Summary

  • A common bug in firewall or database software lets attackers skip the authentication step and gain administrative access.
  • This happens because the same software is responsible both for verifying users and for acting on their requests.
  • A zero-trust approach would separate these functions, meaning that no asset should be implicitly trusted and every component should only have the power necessary to carry out its duties.
  • This could be implemented through authority control: rather than the user authenticating first and then being granted blanket access, an authenticated user is lent a cryptographic key with which to access their own data.
  • Using this method, a breach of a database would only give an attacker ciphertext, which is useless without the key, rather than potentially all of the data stored by that user.
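The following is an added example, not code from the Tide Foundation or the article being summarised, that sketches the separation the bullets describe: a key authority that releases a per-user data key only after checking credentials, and a database that stores nothing but ciphertext. The class and function names (`KeyAuthority`, `CiphertextStore`, `save_record`, `read_record`) and the sample user record are constructed for illustration, and the HMAC-based stream cipher stands in for a real AEAD such as AES-GCM.

```python
"""Added example: authority control with a key authority separate from the data store.

The store only ever holds ciphertext; the key that unlocks a user's records is
released by a separate authority after the user proves their identity.  The
cipher below is an HMAC-SHA256 counter-mode stream cipher with a separate MAC,
an illustrative stand-in for a production AEAD (e.g. AES-GCM).
"""
import hashlib
import hmac
import secrets
from typing import Optional


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separate the encryption and MAC keys from one 32-byte data key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: HMAC(enc_key, nonce || counter), concatenated.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag  # nonce(16) || ciphertext || tag(32)


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext rejected: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(body, _keystream(_subkey(key, b"enc"), nonce, len(body))))


class KeyAuthority:
    """Verifies credentials and lends out the user's data key.
    It holds no user data; the database holds no keys."""

    def __init__(self) -> None:
        self._users: dict = {}  # username -> (salt, password_hash, data_key)

    def enroll(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[username] = (salt, pw_hash, secrets.token_bytes(32))

    def issue_key(self, username: str, password: str) -> Optional[bytes]:
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, pw_hash, data_key = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return data_key if hmac.compare_digest(candidate, pw_hash) else None


class CiphertextStore:
    """The application database: opaque blobs keyed by username, no keys."""

    def __init__(self) -> None:
        self._rows: dict = {}

    def put(self, username: str, blob: bytes) -> None:
        self._rows[username] = blob

    def get(self, username: str) -> bytes:
        return self._rows[username]

    def dump(self) -> bytes:
        # What an attacker who bypasses the application's auth check would obtain.
        return b"".join(self._rows.values())


def save_record(authority: KeyAuthority, store: CiphertextStore,
                username: str, password: str, record: bytes) -> bool:
    key = authority.issue_key(username, password)
    if key is None:
        return False
    store.put(username, encrypt(key, record))
    return True


def read_record(authority: KeyAuthority, store: CiphertextStore,
                username: str, password: str) -> Optional[bytes]:
    key = authority.issue_key(username, password)
    return None if key is None else decrypt(key, store.get(username))


def demo() -> dict:
    authority, store = KeyAuthority(), CiphertextStore()
    authority.enroll("alice", "correct horse battery staple")  # constructed sample credentials
    record = b"account=12345; balance=9000"                    # constructed sample record
    saved = save_record(authority, store, "alice", "correct horse battery staple", record)
    leaked = store.dump()  # simulated breach of the database alone
    return {
        "saved": saved,
        "plaintext_in_dump": record in leaked,
        "wrong_password_key": authority.issue_key("alice", "guess"),
        "roundtrip": read_record(authority, store, "alice", "correct horse battery staple"),
    }


if __name__ == "__main__":
    print(demo())
```

The point to notice is which component can fail open: the store's `dump()` is exactly what an authentication bypass in the database layer would expose, and it contains only nonces, ciphertext and tags. Reading a record requires a key the store never had, and that key is released only by `KeyAuthority.issue_key`, which has no access to the data it unlocks.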

By Tide Foundation
