Last Updated on June 4, 2021
In recent weeks the global cyber community has been hit broadside by two devastating attacks—the SolarWinds hack and the Microsoft Exchange Server exploits—impacting tens of thousands of organizations, including some of the most technologically sophisticated and ostensibly secure firms on the planet.
We’ve all heard about advanced persistent threats (APTs), and how a determined and sophisticated attacker will eventually gain a foothold in almost any environment if they expend enough time and effort. But how could these mega-hacks happen so quickly and on such a large scale?
The answer lies in the fundamentally flawed design of a perimeter-based security model, which is used almost universally across systems and networks. This model works by putting a wall around the data and hoping it’s high enough. But that wall is made of software, so inevitably it fails.
Zero Trust is “the answer”
On a recent episode of The Virtual CISO Podcast, host John Verry (Pivot Point Security’s CISO and Managing Partner) spoke with PreVeil co-founder and CEO Sanjeev Verma about the Zero Trust paradigm that underlies his company’s email/file-sharing encryption solution, and why Zero Trust is “the answer” to the unwinnable war of attrition we’re fighting in cyberspace today.
Sanjeev explains: “When you drag-and-drop a file [into PreVeil Drive] it gets automatically encrypted, uploaded, and a cloud version of it is stored on AWS GovCloud, which is a FedRAMP High impact cloud. And that’s the master copy. When you change anything on your end, it’ll be synced with that. But the nice thing is, since the system is end-to-end encrypted, all that is sitting on GovCloud is an encrypted copy. And neither Amazon nor PreVeil can look at it—so neither can the attacker.
“We’ve seen recently where even a sophisticated server like the Exchange Server got breached on a massive scale. And the way the breach occurred was: exploit a vulnerability, get to the server; since the server could see the information, so could the attacker.
The Security of End-to-End Encryption
“With PreVeil… since it’s end-to-end encrypted, the server sees nothing. So in the event that either an attacker gets to the server on an Amazon admin is breached, or an admin on [the client’s] end or a PreVeil admin, nothing [unencrypted] is visible because we have no access to the information whatsoever. You would just see a bunch of garbage over there. But to the end user it just looks like a normal file. It looks no different at all from any other file on your system,” says Sanjeev.
“This is one of the things we talk about with a lot of folks when they move to the cloud,” adds John. “They say, ‘Well, it’s encrypted.’ But where is the key? Passwords are keys, and if someone can access the password, they have the key to unlock the file. What you guys are doing is putting a direct token on each individual’s device in such a way that that person doesn’t know about that token. You’re talking about a solution that’s about as secure as I can envision at this point in time.”
“Last year when you and I spoke about it, I was the excited kid on the block who was saying, ‘Look, the future of data protection lies in systems that don’t trust the server, don’t trust the administrator, don’t trust passwords…’,” recalls Sanjeev. “I was saying this because it was state-of-the-art research from MIT, Stanford and Berkeley. Now we’re in a completely different world and, in response to the SolarWinds attacks and the Microsoft Exchange Server attacks, the NSA came out clearly and said, ‘The existing methods for security rely on a perimeter defense and they’re made up of disjointed pieces of security and access controls… and they will not work.’ The NSA strongly recommends Zero Trust systems, which assume that the attacker will get to the server, which assume that the attacker will get to your password, which assume the attacker will get to the admin. And now the DoD is saying Zero Trust is their number one priority.
“We use PreVeil [at Pivot Point Security], and you would never know that you’re using encryption,” John relates. “I have another email inbox. I go there, I send a file out, or I send an email out, it’s encrypted and that’s all there is to it. When I get a file back, I know that it was encrypted but I’d have no idea that it even happened.”
“A lot of people in your audience are familiar with WhatsApp, or perhaps Signal,” notes Sanjeev. “These systems embody the same principles that I’m talking about. They don’t trust the server; everything’s encrypted from the sender to the recipient. There is no password on these systems; it’s a key-based password that’s attached to your device. Yet, a billion people use it because it’s happening behind the scenes. You never think when you use WhatsApp that you’re using a state-of-the-art encrypted system. And it’s the same with PreVeil.”
If you’re concerned about CMMC Level 3 or NIST 800-171 compliance, be sure to listen to this eye-opening discussion with Sanjeev Verma from PreVeil.