Who Do You Trust?
Information security has a lot to do with trust. Who you trust and who you don’t trust are the essential elements that make up a threat model. I don’t trust anonymous web users not to deface my site, so I implement protections to reduce that risk. I trust these same users enough to read the site so I give them read access to posts like the one you’re reading now.
Trust extends much further into the information protection model than you may realize. Just by using your computer, you’re trusting thousands of people. You trust the companies that make the hardware and software, from the BIOS to the application you installed last night. By extension, you trust who they trust. This means you trust the employees, contractors, business partners, and even those who have broken their trust model. And considering there’s no such thing as a completely secure system, there’s an implicit level of trust in almost everyone.
That’s not as bad as it sounds. We trust people every day. We trust someone to give us our apple from behind the stand after we have paid for it, and if we’re at a restaurant and have eaten the apple first, they trust us to pay for it.
Users of open source software may be the most trusting of all. We add Yum repositories for some guy we have never met and trust that by installing the package he is managing for us, he’s not going to hijack the system and do something bad. But we have the source to look at, you say! Not so fast. That may be true, but how many applications on your system have had a code review by you, or someone you trust implicitly?
Trust works because we all have something to gain by trusting one another. But there are also short-term gains to be had by breaking trust. Spammers take advantage of trust to get you to buy their products. Most people don’t trust spam, but some do and buy the products. And so it continues.
For systems to be (relatively speaking) secure, the trust relationship has to extend end-to-end. That means if there is a single weak link in the chain, the trust cannot be absolute. But, as I said, it might not be as bad as it sounds. Context provides the levity.
When designing secure systems, try to consider the trust relationship at as many points as possible. Model what might happen if someone or something breaks that trust. It will be a more secure system for the effort.