What will produce better Information Security? More trust? Or more untrust?
Who am I?
All I’m offering is the truth…nothing more. I’m Arthur Badger, and in my day job I help Fortune 500 companies wrestle with information security and compliance. Welcome to un-trusted.net.
Here I will think out loud about, and attempt to illuminate, the topics of trust and untrust in inter-connected computing systems. I’ve become convinced that the current approach to establishing trust is at best poorly thought out and poorly scalable, reliant on a variety of assumptions needing to be challenged, and very likely unsustainable.
I hope to find common ground with both sides of the security versus compliance debate, and provoke new ways of thinking about the problems.
By the way, I make no claims to any great or profound wisdom on these topics. Only a body of experience that has put me personally and professionally in the cross-hairs of these problems, a burning desire to participate in a more rational and reasoned process around these issues, and a willingness to share my ideas.
Welcome to my soapbox. Hope you enjoy it.
Who are you?
Since you’re here, you are likely someone with at least a passing interest in or association with the fields of Information Security, Information Assurance, Privacy, Compliance, or just Information Technology in general; or you are a fellow professional in one of these fields. Like me, you may also be frustrated with the status quo. In any case, there will be something here for you.
Certainly some of my musings will be written with other Information Security Professionals and technologists in mind. But increasingly, virtually everyone is technical to some extent and impacted by the problem of trust in computing systems. So, even if you are not involved in the business of Information Security, but find yourself impacted by it, I intend to have useful, practical, hopefully interesting, sometimes entertaining information for you as well.
Expect to see at least one major post per week, building on the theme outlined below, based on current events, trends, etc. I hope to be provocative and compelling, so please comment , and please subscribe to my RSS feed. You can also follow me on Twitter. (wow, groundbreaking, huh?). If you want to contact me personally, I can be reached at the name arthurstuff at the domain gmail dot com.
I’ll be attempting to make sense of the following questions:
The Basics
Trusted, trustworthy, and secure are related things; but they’re not the same thing.
- What does it mean for a system to be trustworthy or untrustworthy?
- What does it mean for a system to be trusted or untrusted?
- What does it mean for a system to be secure or insecure?
- How are the terms untrusted, untrustworthy, and insecure related?
- In this context, what is a “system”?
Down The Rabbit Hole
Albert Einstein (one of my heroes) changed the world’s way of looking at the universe by being willing to turn problems upside down and consider unorthodox solutions. This is where things might get a little weird (you’ve been warned).
- Do we regularly derive value from untrusted systems? Is this a valid thing to do?
- Do we regularly trust systems that are not trustworthy? Is this a valid thing to do?
- Is there value in the concept of subjective trust?
- Trusted or untrusted…by whom? Trustworthy or untrustworthy…to whom?
- What are the differences between subjective trust and objective trust? Do these distinctions matter?
- What does it mean to establish trust? What is involved in this process?
- Does this mean establishing that a system is trusted? Trustworthy? Secure?
- How do subjective trust and objective trust affect the results of trust establishment processes?
- What produces better Information Security: More trust? Or more untrust?
Getting To The Point
In an increasingly inter-connected and technology-dependent world it seems as though the ability to innovate is increasingly at odds with the ability to trust. The ongoing debate about “security in the cloud” is one example of this, and there are others. What are we going to do about this?
- What is the relationship between the concept of trust and the concept of risk?
- Do the terms untrusted, untrustworthy, and insecure all have the same effect in the context of the evaluation of risk?
- What is the concept of third-party risk?
- How do the terms untrusted, untrustworthy, and insecure affect our understanding of third-party risk?
- How do the terms untrusted, untrustworthy, and insecure relate to the concepts of policy… and compliance? (You had to know that’s where I was going, right?)
Let’s see just how deep the rabbit hole goes.
What?…Don’t you trust me?
:: 
:: 
:: 
:: 
:: 
:: 
:: 
:: 
:: 
:: 
:: 
I think this discussion requires a set of agreed upon terms. I’ll dive in blindly because if I otherwise know how much I don’t know I may not begin at all…
“Trust” and “Trusted Trust” are two key notions that come to mind.
“Trust” for me means formal, documented agreement between two or more parties about what they intend to being trusting about as well as the trust itself. This implies a knowledgeable or skillful disclosure. It requires a scope and an acceptance of how one party relies upon another. It is a statement about what is being exchanged and the agreement itself can be validated as factual by virtue of the agreement recorded. If such an agreement cannot be documented, a trustworthy (aka quality) trust may not be possible. Key here is that such statements can be validated by external observers not affiliated with the trust.
One party might want to promise more and be unable to authenticate or validate their part of the trust to the extent they intend to and that I would call an untrustworthy trust. One party may be willing to receive even something like that notion of risk in a trust (if the trust pertains to risk exchange) and be unable to do so, e.g. accepting a risk realized puts the accepting entity out of business. Regardless of each party’s assent, the trust was still unreliable as it was not fully factual in the statements of exchange being made. Unbounded statements are difficult in the context of establishing trust.
I’d also say there are unilateral trusts where a receiving party trusts the other party without assent. Can I rely on data from a 3rd party site responsibly if they make no statement of intent for that data to be reliable?
Without a valid trust there can be no valid relationship between risk, acceptance or transfer of risk. If a trust cannot be documented in a structured manner it cannot be used to measure risk.
From the above, I think you can begin to get at what untrustworthy is.
A nice potential side-effect of such terms might be definitive guidance for business decision-makers independent of a specific instance, aka, Best Practice guidance.
(first shot over the bow… prepare the boarding party)