Recently, we discovered that there was some confusion internally about the concepts of Zero Knowledge and Zero Trust. A few people here on Planet Devolutions were using the terms interchangeably. After all, zero means zero, right? Well, yes — and no!
It is true that both Zero-knowledge Encryption and Zero Trust play a significant role in safeguarding data and network infrastructure, especially in cloud environments. However, although they might seem similar, they are distinct concepts. This article explains those differences, focusing on their applications in cloud services. To begin, though, we must first understand the origins of these look-alike terms and the purposes they serve.
Zero-Knowledge Encryption: Ensuring Data Privacy with Cloud Providers
Zero-knowledge Encryption allows you to maintain the privacy of your data, even when it is stored with a cloud service provider. This method ensures that your data is encrypted on your device before it is sent to the provider's servers, making the data unreadable to anyone except you. This is because only you hold the decryption key. Even if the provider's servers are compromised or subpoenaed by law enforcement, your data remains safe and private.
This approach is particularly valuable in the context of cloud-based solutions, where the service provider might have access to your data. By employing Zero-knowledge Encryption, you can store your data in the cloud, while maintaining control over its privacy. Although the cloud provider stores and manages your encrypted data, they cannot access its contents.
For example, both Devolutions Hub Business and Devolutions Hub Personal implement Zero-knowledge Encryption. Customer data (e.g., passwords) is encrypted on THEIR device before it reaches our infrastructure. In the unlikely event that our infrastructure was somehow compromised, this stored data would be simply unusable. Recently, our CSO Martin wrote an article about this, and I encourage you to read it for a deeper dive into our Zero-knowledge Encryption standard.
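To make the "encrypted on your device, opaque to the provider" property concrete, here is an added, stand-alone example; it is not Devolutions Hub code and does not describe its actual format. The passphrase stays on the client, the provider only ever receives a salt, a nonce, ciphertext and an authentication tag, and decryption fails closed on a wrong passphrase or a tampered record. The cipher construction (PBKDF2 for key derivation, an HMAC-SHA256 counter-mode keystream, encrypt-then-MAC) is a teaching substitute built from the Python standard library so the example runs anywhere; a real product would use an audited AEAD such as AES-GCM. The `CloudProvider` class, the iteration count and the sample vault entry are assumptions made for this example.

```python
"""Toy zero-knowledge (client-side) encryption flow, standard library only.
The construction (PBKDF2 -> HMAC-SHA256 counter-mode keystream -> encrypt-then-MAC)
is for illustration; production code should use an audited AEAD such as AES-GCM."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # assumption: tune for your threat model and hardware


def derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive independent encryption and MAC keys from the user's passphrase.
    The passphrase never leaves the client; only the random salt is stored."""
    material = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream using HMAC-SHA256 as the PRF."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def client_encrypt(passphrase: str, plaintext: bytes) -> dict:
    """Runs on the user's device. The returned record is all the provider ever sees."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}


def client_decrypt(passphrase: str, record: dict) -> bytes:
    """Runs on the user's device. Fails closed on a wrong passphrase or a tampered record."""
    enc_key, mac_key = derive_keys(passphrase, record["salt"])
    authed = record["salt"] + record["nonce"] + record["ciphertext"]
    expected = hmac.new(mac_key, authed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("authentication failed: wrong passphrase or tampered record")
    stream = _keystream(enc_key, record["nonce"], len(record["ciphertext"]))
    return bytes(a ^ b for a, b in zip(record["ciphertext"], stream))


class CloudProvider:
    """Hypothetical storage backend (assumed for this example): it stores and returns
    opaque records and holds no passphrase or key, so it cannot read the contents."""

    def __init__(self) -> None:
        self._store: dict[str, dict] = {}

    def put(self, record_id: str, record: dict) -> None:
        self._store[record_id] = dict(record)

    def get(self, record_id: str) -> dict:
        return dict(self._store[record_id])

    def plaintext_visible(self, record_id: str, secret: bytes) -> bool:
        """What someone who dumps the provider's storage could recover directly."""
        return secret in self._store[record_id]["ciphertext"]


def demo() -> bytes:
    """Constructed sample: a vault entry stored with the provider and read back."""
    provider = CloudProvider()
    secret = b"db-admin / Correct-Horse-Battery-Staple"  # constructed sample entry
    provider.put("entry-1", client_encrypt("my vault passphrase", secret))
    return client_decrypt("my vault passphrase", provider.get("entry-1"))


if __name__ == "__main__":
    print(demo())
```

The point of the `CloudProvider` class is what it lacks: there is no key, no passphrase and no decrypt method on the provider side, which is exactly the property the subpoena and breach scenarios above rely on.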
Zero Trust: Ensuring an Adequate Level of Assurance in Access Control Decisions
As discussed, Zero-knowledge Encryption focuses on securing your data. Zero Trust principles, however, focus on securing access to your data — once again, especially in the context of cloud services.
The guiding principle of Zero Trust is "never trust, always verify." This means that every user, device, and application MUST be authenticated and authorized — regardless of the physical location — before access to resources is granted.
This is a significant shift from traditional security models, where trust is often implicitly given to users and devices inside the network perimeter, which is deemed trusted by default. As we have learned from countless high-profile breaches, this approach is inadequate in today's interconnected world, in which cyber threats are constant and the traditional network perimeter has become increasingly blurred.
To implement a Zero Trust model, organizations utilize a combination of well-known technologies and practices such as:
- Multi-factor authentication (MFA)
- Least-privilege access
- Micro-segmentation
However, the signature characteristic of a Zero Trust model is rooted in a policy engine that grants or denies access based on the level of trust that can be established for a specific user. This trust level is based on a wide range of variables such as user behaviour, device security posture, and contextual information like location and time.
By continuously evaluating these signals, the policy engine dynamically adjusts the level of trust, granting or denying access based on the sensitivity of the requested actions and the associated risk. This ensures that even if an attacker gains a foothold in your network, they will have a difficult time moving laterally to reach more valuable assets.
Consider this example: Jenny is an HR manager. As such, she is authorized to access all data that the organization stores for any employee. In a Zero Trust setting, Jenny would have to demonstrate different levels of trust depending on the actions she initiates, or the data that she requests access to. Here are some potential scenarios:
Scenario | Assigned Risk/Trust Level | Access Requirements Based on Zero Trust Model
---|---|---
At any moment, Jenny may request access to her own profile in the HR system. | Low Risk — Basic Level of Trust Required | Provide credentials; complete the MFA challenge
During her day-to-day tasks, Jenny needs to access various employee profiles to validate their employment records and timesheets. | Medium Risk — Elevated Level of Trust Required | Provide credentials; complete the MFA challenge; must log in from a company-managed device (new); must be located in a specific geographic region (new)
Less frequently, Jenny requires access to personal information of an employee, such as their salary or their social security number. | High Risk — Top Level of Trust Required | Provide credentials; complete the MFA challenge; must log in from a company-managed device; must be located in a specific geographic region; must log in with a physical security key (new); must access the system from a very specific location or office (new); access is only possible during regular work hours (new)
As we can see, in essence the Zero Trust model is all about enforcing a higher level of verification and assurance when access is granted to privileged data and resources. Trust is earned and continuously evaluated, not automatically given and then forgotten about!
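The three scenarios above can be expressed as a small policy engine, added here as an example (not code from Devolutions or from any product). Each request is evaluated from scratch against the tier its target falls in, the checks are cumulative across tiers exactly as in the table, and a denial reports which requirements were unmet so the client can step up (for instance, prompt for a security key). The resource path scheme (`hr/employees/<id>/<field>`), the signal set, the approved region, office and working hours are all assumptions constructed for the example; a real engine would pull these from an identity provider, device management and the organisation's policy store.

```python
"""Toy Zero Trust policy engine for the HR scenarios above (added example).
Trust is never carried over: every request is re-evaluated against the tier of
the resource it targets, regardless of where the request comes from."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable


class Tier(IntEnum):
    LOW = 1     # basic level of trust
    MEDIUM = 2  # elevated level of trust
    HIGH = 3    # top level of trust


@dataclass(frozen=True)
class Signals:
    """Everything the engine knows about one request (assumed signal set)."""
    user: str
    credentials_verified: bool
    mfa_passed: bool
    managed_device: bool = False
    region: str = ""              # e.g. country code reported by the IdP
    security_key_used: bool = False
    office: str = ""              # network location / badge-in site
    local_hour: int = 12          # 0-23 in the user's time zone


# Assumed organisational policy values (constructed for this example).
APPROVED_REGIONS = {"CA"}
APPROVED_HR_OFFICES = {"HQ-HR"}
WORK_HOURS = range(8, 18)

Check = tuple[str, Callable[[Signals], bool]]

# Requirements are cumulative: each tier includes every check of the tier below it.
BASIC: list[Check] = [
    ("credentials", lambda s: s.credentials_verified),
    ("mfa", lambda s: s.mfa_passed),
]
ELEVATED: list[Check] = BASIC + [
    ("managed-device", lambda s: s.managed_device),
    ("approved-region", lambda s: s.region in APPROVED_REGIONS),
]
TOP: list[Check] = ELEVATED + [
    ("security-key", lambda s: s.security_key_used),
    ("approved-office", lambda s: s.office in APPROVED_HR_OFFICES),
    ("work-hours", lambda s: s.local_hour in WORK_HOURS),
]
POLICY: dict[Tier, list[Check]] = {Tier.LOW: BASIC, Tier.MEDIUM: ELEVATED, Tier.HIGH: TOP}


def classify(resource: str, requester: str) -> Tier:
    """Map an HR resource to its sensitivity tier.
    Assumed path scheme: hr/employees/<employee-id>/<field>."""
    parts = resource.split("/")
    if len(parts) != 4 or parts[:2] != ["hr", "employees"]:
        raise ValueError(f"unknown resource: {resource}")
    employee, field = parts[2], parts[3]
    if field in {"salary", "ssn"}:
        return Tier.HIGH        # personal information such as salary or SSN
    if employee == requester:
        return Tier.LOW         # the requester's own profile
    return Tier.MEDIUM          # other employees' records and timesheets


@dataclass(frozen=True)
class Decision:
    allowed: bool
    tier: Tier
    unmet: tuple[str, ...]      # requirements the request still has to satisfy


def evaluate(signals: Signals, resource: str) -> Decision:
    """Deny unless every check for the resource's tier passes; report what is missing."""
    tier = classify(resource, signals.user)
    unmet = tuple(name for name, check in POLICY[tier] if not check(signals))
    return Decision(allowed=not unmet, tier=tier, unmet=unmet)


if __name__ == "__main__":
    jenny = Signals(user="jenny", credentials_verified=True, mfa_passed=True)
    print(evaluate(jenny, "hr/employees/jenny/profile"))
    print(evaluate(jenny, "hr/employees/e1042/timesheet"))
```

Returning the list of unmet requirements rather than a bare deny is what lets the same engine drive step-up authentication: the first `evaluate` call for the timesheet above fails on `managed-device` and `approved-region`, and a later request with those signals present is evaluated afresh and passes.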
Unmasking the Principles: Distinguishing Zero-Knowledge Encryption from Zero Trust
Now that we have explored the fundamentals of Zero-knowledge Encryption and Zero Trust, let us recap their key differences. This chart will help you easily distinguish between the two and understand their respective applications in cloud services:
Aspect | Zero Knowledge | Zero Trust
---|---|---
Focus | Primarily concerned with data encryption and privacy, especially when entrusted to a cloud service provider. | Continuously securing access to data and resources.
Implementation | Relies on techniques like client-side encryption to ensure data privacy, even when it is in the hands of a cloud service provider. | Involves a suite of technologies and practices such as multi-factor authentication, least-privilege access, micro-segmentation, and a policy engine that grants or denies access dynamically based on a wide range of variables.
Data access | Ensures that the cloud service provider is unable to access the contents of data — only you can decrypt and use it. | Verifies the identity and intentions of users and devices trying to access the data or resources, adhering to the "never trust, always verify" principle.
The Final Word
The next time that you encounter these two essential cybersecurity principles, you can confidently use this information to differentiate between them, and understand their applications in cloud services. And if despite your best efforts someone in your workplace STILL continues to treat the concepts as interchangeable, then just point them to this article and that should be the end of it!