As we move towards more complex and interconnected computing architectures (e.g., SOA/Cloud Computing/SaaS/MSP), receiving assurance that critical business data is "secure" is growing ever more important and ever more difficult. Despite standardization efforts (e.g., OSSTMM, OWASP), there is still far too much latitude in: the definition of "secure"; the definition and scoping of the assessment activities intended to quantify security; the language used to communicate the results; and the qualifications of the personnel conducting the activities, which are what engender confidence in the results.
SIMPLE ANSWER: VERIFY
We believe the answer to this complex challenge is rather simple: verify that the person/team/company responsible for establishing/maintaining and assessing/reporting the security is worthy of being trusted.
ASK: ARE THEY TRUSTWORTHY?
So rather than ask the question "Are we/they/the systems/the applications secure?", ask the better question "Are we/they/the systems/the applications trustworthy?" At first blush, the distinction looks rather minor, as many of the "technical" mechanisms that we choose to assess "trustworthy" are in large part the same that we would use to assess "secure" (e.g., vulnerability assessments, penetration tests, audits, third-party attestation, etc.). However, the value of including trust in the assurance process is that it provides an additional set of measures that we can use to enhance the value and accuracy of the more technical mechanisms. That is, by considering the trustworthiness of the individuals, organizations, and systems, the level of assurance (either positive or negative) provided by the provider/assessor is greatly increased.
CHECKLIST FOR THE ELEMENTS OF TRUST
The additional measures are based on the elements of trust: you need to believe that there is integrity, a perspective of mutual benefit, a capability of achieving your objectives, and a demonstrable track record of doing so.
- Integrity Checks: Have they (provider & assessor) demonstrated integrity/honesty/transparency? Have they communicated in a straightforward and forthright manner?
- Intent Checks: Were the motives for all assessment decisions (provider & assessor) straightforward and based on mutual benefit (provider & assessment recipient)? Does the scoping of the test align with the intent? Does the selection of security assessment activities align with mutual benefit? Were the "extent & rigor" of the tests suitable to the intent?
- Capabilities Checks: Are personnel appropriately qualified, sufficiently experienced (industry/standard), and adequately certified? Are their skills aligned with the intent of the assessment?
- Results Checks: Can/will they (provider & assessor) demonstrate a track record of success? Are previous (provider) test results readily available and consistent with the current results? Are third-party attestations to the capabilities/results of the assessor available?
A "COMMON SENSE" APPROACH
We understand if you think that this approach is largely "common sense" and self-evident. We agree. However, please don't dismiss it based on its simplicity. How can we trust that our systems and information are secure if we don't trust the personnel and organizations that are tasked with maintaining their security, or those tasked with assessing and reporting on the same?
NATURAL CONCLUSION: "TRUST BUT VERIFY"
Trust-based assurance is a logical extension of Information Security/Assurance. It extends Information Assurance by leveraging interpersonal and inter-organizational validation to verify the validity (completeness/accuracy/appropriateness) of information provided as attestation of the security posture. With apologies to Ronald Reagan: "Trust, but verify."