokenized so that they can be used with products and services that an individual chooses. Instead of sharing personal data en masse, tokens can ensure that organizations only get the information they need in order to complete the task required of them. In this way, payment providers can receive information required for payment but not a delivery address. Merchants can receive a delivery address but not credit card details, and even then the delivery information can be tokenized and revoked after delivery.
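A minimal sketch of the scoped, revocable tokens described above, as an added example that is not taken from the article or from any real payment network. TokenVault, its methods and the sample data are hypothetical and constructed for illustration; encryption at rest is left out, and the recipient name is assumed to come from an already authenticated channel.

```python
import hashlib, hmac, secrets

class TokenVault:
    """Stands in for the user's own data store (hypothetical design).
    Encryption at rest is out of scope; the point is scoping and revocation."""

    def __init__(self, fields):
        self._fields = dict(fields)
        self._grants = {}   # sha256(token) -> (recipient, allowed field names)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, recipient, allowed):
        unknown = set(allowed) - set(self._fields)
        if unknown:
            raise KeyError(f"no such fields: {sorted(unknown)}")
        token = secrets.token_urlsafe(32)
        # Only the hash is kept, so a copy of the grant table yields no usable tokens.
        self._grants[self._digest(token)] = (recipient, frozenset(allowed))
        return token

    def redeem(self, token, recipient):
        grant = self._grants.get(self._digest(token))
        if grant is None or not hmac.compare_digest(grant[0], recipient):
            raise PermissionError("token revoked, unknown, or bound to another party")
        return {name: self._fields[name] for name in grant[1]}

    def revoke(self, token):
        self._grants.pop(self._digest(token), None)

def demo():
    # Constructed sample data (the card number is the usual test value).
    vault = TokenVault({"card_number": "4111 1111 1111 1111",
                        "delivery_address": "1 Example Street",
                        "email": "user@example.test"})
    pay = vault.issue("payment-provider", ["card_number"])
    ship = vault.issue("merchant", ["delivery_address"])
    seen_by_psp = vault.redeem(pay, "payment-provider")
    seen_by_merchant = vault.redeem(ship, "merchant")
    vault.revoke(ship)      # delivery completed, so the address grant is withdrawn
    try:
        vault.redeem(ship, "merchant")
        revoked = False
    except PermissionError:
        revoked = True
    return seen_by_psp, seen_by_merchant, revoked
```

Each party sees only the fields its token was issued for, and a token presented by a different party or after revocation is rejected.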
As such, a new, blockchain-enabled payments and ID network can operate zero trust security that protects individuals, eliminates data breaches and enables the e-commerce industry to continue growing.
DISCLAIMER: This article expresses my own ideas and opinions. Any information I have shared is from sources that I believe to be reliable and accurate. I did not receive any financial compensation for writing this post, nor do I own any shares in any company I’ve mentioned. I encourage any reader to do their own diligent research first before making any investment decisions.