Thought Piece

Part 1: It’s time for platform developers to rethink cybersecurity


TL;DR:

Despite advances like “The Zero Trust Model”, cybersecurity is still fundamentally broken, as repeatedly proven by the increasing breaches in the largest, most secured companies in the world. This series unveils an entirely different approach, made possible by a breakthrough in cryptography, that allows developers, like you, to stop worrying about the next vulnerability by locking systems with keys no-one will ever hold—Keys that are impervious to theft, loss, or misuse. This series demonstrates how the introduction of herd-immunity principles to cybersecurity removes today's inescapable need to blindly trust people, brands and processes. This new approach not only promises to redefine cybersecurity, but empowers you to innovate without fear of the inevitable breach.

Every developer’s nightmare

Every developer’s nightmare

You want to build something new, create awesome digital experiences, not to spend your nights worrying about security breaches. Yet here you are, staring at your screen, wondering if that last rushed feature commit opened the floodgates to a data breach. Remember when a single sketchy update nearly broke half the internet? Nobody wants to be that developer.

In today’s fast-paced world, security isn’t someone else’s problem. It’s a target painted directly on you. Cross-site scripting, SQL injections, session hijacking… Every line of code is a potential entry point for hackers, and every decision could lead to disaster. And it doesn’t even have to be your code – but a vulnerable 3rd party package you use!

Zero Trust: a false sense of security?

Zero Trust: a false sense of security?

The Zero Trust model is hailed as the savior of modern cybersecurity. If you’ve spent any time in security meetings or reading up on best practices, you’ve heard of it. It operates on the principle of “Never trust, always verify,” promising to secure platforms by treating everything interacting with your system as a potential threat. On paper, it’s brilliant—the default response to any access request is to grant "zero trust." Then, with appropriate and ongoing validation, the model allows for least-privilege access—giving users and systems only the permissions they need to perform their tasks. Think of it like installing a card reader on every door in your office, from the boardroom to the bathroom, not just the entrance.

Yet, if Zero Trust is the answer, why are we still seeing massive breaches? Despite over $300 billion poured into cybersecurity, breaches caused over $10 trillion in damage last year. Clearly, something isn’t working.

Here’s the kicker: Zero Trust solutions, in their current form, don’t eliminate the need for trust, they just shift it around. Sure, you’re not implicitly trusting the devices or identities interacting with your platform anymore, but now you’re putting blind faith in the very systems that manage that trust—your Identity & Access Management (IAM) system, your antivirus, your monitoring tools—and the people that administer them. It’s like locking every door in your house but leaving all the keys with a minimum-wage guard.

You’ve verified access and enforced least privilege—great! But what happens when the system responsible for issuing these permissions is compromised? Who verifies them? Right now, no one.

Who’s watching the watchers?

Who’s watching the watchers?

The naming of “Zero Trust” is rooted in the base assumption that anything connecting with your platform is afforded no trust, by default. Unfortunately, it’s been obnoxiously slapped onto the packaging of most major cybersecurity products promising “zero” trust, but in reality, we blindly trust those systems enforcing it, with god-like powers. Whether it’s your IAM system, end-point security, or anomaly detection tools, they’re treated as infallible. But what if they’re compromised?

Have you ever checked if your antivirus is doing more harm than good? Can you even verify if the systems you rely on haven’t already been breached? No matter how sophisticated, no system is foolproofWhen these particular systems fall, the entire house of cards collapses.

Attackers know this, and they’re going after the systems we depend on—our supply chains, our tools, even the very security measures we’ve put in place to stop them. The result? Breaches are causing damage on an unprecedented scale.

The trust problem isn’t what you think

Every developer’s nightmare

There are many ways to maximize trust—like improving communications, proving follow-through, and demonstrating accountability—however, even at its top levels, trust is still a form of blind faith. Being such an intangible construct, trust isn’t some parameter you can fine-tune, install or fabricate. Therefore, to remove the need for trust altogether, we must focus on what we’re trusting—authority. A breach of trust becomes problematic only when authority is exploited or abused. In other words: if we remove all authority from something, it no longer requires any trust. It is then guaranteed to be completely safe.

Authority is what gives the power to make important decisions, like granting access to data. Hackers don’t need to break through every layer of security—they just need to compromise the authority that controls it. Whether it’s a rogue admin, a misconfigured server, or a hacked vendor, once authority is abused, your platform is left vulnerable.

Authority is the Achilles’ heel of cybersecurity.

