{"id":39185,"date":"2021-04-05T10:37:06","date_gmt":"2021-04-05T14:37:06","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?post_type=emagazine&#038;p=39185"},"modified":"2023-07-10T04:59:20","modified_gmt":"2023-07-10T08:59:20","slug":"trust-management-zero-trust","status":"publish","type":"emagazine","link":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/trust-management-zero-trust\/39185\/","title":{"rendered":"Businesses need trust, and trust management is here to help."},"content":{"rendered":"<p>Trust is crucial to personal and professional decisions. It determines <a href=\"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/data-new-toxic-waste\/34184\/\" target=\"_blank\" rel=\"noopener nofollow\">which brands we\u2019ll share our data with<\/a> or work with and allows <a href=\"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/flexible-work-remote-control\/36898\/\" target=\"_blank\" rel=\"noopener nofollow\">managers to let employees work flexibly<\/a>. But could trust help us make better decisions about sharing corporate information and IT network access?<\/p>\n<p>Workplace mental health expert Dr. Joti Samra says <a href=\"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/homeworking-mental-health\/34941\/\" target=\"_blank\" rel=\"noopener nofollow\">pandemic life has given us \u201cnew co-workers:\u201d Those we live with<\/a> 24 hours a day, seven days a week. My partner <a href=\"https:\/\/www.linkedin.com\/in\/theo-dimitrakos-2017\/\" target=\"_blank\" rel=\"noopener nofollow\">Dr. Theo Dimitrakos<\/a> is a world-leading expert in trust management, currently working in the Trustworthiness Theory, Technology and Engineering Lab, Huawei Europe. 
He\u2019s a <a href=\"https:\/\/www.researchgate.net\/profile\/Theo_Dimitrakos\" target=\"_blank\" rel=\"noopener nofollow\">much-cited author<\/a>, Professor of Computer Science at the <a href=\"https:\/\/www.kent.ac.uk\/computing\/people\/3171\/dimitrakos-theodosios\" target=\"_blank\" rel=\"noopener nofollow\">University of Kent,<\/a> where he chairs the advisory board of <a href=\"https:\/\/research.kent.ac.uk\/kirccs\/\" target=\"_blank\" rel=\"noopener nofollow\">Kent Interdisciplinary Research Centre in Cyber Security<\/a> and founder of <a href=\"http:\/\/www.ifiptm.org\/\" target=\"_blank\" rel=\"noopener nofollow\">an international trust management research community<\/a>.<\/p>\n<p>Between lockdown chores and deciding who should load the dishwasher \u2013 while we wait for <a href=\"https:\/\/futurism.com\/the-byte\/samsung-bot-handy-dishwasher\" target=\"_blank\" rel=\"noopener nofollow\">Samsung\u2019s futuristic new kitchen robot<\/a> \u2013 we had a cup of tea and chat about trust management.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-39248\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2021\/04\/07111538\/theo_dimitrakos.jpg-3.png\" alt=\"\" width=\"600\" height=\"459\"><\/p>\n<p><em>Dr. Theo Dimitrakos<\/em><\/p>\n<p><strong>Susi O\u2019Neill: Trust management, from what I hear between the walls, seems complex. What are the basics \u2013 how would you explain it to your mother?<\/strong><\/p>\n<p>Theo Dimitrakos: Before retiring, my mother ran an olive oil business in Greece. I learned many skills by helping the family business. In the 1980s, I installed an <a href=\"https:\/\/en.wikipedia.org\/wiki\/Amstrad\" target=\"_blank\" rel=\"noopener nofollow\">Amstrad computer<\/a> in our Athens shop window, showing 8-bit animations to amazed passers. My parents would produce print packaging slips giving measurements of the olive oil\u2019s pureness from the state chemical analysis agency. 
