
Trust

The connotations of the words ‘trust’ and ‘security’ overlap, potentially creating semantic confusion.

Definition trust

Trust is the design and implementation of measures that evaluate the chain of trust for each credential presented by any party; the decision to accept a given level of trust depends on the risk of making a mistake.


Scope of trust

Trust ranges from IT credentials (certificates), to checking which organization has certified the subject and against what scheme, to following the trust chain to the Trust Anchor (for example, checking whether a verifiable credential has been revoked). It also includes reputation schemes that combine historic experience into trust expectations.
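As an added example (not part of the original page or the BDI project's own material), the following Python sketch implements the chain walk described in the two sections above: each presented credential is checked for a valid issuer signature and against a revocation list, issuer links are followed until a Trust Anchor is reached, and acceptance then depends on the risk of the interaction, with the weakest certification scheme in the chain deciding. The issuer names, scheme names, revocation entry and the HMAC-based signature stand-in are all constructed for this example; a real deployment would verify X.509 or verifiable-credential signatures against public keys.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed example data. Real data spaces use X.509 or verifiable-credential
# signatures; an HMAC keyed per issuer stands in for the signature check here.
ISSUER_KEYS = {
    "eu-root": b"constructed-root-key",
    "nl-scheme-operator": b"constructed-operator-key",
    "port-association": b"constructed-association-key",
}
TRUST_ANCHORS = {"eu-root"}                      # where every chain must end
REVOKED = {("port-association", "shipper-x")}    # (issuer, subject) pairs

# Certification schemes an issuer may have applied, ranked by assurance,
# and the minimum rank of the weakest link per risk of accepting wrongly.
SCHEME_RANK = {"self-declared": 0, "registered": 1, "audited": 2}
REQUIRED_RANK_BY_RISK = {"low": 0, "medium": 1, "high": 2}


@dataclass(frozen=True)
class Credential:
    subject: str
    issuer: str
    scheme: str   # scheme the issuer certified the subject against
    mac: bytes    # issuer's signature stand-in over (subject, issuer, scheme)


def _payload(subject: str, issuer: str, scheme: str) -> bytes:
    return f"{subject}|{issuer}|{scheme}".encode()


def issue(subject: str, issuer: str, scheme: str) -> Credential:
    mac = hmac.new(ISSUER_KEYS[issuer], _payload(subject, issuer, scheme),
                   hashlib.sha256).digest()
    return Credential(subject, issuer, scheme, mac)


def signature_valid(cred: Credential) -> bool:
    key = ISSUER_KEYS.get(cred.issuer)
    if key is None:
        return False
    expected = hmac.new(key, _payload(cred.subject, cred.issuer, cred.scheme),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, cred.mac)


def evaluate_chain(cred: Credential, store: dict, max_depth: int = 8):
    """Follow issuer links from the presented credential up to a Trust Anchor.
    `store` maps a subject name to the credential vouching for it. Returns
    (anchored, schemes_seen, reason); every link must verify and be unrevoked."""
    schemes, seen, current = [], set(), cred
    for _ in range(max_depth):
        if current.subject in seen:
            return False, schemes, f"cycle at {current.subject}"
        seen.add(current.subject)
        if not signature_valid(current):
            return False, schemes, f"bad signature on {current.subject}"
        if (current.issuer, current.subject) in REVOKED:
            return False, schemes, f"{current.subject} revoked by {current.issuer}"
        schemes.append(current.scheme)
        if current.issuer in TRUST_ANCHORS:
            return True, schemes, "anchored"
        current = store.get(current.issuer)
        if current is None:
            return False, schemes, "issuer has no credential of its own"
    return False, schemes, "chain too long"


def accept(cred: Credential, store: dict, risk: str):
    """Risk-based decision: a chain is only as strong as its weakest link."""
    anchored, schemes, reason = evaluate_chain(cred, store)
    if not anchored:
        return False, reason
    weakest = min(SCHEME_RANK[s] for s in schemes)
    if weakest < REQUIRED_RANK_BY_RISK[risk]:
        return False, f"weakest link rank {weakest} too low for {risk} risk"
    return True, reason


# Constructed chain: eu-root -> nl-scheme-operator -> port-association -> shippers
STORE = {c.subject: c for c in (
    issue("nl-scheme-operator", "eu-root", "audited"),
    issue("port-association", "nl-scheme-operator", "audited"),
)}
SHIPPER_A = issue("shipper-a", "port-association", "registered")
SHIPPER_X = issue("shipper-x", "port-association", "audited")   # on the revocation list
FORGED = Credential("shipper-a", "port-association", "audited", SHIPPER_A.mac)

if __name__ == "__main__":
    for risk in ("low", "high"):
        print(risk, accept(SHIPPER_A, STORE, risk))
    print("revoked", accept(SHIPPER_X, STORE, "low"))
    print("forged", accept(FORGED, STORE, "low"))
```

The same credential is accepted for a low-risk interaction and refused for a high-risk one, because the data owner's required assurance is compared against the weakest scheme anywhere in the chain, not only against the scheme of the last link; revocation and signature failures stop the walk before any risk decision is made.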


Definition security

Security is the design and implementation of measures that create resistance against the detrimental effects of human error, weaknesses, or attacks by malicious actors (resilience).


Scope of security

Security ranges from IT security (development stack, libraries, code design), to operational security (for example, employees cannot access databases), to logs, daemons and trigger warnings (detecting anomalous behavior).


Approach 1: perimeter with sentry

One approach to trust and security is to set a clear perimeter on the data space and have a sentry at the gate:

  • An organization is a member or not.
  • Members are vetted and once they are accepted, they are trusted within the member group – possibly with a recurring check to ensure that the vetting result is still valid.
  • Only vetted members can communicate within the data space.


Approach 2: perimeter-free network

The other approach is to see the network as perimeter-free, a ‘zero-trust network’:

  • No hard perimeter
  • Polycentric governance
    • A large number of sub-groups, possibly in a hierarchy
    • With local-specific differentiation
  • Zero-trust
    • Trust has to be evaluated continuously and dynamically
    • Trust chains
    • A core trust base anchored in the polycentric governance
    • Trust sovereignty


Required level of trust

In the international business environment, the adage is ‘we do business with anybody but trust them only as far as we can see’, meaning that trust is a dynamic and contextual characteristic, driven as much by reputation as by anything else. Trust sovereignty is the logical result of this observation: the data owner is the ultimate decision maker, per interaction (!), of the level of trust required versus the risk.


Assessing trust

The data owner and other actors in the network need to be able to assess how much trust can be placed in the digital credentials (identity and other) presented by a party. Assessing trust is costly, so lowering the burden of assessment is an obvious requirement in practice.


Pillars for trust

Trust between individuals, even when acting in legal entities, is built on four pillars:

  • strong social control
    • ‘If you break your word, everybody will know and you will be out of business’
    • reputation
  • and/or legal enforcement
    • civil law
    • technology/cryptography
  • and/or neutral parties
  • and/or government authorities


Trust implementation

The local BDI Association is the foundation of effective and efficient trust management in a perimeterless, zero-trust environment. Zero-trust principles require that BDI Associations trust no one outside their own membership and use all four pillars of trust to assess interactions with parties outside their community.

The strong social control pillar is supported by a reputation scheme:

  • Members of the same association are considered trusted insiders.
  • Members of other associations are considered untrusted outsiders at the outset, but that position can change when:
    • a shared reputation scheme builds experience with outsiders;
    • outsiders that commit to specific, legally enforceable rules set by the association become preferred partners.
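As an added example, not from the page or from the BDI Association itself, here is a Python model of that insider/outsider classification combined with a shared reputation ledger and a per-interaction threshold chosen by the data owner (the trust sovereignty described under "Required level of trust"). The association names, members, commitment register, ledger entries, and the thresholds of three reports and a 0.7 positive share are constructed assumptions.

```python
# Constructed membership and commitment registers for a toy data space.
ASSOCIATIONS = {
    "port-association": {"shipper-a", "carrier-b"},
    "rail-association": {"carrier-c", "forwarder-d"},
}
# Outsiders who committed to an association's legally enforceable rules.
COMMITTED_TO = {"port-association": {"carrier-c"}}

# Shared reputation ledger, constructed:
# (reporting member, counterparty, delivered as agreed?)
LEDGER = [
    ("shipper-a", "forwarder-d", True),
    ("carrier-b", "forwarder-d", True),
    ("shipper-a", "forwarder-d", True),
    ("carrier-b", "forwarder-d", False),
    ("shipper-a", "carrier-e", True),
]

# Trust statuses from weakest to strongest.
LEVELS = ["untrusted outsider", "reputed outsider", "preferred partner", "insider"]


def association_of(party: str):
    """Which association a party belongs to, or None if unknown."""
    return next((a for a, members in ASSOCIATIONS.items() if party in members), None)


def reputation(party: str, ledger=LEDGER):
    """Share of positive experiences with `party` and the number of reports
    behind that share, so a single good report cannot buy trust."""
    outcomes = [ok for _, counterparty, ok in ledger if counterparty == party]
    if not outcomes:
        return 0.0, 0
    return sum(outcomes) / len(outcomes), len(outcomes)


def classify(party: str, my_association: str,
             min_reports: int = 3, min_score: float = 0.7) -> str:
    """Trust status of `party` as seen from the members of `my_association`."""
    if party in ASSOCIATIONS.get(my_association, set()):
        return "insider"                      # vetted member of our own association
    if party in COMMITTED_TO.get(my_association, set()):
        return "preferred partner"            # outsider bound by our enforceable rules
    score, reports = reputation(party)
    if reports >= min_reports and score >= min_score:
        return "reputed outsider"             # enough shared experience to rely on
    return "untrusted outsider"               # the zero-trust default


def decide(party: str, my_association: str, required_level: str) -> bool:
    """Trust sovereignty: the data owner picks the level required per interaction."""
    return LEVELS.index(classify(party, my_association)) >= LEVELS.index(required_level)


if __name__ == "__main__":
    for party in ("shipper-a", "carrier-c", "forwarder-d", "carrier-e"):
        print(party, "->", classify(party, "port-association"),
              "| share data:", decide(party, "port-association", "reputed outsider"))
```

The ledger is shared across associations, so experience gathered by one member lifts an outsider's status for every member, while the required level stays a per-interaction choice of the data owner: the same forwarder can be good enough for a low-value exchange and not for one that requires a preferred partner.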