Another good blog post – thanks. Yes, totally agree again. As we “harden” the hardware and lower stack, the vulnerability and attack surfaces move higher. Therefore we must begin to address how we address the trust/safety/integrity and security of the the entire stack.

From the time power hits the processor, thru login, at and during application load processes, and continuing thru network services – we need to have some notion of transient trust promotion.

Microsoft has been messaging this (as most of us know) as “end-to-end” trust — so it is really what I said above repeated for both ends of a “trusted and secure” transaction between two endpoints and/or business process interchanges.

We like to think of this as creating and passing the “trust baton” up and across the layers – attesting to some independent or federated trust references along the way.

There are many challenges with this of course, not the least of which is vendor cooperation in the creation of to “trust baton”, and the passing of the baton up and through the various layers.

All of this argues in favor and supports some of your prior posts IMHO. Let’s think about adding a “trust credential” when we are gating information and data transactions.

Sort of a “FICO score” for platforms. With some proactive expression of positive trust and platform health (possibly leveraging whitelists) one could gate IDENTITY and PLATFORM trust credentials via NAC/NAP/UAC frameworks in some normalized way.

With these type of methods, we might have a prayer of closing some of the full stack exposure issues that you point out.

And we need to do that across a heterogeneous and increasingly vulnerable ICT infrastructure that the world depends on for just about everything these days.

Wyatt.