shane - stock.adobe.com
Will nonprofit's evolution of zero trust secure consumer data?
An Australian nonprofit aims to deliver an improved security protocol through what it calls a 'true zero-trust custody layer.' Will the protocol improve consumer data protection?
Tide Foundation is developing a new way to ensure data security, one that advances zero trust to a truly trustless protocol, according to co-founder Michael Loewy.
The nonprofit was established based on the belief that current cybersecurity practices have backdoors that leave authentication credentials and authentication methods exposed. It instead offers a blockchain-based infrastructure that creates a custody layer for access that's controlled by individual consumers, not the enterprise organizations. The foundation lays out the technology in a 49-page white paper.
"It's tamper-proof, decentralized software infrastructure that automates cryptographic key management without compromising security," Loewy told TechTarget, noting that both its open source and decentralized nature provides a mechanism to "crowdsource" key elements of cybersecurity, such as consumers' personal data protection.
"We're kind of evolving zero trust another step further," he explained. "You won't even need to trust your administrators anymore."
The Sydney-based organization made a splash in the world of cybersecurity with its concept of splintering -- an open source encryption mechanism the organization claims makes passwords 140,000 times more difficult to crack.
Splintering garnered some coverage in technical publications in fall 2019 with articles detailing how splintering breaks usernames and passwords into tiny segments using decentralized technology – i.e., blockchain. Tide Foundation developers even challenged hackers to try to crack a splintered password.
Michael LoewyCo-founder, Tide Foundation
So far, no one has succeeded, despite millions of attempts. That, however, is only the start of the story, Loewy said, as splintering is just one component of the larger protocol that Tide Foundation is promoting as a more extensive approach to cybersecurity.
"We led with splintering because it was something to grab attention, but it's a small piece of a much bigger puzzle we're creating," Loewy said.
Tide Foundation introduces new layer
Tide Foundation officials said they've developed a layer that removes the liability of protecting sensitive data by liberating organizations from managing its security. The officials tout it as a "true zero-trust custody layer" that is owned by no one and available to everyone that enables the safe storage, sharing and trading of sensitive data.
By integrating Tide Protocol across an organization's systems where consumers' personal data touches, Tide hands over the control -- and, therefore, the liability -- to its consumers, all through a delegated authority that acts on the consumers' behalf and under their instructions, Loewy added.
Origins of the idea
Loewy said the idea for this new layer originated as he and his co-founders were working with marketing campaigns and consumer data. They recognized the need for both better security solutions to counter the growing number of data breaches and related regulatory infractions, as well as consumers' desire to control access to their data.
"We took the opportunity to reimagine the protection of sensitive data by upending some of the core pillars of cybersecurity solutions today. The most critical misguided notion being: There's no one better to trust your keys with other than yourself. We're contesting that claim," Loewy said.
Organizations are not proving successful at managing their own security and often end up becoming their own worst enemy.
"They carry honeypots of user credentials, leave backdoors when automating processes, have privileged employees that can cause serious damage undetected and, ultimately, hold a single key to their own kingdom somewhere, which is commonly exploited," he said.
Tide Foundation was formed as a nonprofit to develop and promote this new cybersecurity protocol and an SDK. The foundation's website offers more details about the protocol and its technology underpinnings, along with a white paper and other news.
Experts have questions
Whether enterprises will adopt this at all remains a big question, with security analysts and researchers saying they couldn't comment on Tide Foundation or its protocol because they haven't reviewed or analyzed its information.
And even those who have done so still have questions.
"Tide makes a lot of claims -- for preventing breaches and giving end users complete control over access to their data by way of keys -- but we hear these sorts of claims all the time (the personal data vault concept is 20 years old at least), and the claims can only be tested by rigorous cryptology and independent verification," said Steve Wilson, vice president and principal analyst at Constellation Research Inc.
He noted that the white paper available online on Tide's website contains "an impressive amount of technical detail, but further verification of its technology is needed to prove out the foundation's claims."
Meanwhile, he questioned Tide's decision to have a forward-looking security protocol continue to rely on passwords even if they're "splintered" for increased protection.
"I note from their 'splinter' protocol work that they are trying to redesign password security. They say they want to leverage and build on the password experience -- not because it's secure, but because it's prevalent," Wilson said. "This could be seen to swimming against the tide. The strongest identity industry initiative at the moment -- the strongest ever in my opinion -- is the FIDO Alliance, which is working to eliminate passwords."
Wilson noted, however, that the foundation is more in step with the current widespread movement to assert ownership rights to consumers' own data.
Tide adviser Doug Knopper, who co-founded media platform FreeWheel and is a former general manager of the online ad serving company DoubleClick, highlighted Tide Foundation's focus on consumer ownership.
"It's an opportunity to embrace a new approach to protecting sensitive data that not only diffuses the associated liability, but improves products and services for customers," he said. "Customers are granted the ultimate control and transparency around the use of their sensitive data, which serves to comply with legislation and creates new value off a base built on trust -- or, more appropriately, put in the case of Tide, having removed the need to trust."