The cloud is ubiquitous:  Any company looking to ramp up quickly is likely to provision its compute, networking, storage with its preferred cloud provider, and get started rolling out their products.  The catch though, is that the very same foundational architectures which drive the cloud’s efficiency, flexibility and cost benefits ultimately also are its weakest links from a security perspective.

There are three fundamental drivers that serve as the basis for the large majority of access hacks, data security breaches and privacy vulnerabilities:

1. A centralized cloud-only model for identity verification and authentication.
2. A fundamentally flawed architecture for data security and privacy.
3. The complexity of the cloud-based solutions and active security measures, that are layered over this inherently flawed foundation.

This blog series will dig into each of these elemental cloud security challenges that need to be addressed if we really want to change things. Then we will lay-out how an API approach to security will enable developers to bake-in data security, privacy and access control into their applications from the ground floor with little or no code, rather than simply layering on active security measures as an afterthought.

Ok, What’s the Problem with Existing Password-less Authentication?

Credentials-based authentication - that is, username and password - is notoriously insecure and the source of 80%+ of data breaches today. Yet most end users still gain access to their Web sites and applications this way.   Even worse, so do many DevOps and cloud engineers to their sensitive production cloud environments. Thankfully, a long overdue migration to passwordless authentication is now underway, with dozens of tools vying for supremacy, and more and more sites like Github are deprecating password based authentication entirely.

While this is an important step forward, it still only solves part of the problem: not all passwordless authentication solutions are created equal. The new wave of solutions eliminate the password, but all still have one or several intrinsic weaknesses, all derived from the same foundational flaw.

They Rely on the Cloud - and the Cloud is Compromised

The benefits of the cloud - it’s flexibility, scalability and remote access - are indisputable. It has simplified development and automation exponentially over the years, and emerging tech such as AI and IoT will only accelerate this.

But as any security engineer knows, these strengths are also the cloud’s main weaknesses. The scale and complexity of the cloud make it practically impossible to defend, while the amount and value of data and capabilities that are concentrated into enormous cloud-based data lakes, make attacks relatively easy and incredibly profitable. Given that formula, it’s no wonder why the breaches - and headlines - just keep getting bigger.

So, if you want to really take a security-first approach in your cloud engineering, and avoid being the next big headline, you should start with the working premise that the cloud is essentially compromised. With this assumption in mind, here is where the current crop of passwordless authentication solutions remain vulnerable:

The Cloud is Compromised

If you are serious about data security, you have to start with the simple premise that any resource of value in the Cloud can and will ultimately be successfully attacked.

1. They rely on cloud databases of user identities, which remain as vulnerable as ever.   In fact, this modus operandi is quite dangerous, as it just aggregates even more data on users' identities, their activities, their history and so on in a single place (making a hacker’s job easier than ever).
2. They rely heavily on user self-identification and authorization, ignoring the vulnerability of the means used to execute this:  SMS and eMail, two extremely spoofable channels.
3. They assume the user is human, and put all their chips on cloud-based software to determine that. There is an almost religious faith that advanced monitoring, and observability coupled with AI, is foolproof in identifying whether a user requesting access to a resource, is actually the human authorized to do so.

Thanks to this set of assumptions, attacks can be executed literally from anywhere in the world, from any device, and by any hacker - whether an amateur or more sophisticated professionals.  Even worse, it doesn’t even require a human attacker - software, especially bots, malware, ransomware and even AI software, can probe and drive attacks of virtually unlimited scale.
Yikes - scary.  Until we change things, the attackers will always have the advantage.

What about Zero Trust?

Zero Trust was, of course, developed to acknowledge and address this inherent weakness of cloud security. Zero Trust (as a quick recap):

1. requires all users, whether in or outside the organization's network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data; and
2. assumes that there is no traditional network edge; networks can be local, in the cloud, or a combination or hybrid with resources anywhere as well as workers in any location.

While both are vital principles and steps, there are gaps in how Zero Trust is implemented and enforced, usually due to the cloud’s previously mentioned inherent weaknesses:

1. identity databases can be hacked;
2. user identity verification and authentication spoofed; and
3. you can’t really ever be sure the authorized human user is on the other end of that Chain of Trust in the cloud.

Therefore, Zero Trust solutions are still not able to prevent unauthorized access, and will continue to be broken. It is a necessary part of an overall strategy, but not sufficient on its own.

So, What Is Better Than Passwordless Authentication?

Since we are writing this blog, we have a few ideas! Several years ago, Circle’s founders started thinking about, designing and then building a new approach to cloud security - cybersecurity based on the basic premise that the cloud is compromised.

If you accept that, then the strategy is obvious: we need to eliminate the attack surface in the cloud entirely. These are the pillars that make this strategy feasible.

1. Enforce access to and control of software and resources with cryptographic keys, not application logic.   Encryption - especially AES 256 encryption - works.  Use it.
2. Bind user access to cloud resources - software, networks, IOT devices, anything important - to devices.  We have to eradicate the notion that, giving users the ability to log-in from anywhere on any device, at the spur of the moment- just because they want convenience - is acceptable. , It’s not, and never will be secure.
3. Bind keys to devices and devices to users.   In addition to the Trusted Platform Module - clunky, but improving - there are other methods to uniquely restrict the use of encryption keys to the device on which they were created and authorized.  The right authentication method can then bind a device to the unique human that is authorized to use it. (This can also be used for APIs and IOT, but that’s a different story).
4. Eliminate credentials entirely.  As long as passwords are stored and used to authenticate, just taking them out of the end user's hands is not enough. Back end identity and access management databases can, and will be hacked. We need to replace this with cryptographic signatures that are tied to devices and their authorized users.
5. Decentralize MFA.   All MFA today ultimately relies on cloud-based resources and databases, and a Chain of Trust between them for execution.   Oops: the cloud is compromised! To take the cloud off the table, we can delegate and distribute MFA out to authorized decentralized users without a central authority.

These pillars can also be applied to many other vulnerabilities in cloud security, including in particular protecting data and privacy. But more on that in the next blog!

Want to Learn More?

• No software or system can ever be 100% “hack-proof”. However, Circle has developed a revolutionary, breakthrough architecture for cybersecurity based on the principles articulated above to address the vulnerabilities of both password-based and password-less authentication. It features:

1. continuous cryptographic credential-free authentication across browsers, devices and contexts; and
2. unspoofable peer-to-peer multi-factor authentication.

Too good to be true?   We would be the first to say that seeing and implementing the code is believing.  We hope that you will take the Circle API for a spin!   

• Register Now - It's Free

You can also follow to the blog and articles below to learn exactly how you can use Circle API to rapidly and easily bring these benefits to your Web sites and applications and end users.

• Getting Started with Circle Credential-free Authentication
• Article:  Circle Cryptographic Credential-free Authentication
• Article: Circle Distributed Multifactor Authentication