Security and Trust

July 23, 2013
Peter Alterman

Peter Alterman, PhD., Chief Operating Officer, SAFE Bio-Pharma Association

Given front-page preoccupation with privacy and trust, this is a good time to look at the relationship between cyber security and cyber trust. Each is a key component of the other, and each deserves to be understood in order to assure a secure and protected system.

Broadly defined, cyber security comprises a body of behaviors and implementations whose goal is to protect the enterprise and its digital resources – including content – from harm.

These days, enterprise firewalls do a fair job of excluding known threats. Your network devices have had their default passwords reset to something more than “password” and all software security patches are implemented in a timely fashion. You require staff to take an annual refresher in proper online security, such as never clicking on attachments from addressees they don’t know and never disclosing personal information online. Passwords are changed every ninety days. Your CISO may have deployed network sniffers to search for more advanced threats and behaviors (e.g., employees logging into websites of questionable reputation or downloading files from dubious sites at home and transferring them to the office computer on an unprotected thumb drive). On the surface it might appear that the enterprise is secured. But deep down, the enterprise will still be at risk from a variety of threats, not least from trusted employees.

Cyber trust is a category of cyber security. It’s the ability to trust that the user accessing your systems online is authorized to do so. It’s also the knowledge that certain sites outside your domain can be trusted. Accomplishing these levels of trust requires credentialing and authenticating users seeking access to your systems. Credentialing and authenticating are separate functions. If your enterprise can be accessed by external users who are credentialed and authenticated by third parties, it’s essential to require that the vetting and credentialing practices of the third parties — and the appropriate handling of personally identifiable information – are acceptable to the enterprise.

Perhaps the greatest overlap between cyber trust and cyber security occurs in the issuance, management and revocation of credentials. Among others, credential management cyber security targets include: how the proofed identity assertion is sent to the credential issuing service; how the device issuing the credential is protected from hacking or other disruption; how the personnel managing the operation are themselves vetted; and how the credential is transferred to the subscriber.

All of these issues become more complicated when factoring for anonymity, which exists in two forms — trustworthy and untrustworthy. Use of trustworthy anonymous credentials – those vouched for by a trusted entity — increases cyber risk by adding another element that the cyber security strategies must address. These assertions have a place in the ecosystem but not in e-commerce or e-government domains.

Cyber security and cyber trust are separate and intertwined enterprise issues. They remind me of the M.C. Escher print where the white fish turn into black fish as foreground and background merge and separate.

 