This was before standard classifications like \u2018virgin\u2019 and \u2018extra virgin\u2019 olive oil.<\/p>\n<p>Central to trust management is reliability assessment, so parties can trust each other to share data. If I claim my olive oil is 100 percent unrefined virgin oil, you need to be able to check my claim. It helps if I give you a trust statement, like the oil purity label. You need to validate the assessor \u2013 in this case, seeing proof from the state agency who is an authority qualified to assess the oil.<\/p>\n<blockquote><p>Through this process, the customer sees a complete trust chain, giving them confidence in your product\u2019s origins. That\u2019s a fundamental principle of trust management.<\/p>\n<cite><p>Dr. Theo Dimitrakos<\/p><\/cite><\/blockquote>\n<p><strong>I can verify your mother\u2019s olive oil is delicious. What are some more key concepts in trust management?<\/strong><\/p>\n<p>In the olive oil example, recognizing authority is a key concept which underpins trust assessment. Different methods of measuring trust are also important. 
My colleague Professor Audun J\u00f8sang, who invented <a href=\"https:\/\/link.springer.com\/book\/10.1007\/978-3-319-42337-1\" target=\"_blank\" rel=\"noopener nofollow\">subjective logic<\/a>, created a calculus for computing in trust networks. It\u2019s now combined with <a href=\"https:\/\/en.wikipedia.org\/wiki\/Bayesian_network\" target=\"_blank\" rel=\"noopener nofollow\">decision networks<\/a> to <a href=\"https:\/\/www.frontiersin.org\/articles\/10.3389\/frai.2020.00054\/full\" target=\"_blank\" rel=\"noopener nofollow\">measure trustworthiness in neural networks<\/a>.<\/p>\n<p>Trust-based decisions inform how an <a href=\"https:\/\/searchenterpriseai.techtarget.com\/definition\/agent-intelligent-agent#:~:text=An%20intelligent%20agent%20is%20a,the%20user%20in%20real%20time.\" target=\"_blank\" rel=\"noopener nofollow\">intelligent agent<\/a> program makes final purchasing decisions using data. Professor Harrison McKnight, my co-editor for <a href=\"https:\/\/link.springer.com\/book\/10.1007\/978-3-642-29852-3\" target=\"_blank\" rel=\"noopener nofollow\">Trust Management VI<\/a>, developed a <a href=\"https:\/\/www.sciencedirect.com\/science\/article\/pii\/S0963868702000203\" target=\"_blank\" rel=\"noopener nofollow\">cognitive model<\/a> to explain the process.<\/p>\n<p>Another fundamental of trust management is <a href=\"https:\/\/dl.acm.org\/doi\/10.1145\/1178618.1178623\" target=\"_blank\" rel=\"noopener nofollow\">trust negotiation<\/a>: Incremental information disclosure. Organizations must take care of what they disclose, to whom and how. Releasing information over time can help reach a trust level to share more valuable data for a common goal.<\/p>\n<blockquote><p>Imagine a group of secret agents negotiates by sharing trivial information between themselves. 
After sharing lower-level information, they now feel more comfortable disclosing more valuable secrets.<\/p>\n<\/blockquote>\n<p>Trust negotiation can help decide how to share credentials to achieve the least-privilege principle (users can only access the parts of the system or data they need for their job) to implement the <a href=\"https:\/\/www.kaspersky.co.uk\/blog\/zero-trust-security\/21072\/\" target=\"_blank\" rel=\"noopener\">zero-trust security model<\/a>. Trust negotiation algorithms do this and more. Before you let someone have privileged information, you may want to check their security clearance. In an IT system, you may want to share as little information as possible for the task, then let the system ask for more information when you need higher-level access.<\/p>\n<p><strong>How did you become interested in trust management?<\/strong><\/p>\n<p>After gaining my Computer Science Ph.D. at Imperial College, London, I worked at a UK government computing lab. We experienced the first dot-com bubble crash around 2001. People lost trust in tech businesses. I felt I had to take action, so I got involved in an international partnership between government, academics and industry to improve trust between customers and companies.<\/p>\n<p>In 2002, with the late <a href=\"https:\/\/crete.academia.edu\/christosnikolau\" target=\"_blank\" rel=\"noopener nofollow\">Christos Nikolau<\/a> (IBM and University of Crete), we established iTrust, an interdisciplinary network including <a href=\"https:\/\/en.wikipedia.org\/wiki\/Experimental_economics\" target=\"_blank\" rel=\"noopener nofollow\">experimental economists<\/a>, philosophers, and cybersecurity and access management specialists. Trust management previously meant identity and access management for IT networks. We broadened it to include models for measuring and increasing trust and consumer confidence.<\/p>\n<p>I found the experimental economists\u2019 research particularly interesting. 
