Thursday, October 05, 2006

Rant: Virtual Trust as an Enabler

Richard Bejtlich is at it again. The concept of Virtual Trust outlined in this paper is a matter of perspective. This continues a series of arguments laid out by business individuals who are far more learned than I that security is a business enabler and there is some sort of tangible ROI in it, and Ken Belva makes one of the most convincing arguments to the point. Despite that, I don’t think it makes any headway against the naysayers and is just more smoke and mirrors.

Let me give you the short version of the paper.

The author starts out by confirming the Co-Author and his credibility by listing a series of accomplishments and certificates, thus cementing our “Virtual Trust” in his arguments, in a mock interview. I find the venue for opening the paper a little amusing, and in fact the author does gain a little trust on my part, since I too conduct mock interviews with myself when I have ideas, usually on the toilet where, as I tell people, I have my most profound and enlightening thoughts. He then goes on to define Virtual Trust as “Traditional trust and traditional guarantors of trust are non-electronic means of establishing trust: signatures, notarizations, contracts, etc. Virtual Guarantors of trust are electronic and function by means of software—for example, digital certificates and digital signatures. These are mechanisms by which we can create electronic representations of real relationships. Virtual trust is a type of trust created between two parties through virtual guarantors of trust, basically through bits and bytes.” Kind of like my Virtual Pet, my virtual girlfriend, and my Virtual Democracy, they don’t really exist; they are just there to make me feel all warm and fuzzy. But, the author has succeeded in creating a new definition by tacking the word virtual in front of something. At least we were spared the tacking of a single letter and a dash, like “e-” or “i-”, but that is probably because “etrust” and “itrust” were already taken and trademarked names. But then again, we do get a whole lot of “The Tao of” titles as well, but I gave Rich his ribbing for that already. I will have to check out the “Tao of Star Wars” when I have more time.

The article then goes on to list some examples (I-Tunes DRM, Microsoft Windows (???), SWIFT, e-Books). Our mock interview ends, and the introduction to the real paper begins. In the first three sentences, I think the author really gets to the whole point of the argument. “Cash. Profit. Margins. Productivity. This is the language of businesses. At this time, it is not the language of information security.” I think right here we get to the real motive. Information Security just doesn’t think in terms of “money”. Businesses want cash, moolah, some of that fat cash rolling in, and they want all their investments to generate it. I mean, look at the amount of investment that goes into security, both physical and digital. You buy firewalls, virus scanners, security guards, network security analysts, training for personnel, memos reminding employees of their “Shared Responsibilities” to ensure a secure workplace, System Administrators who assign rights and privileges, access control mechanisms such as proximity cards for doors, and a whole slew of other digital and physical security products and services. And what is the overall return on investment? Nothing. Zero. If we provide a smoke screen giving the illusion of some sort of profit generation, then we can justify this from a business perspective. But then again, I don’t try to measure the ROI on the Police or the Military; I just thank my lucky stars when they respond to my complaints about my annoying neighbors and their loud music, parties, and public orgies. I do curse pretty loudly when I get a speeding ticket, though, which does make me question where my tax dollars are going.

Let’s look at the example of a bank. When I walk into a bank, I see a security guard; sometimes he’s awake, and sometimes he’s not. But he’s there just in case. I walk up to the teller and I see the “Insured by the FDIC” logo proudly displayed. In this instant, I feel a certain amount of “trust” that the bank is indeed a real bank. I write a check, sign it, and give it to the teller. From the bank’s perspective, the guard and the FDIC insurance are loss prevention; from my perspective, they enable me to have faith that I am doing business with a real bank that is doing what they can to protect my assets. My signature and my driver’s license provide the trust from the bank’s end. Now “Shifty’s Hock and Loan” down the street is another story. The crack heads out front eliminate any sort of trust that I am doing business with a reputable source. Then there is the strange guy sitting behind the cardboard façade with the marker sign that says “Sit-E Bank”, who I suspect might be a fraud. That lack of trust does not enable me to do business with the Home-Boy Shopping Network either.

The article’s example of I-Tunes is a poor example. Here, DRM is not being used to address “trust”, but the lack thereof with the consumer. If you change the perspective from Store-to-Consumer to Store-to-Supplier, in this case the Music Industry, it switches from a loss prevention mechanism to a trust mechanism (and please note, I am a strong opponent of DRM, so don’t stone me for saying that). Let’s look at this from a different perspective, the I-Tunes Store, which is what really is generating the revenue. I log in to I-Tunes and my browser gives me a message stating that I have received a digital certificate stating that I have indeed connected to Apple’s I-Tunes store through SSL. I log in using my username and password, which verifies that I am indeed who I say I am. I click on a few songs, click purchase, I get asked to input my credit card number, input the security number on the back of the card, and verify using a security key word. In this case, the loss prevention mechanisms put in place to prevent intruders from eavesdropping and to confirm identity have established a trust that I am indeed who I say I am, and that Apple is indeed who they say they are. This, from my perspective, enables me to do business with them satisfactorily. The DRM in the songs I download, however, is not trust; it is strictly loss prevention between me and Apple. However, between Apple and the music industry, that’s a different story. It’s just a matter of perspective.

All of that sounds just like “trust” in the physical world, and it is. There are a lot of people who want to start a semantics argument over the whole issue, and that’s fine. Free speech and all that. Trust is, or it isn’t, regardless of the media it resides in. The whole point, however, is not to define the term, but to demonstrate how security mechanisms, at the very least, allow business to take place. I previously used the term “Trust Mechanism”. The reason is that establishing trust is just an aspect of doing business. Business can take place without that trust, but it might not be with the individual you think, which is what phishers and other scam artists rely on. The argument can go either way because it can be two things, both loss prevention and an enabler, and not necessarily both or either. Kind of like the chicken and the egg, this will be another one of those arguments that won’t be resolved. The author should be proud; his article has incited discussion, and typically that’s a good thing.