What will produce better Information Security? More trust? Or more untrust?

August 29, 2009 arthurbadger 1 comment

Who am I?

All I’m offering is the truth…nothing more. I’m Arthur Badger, and in my day job I help Fortune 500 companies wrestle with information security and compliance. Welcome to un-trusted.net.

Here I will think out loud about, and attempt to illuminate, the topics of trust and untrust in inter-connected computing systems. I’ve become convinced that the current approach to establishing trust is at best poorly thought out and poorly scalable, reliant on a variety of assumptions needing to be challenged, and very likely unsustainable.

I hope to find common ground with both sides of the security versus compliance debate, and provoke new ways of thinking about the problems.

By the way, I make no claims to any great or profound wisdom on these topics. Only a body of experience that has put me personally and professionally in the cross-hairs of these problems, a burning desire to participate in a more rational and reasoned process around these issues, and a willingness to share my ideas.

Welcome to my soapbox. Hope you enjoy it.

Who are you?

Since you’re here, you are likely someone with at least a passing interest in or association with the fields of Information Security, Information Assurance, Privacy, Compliance, or just Information Technology in general; or you are a fellow professional in one of these fields. Like me, you may also be frustrated with the status quo. In any case, there will be something here for you.

Certainly some of my musings will be written with other Information Security Professionals and technologists in mind. But increasingly, virtually everyone is technical to some extent and impacted by the problem of trust in computing systems. So, even if you are not involved in the business of Information Security, but find yourself impacted by it, I intend to have useful, practical, hopefully interesting, sometimes entertaining information for you as well.

Expect to see at least one major post per week, building on the theme outlined below, based on current events, trends, etc. I hope to be provocative and compelling, so please comment, and please subscribe to my RSS feed. You can also follow me on Twitter (wow, groundbreaking, huh?). If you want to contact me personally, I can be reached at the name arthurstuff at the domain gmail dot com.

I’ll be attempting to make sense of the following questions:

The Basics

Trusted, trustworthy, and secure are related things; but they’re not the same thing.

  • What does it mean for a system to be trustworthy or untrustworthy?
  • What does it mean for a system to be trusted or untrusted?
  • What does it mean for a system to be secure or insecure?
  • How are the terms untrusted, untrustworthy, and insecure related?
  • In this context, what is a “system”?

Down The Rabbit Hole

Albert Einstein (one of my heroes) changed the world’s way of looking at the universe by being willing to turn problems upside down and consider unorthodox solutions. This is where things might get a little weird (you’ve been warned).

  • Do we regularly derive value from untrusted systems? Is this a valid thing to do?
  • Do we regularly trust systems that are not trustworthy? Is this a valid thing to do?
  • Is there value in the concept of subjective trust?
  • Trusted or untrusted…by whom? Trustworthy or untrustworthy…to whom?
  • What are the differences between subjective trust and objective trust? Do these distinctions matter?
  • What does it mean to establish trust? What is involved in this process?
  • Does this mean establishing that a system is trusted? Trustworthy? Secure?
  • How do subjective trust and objective trust affect the results of trust establishment processes?
  • What produces better Information Security: More trust? Or more untrust?

Getting To The Point

In an increasingly inter-connected and technology-dependent world it seems as though the ability to innovate is increasingly at odds with the ability to trust. The ongoing debate about “security in the cloud” is one example of this, and there are others. What are we going to do about this?

  • What is the relationship between the concept of trust and the concept of risk?
  • Do the terms untrusted, untrustworthy, and insecure all have the same effect in the context of the evaluation of risk?
  • What is the concept of third-party risk?
  • How do the terms untrusted, untrustworthy, and insecure affect our understanding of third-party risk?
  • How do the terms untrusted, untrustworthy, and insecure relate to the concepts of policy… and compliance? (You had to know that’s where I was going, right?)

Let’s see just how deep the rabbit hole goes.

What?…Don’t you trust me?

Categories: Intro