Demystifying Technology: Zero-Knowledge Encryption

Organizations are also using Platform-as-a-Service (PaaS), where a complete cloud platform (from hardware and software to network infrastructure) is provided for them to run all their applications and store all of their sensitive, corporate information. Although this provides greater flexibility and less administrative burden for the IT personnel, this also creates a greater risk, as an attack against these cloud providers could lead to major data breaches with disastrous consequences for thousands of customers.

Several months ago, an enterprise password manager provider determined that an unauthorized party could have gained access to some of their customers’ information. The consequences could have been tremendous if all these credentials would have been directly available to a malicious actor, who could use them to access customers’ infrastructure, provoke service interruptions, and/or steal valuable information to later request a ransom. However, all these credentials remained safe as that provider was using a Zero-Knowledge architecture to safely store all customer data and ensure that, even in case of a data breach, malicious actors would not be able to do them any harm.

All cloud-based service providers are using some kind of end-to-end encryption to protect data while in transit, for example, when an employee uploads a document from his mobile device to a personal or shared folder to make it accessible on other devices and to share with colleagues.

That is already covered. The concern is how is that data protected when it is not being used, stored locally on said back-end servers, or hosted and managed by the cloud-based service provider? In that case, Advanced Encryption Standard (AES) algorithm with 256-bit key is currently considered the strongest level of encryption for data-at-rest for commercial use, and remains the only algorithm approved by the U.S. government for storing classified information. While cloud-based storage providers combine these encryption methods to offer reasonable data protection, there are still some security risks here. Even if the data stored locally is encrypted, the server still holds a copy of the encryption key used to protect it. Thus, a cybersecurity attack against that server could result in a third-party not only stealing the encrypted data but also the corresponding encryption key, and would result in a data breach.

Zero-knowledge offers superior privacy and data protection, in that encryption happens exclusively at the endpoint level before syncing with the cloud-storage provider, for example, to store documents or credentials. Only the user that owns the documents can decrypt them, no one else – not even the provider that stores them. The encryption key used to encrypt and protect the data is never shared with the storage provider, so even if that data would be stolen during a cyberattack resulting in a data breach, no useful information would be usable as it is all encrypted with only the owner having a key. Like stealing a safe with an unbreakable lock, whatever it contains is useless as it is inaccessible.

Zero-knowledge encryption provides a higher level of control over data and flexibility, as virtually any provider can be used, no matter how “secure” they are, since our data will be protected using encryption that only the user can access. If said provider offers reasonable security like strong authentication, such as Multi-Factor Authentication (MFA), access control, and good service availability, we can access data fast and from any location. We don’t need to worry about trusting our providers as much since even if they get hacked, nobody will be able to access and use our data. A parallel can be made with app containers on mobile devices; even if we cannot trust the device as a safe place, we will just put the data into an unbreakable safe.

If the user forgets the password used to encrypt and protect their data, then there is no recovery possible, as no one else – neither the company nor the provider – has the password. Thus, ALL the data would be lost forever.

Hopefully, zero-knowledge encryption is an alternative to help with these issues and deliver the best possible protection for all our data, wherever it is located, locally or in the cloud, and in any of its states.

Zero-knowledge encryption is not something that needs to be enabled or implemented by organizations, but rather by their cloud-storage providers. Still, we recommend reviewing your security posture as an organization, checking with all your cloud-based service providers to understand what type of encryption methods and security measures they are using to protect your data. Only a handful of them provide zero-knowledge encryption out of the box, but for the others, there are some third-party vendors which allow you to integrate with them and deliver that missing extra layer of security, privacy, and protection.

It is critical to educate your employees on the basics of security and best practices, so they understand how and where their personal work information is stored, and the impact associated with losing their password when using said encryption method with a given service (e.g., password manager). When reviewing your security posture, please don’t hesitate to reach out to the team at ISEC7. ISEC7 has worked extensively with organizations large and small in both the private and public sector to enhance their security posture and fortify their ecosystems through the industry best practices, a curated product suite, and most importantly training. The team at ISEC7 can complete a security assessment and help you navigate the best options available to you to help strengthen and protect your infrastructure.

(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group