Failure Pattern
Storage systems authenticate clients using network metadata (such as source IP) or certificates that an attacker who controls the client can simply reuse. A compromised workload therefore keeps its access to sensitive storage paths.
What We See in the Field
A compromised VM mounts storage volumes, reads encrypted disk blocks, or issues API calls that appear legitimate. Monitoring tools trust the traffic.
Underlying Causes
Volume access tied to IPs or metadata
Certificates reused
No workload identity
Overprivileged storage credentials
Blind trust in upstream systems
Trust-Native Network Resolution
DTL ensures storage systems grant access only to workloads presenting valid TrustKeys. Compromised workloads cannot read or write data.
Broken Trust Assumption
The attacks that exposed this failure pattern were not stealthy break-ins. They were trusted operations.
During incidents such as SolarWinds, Capital One, and Okta, malicious activity was carried out using valid identities and approved execution paths. Certificates were valid. Tokens were accepted. Sessions were authenticated. From the system’s point of view, nothing appeared wrong.
This is the risk of inferring trust from credentials, network location, or prior authentication rather than from a verified workload identity.
