
Who Do You Trust?

This is a tough question, whether it's focused on technology or real life.  'Who can you trust?' is often an easier angle to take, but ultimately that is a precursor to the main scene.  Peeling the onion a little, you can focus on bite-sized chunks and respond with, 'trust with what?'.  If it's my life then the picture changes substantially.  I might trust Google with my search engine results, but perhaps not with diagnosing a disease.

The context will obviously help to determine the scope of who and what are trusted, but the decision making process will generally take the same route.  We ultimately start off with a blank canvas of pre-decision making, slightly marked by some bias and framing, before ending up with a person, product or service that we then utilise to perform an action we cannot perform ourselves.  Once that 3rd party has been chosen, we often fail to perform the checks again, placing our trust in them implicitly and explicitly.  This is when issues can arise.

Trust with what?  What's important to you?  Asset identification

When using any 3rd party in your life, there is often a boundary as to what you're exposing.  From a technology perspective, there should be pretty strict barriers and terms of reference, as to what exactly the 3rd party will be used for, their level of service and responsibility to you.  For example, when you go to get a Ministry of Transport road worthiness certificate for your car in the UK, the check covers the basic safety aspects of the car.  It won't guarantee the car's value, or that any of the components within the car won't break in the next 12 months.  That is beyond the scope and purpose of the test.  The same is true for any service provider.

It's therefore important to really understand what is being entrusted to the 3rd party.  Good asset management here is key.  Understand the value of the asset, who it belongs to, what it does, what the impact is if it's not working and so on.  This is often done implicitly in the real world, without documentation or management, but from a technology perspective the opposite is key.  If you know what the 3rd party will be looking after and its implicit and explicit value, it makes the trusting aspect easier to manage.

Who can you trust? Reputation Management

Once you identify what will essentially be outsourced - and that can be a decision, not just an object - it makes it a lot easier to understand who or what can be trusted.  The scope is narrowed.  There are several aspects to the 'who can' part of the trust question.  The 'who do' (no hoodoo!) part can only be answered based on a pool of people or companies in the 'who can'.  Those 'who can't' are obviously ignored.

But how do you separate those who you can trust from those who you can't?  Reputation is obviously a massive part of this process.  Reputation is again implicitly based on trust.  A reputation of a celebrity for example, can be destroyed overnight by a newspaper exposé, but only if you trust the journalist in the newspaper.  Reputation is clearly the most sensible part of trust analysis, and the additional 3rd parties required to build those reputations are key.  They could come in the form of certifications or standards adherence or perhaps from a review process.  The reviews themselves individually are sometimes difficult to verify, but collectively become a powerful testament.  This can be shown by the likes of Tripadvisor, which is based on the collective power of individual travellers and their comments and reports.

A major part of Facebook's social graph plan is to utilise your collection of friends to provide implicit advice and guidance, in the form of likes and online purchase history.  If you see someone from your trusted pool of friends like a particular restaurant or band, you are more likely to trust their judgement - as you know them - and use their opinion in your buying process.

Default actions based on trust - check and check again

Once someone or something has been trusted, all is done, right?  You can be happy in the knowledge that the person or service you trust has been carefully selected, either implicitly or explicitly, based on a thorough analysis of the risks involved, the exposure of the asset and impact if anything goes wrong.  This may be true, but this is often when you are at greatest risk.  'Those you trust are the ones who let you down the most' is a well worn film and song lyric cliché.

The same can be said of online safety in many respects.  Would you open an email from someone unknown or click on a link from a random tweet?  Probably not.  But make those emails, URLs, pictures and attachments come from someone you trust - or more importantly, look like they're coming from someone you trust - and the entire ball game changes.  The success of phishing attacks is simply based on trust.  'Well, it comes from my bank, so it must be trustworthy'.  Phishing is successful, as the barriers normally applied to untrustworthy data and scenarios have been removed.

Whilst it's not effective, healthy or timely to be paranoid even about the services and products you do trust, it's often worth keeping a look out for the unusual, even if it does look legitimate.

