Zero-Knowledge Technology in Web2 Security- The European Financial Review

By Deepthi Kumar

Companies of as we speak aren’t maintaining with the stress of modern-day risk actors – however Web3’s Zero-Knowledge expertise can present an impactful answer.

The risk panorama of as we speak is barely rising bigger, whereas the safety structure beneath even the most important companies isn’t maintaining. Right now’s enterprise expertise is constructed on a harmful assumption: the extra knowledge a system holds, the extra helpful it turns into. Nonetheless, this increasing knowledge useful resource is offering risk actors with an ever-increasing assault floor. It’s clear that enterprises, particularly monetary, want environment friendly safety – and Web3 expertise may maintain the important thing.

Learnings From the Salesforce Provide-Chain Marketing campaign

The yr 2025 was stricken by cyberattacks that uncovered simply how fragile the safety structure underpinning most main enterprises actually is. The Salesforce supply-chain marketing campaign is a number one instance of what’s happening. Attackers exploited compromised OAuth tokens from a third-party integration to extract knowledge from a whole lot of company CRM situations, hitting corporations from Google to FedEx to Disney. This wasn’t as a result of Salesforce lacked safety controls, removed from it. Scoped OAuth permissions, token rotation, and API entry auditing all existed on the platform. The challenge occurred when a whole lot of well-resourced enterprises, staffed by succesful safety groups didn’t deploy these controls accurately. This wasn’t an accident. It was a sign that the  present system calls for extra operational perfection than organisation may ship.

These have been giant, well-known enterprises spending hundreds of thousands on cybersecurity, utilizing the trade’s ‘best-in-class’ instruments and but, they didn’t have the proper defences in place for when a third-party uncovered their knowledge. Surprisingly, the breach didn’t require cracking any encryption or exploiting a zero-day vulnerability. Utilizing a single third-party app, attackers compromised OAuth tokens and used them to systematically export knowledge from buyer situations. As a result of the system was designed to make it accessible, the info was all sitting there. The fact of the matter is that when each failure of operational self-discipline results in catastrophic publicity, the structure is over-burdened.

Fixing the Situation on a Structural Degree

Right now’s monetary enterprise expertise is constructed on an assumption that now exists as its biggest legal responsibility: the extra knowledge a system holds, the extra helpful it turns into. A companies’ CRM shops buyer particulars akin to their names, e-mail addresses, cellphone numbers, monetary particulars, and transaction histories. Your identification suppliers maintain authentication credentials, alongside exposing private data. Your compliance programs ingest and retain huge quantities of delicate knowledge required for audits.

On the finish of the day, this creates a rising assault floor.

To clarfiy, fashionable SaaS platforms do provide significant data-layer defenses and when deployed, these controls work. The downside lies in the hole between “accessible” and “constantly deployed throughout a whole lot of integrations” and that is the place breaches occur. For instance, the Salesforce marketing campaign didn’t exploit a lacking functionality; it exploited the truth that sustaining excellent configuration hygiene throughout all third-party integrations, each API scope and each token lifecycle, is a bigger job than safety groups can maintain tempo with.

A conventional safety repair for this downside is constructing larger partitions across the knowledge with multi-factor authentication, role-based entry controls, token rotation insurance policies and intrusion detection programs. Though these are all obligatory and priceless, they share a standard limitation: they’re perimeter defenses that demand steady operational perfection. As soon as an attacker will get previous them (by way of social engineering or a stolen credential), the underlying knowledge is uncovered. The Salesforce marketing campaign revealed that even MFA might be bypassed fully by way of OAuth abuse.

The downside doesn’t lie in weak safety programs.  In actuality, the problem is that the dominant structure forces programs to carry – and due to this fact expose – extra knowledge than any given transaction really wants, after which requires an increasing floor space of entry controls to be maintained. Fixing this requires reframing safety  as a sequence of architectural layers that cut back what exists and has the potential to be stolen in the primary place.

 Zero-Knowledge Proofs

Zero-knowledge (ZK) cryptography presents companies a very completely different place to begin. As a substitute of gathering, storing, after which placing partitions round delicate knowledge. ZK proofs permit one social gathering to show the reality of a press release  to a different social gathering with out revealing the underlying knowledge. The verifier features mathematical certainty in regards to the declare, whereas studying nothing past the validity of the assertion itself.

