Trust versus identification, authentication and authorization
Trust, identification, authentication and authorization are related but not equivalent concepts in the BDI.
Identification: assigning a unique identifier to a person, entity or IT-system.
Authentication: verifying a claim that a person, entity or IT-system has a specific identity.
Trust: assessing the level of confidence in the authenticated person, entity or IT-system, given the specific circumstances and context.
Authorization: determining what data the authenticated person, entity or IT-system is allowed to access.
Authentication, Trust, Authorization
Do we accept the identity claim?
- Authentication verifies whether the identity is legitimate.
What level of trust is appropriate?
- Trust is then assessed situationally, based on the specific context, role, and timing:
- Trust is often grounded in experience and reputation.
- The potential consequences if trust is violated also play a significant role.
- The trust assessment process cannot always be fully automated; the outcome does
What data access is necessary?
- Finally, authorization limits data access:
- Access is granted on a need-to-know basis, aligned with the role of the authenticated identity.
Trust Sovereignty
The concept of Trust Sovereignty (also called Trust Autonomy), often referred to as “perimeterless trust,” emphasizes that there is no central authority overseeing a common global perimeter of an operational network. Instead, each data owner independently determines the trust level for entities they interact with, so the same authenticated party can legitimately receive different trust levels, and therefore different access, from different data owners.
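The following is an added illustration of the separation described above (authentication, then trust assessment, then need-to-know authorization) and of trust sovereignty (each data owner applies its own trust policy). It is example code written for this page, not BDI reference code or a BDI specification. The identifiers, shared secrets, roles, reputation scores, data classes, business hours and field names are all constructed for the example; a real deployment would use the credentials and attributes agreed within the BDI, and the token format here (a JSON payload with an HMAC-SHA256 tag) is only a stand-in for whatever identity assertion is actually used.

```python
"""Added example, not BDI code: the four steps kept separate and in order.
Identification -> Authentication -> Trust assessment -> Authorization.
Every identifier, key, role, score and field below is constructed."""
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Identification: each participant carries a unique identifier (constructed).
# Authentication: a per-participant shared secret (constructed stand-in for
# real credentials) signs and verifies the identity claim.
KEYS = {"carrier-042": b"carrier-secret-042", "forwarder-007": b"forwarder-secret-007"}


def issue_token(subject: str, key: bytes, now: int, ttl: int = 300) -> str:
    """Identity claim: urlsafe-b64(payload).urlsafe-b64(HMAC-SHA256(payload))."""
    payload = json.dumps({"sub": subject, "iat": now, "exp": now + ttl}).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return "%s.%s" % (base64.urlsafe_b64encode(payload).decode(),
                      base64.urlsafe_b64encode(sig).decode())


def authenticate(token: str, now: int) -> Optional[str]:
    """Do we accept the identity claim? Return the identifier, or None."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
        claim = json.loads(payload)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    if not isinstance(claim, dict):
        return None
    key = KEYS.get(claim.get("sub"))
    if key is None or claim.get("exp", 0) <= now:  # unknown party or expired claim
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time tag comparison
        return None
    return claim["sub"]


@dataclass
class TrustPolicy:
    """One data owner's own rules; trust sovereignty means every owner sets these."""
    owner: str
    roles: dict                      # identifier -> role as this owner knows it
    reputation: dict                 # identifier -> experience score, 0..100
    impact: dict = field(default_factory=dict)  # data class -> penalty for the consequences of misplaced trust
    business_hours: tuple = (6, 22)  # timing: off-hours requests get less benefit of the doubt

    def assess(self, subject: str, data_class: str, hour: int) -> str:
        """What level of trust is appropriate? 'high', 'low', 'none' or 'manual'."""
        if subject not in self.reputation:
            return "manual"          # no experience with this party: automation stops here
        score = self.reputation[subject]
        if not (self.business_hours[0] <= hour < self.business_hours[1]):
            score -= 30
        score -= self.impact.get(data_class, 0)
        if score >= 60:
            return "high"
        if score >= 30:
            return "low"
        return "none"


# Need-to-know: which fields each (role, trust level) may see (constructed).
NEED_TO_KNOW = {
    ("carrier", "high"): {"eta", "container_no", "customs_status"},
    ("carrier", "low"): {"eta"},
    ("forwarder", "high"): {"eta", "container_no", "customs_status", "shipper"},
    ("forwarder", "low"): {"eta", "container_no"},
}


def authorize(role: str, trust: str, requested: set) -> set:
    """What data access is necessary? Intersect the request with need-to-know."""
    return set(requested) & NEED_TO_KNOW.get((role, trust), set())


def decide(policy: TrustPolicy, token: str, data_class: str,
           requested: set, now: int, hour: int) -> dict:
    """Run the steps in order; each step only sees the output of the previous one."""
    subject = authenticate(token, now)
    if subject is None:
        return {"owner": policy.owner, "authenticated": False, "granted": set()}
    trust = policy.assess(subject, data_class, hour)
    if trust == "manual":
        return {"owner": policy.owner, "authenticated": True, "subject": subject,
                "trust": trust, "granted": set(), "needs_review": True}
    role = policy.roles.get(subject, "unknown")
    return {"owner": policy.owner, "authenticated": True, "subject": subject,
            "trust": trust, "granted": authorize(role, trust, requested)}


# Constructed scenario: one carrier, three data owners with their own policies.
NOW = 1_700_000_000
TOKEN = issue_token("carrier-042", KEYS["carrier-042"], NOW)
REQUEST = {"eta", "container_no", "customs_status", "shipper"}
TERMINAL = TrustPolicy("terminal-A", roles={"carrier-042": "carrier"},
                       reputation={"carrier-042": 90}, impact={"customs": 10})
SHIPPER = TrustPolicy("shipper-B", roles={"carrier-042": "carrier"},
                      reputation={"carrier-042": 50}, impact={"customs": 30})
NEWCOMER = TrustPolicy("warehouse-C", roles={}, reputation={})

if __name__ == "__main__":
    for owner in (TERMINAL, SHIPPER, NEWCOMER):
        print(decide(owner, TOKEN, "customs", REQUEST, NOW, hour=10))
    print(decide(TERMINAL, TOKEN, "customs", REQUEST, NOW, hour=23))  # same party, off-hours
    forged = issue_token("carrier-042", b"guessed-key", NOW)
    print(decide(TERMINAL, forged, "customs", REQUEST, NOW, hour=10))  # fails authentication
```

Running the scenario shows the point of keeping the steps apart: the same valid token yields full need-to-know access at terminal-A, nothing at shipper-B (whose policy weighs the consequences of a customs-data leak more heavily), and a "needs review" outcome at warehouse-C, which has no experience with the party and therefore cannot automate the decision. Authorization never runs before trust is assessed, and trust is never assessed for an unauthenticated claim.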