Following the changes the pandemic has brought about in the business world, organizations have significantly increased their use of data and the internet. This, in turn, has increased the prevalence of cyberattacks and cybersecurity risks.

Accounting firm PricewaterhouseCoopers recently released a report estimating that about 62 per cent of Canadian organizations were impacted by ransomware incidents and attacks in 2021.

Since these risks have crucial implications for companies and their investors and clients, cybersecurity spending saw a major increase. Global cybersecurity spending grew to more than $120 billion in 2017 from $3.5 billion in 2004.

There are systems ‘guarding’ your data in cyberspace – but who is guarding the guards?

We use internet-connected devices to access our bank accounts, keep our transport systems moving, communicate with our colleagues, listen to music, undertake commercially sensitive tasks – and order pizza. Digital security is integral to our lives, every day.

And as our IT systems become more complex, the potential for vulnerabilities increases. More and more organisations are being breached, leading to financial loss, interrupted supply chains and identity fraud.

The current best practice in secure technology architecture used by major businesses and organisations is a “zero trust” approach. In other words, no person or system is trusted and every interaction is verified through a central entity.

Unfortunately, absolute trust is then placed in the verification system being used. So breaching this system gives an attacker the keys to the kingdom. To address this issue, “decentralisation” is a new paradigm that removes any single point of vulnerability.

Our work investigates and develops the algorithms required to set up an effective decentralised verification system. We hope our efforts will help safeguard digital identities, and bolster the security of the verification processes so many of us rely on.

Never trust, always verify

A zero trust system implements verification at every possible step. Every user is verified, and every action they take is verified, too, before implementation.

Moving towards this approach is considered so important that US President Joe Biden made an executive order last year requiring all US federal government organisations to adopt a zero trust architecture. Many commercial organisations are following suit.

Decentralising trust

In our latest work, we refined and validated algorithms that can be used to create a decentralised verification system, which would make hacking a lot more difficult. Our industry collaborator, TIDE, has developed a prototype system using the validated algorithms.

Currently, when a user sets up an account on an IAM system, they choose a password which the system should encrypt and store for later use. But even in an encrypted form, stored passwords are attractive targets. And although multi-factor authentication is useful for confirming a user’s identity, it can be circumvented.

If passwords could be verified without having to be stored like this, attackers would no longer have a clear target. This is where decentralisation comes in.

Instead of placing trust in a single central entity, decentralisation places trust in the network as a whole, and this network can exist outside of the IAM system using it. The mathematical structure of the algorithms underpinning the decentralised authority ensures that no single node can act alone.
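The article describes the "no single node can act alone" property informally and does not name the algorithm behind it. The example below is added here to make that property concrete; it is not code from the authors' work or from TIDE's prototype. It assumes a classic threshold construction, Shamir's secret sharing over a prime field, in which a verification secret is split into one share per node, any `threshold` nodes can reconstruct it, and any smaller coalition (including a single compromised node) recovers nothing useful. The `rand` parameter and the node/coalition names are hypothetical, and the sample secret is constructed for the demonstration.

```python
import secrets
from itertools import combinations

# Field prime: 2**127 - 1 is a Mersenne prime, large enough for a 126-bit secret.
PRIME = 2**127 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a polynomial (coefficients lowest degree first) mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, n_nodes, rand=None):
    """Split `secret` into one share per node (hypothetical API, added example).

    Any `threshold` shares reconstruct the secret; fewer reveal nothing about it.
    `rand` is a test hook returning field elements; by default it is cryptographic.
    """
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    if not 1 <= threshold <= n_nodes:
        raise ValueError("need 1 <= threshold <= n_nodes")
    if rand is None:
        rand = lambda: secrets.randbelow(PRIME)
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [rand() for _ in range(threshold - 1)]
    # Node i (1-based) receives the point (i, f(i)); f(0) itself is never handed out.
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_nodes + 1)]


def recover_secret(shares):
    """Lagrange-interpolate f(0) from the given (x, y) points over the field."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def coalition_can_recover(shares, secret, coalition):
    """True when the given subset of node indices yields the real secret."""
    return recover_secret([shares[i] for i in coalition]) == secret


def check_threshold_property(shares, secret, threshold):
    """Exhaustively check that every coalition of at least `threshold` nodes
    recovers the secret and every smaller coalition (any single node included)
    does not."""
    n = len(shares)
    for size in range(1, n + 1):
        for coalition in combinations(range(n), size):
            recovered = coalition_can_recover(shares, secret, coalition)
            if recovered != (size >= threshold):
                return False
    return True


if __name__ == "__main__":
    # Constructed example: a verification secret held by 5 nodes, any 3 of which can act.
    secret = secrets.randbelow(PRIME)
    shares = split_secret(secret, threshold=3, n_nodes=5)
    print("threshold property holds:", check_threshold_property(shares, secret, 3))
    print("a single node alone recovers the secret:",
          coalition_can_recover(shares, secret, (0,)))
```

The point for a defender is the last line of the demonstration: compromising one node, or even two, yields a value that is statistically unrelated to the secret, so an attacker has to breach a threshold of independent nodes rather than one central store. A real deployment would additionally need verifiable sharing (so nodes can detect a bad share) and a way to use the shares without ever reassembling the secret in one place, which this simple example does not cover.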