Gartner Blog Network


Forget Trust, Think “Trustability”

by Neil MacDonald  |  May 31, 2011  |  3 Comments

The term “trust” is too binary for the world of business and IT we are moving into.

Trust sounds black and white / all or nothing. Either I trust you or I don’t.

The reality is far more complex: a world of information security decisions based on shades of grey, not black and white. In the past we owned and controlled most of the IT infrastructure that supported our organization. We used this ownership and control as a proxy for “trust” – because I owned it, I trusted it. The same was true for user identities as well.

No longer. Consumerization and the shift to Cloud-based computing change everything.

Trustability (or confidence, or assurance – pick your favorite term) is the new mindset for information security.

Instead of perceived absolute trust (which we never really had), we will shift to a paradigm that embraces variable levels of trustability — adaptive and context-aware security policy enforcement mechanisms that help us answer the real question:

“Do I have enough trust in the entities involved to take the requested action at my current level of risk tolerance and given the current context to allow the action to take place?”

That’s a direct quote out of my research note for clients titled The Future of Information Security is Context-Aware and Adaptive.

Context is key to making better information security decisions where we increasingly don’t own and don’t control the devices, networks, OSs, and applications that our organization runs on.
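The question quoted above turns into a policy decision once “trust” is a score rather than a yes/no: context signals (device ownership, identity assurance, network reputation, location) are combined into a trustability score and compared with a risk tolerance that depends on the requested action. The example below is added here to illustrate that and is not code from the research note; the signal names, weights, thresholds and sample contexts are constructed for the illustration.

```python
# Weights for the context signals the post names; constructed for this example.
SIGNAL_WEIGHTS = {
    "managed_device": 0.30,      # ownership/control, the old binary proxy for trust
    "identity_assurance": 0.30,  # how strongly the user was authenticated
    "network_reputation": 0.25,  # reputation of the source network
    "known_location": 0.15,      # request comes from a location seen before
}
# Assurance earned by each authentication method (constructed values).
IDENTITY_ASSURANCE = {"password": 0.4, "mfa": 0.8, "hardware_token": 1.0}
# Minimum trustability to allow each action outright: the risk tolerance per action.
ACTION_RISK_TOLERANCE = {
    "read_public_wiki": 0.20,
    "read_customer_records": 0.60,
    "export_customer_records": 0.85,
}
# Within this distance below the tolerance, ask for more evidence instead of denying.
STEP_UP_MARGIN = 0.20

def trustability(ctx):
    """Combine the context signals into one trust score between 0 and 1."""
    signals = {
        # An unmanaged (BYOD) device is trusted less, not zero: shades of grey.
        "managed_device": 1.0 if ctx["managed_device"] else 0.3,
        "identity_assurance": IDENTITY_ASSURANCE[ctx["identity_assurance"]],
        "network_reputation": ctx["network_reputation"],
        "known_location": 1.0 if ctx["known_location"] else 0.0,
    }
    return sum(SIGNAL_WEIGHTS[name] * value for name, value in signals.items())

def decide(action, ctx):
    """Is there enough trust for this action, at its risk tolerance, in this context?"""
    required = ACTION_RISK_TOLERANCE[action]
    score = trustability(ctx)
    if score >= required:
        decision = "allow"
    elif score >= required - STEP_UP_MARGIN:
        decision = "step-up"  # adaptive: allow only after additional verification
    else:
        decision = "deny"
    return {"action": action, "score": round(score, 3),
            "required": required, "decision": decision}

# Constructed sample contexts: a managed corporate laptop and a personal phone.
CORPORATE_LAPTOP = {"managed_device": True, "identity_assurance": "mfa",
                    "network_reputation": 0.9, "known_location": True}
BYOD_PHONE = {"managed_device": False, "identity_assurance": "mfa",
              "network_reputation": 0.5, "known_location": False}
```

With these values the same user on the phone is allowed to read the public wiki, is asked to step up before reading customer records, and is denied an export, while the managed laptop is allowed all three.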

I’ll be presenting on this topic as well as another session on virtualization and security at Gartner’s upcoming Security and Risk Management Summit at the end of June in Washington DC.

Here’s the description:

Adaptive, Context-Aware Security Infrastructure and Intelligence

20 June, 2011 (02:30 PM – 03:30 PM)

Consumerization, virtualization, and cloud computing challenge traditional static security models. The future of information security – infrastructure and intelligence — must become contextual and adaptive to changes in business requirements and the changing threat landscape. Richer, real-time context-aware information such as reputation, identity, application and content-awareness at the point of a security decision will provide more accurate and timely security decisions. Information gathered by context-aware security platforms will provide security intelligence — delivering actionable, risk-based insight and situational awareness.

I hope to see you there!

Category: cloud  cloud-security  next-generation-security-infrastructure  

Tags: adaptive-security-infrastucture  cloud-security  context-aware-security  information-security  security-summit-na  


Thoughts on Forget Trust, Think “Trustability”


  1. Saqib Ali says:

    Adding “-ability” to a term still keeps the concept binary. A more appropriate term would be trustiness. Trustiness is not binary and yet measurable.

    Btw, have you read Prof. Nissenbaum’s writings on Privacy as Contextual Integrity?

    Saqib

  2. Neil MacDonald says:

    @Saqib – funny you should say this. I watch Colbert as well.

    http://www.colbertnation.com/the-colbert-report-videos/24039/october-17-2005/the-word—truthiness

    However, trustiness (like truthiness) runs the risk of being interpreted to mean ‘trust that we have intuitively “from the gut” without regard to evidence, logic, intellectual examination, or facts…’

    http://en.wikipedia.org/wiki/Truthiness

    and that’s not exactly what we mean ….

    Thanks – I will take a look at the professor’s work:
    http://crypto.stanford.edu/portia/papers/RevnissenbaumDTP31.pdf

    Neil

  3. Jay Heiser says:

    Colbert is using truthiness to describe a sort of wishful thinking on the part of the ‘consumer’. So while there is some similarity, I think trustability can be better understood as having a relationship to transparency. It’s not about how much you want to buy something (not that wishful thinking doesn’t play a serious role in today’s cloudy market), but it’s about the degree to which the service provider has given you legitimate reason to believe that it will behave as advertised.

    I’ve used the term ‘pseudo-transparency’ to describe the deceptive process of framing your offering as being trustable, while actually providing no useful evidence. The classic example is “we are in a SAS70 certified facility”: 7 words that are deceptive in at least 3 ways, which represents a low ratio of truthiness.
