
Who Do You Trust?

This is a tough question, whether it's focused on technology or real life.  'Who can you trust?' is often an easier angle to take, but ultimately that is a precursor to the main scene.  Peeling the onion a little, you can focus on bite-sized chunks and respond with, 'trust with what?'.  If it's my life then the picture changes substantially.  I might trust Google with my search engine results, but perhaps not with diagnosing a disease.

The context will obviously help to determine the scope of who and what are trusted, but the decision making process will generally take the same route.  We ultimately start off with a blank canvas of pre-decision making, slightly marked by some bias and framing, before ending up with a person, product or service that we then utilise to perform an action we cannot perform ourselves.  Once that 3rd party has been chosen, we often fail to perform the checks again, placing our trust in them implicitly and explicitly.  This is when issues can arise.

Trust with what?  What's important to you?  Asset identification

When using any 3rd party in your life, there is often a boundary as to what you're exposing.  From a technology perspective, there should be pretty strict barriers and terms of reference, as to what exactly the 3rd party will be used for, their level of service and responsibility to you.  For example, when you go to get a Ministry of Transport road worthiness certificate for your car in the UK, the check covers the basic safety aspects of the car.  It won't guarantee the car's value, or that any of the components within the car won't break in the next 12 months.  That is beyond the scope and purpose of the test.  The same is true for any service provider.

It's therefore important to really understand what is being entrusted to the 3rd party.  Good asset management here is key.  Understand the value of the asset, who it belongs to, what it does, what the impact is if it's not working and so on.  This is often done implicitly in the real world, without documentation or management, but from a technology perspective the opposite is key.  If you know what the 3rd party will be looking after and its implicit and explicit value, it makes the trusting aspect easier to manage.

Who can you trust? Reputation Management

Once you identify what will essentially be outsourced - and that can be a decision, not just an object - it makes it a lot easier to understand who or what can be trusted.  The scope is narrowed.  There are several aspects to the 'who can' part of the trust question.  The 'who do' (no hoodoo!) part can only be answered based on a pool of people or companies in the 'who can'.  Those 'who can't' are obviously ignored.

But how do you separate those who you can trust from those who you can't?  Reputation is obviously a massive part of this process.  Reputation is again implicitly based on trust.  A reputation of a celebrity for example, can be destroyed overnight by a newspaper exposé, but only if you trust the journalist in the newspaper.  Reputation is clearly the most sensible part of trust analysis, and the additional 3rd parties required to build those reputations are key.  They could come in the form of certifications or standards adherence or perhaps from a review process.  The reviews themselves individually are sometimes difficult to verify, but collectively become a powerful testament.  This can be shown by the likes of Tripadvisor, which is based on the collective power of individual travellers and their comments and reports.

A major part of Facebook's social graph plan is to utilise your collection of friends to provide implicit advice and guidance, in the form of likes and online purchase history.  If you see someone from your trusted pool of friends like a particular restaurant or band, you are more likely to trust their judgement - as you know them - and use their opinion in your buying process.

Default actions based on trust - check and check again

Once someone or something has been trusted, all is done, right?  You can be happy in the knowledge that the person or service you trust has been carefully selected, either implicitly or explicitly, based on a thorough analysis of the risks involved, the exposure of the asset and the impact if anything goes wrong.  This may be true, but this is often when you are at greatest risk.  'Those you trust are the ones who let you down the most' is a well worn film and song lyric cliché.

The same can be said of online safety in many respects.  Would you open an email from someone unknown or click on a link from a random tweet?  Probably not.  But make those emails, URLs, pictures and attachments come from someone you trust - or more importantly, look like they're coming from someone you trust - and the entire ball game changes.  The success of phishing attacks is simply based on trust.  'Well, it comes from my bank, so it must be trustworthy'.  Phishing is successful, as the barriers normally applied to untrustworthy data and scenarios have been removed.

Whilst it's not effective, healthy or timely to be paranoid even about the services and products you do trust, it's often worth keeping a look out for the unusual, even if it does look legitimate.
