Understanding zero-knowledge security


Zero trust is a well understood concept in the security industry and has become foundational to many organizations' cybersecurity strategies. However, zero knowledge has stayed largely under the radar, despite it being critically important to containing data breaches.

About the author

Darren Guccione is CEO & Co-Founder of Keeper Security.

What is zero knowledge?

Zero knowledge is a security model that utilizes a unique encryption and data segregation framework to protect against remote data breaches. The zero knowledge model adheres to these principles:

  • Data is encrypted and decrypted at the device level, not on the server
  • The application never stores plain text (human readable) data
  • The server never receives data in plain text
  • No employee or intermediary can view the unencrypted data
  • The keys to decrypt and encrypt data are derived from a user's master password
  • Multi-layer encryption provides access control at the user, group and admin levels
  • Sharing of data uses public key cryptography for secure key distribution

Put simply, if zero trust’s tagline is “Trust no one,” then zero knowledge’s tagline is, “We know nothing, and we can’t access your data.”

Zero knowledge is particularly relevant for security vendors and organizations charged with protecting their customers’ data, as it ensures that end users are the only ones able to access their information. Even if the company that stores the data is breached, its end users won’t be compromised, because the company itself can’t access the data, let alone any third party.

Why is zero knowledge so important today?

In our increasingly digital world, the typical consumer’s personal data is being stored and processed by a dizzying array of organizations, many of which are using the data for marketing and advertising purposes. Much of this data consists of highly sensitive personally identifiable information (PII) that, if breached, leaves consumers open to identity theft. Yet the overwhelming majority of these end users do not understand how their data is being stored or if their digital information is secure.

In addition to being bad news for customers, organizational data breaches also have negative, sometimes catastrophic impacts on the breached organization, as well as its employees and partners. Data breaches erode trust, degrade a business’ brand image and leave the organization open to expensive mitigation costs, heavy fines for violating the GDPR and other data privacy regulations, along with lawsuits from impacted individuals.

However, if the organization has correctly implemented a zero knowledge architecture, then all of its customer data is encrypted on the client side. In the event of a breach, whether at the hands of an external threat actor or a malicious insider, the only “data” that gets compromised is encrypted text, also known as cipher text: a series of seemingly random letters and numbers that neither a human nor a machine can read without the decryption key. Zero knowledge, used in conjunction with a zero-trust security architecture, is currently the best available way to protect user data.

How to tell if a company is really “zero knowledge”

When major consumer tech companies like Apple, Google or Signal tout features such as “end-to-end” encryption, the benefits are obvious; end users don't want anyone else accessing their email, text messages, photos or any other personal communications. This same guarantee of privacy should apply to any enterprise that holds user data, whether it’s a social media platform or a workplace.

However, this isn’t necessarily the case. While many organizations take data security very seriously, just as many play fast and loose with user data, including some companies that claim to be “zero knowledge.” Although SSL/TLS and the green lock on websites are an important security measure, consumers need to understand what the green lock actually protects, which is data in transit between the consumer and the website or app. The data is decrypted once it reaches its intended recipient.

Another issue arises when vendors claim they have “full disk encryption” on all servers – but the vendor owns the encryption keys. They may even store them in the same database that contains user data, which is akin to locking valuables in a safe, then writing down the combination on a piece of paper and sticking it on the front. In a zero-knowledge environment, the vendor doesn’t store the encryption keys. They don’t even have access to them!

How can a layperson tell if an organization that claims to be “zero knowledge” really is? Here are some red flags to look out for:

  • If the company can email you information about your data, it is likely not zero knowledge.
  • If it has any kind of in-app trackers or usage analytics, it is likely not zero knowledge.
  • If it can do meaningful processing based on your data (AI, analytics, automated workflows), it is likely not zero knowledge.

Conclusion

A zero knowledge architecture, especially when used in conjunction with zero trust, can prevent most data breaches, or at least drastically minimize their impact. Passwords, street addresses, mobile phone numbers and other PII don’t just show up on the dark web by themselves; somebody stole this information from a vendor that was storing it. That “somebody” could be a malicious insider or an external threat actor. Data breaches and their impacts could become far less frequent and less severe if more organizations used zero knowledge.

Any company storing sensitive data, which is pretty much everyone these days, should strongly consider implementing a zero knowledge architecture. For security vendors, such as password management companies, this should be a no-brainer. Users place an incredible amount of trust in these vendors to keep their passwords safe. However, users want all of their data protected, not just their passwords. It’s just as important to ensure that threat actors can’t access customers’ health information, credit cards, photos, videos and instant messages as it is to secure their passwords.

In addition to ensuring that customer data is secure, zero knowledge benefits an organization's overall security and compliance efforts, especially compliance with data privacy regulations like the GDPR. It’s a win on both sides.