The Zero Trust model aims to remove the need for trust, but today it still relies on systems that wield unchecked authority. Trust in these systems is required because we can’t independently verify what’s happening behind the scenes. The IAM, identifying a user as a super-admin, is hopefully doing so correctly all the time, but how could you know?

But what if we could remove that authority entirely? What if no single person, system, or entity was trusted with enough power to compromise your platform?

Enter Two-Way Zero Trust

Every developer’s nightmare

Let me introduce you to a new concept: Two-Way Zero Trust. Imagine a world where you don’t just verify everything interacting with your system, but where the system itself is continuously verified—by you and others interacting with it. In this model, no single entity holds unchecked authority. Instead, authority is decoupled from any one person or system and distributed.

Think of it as upgrading Zero Trust’s mantra of “Never trust, always verify” and applying it to everything, including the system itself. Imagine every time your IAM granted a user admin privilege to your platform, you had an instant guarantee it was issued correctly. It’s like building a security fortress where even the guards are under constant verification. And the best part? Even if someone breaches the system, they can’t access sensitive data because the authority to unlock it lives outside the system entirely.

Whether you’re a startup founder or a market leading platform, implementing Two-Way Zero Trust means you can finally sleep at night without worrying about being the weak link in a security chain. Even in the worst-case scenario, your platform stays protected because no one holds the “keys to the kingdom” —shielding you from potential legal liabilities and preserving customer trust. You could rest assured that encrypted data can only be decrypted to correctly-verified users or that write-permission can only be given to those approved of it. For some, this could mean avoiding the kind of catastrophic breach that may spell the end of the company.

Where do we go from here?

So, what’s next? We’ve identified the real problem: authority. Now, the challenge is figuring out how to remove it from the systems and people managing it. It’s not about abstract trust—it’s about ensuring that no one holds enough power to cause catastrophic damage, even if they’re compromised.

In the next part of this series, we’ll dive deeper into the vulnerabilities around authority and explore how it’s managed today. More importantly, we’ll look at how we can strip authority away, ensuring that no one has unchecked control.

And we’re not just going to shift the burden into another box you’ll have to, well, trust. Instead, I’ll introduce a radically different approach to managing authority—one that could fundamentally reshape how we think about cybersecurity, privacy, and digital ownership.

Trust me. But don’t! Verify.


Authors:

This 5-part series outlining the worry-free future of cybersecurity for platform developers is an adaptation of Tide Foundation Co-Founders Michael Loewy and Yuval Hertzog’s keynote at ACM SIGCOMM 2024

Michael Loewy is a Co-Founder of Tide Foundation and serves on the advisory board of the Children’s Medical Research Institute.

Yuval Hertzog is a Co-Founder of Tide Foundation and one of the inventors of VoIP.

Series shortcuts:

 

Recent News

Press
4 Nov 2024

Tide Win Tech Impact Award

Award for impact in transforming breaches into a non-issue.

Announcement
18 Nov 2024

TideCloak Secures Developers

Major Organizations Among Early Adopters Reporting Freedom from Security Concerns

Press
11 Mar 2024

Infrastructure Magazine Feature

New approach to securing critical infrastructure.

Press
23 Nov 2023

RMIT, Tide, AWS Collab Unveiled

Tide's "Ineffable Cryptography" to secure critical infrastructure

Blog
25 Sep 2024

Cybersecurity’s Kryptonite

It’s cybersecurity’s kryptonite: Why are you still holding it?

Blog
25 Sep 2024

Nature's key to cybersecurity’s future

How nature holds the key to cybersecurity’s future

Blog
25 Sep 2024

I got 99 problems, but a breach ain’t one

Ineffable Cryptography: The science behind a new era of cybersecurity

Blog
25 Sep 2024

Future proofing your platform

A practical walkthrough of creating the most secure apps on the planet.

Press
25 May 2023

New breakthrough in Zero-Trust

Deakin University researchers prove Tide's tech breakthrough in ZeroTrust cyber security

Announcement
26 May 2023

TideInside Dev Champion Crowned

Sean Nam Crowned Champion in the Prestigious TideInside Development Competition

Press
5 May 2023

CyberWire Podcast Interview

Tide propose we break the model so no one holds the keys to our data

Press
5 Apr 2023

Interview with Dr Zero Trust

New Approach to Security Strategy with Decentralization

Contact

Thanks for getting in touch. We'll get back to you as soon as possible!

Send another message