When talking about zero trust with technical colleagues, you may have heard a reference to something called zero knowledge proof.
Although the two terms sound similar, they refer to distinctly different computer security concepts with a slight overlap. Let’s compare the two to understand the difference.
What is Zero Trust?
Companies looking for greater control of communications over a corporate network are considering zero-trust philosophies as a potential solution. Zero Trust is a security framework that requires users and devices to be continuously authenticated, authorized, and validated over time. Each user and device is bound to a set of granular controls that they must adhere to when communicating with other users, devices, and systems within a secure network.
Zero trust principles can be extended to data centers and the cloud. The idea is to place applications and services in logically defined secure zones. All traffic entering or leaving a zone must be explicitly authorized before any data is transferred. This means that, if a server or application is compromised, the bad actor cannot easily move laterally through the data center to compromise other systems.
What is zero-knowledge proof?
Zero-knowledge proof is a term used in the field of cryptography that has been around since the mid-1980s. One party (the prover) claims to hold certain information, and a second party (the verifier) wants to confirm that the claim is true. With a zero-knowledge proof system, the prover convinces the verifier without passing on any of the secret information that underlies the claim.
A zero-knowledge proof requires no transfer of the actual knowledge or secret to prove the claim. Instead, a scenario must be set up that allows the proving party to demonstrate that it holds particular information without actually revealing it.
Zero-knowledge proofs are used in modern cybersecurity in situations where a system claims to hold sensitive data but does not want to hand that data over to prove it to another system. Cryptographic algorithms based on zero-knowledge proofs let the verifying party test the proof in such a way that it could not pass verification unless the claim were actually true.
Where do zero-trust and zero-knowledge proof intersect in business?
Zero-knowledge proofs can be used to protect data confidentiality. This type of cryptography is therefore a great way to authenticate and verify users without having to transmit secrets that should never be known to others.
In most cases, the information that the proving party wants to keep secret is a password. Some types of two-factor authentication (2FA) and multi-factor authentication (MFA) use zero-knowledge proofs, never requiring the proving party to divulge secret information. Of course, authentication – and MFA and 2FA in particular – is an integral part of zero-trust frameworks.
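The prover/verifier exchange described in the zero-knowledge section above, and the password-based authentication use case in this section, can be seen concretely in the Schnorr identification protocol, one of the classic zero-knowledge proofs of knowledge. The following is an added example written for this page, not code from the original article: the prover shows it knows a secret exponent x behind a registered public value y = g^x mod p without ever sending x. The group parameters are deliberately toy-sized so the numbers are readable (a real deployment would use a 2048-bit or larger group, or an elliptic curve), and deriving x from a password with a single SHA-256 hash is an assumption made purely for illustration; production password-based systems use dedicated protocols such as SRP or OPAQUE.

```python
import hashlib
import secrets

# Toy Schnorr group (constructed for this example): p is a safe prime, p = 2q + 1,
# and g generates the subgroup of prime order q. Far too small for real use.
P = 2879
Q = 1439
G = 4  # 2^((p-1)/q) mod p = 2^2; a quadratic residue, so its order is q


def _is_prime(n):
    """Trial-division primality check, adequate only for toy-sized parameters."""
    if n < 2:
        return False
    return all(n % d for d in range(2, int(n ** 0.5) + 1))


# Sanity-check the hard-coded parameters at import time.
assert _is_prime(P) and _is_prime(Q) and P == 2 * Q + 1
assert G != 1 and pow(G, Q, P) == 1


def keygen(x=None):
    """Prover's secret x and its public value y = g^x mod p.
    Only y is registered with the verifier; x never leaves the prover."""
    if x is None:
        x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def secret_from_password(password):
    """Illustrative mapping of a password to the secret exponent x in [1, q-1]
    (assumption for this example; not a production password-to-key scheme)."""
    digest = hashlib.sha256(password.encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


# --- Interactive three-move protocol ---------------------------------------

def prover_commit():
    """Move 1 (prover -> verifier): pick a fresh random nonce r, send t = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def verifier_challenge():
    """Move 2 (verifier -> prover): send an unpredictable challenge c."""
    return secrets.randbelow(Q)


def prover_respond(x, r, c):
    """Move 3 (prover -> verifier): s = r + c*x mod q. Because r is random and
    used once, s reveals nothing about x."""
    return (r + c * x) % Q


def verifier_check(y, t, c, s):
    """Accept iff g^s == t * y^c (mod p). A prover who does not know x can only
    satisfy this by guessing c in advance, i.e. with probability 1/q."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def run_interactive(x, y):
    """Full exchange between an honest prover holding x and a verifier holding y."""
    r, t = prover_commit()
    c = verifier_challenge()
    s = prover_respond(x, r, c)
    return verifier_check(y, t, c, s)


# --- Non-interactive variant (Fiat-Shamir) -----------------------------------

def _fiat_shamir_challenge(y, t, context):
    """Replace the verifier's live challenge with a hash of the transcript.
    `context` (e.g. a server-issued session nonce) binds the proof to one session."""
    h = hashlib.sha256(f"{P}|{G}|{y}|{t}|{context}".encode()).digest()
    return int.from_bytes(h, "big") % Q


def ni_prove(x, y, context):
    """Prover emits a single message (t, s) that the verifier can check offline."""
    r = secrets.randbelow(Q)
    t = pow(G, r, P)
    c = _fiat_shamir_challenge(y, t, context)
    return t, (r + c * x) % Q


def ni_verify(y, proof, context):
    t, s = proof
    c = _fiat_shamir_challenge(y, t, context)
    return verifier_check(y, t, c, s)


if __name__ == "__main__":
    # Registration: the verifier stores only y, never the password or x.
    x, y = keygen(secret_from_password("correct horse battery staple"))
    print("honest prover accepted:", run_interactive(x, y))
    # A prover with the wrong password fails except with probability 1/q.
    wrong_x = secret_from_password("wrong password")
    print("wrong-password prover accepted:", run_interactive(wrong_x, y))
    print("non-interactive proof accepted:", ni_verify(y, ni_prove(x, y, "session-42"), "session-42"))
```

The verifier's stored value y is safe to leak in the sense that recovering x from it is the discrete-logarithm problem, and the transcript (t, c, s) can be simulated by anyone who picks s and c first and sets t = g^s / y^c, which is exactly why the exchange conveys zero knowledge about x.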
This was last published in May 2022
Related Q&A from Andrew Froehlich