What zero trust security will mean for the payments industry

Since it was first put forward as an architectural model for enhancing organizational security by Forrester Research in 2010, the zero trust approach has mostly remained the preserve of systems architects and security experts.

In 2014, it was recommended as the model to follow by the U.S. House of Representatives Committee on Oversight and Government Reform, who were responding to a hack that compromised the records of 18 million federal employees. However, apart from that, it has gained little widespread attention.

That is until earlier this year, in response to the long list of data breaches that have affected large organizations in recent years. One of the biggest of these occurred in 2017, when an estimated 145 million people were affected by a data breach at credit reporting agency Equifax.

What is zero trust security?

Essentially, a zero trust architecture is one based on the principle of trusting no one and always verifying. One of the main reasons it is considered advantageous is because it removes lateral movement, a key approach that hackers use to travel deep into an organization’s systems. Even though they may enter through a seemingly peripheral entry point, lateral movement allows hackers to move through a network, searching for important files and data.

It is a major problem for the ‘castle and moat’ approach to security that is so prevalent today. This approach attempts to protect the edges of a system but does little to stop hackers moving freely once they are in.

At a high level, zero trust security works by verifying the ID of the user, validating devices and limiting access to data. It also advocates for only the minimum amount of data required to complete a specific task being provided, and no more. Of course, every entry into the network is done via a verified identity, so that no one is able to participate without a proven ID. For instance, in a commercial setup, one could see an already-connected merchant onboard customers and employees so that they would subsequently be able to interact with other businesses using a ZK setup for digital identities—allowing them to make payments or verify themselves across the board.

Zero knowledge storage and zero knowledge proof

Two technological approaches at the heart of this strategy are zero knowledge storage and zero knowledge proofs.

Zero knowledge proof is a nascent technology that is also much talked about at the moment within blockchain and cryptocurrency circles. That’s because, while cryptocurrency networks such as Bitcoin are able to function with anonymous parties trading with one another, all the members of the network can see the transactions that have occurred and the addresses involved.

For situations where all the data needs to remain private, even when stored on a public blockchain, zero knowledge proof provides an answer. Where two parties want to transact while safeguarding privacy, zero knowledge proofs allow the ‘prover’ to assure the ‘verifier’ that they have knowledge of a secret without revealing the secret itself. Operation on top of a distributed ledger allows token attestations to be leveraged to these ends.

Zero knowledge storage is a similar process for storing sensitive data. It involves encrypting personal information so that only the user can access it while removing the need for root-level admin access, which can act as a ‘backdoor’ for hackers.

In the case of a blockchain network, zero knowledge storage means that data is encrypted on the device before it is stored on a blockchain or on other associated services such IPFS this can again be encrypted on the blockchain. The user has a personal cloud of data that no-one can access apart from themselves. It is only available for decryption via asymmetric keys by those entities that the user chooses.

Zero trust security in e-commerce payments

One of the things that anyone working in e-commerce knows is that a huge amount of personal information is shared and then stored when it doesn’t need to be.

This is partly because the protocols underpinning the internet were designed to make data sharing easy. It is also because a whole range of merchants, banks and payment providers have seen it as useful to collect and sometimes share this information with other organizations, such as credit reporting agencies.

This has resulted in the data breaches mentioned earlier, where huge amounts of personal data were stored, as well as (at least to some extent) data protection rulings such as the EU’s General Data Protection Regulation.

However, e-commerce does not need to work in this way.

The quick and simple payments that we have become used to can continue, without the need for the sharing of masses of personal information. Blockchain technology solutions, which incorporate the benefits of zero knowledge storage and zero knowledge proofs, can enable individuals to store and control their data while also having the option to share it securely with e-commerce organizations.

Chunks of personal data can be encrypted on a device and on the chain, such as a smartphone, and then tokenized so that they can be used with products and services that an  individual chooses. Instead of sharing personal data on mass, tokens can ensure that organizations only get the information they need in order to complete the task required of them. In this way, payment providers can receive information required for payment  but not a delivery address. Merchants can receive a delivery address but not credit card details and even then the delivery information can be tokenized and revoked after delivery

As such, a new, blockchain-enabled payments and ID network can operate zero trust security that protects individuals, eliminates data breaches and enables the e-commerce industry to continue growing.

—

DISCLAIMER: This article expresses my own ideas and opinions. Any information I have shared are from sources that I believe to be reliable and accurate. I did not receive any financial compensation for writing this post, nor do I own any shares in any company I’ve mentioned. I encourage any reader to do their own diligent research first before making any investment decisions.