CISO2CISO.COM & CYBER SECURITY GROUP

Earning Trust in the 21st Century – Cloud Security Alliance – DC (CSA-DC) Research

In today’s interconnected and technology-reliant world, the expectation of trust and need to trust
is growing. [1] Today’s trust-based solutions may become non-viable in the future. [2] [3] As use of
the cloud grows, we are experiencing a shift in resource allocation from on-premise to off-premise
systems. As systems move to cloud hosted environments, the loss of control over the access network
becomes a concern. Today’s trust-based solutions typically start at the network level. If a user has
access to a network, they are typically trusted to have access to some or all of the resources, data, and
systems on that network.
But, when networks are unknown and untrusted, how is trust acquired? Zero Trust (ZT) architectures
seek to provide access control techniques that assume the network is not trustworthy. One of the
approaches suggested by industry is the use of trust scores. Like a credit score, a cyber trust score
could be used to assess the risk potential associated with allowing any given user access to systems
and information. But how would a trust score be calculated? Current approaches smack of a violation
of privacy where the right to gain access is issued only by agreeing to be monitored.
This paper addresses the technical, social, policy, and regulatory issues associated with creating
trust frameworks in a Zero Trust world. Industry and government are called to solve these issues in ways
that continue to protect users’ right to privacy.

Traditional Domain-Based Trust Systems

Transitive Trust is a two-way relationship automatically created between two domains in a forest. For
example, transitive trust may allow the resource domain to trust the account domain through a chain
of trust relationships—and even between intermediate domains. [22] Inter-Domain Trust occurs when
a domain provides another trusting domain with its user’s security access token. The trusting domain
may use the token to determine if the user has the necessary permissions to access its resources.
For example, in operation, a user logs into the first trusted domain and then opens a file in the
second trusted domain without logging into the second domain. [22]
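The chain-of-trust resolution described above can be modelled as a small directed graph. The following is an added example, not code from the CSA-DC paper: the domain names, the trust table and the `trust_path`/`accepts_token` helpers are all constructed for illustration. It encodes the distinction the text draws: a transitive two-way trust inside a forest lets trust flow through intermediate domains, while a one-way, non-transitive trust is honoured only by the domain that issued it directly.

```python
"""Added example (not from the paper): resolving a chain of domain trusts.

Models two relationship kinds from the text: a transitive two-way trust
between domains in one forest, and a one-way inter-domain trust in which a
trusting domain accepts security tokens from a trusted account domain.
"""
from collections import deque

# Constructed sample forest: (trusting_domain, trusted_domain, transitive).
# The trusting domain accepts tokens issued by the trusted domain.
TRUSTS = [
    ("resources.corp.example", "hq.corp.example", True),   # same forest, two-way
    ("hq.corp.example", "resources.corp.example", True),
    ("hq.corp.example", "eu.corp.example", True),
    ("eu.corp.example", "hq.corp.example", True),
    ("resources.corp.example", "partner.example", False),  # one-way, non-transitive
]


def build_graph(trusts):
    """Adjacency list: trusting domain -> [(trusted domain, transitive)]."""
    graph = {}
    for trusting, trusted, transitive in trusts:
        graph.setdefault(trusting, []).append((trusted, transitive))
    return graph


def trust_path(trusts, trusting, account_domain):
    """Return the chain of domains through which `trusting` ends up trusting
    tokens from `account_domain`, or None if no such chain exists.

    A direct trust suffices whether or not it is transitive. For a longer
    chain every hop must be transitive, so a non-transitive trust granted by
    one domain never leaks to the other domains that trust it.
    """
    graph = build_graph(trusts)
    if trusting == account_domain:
        return [trusting]
    for nxt, _transitive in graph.get(trusting, []):
        if nxt == account_domain:          # direct hop, any kind of trust
            return [trusting, nxt]
    queue = deque([[trusting]])            # breadth-first over transitive hops
    seen = {trusting}
    while queue:
        path = queue.popleft()
        for nxt, transitive in graph.get(path[-1], []):
            if not transitive or nxt in seen:
                continue
            new_path = path + [nxt]
            if nxt == account_domain:
                return new_path
            seen.add(nxt)
            queue.append(new_path)
    return None


def accepts_token(trusts, trusting, token):
    """Inter-domain trust: the trusting domain accepts the user's token only
    when it trusts the issuing (account) domain; it then applies its own
    permissions to the user, which this toy does not model."""
    return trust_path(trusts, trusting, token["issuer"]) is not None


if __name__ == "__main__":
    token = {"issuer": "hq.corp.example", "user": "alice"}
    print(trust_path(TRUSTS, "resources.corp.example", "eu.corp.example"))
    print(accepts_token(TRUSTS, "resources.corp.example", token))
    print(trust_path(TRUSTS, "eu.corp.example", "partner.example"))  # None
```

The last call shows why administrators audit trust relationships: `eu.corp.example` never trusts `partner.example`, because the only path runs through a non-transitive trust that `resources.corp.example` granted for itself alone. Reversing the direction (`partner.example` as the trusting domain) also yields `None`, since the trust is one-way.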
Authentication is the process an entity undergoes to prove its identity to a second entity—which
is often a system the former entity is attempting to access. [4] Authentication may occur between
any system, such as a computer program and an end user (human), a computer system, a piece
of hardware, or a mobile device. Credentials authenticate users and are considered proof of
identity. There are different credentials—including Public Key Infrastructure (PKI)—which use digital
certificates, passwords, pins, and even biometrics (such as fingerprints and iris scans). [4]
Trust today is achieved between networks and domains using Single Sign On (SSO), Federation, and
Kerberos protocols. SSO is a session and user authentication service that permits end users to enter
one set of login credentials (such as a name and password) to access multiple applications. SSO
allows for a user’s identity to provide access across numerous service providers. [4]
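To make the SSO flow concrete, here is an added example that is not part of the paper: a toy identity provider authenticates the user once and issues a signed assertion, and each service provider accepts that assertion on the strength of the signature, audience and expiry instead of asking for the password again. The user store, the salt, the signing key and the `idp_login`/`sp_verify` functions are all constructed for illustration; a symmetric HMAC key stands in for the key pair a real SAML or OIDC identity provider would use.

```python
"""Added example (not from the paper): one login, many service providers.

A constructed identity provider (IdP) checks the user's credentials once and
signs a short-lived assertion. Service providers (SPs) verify the assertion
and never see the password. HMAC with a shared key is a stand-in for the
IdP's signing key pair in SAML/OIDC; the rest of the structure is the same.
"""
import base64
import hashlib
import hmac
import json
import time

IDP_KEY = b"constructed-idp-signing-key"      # constructed; shared with SPs
_SALT = b"constructed-salt"                   # constructed; one salt for brevity
# Constructed user store: username -> salted SHA-256 of the password
USERS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def idp_login(username, password, audiences, now=None, ttl=300):
    """Authenticate the user once. On success return a signed assertion that
    names every service provider (audience) it may be presented to; on bad
    credentials return None."""
    digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
    if not hmac.compare_digest(USERS.get(username, ""), digest):
        return None
    now = time.time() if now is None else now
    claims = {"sub": username, "aud": list(audiences), "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def sp_verify(token, audience, now=None):
    """A service provider checks the signature, that it is a named audience,
    and that the assertion has not expired. Returns the subject (user) on
    success, None otherwise. No credentials are handled here."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(IDP_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None
    claims = json.loads(_unb64(body))
    now = time.time() if now is None else now
    if audience not in claims["aud"] or now >= claims["exp"]:
        return None
    return claims["sub"]


if __name__ == "__main__":
    assertion = idp_login("alice", "correct horse", ["mail", "wiki"])
    print(sp_verify(assertion, "mail"))   # alice: second app, no second login
    print(sp_verify(assertion, "crm"))    # None: not an audience of this assertion
```

The audience and expiry checks are what keep "one credential for many applications" from becoming "one stolen assertion for every application forever": an assertion minted for the mail and wiki services is useless at the CRM, and it stops working at the IdP's chosen TTL.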
