The Cloud is ubiquitous: any company looking to ramp up quickly will provision its compute, networking, and storage with its preferred cloud provider, and get started rolling out their products. That makes total sense from a business perspective. The Cloud has simplified development and automation exponentially over the years, and emerging tech such as AI and IoT will only accelerate this.
However, the catch is that the very same foundational architectures which drive the Cloud’s efficiency, flexibility, and cost benefits ultimately also are its weakest links from a security perspective. The result is the daily march of headlines we all read about: ever larger and deeper breaches of data and systems.
There are three fundamental drivers that serve as the basis for the large majority of access hacks, data security breaches, and privacy vulnerabilities:
A centralized native cloud-only model for identity verification and authentication
A fundamentally flawed architecture for data security and privacy
The complexity of the native cloud-based solutions and active security measures that are layered over this inherently flawed foundation
This series of articles will dig into each of these elemental cloud security challenges that need to be addressed if we really want to improve things. Today, we will focus on the first.
Ok, What’s the Problem With Existing Password-Less Authentication?
Credentials-based authentication – that is, username and password – is notoriously insecure and the source of 80%+ of data breaches today. Yet most end users still gain access to their websites and applications this way. Even worse, so do many DevOps and cloud engineers to their sensitive production cloud environments. Thankfully, a long-overdue migration to password-less authentication is now underway, with dozens of tools vying for supremacy, and more and more sites like GitHub are deprecating password-based authentication entirely.
While this is an important step forward, it still only solves part of the problem: not all password-less authentication solutions are created equal. The new wave of solutions eliminates the password, but all still have one or several intrinsic weaknesses derived from the same foundational flaw.
They Rely on the Cloud. . . And the Cloud Is Compromised
The benefits of the cloud – its flexibility, scalability, and distributed access – are indisputable. However, the practice of having all of your much-needed services available centrally, from the data lakes to the databases, to the IAM and much more, have essentially created a security monster.
At AWS Re:Invent just a couple of weeks ago, Werner Vogels, AWS CTO said that there is virtually no service their IAM framework doesn’t touch. If that doesn’t raise the hairs on the back of your neck, I don’t know what will.
Therefore, as any security engineer knows, the Cloud’s strengths are ultimately also the Cloud’s main weaknesses. The scale and complexity of the Cloud make it practically impossible to defend, while the amount and value of data and capabilities that are concentrated into enormous cloud-based data lakes make attacks relatively easy and incredibly profitable.
So, if you really want to avoid being the next big headline, you should start with the working premise that the Cloud is essentially compromised. With this assumption in mind, here is where the current crop of password-less authentication solutions remains vulnerable:
They still rely on cloud databases of user credentials, which remain as vulnerable as ever. In fact, most are aggregating even more data on users’ identities, their activities, their history, and so on in a single place, making a hacker’s job easier than ever.
They rely heavily on user self-identification and authorization, ignoring the vulnerability of the means used to execute this: SMS and email, two extremely spoofable channels.
They add friction for the end-user, which inevitably reduces compliance. Let’s face it: users are lazy. Additional steps with authenticator apps, hardware tokens, and even SMS-based SFA are too much for many of them.
Thanks to this set of assumptions, attacks can be executed literally from anywhere in the world, from any device, and by any hacker – whether an amateur or more sophisticated professional. Even worse, it doesn’t even require a human attacker: software, especially bots, malware, ransomware, and even AI software, can probe and drive attacks that are often one step ahead of the AI monitoring being used to stop them.
Yikes, that’s scary. Until we change things, the attackers will always have the advantage.
So What Can We Do?
We can design and build a new approach to cybersecurity based on one simple premise:
The Cloud is compromised, so eliminate the attack surface in the Cloud
Based on that premise, here are the core pillars of the approach that can be architected to address the problem of identity security via credential-free authentication.
1. Enforce Access to Resources With Cryptographic Keys, Not Credentials.
As long as credentials exist, they can and will be stolen if the resources they access have value. Encryption, especially AES 256 encryption, works. Use it.
2. Bind Cryptographic Access to Devices, and Devices to Users
The good news is that both human and machine users have devices, and devices can be made secure with two simple steps.
- Bind keys to devices. In addition to the Trusted Platform Module, there are other methods to uniquely restrict the use of encryption keys to the device on which they were created and authorized.
- Bind devices to their authenticated users. Once the device can truly be trusted, now authentication methods that bind a device to the unique human that is authorized to use or control it can be added.
3. Decentralize and Bind MFA to Devices
All MFA today ultimately relies on cloud-based databases and servers, and a Chain of Trust to them for execution. To take the Cloud off the table, we can decentralize and distribute MFA out to users that are bound to devices, and eliminate the role of any central authority.
The beauty of the first three steps is that while immensely enhancing the security of access, they simultaneously reduce both friction for end users and support overhead for IT staff. The user’s device is the log-in: passwords, second device authentications, one-time codes, push notifications, or hardware tokens can all be avoided.
Instead, we can leverage cryptographic device-based authentication with the user’s device to deliver two strong factors to assure identity:
something you “own” – the possession of private AES 256 key; and
something you “are” – leveraging biometrics in tandem with cloud and device-based monitoring.
4. When It Really Matters, Introduce Zero Trust via Human in the Loop
The steps above will bring a new level of security – and privacy – to the vast majority of authentication use cases and needs. Still, there are times when the resources accessed by a person and their devices are valuable enough to warrant continuous identity verification to assure no wrongful access. In those use cases, the only way to truly be sure of the identity of the user of a device requesting access is to enforce a direct human-to-human interaction with someone that knows them directly into the authentication flow in an automated way. We have developed a way to do exactly that.
What Would That Mean?
If these pillars could be applied to truly reduce the attack surface for authentication and identity verification in the Cloud to ZERO, what would that mean for cybersecurity? There are lots of wins, but these are the three most important:
1. We Can Eliminate Credentials-Based Attacks
Phishing, spoofing, theft and loss, social-engineering attacks, you name it: all futile if there is no password, no credentials to steal.
2. We Can Eliminate Cloud-Based Company and System-Wide Attacks
If the only way to gain access to a resource is to go one by one after each endpoint device, we have raised the bar for attacks beyond the reach of the vast majority of hackers.
3. We Can Escalate and Enforce a Human-In-The-Loop Zero Trust Identity Verification When It Really Matters
At the end of the day, every cloud-based authentication today relies upon software or the endpoint device to verify identity. When your context demands real-time reauthentication of a device or a user, another authorized human that knows the user can do this job based on a pre-configured automated software-driven authentication flow.
Will this stop every possible attack? Of course not. However, it can for the first time in a long time change the equation in favor of the defense.
A Revolution Is Coming
As long as the industry continues to cling to fundamentally vulnerable, centralized native cloud-only security architectures and layer on ever more complex solutions on top of a cracked foundation, we can not only expect but guarantee that we will continue to get the same outcomes. The endless game of whack-a-mole, chasing down the last breach rather than preventing the next one, will go on and on.
Unless we do a hard reset. It’s possible.