Caute_cautim
Community Champion

What is Trust?

Hi All

 

I have been thinking about this subject for some time, and I cannot get a definitive statement which rings true, so far. 

 

Here is part 1 of my thinking:

 

Part 1: I think we need to examine the word "Trust" carefully - from a human being context:
Trust is a central part of all human relationships, including romantic partnerships, family life, business operations, politics, and medical practices. If you don't trust your doctor or psychotherapist, for example, it is much harder to benefit from their professional advice.
But what is trust? Here are some possibilities:
Trust is a set of behaviors, such as acting in ways that depend on another.
Trust is a belief in a probability that a person will behave in certain ways.
Trust is an abstract mental attitude toward a proposition that someone is dependable.
Trust is a feeling of confidence and security that a partner cares.
Trust is a complex neural process that binds diverse representations into a semantic pointer that includes emotions.
The importance of trust is becoming more dependent on complex, often invisible, connected technologies, data streams and third parties. But people instinctively distrust things they can't see, touch or understand.

And yet, we are talking fundamentally about technical trust of machines, devices, networks, applications, users and data

 

I will publish Part 2 shortly, but think of the context of Zero Trust and Trust Access in connection with Zero Trust Network Architecture and Zero Trust Architect.

 

I am sure there are spades of comments and many thoughts from many others, which are worth sharing and debating?

 

Regards

 

Caute_cautim

14 Replies
Bowmann
Viewer


@Caute_cautim wrote:

Hi All

 

I have been thinking about this subject for some time, and I cannot get a definitive statement which rings true, so far. 

 

Here is part 1 of my thinking:

 

Part 1: I think we need to examine the word "Trust" carefully - from a human being context:
Trust is a central part of all human relationships, including romantic partnerships, family life, business operations, politics, and medical practices. If you don't trust your doctor or psychotherapist, for example, it is much harder to benefit from their professional advice.
But what is trust? Here are some possibilities:
Trust is a set of behaviors, such as acting in ways that depend on another.
Trust is a belief in a probability that a person will behave in certain ways.
Trust is an abstract mental attitude toward a proposition that someone is dependable.
Trust is a feeling of confidence and security that a partner cares.
Trust is a complex neural process that binds diverse representations into a semantic pointer that includes emotions.
The importance of trust is becoming more dependent on complex, often invisible, connected technologies, data streams and third parties. But people instinctively distrust things they can't see, touch or understand.
And yet, we are talking fundamentally about technical trust of machines, devices, networks, applications, users and data

 

I will publish Part 2 shortly, but think of the context of Zero Trust and Trust Access in connection with Zero Trust Network Architecture and Zero Trust Architect.

 

I am sure there are spades of comments and many thoughts from many others, which are worth sharing and debating?

 

Regards

 

Caute_cautim


If you trust someone, you believe that they are honest and sincere and will not deliberately do anything to harm you.  Your trust in someone is your belief that they are honest and sincere and will not deliberately do anything to harm you. He destroyed me and my trust in men. You've betrayed their trust.

tmekelburg1
Community Champion

I like the APA's definition on Trust:

 

trust
1. n. reliance on or confidence in the dependability of someone or something. In interpersonal relationships, trust refers to the confidence that a person or group of people has in the reliability of another person or group; specifically, it is the degree to which each party feels that they can depend on the other party to do what they say they will do. The key factor is not the intrinsic honesty of the other people but their predictability. Trust is considered by most psychologists to be a primary component in mature relationships with others, whether intimate, social, or therapeutic. American Psychological Association 

 

I look forward to reading part 2!

rslade
Influencer II

In my first book I had a whole chapter just on trust. The copy editor sent me a
special message noting how important it was. (Copy editors *NEVER* comment
on the content of your manuscript ...)

======================
rslade@gmail.com rmslade@outlook.com rslade@computercrime.org
"If you do buy a computer, don't turn it on." - Richards' 2nd Law
"Robert Slade's Guide to Computer Viruses" 0-387-94663-2
"Viruses Revealed" 0-07-213090-3
"Software Forensics" 0-07-142804-6
"Dictionary of Information Security" Syngress 1-59749-115-2
"Cybersecurity Lessons from CoVID-19" CRC Press 978-0-367-68269-9
============= for back issues:
[Base URL] site http://victoria.tc.ca/techrev/
CISSP refs: [Base URL]mnbksccd.htm
PC Security: [Base URL]mnvrrvsc.htm
Security Dict.: [Base URL]secgloss.htm
Security Educ.: [Base URL]comseced.htm
Book reviews: [Base URL]mnbk.htm
[Base URL]review.htm
Partial/recent: http://groups.yahoo.com/group/techbooks/
http://en.wikipedia.org/wiki/Robert_Slade
https://is.gd/RotlWB http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Caute_cautim
Community Champion

@rslade   I would be interested in whether your book is still in print, available via Amazon or in Kindle format?

 

Trust is an important subject - it is becoming far more important because the ordinary person cannot understand what is meant by "digital trust" or even Zero Trust.

