
Trust But Verify? That’s An Oxymoron…

February 23rd, 2009

In response to my post regarding Cloud (SaaS, really) providers' security, Allen Baranov asked me the following excellent question in the comments:

Hoff,

What would make you trust "the Cloud"? Scrap that… stupid question…

What would make you trust SaaS providers?

To which I responded:

Generally, my CEO or CFO. 🙁  

I don't "trust" third party vendors with my data. I never will. I simply exercise the maximal amount of due diligence that I am afforded given prevailing time, money, resources and transparency and assess risk from there.

Even if the data is not critical/sensitive, I don't "trust" that it's not going to be mishandled. Not in today's world.  (Ed: How I deal with that mishandling is the secret sauce…)

I then got thinking about the line that Ronald Reagan is often credited with wherein he described managing relations with the former Soviet Union:

Trust but verify.

Security professionals use that phrase a lot. They shouldn't. It's oxymoronic.

The very definition of "trust" is:

trust |trəst|
noun
firm belief in the reliability, truth, ability, or strength of someone or something: "relations have to be built on trust"; "they have been able to win the trust of the others."
• acceptance of the truth of a statement without evidence or investigation: "I used only primary sources, taking nothing on trust."
• the state of being responsible for someone or something: "a man in a position of trust."
• poetic/literary a person or duty for which one has responsibility: "rulership is a trust from God."
• poetic/literary a hope or expectation: "all the great trusts of womanhood."

See the second bullet above, "…without evidence or investigation"? I don't "trust" people over which I have no effective control. With third parties handling your data, you have no effective "control." You have the capability to audit, assess and recover, but control? Nope.

Does that mean I think you should not put your information into the hands of a third party?  Of course not.  It's inevitable.  You already have. However, admitting defeat and working from there may make Jack a dull boy, but he's also not unprepared for when the bad stuff happens.  And it will.

I stand by my answer to Allen.

You?

/Hoff

  1. tim
    February 23rd, 2009 at 05:11 | #1

    The short answer to this is that its our job to make sure we don't have to "trust" them. Or you. Or myself.
    Policies, procedures, technical controls, contracts, risk acceptance, audits, etc are all part of that. I sleep better at night when trust is eliminated from the equation.
    (most likely the reason I am not married)

  2. David
    February 23rd, 2009 at 13:39 | #2

    I actually believe these definitions are missing an aspect of trust and that is "predictable expectation". "I trust you to do the right thing." There are many people that I trust to do the wrong thing. I have an expectation of their predictable behavior. For me the word trust has never been used to suggest something positive or something that was factually true or verifiable; it has always more dealt with setting an expectation on a relationship, behavior, or outcome.
    There are many people in the world that I can trust to always screw up a project and every once in a while some of them violate that trust by actually succeeding with a project.
    “Trust, but Verify” to me means establish an expected relationship, behavior, or outcome, but prove it.
    I think “Trust, but Verify First” might be what you are arguing for, but isn’t “first” implied? If it is not, then it should be written “Trust then Verify”. At any rate it is explicitly stating that there should be no trust without verification.
    What would make you trust "the Cloud"? Answer: A significant business need. To me this question seems more like a tool looking for a purpose. What would make me trust a hammer? Well first I would have to have a want or need to use the hammer. Then I would set a trust level and hopefully verify that trust before I swung the hammer toward a nail and the head flew off the handle violating my level of trust in the hammer. If you’re asking someone what would make them trust the cloud they probably do not have a business need for the cloud in the first place. If they had a business need then they would be asking you to verify their required level of trust in the cloud.
    I will not trust clouds until I have need for them, then I will have to trust them, but verify first before I use them.
    Thanks…

  3. February 23rd, 2009 at 14:27 | #3

    Hoff-
    It seems to me that the higher up we go on your model (from bottom to top) the fewer technical resources we need to have involved in the contracting, design, maintenance, security, auditing and incident response for the application. We won't save their salaries though, as we'll have to replace them with lawyers.
    There's probably an axiom here. The higher up the stack that you outsource, the greater the ratio of lawyers to IT people required to ensure the security and availability of the application.
    –Michael

  4. Chip
    March 29th, 2010 at 11:15 | #4

    Trust and verify. Very simple thought and logic made complicated. What a shame.
