A New Paradigm for Absolute Zero Trust and Infrastructure Resiliency

By Rajiv Pimplaskar, President and CEO, Dispersive Holdings, Inc.

How Secure is your Public Cloud?

Public cloud is an IT model where 3^rd-party-managed on-demand computing and infrastructure services are shared with multiple organizations using the public Internet. Over the last decade public cloud services and SaaS applications have exponentially grown to become mainstream across governments and enterprises worldwide. This phenomenon, coupled with the unprecedented shift of people working from home during the COVID-19 pandemic, have “de-perimeterized” the corporate network and eroded IT’s control over infrastructure.

Erosion of control and the rise of new and emerging threat actors have led to an “implicit trust” problem with the network. Implicit trust occurs where a public cloud or network resource is “trusted” on a de facto basis without meeting the burden of proof for earning that trust.  Implicit trust can be very dangerous as information is most vulnerable for a data breach or malware infection when it’s in motion. As we’ve seen on multiple occasions over the last two years, network resources are prime targets for unauthorized access, insider threats, code and injection attacks, Man-In-The-Middle (MITM) attacks, privilege escalations, as well as lateral movement.

The public cloud can also become a gateway for attacks by Nation state threat actors.  The current geopolitical events are a stark reminder of the security risks and fragility of business resiliency when relying on public cloud infrastructures across different countries.  Unquestionably, an evolved paradigm for both securing corporate users, sensitive data and resources and assuring underlying infrastructure resiliency is no longer a luxury – it is essential!

Zero Trust and The Achilles Heel of Session-level Encryption

Central to any zero trust strategy is the belief that organizations should not automatically trust anything inside or outside its perimeters. Rather, they must verify anything and everything trying to connect to its systems before granting access. While incredibly relevant for today, most zero trust approaches stop at the network as they rely on traditional cryptographic protocols to keep communication secure and private.

Transport Layer Security (TLS) is a common cryptographic protocol that operates at the session layer (layer 5) of the Open Systems Interconnection (OSI) model and is designed to provide communications security over a computer network. Once the client and server have agreed to use TLS, they negotiate a stateful connection by using a “handshaking procedure” with an asymmetric cipher to establish not only cipher settings but also a session-specific shared key with which further communication is encrypted using a symmetric cipher. Applications generally use TLS as if it were a transport layer, even though applications using TLS must actively control initiating TLS handshakes and handling of exchanged authentication certificates.

The danger of solely relying on this approach is that unfortunately, modern threat actors can operate underneath the session layer (at the network and the transport layer – layers 3 and 4 respectively) and intercept, as well as harvest all data (including the shared secret). Threat actors with these capabilities may have powerful economic and / or Nation state motivations and the luxury to play a “long game.” Their focus may not be decryption but, disruption or capturing data in transit for replay attacks and / or future analysis.  Nation state actors have evolved tremendously and now possess powerful compute and coordinated resources available at their disposal that can reframe a traditional cryptographic math problem into a much more insidious (yet much simpler) database lookup one.

Finally, the next decade will determine the outcome of the ongoing war for quantum computing supremacy, now being waged between the world’s superpowers.  Quantum computing, while inherently very useful, changes the game dramatically when it comes to protection rendered by conventional IPsec or TLS encryption. The Quantum Alliance Initiative at the Hudson Institute highlights some sobering facts about the potential cost of a quantum computing attack noting that, a single attack on the banking system could cause $1.9 trillion in overall damages on the financial systems. An attack on cryptocurrency would cause a $3.3 trillion blow to the United States economy.

Lessons From the Past – Introduction of Spread Spectrum in the Radio Frequency (RF) world

Interestingly, a similar problem was first identified and subsequently solved in the last century after World War II in the context of radio guidance systems for Allied torpedoes that used spread spectrum and frequency hopping technology to defeat the threat of jamming and interception by the axis powers. The principles of this work are incorporated into today’s Bluetooth, GPS and 5G technology.

Military communication systems strategically “spread” a radio signal over a wide frequency range several magnitudes higher than minimum requirements. The core principle of spread spectrum is the use of noise-like carrier waves and, as the name implies, bandwidths much wider than would be required for simple point-to-point communication at the same data rate.  The use of the spread spectrum delivered several benefits:

• Resistance to jamming (interference)
• Resistance to eavesdropping
• Multiple access capability or code-division multiple access (CDMA)

Absolute Zero Trust – The Modern Paradigm

The Internet as well as cloud operators can learn a great deal from the RF world and leverage the proven battlefield concepts of RF frequency hopping and spread spectrum communications to securing TCP/IP communications regardless of the level of trust with the underlying infrastructure.

Secure communications technologies are now available that can establish dynamic virtual active/active multipath networks with rolling encryption keys and granular access controls. In addition, orchestration, control and data planes can be separated, thereby further protecting data flows from potential interception and future analysis. Managed attribution can also keep virtual endpoints, users and network resources obfuscated, making them virtually impossible to detect. Finally, proper access control and device posture checking can be implemented to prevent unauthorized access.

Such networks can be both intelligent and predictive, enabling dynamic routing and management capability with smart deflection and redirection of traffic from impacted resources and network nodes to mitigate against availability issues and DDoS attacks. Importantly, performance can be enhanced, even across high latency, low bandwidth environments, enabling alternative communication pathways such as mobile hotspot, ADSL, broadband, satellite, MPLS, LTE, and others to maintain business continuity—even in the face of primary network disruption.

Zero trust and infrastructure resiliency can certainly be achieved, but only if the appropriate safeguards are implemented and all existing vulnerabilities mitigated. Combining the lessons of the past with technologies and measures we now possess can provide the needed security and protections against even the most aggressive and skilled bad actors.

About the Author

Rajiv Pimplaskar is the President and CEO of Dispersive Holdings, Inc. A zero trust industry leader, Rajiv is passionate about growth, driving innovation and scaling SaaS cybersecurity companies. Rajiv has two decades of experience across product, go-to-market, and sales and until recently was the CRO for Veridium US, LLC. Prior to Veridium, he held sales, corporate development, and technical roles at Cloudmark (acquired by Proofpoint), Atlantis Computing (acquired by HiveIO) and Verizon. He has an MBA and master’s degree in computer science from Widener University in Pennsylvania and a bachelor’s degree in electrical engineering from the University of Pune in India.

Rajiv can be reached online at [email protected], https://www.linkedin.com/in/rajiv1p/, and at our company website: www.dispersive.io.