 

Part 2 states: 

 

For zero trust:  For zero trust to be effective, it needs to consider not only the user, but the risks of the resources themselves. It does not. You would never grant access in a zero trust model if the assets have remotely exploitable critical flaws. Zero trust ignores the resources risk, while focusing inordinately on access controls.  Hence we should not use the term "Trust Access", especially if the resources risk has been ignored or the assets have already been compromised aka FireEye/SolarWinds lessons.

 

So fundamentally, if any component within the system is not secure, or cannot be implicitly trusted or is suspected to have been compromised, then Zero Trust cannot be achieved.

 

Also Zero Trust requires a policy engine, which constantly monitors and ensures that agreed, approved policies are centrally applied.  So far this is not achievable, unless we engage the assistance of AI and ML to ensure objective compliance and enforcement for all components.

 

So very interested, what or how you interpret "Digital Trust" in terms of digital identity, which is a core subject in a Trusted Digital Identity system or even within Zero Trust, some interpret it as Trust Access, which implies everything is centred on Trust.   Can Trust be applied via electronic, digital systems - because we put an awful lot of emphasis on it.  

 

I would appreciate your thoughts and wisdom, and other thoughts too.

 

Regards

 

Caute_Cautim

 

 

Caute_cautim
Community Champion

@tmekelburg1 

 

Part 2:

 

Part 2 states: 

 

For zero trust:  For zero trust to be effective, it needs to consider not only the user, but the risks of the resources themselves. It does not. You would never grant access in a zero trust model if the assets have remotely exploitable critical flaws. Zero trust ignores the resources risk, while focusing inordinately on access controls.  Hence we should not use the term "Trust Access", especially if the resources risk has been ignored or the assets have already been compromised aka FireEye/SolarWinds lessons.

 

So fundamentally, if any component within the system is not secure, or cannot be implicitly trusted or is suspected to have been compromised, then Zero Trust cannot be achieved.

 

Also Zero Trust requires a policy engine, which constantly monitors and ensures that agreed, approved policies are centrally applied.  So far this is not achievable, unless we engage the assistance of AI and ML to ensure objective compliance and enforcement for all components.

 

Regards

 

Caute_Cautim

jmikesmith
Newcomer III

No one else has mentioned this yet, so I will...

 

Bruce Schneier published a book on the topic of trust in 2012: https://www.schneier.com/books/liars-and-outliers. I haven't read it yet, but I've read some of the essays and articles he's published over the years that touch on topics from the book.

 

Mike

rslade
Influencer II

> @rslade   I would be interested in whether your book is still in print,
> available via Amazon or in Kindle format?

I've just checked at
https://www.amazon.com/Robert-Slade/e/B001H6MUCW
and all of them (except "Viruses Revealed" and the dictionary) seem to be
available. (I guess since the copyrights have reverted to me on those, they aren't
still selling them.)

But then again, the dictionary does seem to be available as well ...
https://www.amazon.com/Dictionary-Information-Security-Robert-Slade-ebook/dp/B001077CJ4

Caute_cautim
Community Champion

Hi All

 

From a Research-gate paper on Trust - they conclude:

 

"In sum, trust is a behavioral construct; to trust is to place one’s confidence in the other party to the relationship. Trust is preceded by perceived trustworthiness of the party, the expectation of trustor of the trustee’s behavior, and/or emotional bonds between the trustee and the trustor. Both cognitive and affective anticipations lead to a choice of placing or not placing one’s confidence in the other party. Such a decision or choice may lead to both instrumental and psychological outcomes as consequences of trust, including highly social and emotional outcomes. Trust conceived as such, incorporates all the essential components we can conceive; we expect that our effort will serve as a stepping stone for other researchers in their endeavors of exploring the nature of trust."

 

It is obvious, we simply do not have an agreed term for Trust in a digital context or even electronics, so if we cannot trust a system, how can we in fact have "trust" as in Zero Trust. 

 

We need to examine this more closely, and ensure that there is an absolute agreement as to what is Trust in the context of digital Identity, Digital electronics, or that of Systems?  Can we actually have a trustworthy system? 

 

Regards

 

Caute_cautim

 

 

Caute_cautim
Community Champion

Hi @jmikesmith   You are of course correct:

 

https://www.schneier.com/essays/archives/2019/02/theres_no_good_reaso.html

 

But given that Bruce Schneier cannot himself put a good definition of trust for security systems or even Blockchain, then what chance do we have of explaining to a CEO whether a security system can be implicitly trusted given the recent circumstances, which undermined the supply chain i.e. SolarWinds, which now has a legal case raised against them.

 

Trust is very important in our day to day interactions, but if we cannot define it explicitly, do we mere mortals accept everything everyone states is actually trustworthy i.e. this system can be trusted, but if one component is compromised, then potentially the whole system is rendered untrustworthy and has to be burnt down and re-built from scratch.

 

Regards

 

Caute_cautim