Caute_cautim
Community Champion

What is Trust?

Hi All

 

I have been thinking about this subject for some time, and I cannot get a definitive statement which rings true, so far. 

 

Here is part 1 of my thinking:

 

Part 1: I think we need to examine the word "Trust" carefully - from a human being context:
Trust is a central part of all human relationships, including romantic partnerships, family life, business operations, politics, and medical practices. If you don't trust your doctor or psychotherapist, for example, it is much harder to benefit from their professional advice.
But what is trust? Here are some possibilities:
Trust is a set of behaviors, such as acting in ways that depend on another.
Trust is a belief in a probability that a person will behave in certain ways.
Trust is an abstract mental attitude toward a proposition that someone is dependable.
Trust is a feeling of confidence and security that a partner cares.
Trust is a complex neural process that binds diverse representations into a semantic pointer that includes emotions.
The importance of trust is becoming more dependent on complex, often invisible, connected technologies, data streams and third parties. But people instinctively distrust things they can't see, touch or understand.

And yet, we are talking fundamentally about technical trust of machines, devices, networks, applications, users and data

 

I will publish Part 2 shortly, but think of the context of Zero Trust and Trust Access in connection with Zero Trust Network Architecture and Zero Trust Architect.

 

I am sure there are spades of comments and many thoughts from many others, which are worth sharing and debating? 

 

Regards

 

Caute_cautim

14 Replies
Caute_cautim
Community Champion

@rslade Do we get signed autograph copies of your books? 

 

So what exactly does your dictionary state and define "Trust"?  Or even Zero Trust?

 

Regards

 

Caute_cautim

Caute_cautim
Community Champion

Hi All

 

Onward we go to understand the word "Trust"

 

Trust Modeling for Security Architecture Development  by Sun Microsystems 2003

Information technology architects must build applications, systems, and networks that match ordinary users' expectations of trust in terms of identity, authentication, service level agreements, and privacy. This article describes the vocabulary of trust relationships and demonstrates the practical importance of using trust modeling to formalize the threshold for risk.

Understanding Trust

As with many seemingly complex concepts, a good starting point is to consider the commonplace, everyday meaning of a word. Trust is an important part of our lives and it has numerous definitions. Consider questions like the following, which we deal with regularly even if we don't formalize a model:

  • What does it take to establish trust?

  • How do I determine the degree of trust to assign to an individual or process?

  • Would I trust a recommendation from an auto mechanic or a child care provider the same way?

Defining Trust

According to the ITU-T X.509, Section 3.3.54, trust is defined as follows:

"Generally an entity can be said to 'trust' a second entity when the first entity makes the assumption that the second entity will behave exactly as the first entity expects."

For the sake of defining trust and trust modeling relative to security architecture methodology, the following set of principles or elements are offered:

  • Trust is a characteristic and quality of a security architecture.

  • Trust is a balancing of liability and due diligence. For example, you must decide how much effort to expend to reduce liability to an acceptable level for a particular business proposition and stated security policy. You must establish an equilibrium of trust.

  • Trust is the enabling of confidence that something will or will not occur in a predictable or promised manner.  The enabling of confidence is supported by identification, authentication, accountability, authorisation and availability.

  • Trust is the binding of unique attributes to a unique identity, for example, accountability.  This is both a qualitative and a subjective measure of expectations regarding another's behaviour and relative to a defined security policy.  Essentially a trust relationship is established when a satisfactory level of confidence in the attributes provided by an entity is achieved.

  • Trust is defined as a binary relationship, or set of compounded binary relationships, based on individual identity or unique characteristic validation.  That is, trust is the establishment of a trust relationship through a validation process and the subsequent use of that relationship in some transactional context.

Do not focus solely on technical solutions. As with all aspects of a security architecture, a successful trust model must consider people, process, and technology.

Finally, if you remember nothing else from this article, do not forget the following:

  • Failure to understand what trust model (if any) is actually in effect can create a false sense of security that may lead to serious, even catastrophic, financial and legal problems.

  • Adversaries exploit weak trust models.

Source:  https://www.informit.com/articles/article.aspx?p=31546&seqNum=6

 

Regards

 

Caute_Cautim

rslade
Influencer II

> Caute_cautim (Community Champion) mentioned you in a post! Join the conversation

> So what exactly does your dictionary state and define "Trust"?

trust
extent to which one can have confidence that the system meets its objectives,
that is, that the system does what it claims to do and does not perform unwanted
functions. This is in line with Gene Spafford's famous definition that a secure
computer is one that does what it is supposed to.

There are nine more related definitions.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
If you can't make a mistake, you can't make anything.- Marva Collins
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468

Caute_cautim
Community Champion

@rslade   So if any part of your system is compromised, trust would be lost.  If you review Systemic systems, all components are trusted until the point in time, that one or more components cause a failure or compromise to occur.   Nothing is static, and constant review and updates are required at all times.

 

Regards

 

Caute_Cautim

Caute_cautim
Community Champion

@rslade However, witness the recent security breaches with FireEye/SolarWinds and Accellion, both of which were supply chain issues - so although the organisation may have had all its components tested and verified as a system, one external component or relationship failed, thus it became a systemic failure.   So if trust is based on all the components being aligned, verified and one fails, then you have a loss of trust as well as a systemic failure.

 

Regards

 

Caute_cautim