Trust is a fundamental concept of today's IT. Security is based on trust.
We have (or better: had, after DigiNotar?) trust that a web server which has a valid SSL certificate is the server it claims to be.
We had trust that RSA SecurID tokens are secure (whích they still are to some degree, but a lower than before).
We have trust that our authentication in the Active Directory is done in a secure way.
We trust the identity provider when using identity federation.
However, especially the first two examples raise the question whether the concept of trust still is a foundation to build on. On the other hand: Are there any alternatives?
I think we will further need to build on trust as a concept. There is no real alternative. However, we need to be much more careful regarding this concept and add to other approaches:
That is related to the concept of risk. Risk relates to
- interactions and transactions performed and the information assets affected
- the level of mistrust and the "objective", factual security risks
Technically, this leads to the need for flexibility and versatility. It's not about a specific type of solution, it is about the ability to combine multiple technologies (for authentication, fraud detection,...) depending on the risks and the level of mistrust. The bad news however is: Mistrust will increase, trust will decrease, which will make it more complex to achieve an acceptable level of security for specific risks. And some of the concepts - like SSL - are obviously not sufficient by themselves to address today's and the future's security challenge. However: SSL++, e.g. SSL plus other approaches, might suit our needs. And approaches like the ones of convergence.io might help us as well in better rating the risks and applying the concept not only of trust but as well of mistrust. And, despite the mistrust we might feel for rating agencies in the finance world, having rating agencies for organizations like CAs we have to trust might be another approach.
Subscribe to our Podcasts
How can we help you