Microeconomics Professor <a href=\"https:\/\/scholar.google.com\/citations?user=3bGMIqsAAAAJ&amp;hl=de\" target=\"_blank\" rel=\"noopener nofollow\">Claudia Keser<\/a> wanted to look at giving incentives for supplying data. We now see that in practice as people trade their data for free online services.<\/p>\n<p>In 2004, I led an international <a href=\"https:\/\/www.ercim.eu\/publication\/Ercim_News\/enw59\/dimitrakos2.html\" target=\"_blank\" rel=\"noopener nofollow\">applied research project<\/a> that developed a framework for managing trust when sharing sensitive data between organizations. The research informed web services trust protocols in use and created a start-up that\u2019s now a <a href=\"https:\/\/www.axiomatics.com\/\" target=\"_blank\" rel=\"noopener nofollow\">market leader in dynamic authorization<\/a>.<\/p>\n<p>My interest in trust management continues. At the forthcoming <a href=\"https:\/\/internationalfunders.org\/2023-ifip-global-conference\/\" target=\"_blank\" rel=\"noopener nofollow\">IFIP conference<\/a>, I will present new methods to authorize and change a person\u2019s access depending on their situation. For example, if they\u2019re working at home and others are present who shouldn\u2019t have access to sensitive documents, or they\u2019re trying to evade detection when taking photos of confidential documents on their computer screen.<\/p>\n<p><strong>How has trust management evolved since then?<\/strong><\/p>\n<p>There have been significant developments and new identity verification models, virtual organizations and consensus-based decisions. 
There are now more decentralized ways to create digital identities, share and verify them without violating privileges, nor the identity provider needing to track who\u2019s used them.<\/p>\n<p><strong>How does this relate to decentralized data models like blockchain?<\/strong><\/p>\n<p><a href=\"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/category\/blockchain\/\" target=\"_blank\" rel=\"noopener nofollow\">Blockchain<\/a>\u2019s decentralized trust model has distributed credentials and verifiers. It can be used to implement a trust model, but it\u2019s not the only way to implement trust management today.<\/p>\n<p><a href=\"https:\/\/www.w3.org\/TR\/vc-data-model\/\" target=\"_blank\" rel=\"noopener nofollow\">Credentials verification is a model promoted by W3C<\/a> \u2013 the community that sets global open web standards \u2013 for verifying web information. It has nothing to do with blockchain but can be used alongside it. My colleague <a href=\"https:\/\/verifiablecredentials.info\/team\" target=\"_blank\" rel=\"noopener nofollow\">Professor David Chadwick<\/a>, a co-editor of the standard, <a href=\"https:\/\/www.youtube.com\/watch?v=yqSr0xKcG18\" target=\"_blank\" rel=\"noopener nofollow\">highlights this distinction<\/a>.<\/p>\n<p>Blockchain or not, it means someone can prove your credentials without assuming a centralized authority, the party and identity provider issuer know each other. And you could use someone\u2019s credentials without the identity provider tracking what you do \u2013 for example, when you share your identity documents to open a new bank account or use a trust-led community like Airbnb. 