ZK proofs have been tried and examined in blockchain ecosystems for years, the place they allow personal transactions and scalable computation. The expertise is mature sufficient to deploy right into a Web2 setting the place it’s desperately wanted.

The most rapid software is at verification boundaries, the place programs share knowledge to show one thing. On this, ZK proofs can confirm prospects with buyer identification verification (KYC) with out transmitting private knowledge that’s then saved and probably uncovered down the road. An essential caveat right here is that ZK-based KYC doesn’t eradicate the necessity to retain supply paperwork the place laws require it (not less than till regulatory our bodies begin recognising ZK primarily based compliance). What ZK adjustments is the relying social gathering mannequin – the second, third, and fourth establishments downstream that presently obtain after which need to retailer full doc copies simply to verify a standing. That’s the place the info proliferation occurs, and the place ZK proofs ship real discount.

This logic additionally applies to supply-chain compliance, third-party integrations, and any state of affairs the place one social gathering proves one thing by handing over uncooked knowledge. ZK proofs on the boundary are an  efficient strategy to cut back what’s shared externally.

However there’s a limitation: ZK on the verification boundary narrows what third events can extract, however it doesn’t change the underlying structure. The CRM database should nonetheless maintain every thing and inside programs nonetheless have broad question entry. If an attacker will get in by way of by way of a distinct vector, akin to credential phishing,  the pooled knowledge stays accessible to be taken. Changing an OAuth token with a ZK proof on the API boundary is a greater padlock, butthe door stays the identical.

 ZK-Gated Execution

The deeper architectural shift comes from a mannequin I’d name ZK-Gated Execution. On this, ZK proofs don’t simply confirm claims on the boundary; they gate what computation can happen inside an setting the place even the system operator can’t see the underlying knowledge.In the usual mannequin, you show you’re authorised earlier than you entry the info retailer. Nonetheless, in the ZK-Gated Execution model of occasions, you show eligibility with a ZK software executing a set of authorisation guidelines, after which a particular, constrained computation runs inside a safe enclave if the authorisation proof verifies. The operator operating this may’t see the inputs and, due to this fact, the third social gathering by no means touches the uncooked knowledge.

If we return to the Salesforce state of affairs: the core downside wasn’t simply that Salesloft Drift had an OAuth token, it was that the token gave entry to a system the place buyer knowledge, AWS keys, Snowflake credentials, and deal pipeline data have been all saved in plaintext and accessible to anybody with the proper permissions. Nonetheless, if this was below ZK-Gated Execution, the matching, filtering, or analytics operations that third-party apps want would all occur inside a blinded execution setting – retaining this knowledge protected. Even when the setting turned compromised, the plaintext knowledge publicity is constrained by the structure – and never by operational self-discipline.It doesn’t eradicate all risk- that’s an unimaginable promise. Nevertheless it’s the distinction between a dam bursting and a faucet dripping.

The Strain is On

Organisations that start integrating ZK-based verification now will likely be positioned forward of the risk panorama and the regulatory curve. However people who wait will discover themselves defending an structure that was by no means designed for modern-day threats.

ZK doesn’t eradicate the necessity for good safety hygiene. MFA, monitoring, entry controls, and correct configuration self-discipline are all nonetheless important and, for a lot of, totally deploying these current capabilities is the proper first step. What ZK does, significantly in the ZK-Gated Execution kind, is remedy the structural vulnerability that makes breaches catastrophic even when operational safety is robust: the huge shops of delicate plaintext knowledge that have been by no means a necessity. In a world the place it’s virtually assured that attackers will get previous the perimeter in some unspecified time in the future, essentially the most highly effective protection is leaving nothing for them to take.

In regards to the Writer

Deepthi Kumar is the Co-CEO of o1Labs, the core growth staff behind Mina Protocol, the world’s lightest blockchain powered by zero-knowledge cryptography. As a core protocol developer, Deepthi helped design Mina’s protocol structure, led its first exhausting fork, and continues to form its technical roadmap.