Trust, Who Do You?

In cybersecurity as in Gotham, who you trust is what it all boils down to. So how should you trust?

Please, if you don't know where this image came from we can't be friends.

Trusted Partner. Trusted Provider. Trusted Advisor. Trust Zone. Zero Trust. We talk about trust a lot in cybersecurity, but what the hell are we actually talking about?

Well, as with any industry, some of what we're talking about is marketing, some of it is a critical concept of cybersecurity, and some of it is an explicit architecture and design ethos. Any way you care to look at it, trust - and managing your trust expectations - is the central concept of a good cybersecurity and privacy program.

Depeche Mode, Prince, Billy Joel, Etta James, and countless other musicians get this concept, though they usually associate it with romantic relationships, not cybersecurity ones. Let's dive in and see if we can follow their lead and understand this concept better for cybersecurity and what it means for our own cybersecurity needs and concerns.

An Extremely Abridged History of the Internet Viewed From the Perspective of Trust

By Mike Ross - http://www.corestore.org/vcfeast06.htm, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=110831531

In the beginning the Internet was a network between universities and government networks. By their very nature, each of these was a "trustworthy" organization, primarily focused on things like research, design, and the pursuit of scientific achievement.

You can see this in the underlying protocols and designs of the Internet. SMTP, FTP, Telnet and the rest were built with a basic assumption that people and systems throughout the chain of communication were trustworthy: none of those early protocols were built with things like encryption and strong user validation in mind.

Only once these networks began to open up and connect to more companies and corporations, as well as the general public, did we see the massive flaw in those early designs, for two primary reasons:

  1. We invited people with opposing goals into the network. When it was a bunch of academics sharing research and collaborating on scientific endeavors, everyone was effectively rowing in the same direction. Thinking of this from a geopolitical perspective, the US and China both utilize the same Internet, and are interconnected with each other. Espionage and sabotage efforts between such forces quickly adapted to the online world. That filters down through the concepts of cybercrime as well, and even to the "good old days" of the experimental "hackers" (yes, the quotes are important) who were trying to subvert the system just for the discovery of doing it.
  2. We started sharing really sensitive data over the network. If all we used the Internet for was, say, watching videos and playing games, then security and privacy wouldn't be nearly as important. But we share medical, financial, and all sorts of PII via the Internet these days. Companies share trade secrets, and governments share sensitive communications over this network. The value of that data, and the value of the systems that are Internet-connected - say, for managing things like gasoline pipelines - make securing Internet communications very important.

So a new generation of protocols came out: SFTP, SSH, NAT, HTTPS, MFA, PGP and others focused on retrofitting or replacing those old insecure communications protocols. (Side note: the USPS used to "own" the entire 56.0.0.0/8 IP range because they were expecting to directly connect their systems to the Internet without NAT. Can you imagine that today?)

The Assumption of Trust

Every time we share sensitive data online there is an assumption that the people or organization we are sharing it with can be trusted to safeguard that data. We are trusting that they will keep it private against all threats, and assuming that they pick trustworthy partners who will do the same.

We are trusting that their cybersecurity program is up to date, capable, and effective. We are trusting that their employees are beyond reproach. We also are trusting that the transmission mechanisms we're using are well protected against people listening in on the communications.

Let's face it, that's a lot of trust. But if we didn't have that trust, why would we be sharing sensitive data?

Clearly then, we need to pick and choose who we trust with sensitive data versus who we trust with the rest of it. After all, you can't be betrayed by someone you don't trust, can you?

Trust But Verify

Certainly businesses, corporate entities, and governments have the ability to validate trust that individual consumers don't in this arena. Contracts, regulations, and audits are mechanisms that these entities can use when they agree to share data or system access with other entities.

Businesses and organizations similarly can verify that their employees and contractors are trustworthy through the hiring process, and through tools and monitoring systems for ongoing validation.

Unfortunately we individuals don't generally have this leverage. Don't believe me? Try an experiment. Call up your physician's office, dentist, or even your auto insurance company. Ask them for a record of who has accessed your account data in the past 90 days. Go ahead and see what kind of response you get. I'll wager that you'll get some form of "we don't share that information with our customers" as a response.

Speaking as a service provider, I know we don't want to have to spend our time sharing this sort of data with our customers. We don't want to have to take time and energy away from whatever it is we do to respond to these requests day in and day out. So how do we build trust and confidence so that we don't get these sorts of requests all the time?

Being a Trustworthy Provider

Image by Gerd Altmann from Pixabay

Every customer, be they an individual or a corporation, wants to know that you're a trustworthy provider and good steward of their data and systems. Isn't that what you want from your partners and providers? There are a few ways you can demonstrate your trustworthiness to your customers and prospects alike that they will appreciate.

  1. Transparency - Is how you handle customer data really a trade secret? What are you doing with your customers' data? How long do you store it? Who do you share it with? Publishing this information in plain language - and living up to it - is a great way to show you are trustworthy.
  2. Choose Meaningful Compliance Frameworks - Let's be honest, a SOC2 is only as good as your own rigor around the controls you've chosen to implement. PCI only means you're treating card data appropriately. How are you showing your customers that you have built a quality program to protect their interests? Pick one that requires a real program and real controls, and get audited by a respected 3rd party.
  3. Guarantees - Most EULAs are extremely one-sided. Most corporate contracts are slightly better, and contracts with Fortune 100 customers are generally far more favorable to those customers. Offering clear, provable performance metrics around security and privacy, with appropriate penalties for not living up to them, is a great way to build trust.

So What's With "Zero Trust?"

Zero trust is an architecture concept where implicit trust is reduced as much as possible. In "traditional" network architectures, we generally implicitly trusted any user or device that was on the internal network. After all, how did they get on the network without being physically on-site and plugged into a network port at their assigned desk?

So to spoil that party along come WiFi, remote access, laptops, and the cloud. Now our users are anywhere, on any equipment (our corporate-issued laptop, their own cell phone, the shared computer at the local library), with any possible level of insecurity associated with them, their hardware, and their connection.

Zero Trust is an extension of "identity is the new perimeter" thinking. It de-emphasizes trust based on IP address/location and increases the dependence on MFA, SSO, and similar technologies. In more in-depth cases it also relies on validation of particular software running on your hardware - approved anti-malware and the like - and can even use certificates and fingerprinting to validate the hardware itself.
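
The difference between the two models described above, as an added sketch that is not from the original article: the perimeter check looks only at source IP, while the zero-trust check looks only at identity and device. The network range, certificate fingerprint, agent name and sample requests are constructed assumptions, and gating the device checks on resource sensitivity is one possible policy choice.

```python
# Added illustration: perimeter-style vs. zero-trust access decisions.
# Every name, network and sample request below is constructed for this example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_NET = ip_network("10.0.0.0/8")          # assumed corporate LAN range
ENROLLED_CERTS = {"fp-constructed-0001"}         # constructed certificate fingerprint
APPROVED_AGENTS = {"approved-av"}                # hypothetical anti-malware agent name

@dataclass(frozen=True)
class Request:
    user: str
    source_ip: str
    sso_session_valid: bool
    mfa_passed: bool
    device_cert_fp: Optional[str]   # client certificate fingerprint, if presented
    anti_malware: Optional[str]     # endpoint agent the device reports, if any
    sensitive: bool                 # does the target resource hold sensitive data?

def perimeter_decision(req: Request) -> bool:
    """Traditional model: being on the internal network is the whole check."""
    return ip_address(req.source_ip) in INTERNAL_NET

def zero_trust_decision(req: Request) -> tuple:
    """Check identity and device on every request; source IP is never consulted.
    Returns (allowed, reasons_for_denial)."""
    reasons = []
    if not req.sso_session_valid:
        reasons.append("no valid SSO session")
    if not req.mfa_passed:
        reasons.append("MFA not completed")
    if req.sensitive:  # the more in-depth device checks
        if req.device_cert_fp not in ENROLLED_CERTS:
            reasons.append("device certificate not enrolled")
        if req.anti_malware not in APPROVED_AGENTS:
            reasons.append("approved anti-malware not reported")
    return (not reasons, reasons)

SAMPLES = {  # constructed requests
    "unknown device on office LAN": Request("unknown", "10.1.2.3", False, False, None, None, True),
    "library PC, internal wiki": Request("alice", "203.0.113.7", True, True, None, None, False),
    "library PC, payroll": Request("alice", "203.0.113.7", True, True, None, None, True),
    "managed laptop at home, payroll": Request("alice", "198.51.100.9", True, True, "fp-constructed-0001", "approved-av", True),
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        allowed, why = zero_trust_decision(req)
        print(f"{label}: perimeter={perimeter_decision(req)} zero_trust={allowed} {why}")
```

The first and last samples are the instructive pair: the perimeter model admits the unknown device on the office LAN and rejects the managed laptop at home, and the zero-trust check reverses both outcomes.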

Zero Trust is an important security concept, and an architecture that should be part of any modern environment, but it is not the same as being a trustworthy steward of data and systems, and the two should not be confused with each other. Both are important, but they are not interchangeable.

It's a Question of Trust

To exist in today's data-driven world we all have to do a lot of trusting. It is worth taking some time to evaluate those trusts and to base our decisions on them more than we currently do. And as more and more entities recognize the underlying trusts that they've taken as assumptions, we as service providers need to do more to make sure we are trustworthy. We can do it, 'cause it's always been a matter of trust.