If credential verification becomes popular, big tech firms like Google will be less able to track us.<\/p>\n<p><strong>How can businesses establish a suitable trust management model?<\/strong><\/p>\n<p>Knowing your business means understanding its processes and data flows with suppliers, incentives for users and which authorities regulate your data or services. Understand your relationships, model them, design your system, then make it secure. <a href=\"https:\/\/link.springer.com\/chapter\/10.1007%2F978-3-319-95276-5_1\" target=\"_blank\" rel=\"noopener nofollow\">Apply security from concept to deployment<\/a>.<\/p>\n<blockquote><p>Never presume trust \u2013 always measure and verify it.<\/p>\n<\/blockquote>\n<p><strong>How can businesses use trust management to improve IT security? <\/strong><\/p>\n<p>Trust management predates <a href=\"https:\/\/www.kaspersky.co.uk\/blog\/zero-trust-security\/21072\/\" target=\"_blank\" rel=\"noopener\">zero trust<\/a> and will probably outlive it. Zero trust integrates different decentralized trust models. It\u2019s becoming popular because of how technology has evolved: Our work environment has become more decentralized with cloud computing, remote working and data sharing.<\/p>\n<p>Zero trust is about decentralized trust models, fusing trust authorization and verification versus reliability. It means you need to check your assertions about someone rather than rely on another authority to validate them. You need to examine the subject and score them, then use that score and the outcome of your trust algorithm to decide what systems and information they can access.<\/p>\n<p>Now we can measure trust, so your decisions must be calculated. You can have verification like <a href=\"https:\/\/www.kaspersky.com\/blog\/36c3-pdf-digital-signature\/18443\/\" target=\"_blank\" rel=\"noopener nofollow\">digital signatures<\/a>, behavior analysis, biometrics, or a combination. 
This creates a trust score for each entity that should be linked to your access management policies.<\/p>\n<p>Authorization becomes dynamic and continuous. This is often overlooked when considering zero trust strategies for security and access control that only focus on prevention. As trust values change over time, authorization levels and access must change. You may need to increase, reduce or revoke authorization previously given.<\/p>\n<p>With <a href=\"http:\/\/www.ifiptm.org\/wg-11-11-structure\/fabio-martinelli\" target=\"_blank\" rel=\"noopener nofollow\">Dr. Fabio Martinelli<\/a>, Vice-Chair of the European Cybersecurity Organization, we recently developed a <a href=\"https:\/\/ieeexplore.ieee.org\/abstract\/document\/9343102\" target=\"_blank\" rel=\"noopener nofollow\">lightweight enabling technology<\/a> for network gateways and consumer internet of things (IoT) devices that combine dynamic authorization with an evaluation of trust levels. I hope this helps zero trust models go beyond corporate networks to smart homes and <a href=\"http:\/\/isyou.info\/jisis\/vol10\/no3\/jisis-2020-vol10-no3-04.pdf\" target=\"_blank\" rel=\"noopener nofollow\">data usage control<\/a>.<\/p>\n<p><strong>Excellent! Now I feel suitably informed about trust. So in place of the dishwasher robot, can I use a trust management model to make sure you do this?<\/strong><\/p>\n<p>Yes, but we first need to set up an algorithm and scoring method, agree on incentives and maybe a consensus protocol.<\/p>\n<p><strong>Perhaps technology models can\u2019t solve all our challenges yet.<\/strong><\/p>\n<p><em>Opinions are those of the interviewee and do not represent his employers (corporate or academic).<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>How can your business know it can trust its partners? How can your customers know they can trust you? 
Trust management has the answer.<\/p>\n","protected":false},"author":2521,"featured_media":39188,"template":"","coauthors":[3452],"class_list":{"0":"post-39185","1":"emagazine","2":"type-emagazine","3":"status-publish","4":"has-post-thumbnail","6":"emagazine-category-data-and-privacy","7":"emagazine-category-opinions","8":"emagazine-category-transparency","9":"emagazine-tag-blockchain","10":"emagazine-tag-trust-management","11":"emagazine-tag-zero-trust"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/secure-futures-magazine\/trust-management-zero-trust\/39185\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/secure-futures-magazine\/trust-management-zero-trust\/24501\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/secure-futures-magazine\/trust-management-zero-trust\/22542\/"}],"acf":[],"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine\/39185","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/emagazine"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/emagazine"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2521"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/39188"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=39185"}],"wp:term":[{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/coauthors?post=39185"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}