Wednesday, January 18, 2023

The Trust in Zero Trust

Opinions expressed are solely my own and do not express the views or opinions of my employer

Hafnium/UNC2452 used novel techniques that abused organizations' adoption of cloud technologies, an adoption often made without a full understanding of the implications and the resulting architecture.

Microsoft has pushed customers toward Office 365 in recent years, and as a result many organizations now run hybrid cloud environments, whether they know it or not.

How is this relevant to Zero-Trust? 

The spate of attacks has revealed weaknesses and tactics that pen-testers and adversaries can exploit against a hybrid cloud or zero trust environment. Even in a zero trust environment there is still a trust relationship between the identity provider and the service provider: tokens generated by the identity provider are trusted by the service provider. By attacking the cryptographic protections of this trust relationship, UNC2452 was able to launch sophisticated attacks that often went undetected. By forging tokens, UNC2452 abused this trust relationship to bypass the controls normally enforced when accessing services. With forged tokens they short-circuited the normal authentication step, authenticating directly to the service provider via tokens and bypassing the identity provider entirely.

Great, what does this mean?

For defenders, it is important to get good AAA telemetry. This means getting good logging from both your identity provider and your service provider: logs that let you track authentication, authorization, and auditing. This is a lot easier said than done.
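The two paragraphs above describe the trust relationship (the service provider accepts whatever the identity provider signs) and the telemetry a defender needs to watch it. The following is an added example, not code from the original post, of the simplest correlation that telemetry enables: join service-provider access events to identity-provider issuance events and flag any session whose token the identity provider never logged issuing, which is exactly what a forged token looks like from the logs. The log formats, field names (`token_id`, `key_id`), and the trusted key set are constructed assumptions for this example, not any vendor's schema.

```python
"""
Correlate identity-provider (IdP) sign-in events with service-provider (SP)
access events to surface sessions backed by tokens the IdP never issued.

All sample data below is constructed; the JSON-lines format and field
names are assumptions for this example, not a real product's schema.
"""
import json

# Constructed IdP log: one line per token the IdP issued (hypothetical fields).
IDP_LOG = """
{"event":"token_issued","user":"alice@example.test","token_id":"t-1001","key_id":"idp-key-2023","ts":"2023-01-18T09:00:00Z"}
{"event":"token_issued","user":"bob@example.test","token_id":"t-1002","key_id":"idp-key-2023","ts":"2023-01-18T09:05:00Z"}
"""

# Constructed SP log: one line per access the SP granted on a presented token.
SP_LOG = """
{"event":"access","user":"alice@example.test","token_id":"t-1001","key_id":"idp-key-2023","resource":"/mail","ts":"2023-01-18T09:01:00Z"}
{"event":"access","user":"bob@example.test","token_id":"t-1002","key_id":"idp-key-2023","resource":"/files","ts":"2023-01-18T09:06:00Z"}
{"event":"access","user":"admin@example.test","token_id":"t-9999","key_id":"idp-key-2023","resource":"/admin","ts":"2023-01-18T09:10:00Z"}
{"event":"access","user":"carol@example.test","token_id":"t-1003","key_id":"unknown-key","resource":"/mail","ts":"2023-01-18T09:12:00Z"}
"""

# Signing key identifiers the SP is configured to trust (assumed value).
TRUSTED_KEY_IDS = {"idp-key-2023"}


def parse_jsonl(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_orphan_tokens(idp_events, sp_events, trusted_key_ids=TRUSTED_KEY_IDS):
    """Return SP access events that the IdP log cannot account for.

    Each finding carries one or more reasons:
      - "no_idp_issuance": the SP honoured a (token_id, user) pair that the
        IdP never logged issuing, i.e. the IdP was bypassed.
      - "untrusted_key":   the token was signed with a key id outside the
        SP's configured trust set.
    """
    issued = {
        (e["token_id"], e["user"])
        for e in idp_events
        if e["event"] == "token_issued"
    }
    findings = []
    for e in sp_events:
        if e["event"] != "access":
            continue
        reasons = []
        if (e["token_id"], e["user"]) not in issued:
            reasons.append("no_idp_issuance")
        if e["key_id"] not in trusted_key_ids:
            reasons.append("untrusted_key")
        if reasons:
            findings.append({
                "user": e["user"],
                "token_id": e["token_id"],
                "resource": e["resource"],
                "reasons": reasons,
            })
    return findings


def run_demo():
    """Run the correlation over the constructed logs and return the findings."""
    return find_orphan_tokens(parse_jsonl(IDP_LOG), parse_jsonl(SP_LOG))


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The key-id check only catches a token signed with something the service provider should never have trusted; a token forged with a stolen signing key carries the legitimate key id and passes it. The issuance correlation is what catches the case the post describes, because the identity provider has no record of ever minting that token. In practice the join key is whatever unique token identifier both sides log (for example a SAML assertion ID or a JWT `jti` claim), and the check is only as good as the completeness of the identity-provider log it is joined against.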

Implementing zero trust can lower an organization's overall risk by "reducing or removing implicit trust in networked systems by addressing network identity, endpoint health, and data flows." (NIST) However, it can also introduce a single point of failure: an attacker who compromises the identity manager can gain access to multiple resources. If the identity provider is based in the cloud, how much trust do you place in it? If your cloud identity provider were breached, what would the impact be on your organization? While I believe many cloud providers provide better patching and maintenance than organizations do themselves, the risk is non-zero.

References:

https://csrc.nist.gov/News/2022/planning-for-a-zero-trust-architecture-white-paper

Friday, January 13, 2023

Non-compete clauses

Recently the FTC has proposed a ban on most non-compete clauses. This is a great idea: if the ban is enacted, the US stands to benefit in multiple ways, including increased worker mobility, increased innovation, increased growth, and increased market competition.

Silicon Valley
The lack of enforcement of non-compete clauses in California is one of the factors that has helped to create a vibrant technology sector in that state. Non-compete clauses are a method for employers to reduce competition by making it hard to poach and recruit talent. Without non-competes, start-ups in California are able to grow and thrive in the shadow of giant technology companies because they are able to better execute on their roadmaps and strategy. Organizations such as Zoom have been able to thrive in California by identifying a need in the market not met by larger technology companies. Large technology companies have been sued by the Federal government for illegally preventing employees from getting offers from competing firms. For example, Steve Jobs was sued by the Feds for a gentlemen's agreement with one of the founders of Google to stop that organization from poaching talent away from Apple.

Abuses of Non-compete clauses
Non-compete clauses have also been abused by employers through overly broad language that prevents employees from leaving the firm or going to the competition. For example, in healthcare, non-compete clauses often dictate a geographical radius. In dense metropolitan areas such as New York or LA, a non-compete radius of 25 miles means you'll essentially need to find another job in another city: 25 miles can mean a 2 hour commuting radius in large crowded cities with traffic.

Non-compete clauses are un-American
Non-compete clauses go against the ideals of America. The US should be a nation that encourages competition, entrepreneurship, free markets, and the ability of employees to move freely if they find better opportunities elsewhere. The rise of non-compete clauses is allowing many larger, well-resourced organizations to reduce competition and continue their rent-seeking behavior. Its continuation will reduce the economic growth of the country and limit the opportunities of employees.

References: 

https://money.cnn.com/2014/08/11/technology/silicon-valley-poaching-case/