Synopsis
Technology platform developers in general, and DevSecOps in particular, are engaged in a losing game of whack-a-mole with attackers. As repeatedly witnessed, even the best-resourced companies in the world, with the best cyber-hygiene, keep falling victim to 0-day vulnerabilities and compromised executives, and the numbers show it is only getting worse. The current security paradigm of endless fortification has proven ineffective, and the breach inevitable. There is a current tendency to concentrate more authority in a centralized ‘trusted’ core system which, while better protected, simply moves the goalposts for attackers but never removes them. This reality is seeing even the strongest vendors succumb to attacks, leaving smaller players hopeless in their struggle to offer any security assurances, and necessitating a new, alternative approach.
We propose a mechanism that allows developers to design and implement technology platforms without the worry of a future breach, by assuming that a compromise has already happened but the attacker still can’t access anything of substance. Our approach is made possible by introducing a new cryptographic tool for developers that allows sensitive digital assets, such as personal data, session data, identities, etc., to be locked with keys that no one will ever hold: keys that are exclusively governed in a decentralized manner by a network of independent participants, effectively offering a sort of herd security.
This new approach, made simple for developers to implement, unlocks secured resources at the edge, in a verifiable manner, guaranteeing that even when the platform is breached, there’s nothing for the attacker to find. Each asset is protected with a different key, and each key is governed in a decentralized mesh, such that compromising a single key requires an attacker to breach the entire network, and a successful attack would compromise only the single asset behind that key.
This new approach opens a world of opportunities beyond simple data protection: data sovereignty, verifiable access governance, proven data ownership, all the way to trustworthy AI. Implementation could leverage existing collaboration efforts of the ASD and even be extended to the AUKUS and QUAD alliances. Platforms tapping into the network capability will automatically inherit these new unbreachable security properties, offering the first Cyber-Herd-Immunity model.