The Tao of Trust in IT – Untapped Benefits of Trust in Information Technology

Introduction

Every day, people make personal and business commitments, and every day people break these commitments. Breaking personal commitments is personal; breaking business commitments has a greater effect on trade and commerce. Establishing business relationships and conducting commerce requires trust. Without trust, the economic fabric of business dealings is frail. The ancient Romans knew this and appointed officials known as scribes or notaries. These officials were merely recorders of facts, third-party entities that would attest that statements between two parties were made, confirmed and agreed upon. This practice is still used today in business. However, with the emergence of the Internet and a new way of executing business electronically, new challenges to the trustworthiness of statements in the commission of business have surfaced. Unfortunately, the importance of trust is only realized when trust is broken or the absence of it carries a financial price tag.

Today, organizations are racing to upgrade their IT infrastructures to take advantage of the latest computing technologies like Grid, Utility, Autonomic and Cloud platforms. While these technologies are evolutionary, their success is largely based on traversing untrusted mediums, making the conveyance of trust even more vital. Whether you’re looking to upgrade or you’re content with your existing infrastructure, bolstering trust in business adds value.

“Transcendent values like trust and integrity literally translate into revenue, profits and prosperity” – Patricia Aburdene, Author of Megatrends 2010

Market Drivers

Enormous cost-benefits are being experienced by organizations leveraging the latest computing technologies mentioned above. Technological advancements in open systems and the adoption of maturing IT standards have accelerated the shift to distributed computing. But my inquisitive nature begged me to ask, “What is its Achilles heel?” The answer was immediate: security; more specifically, trust.

The good news is that IT security methodologies are mirroring the distributed computing model. Complex, expensive all-in-one security solutions are giving way to lighter, more pliable security components that are easily assessable and re-usable and that quickly adapt to policy changes.

“Cost optimization, and the shifts in spending from mega-suites to the automation of processes will continue to benefit alternative software acquisition models, as organizations will look for ways to shift spending from capital expenditures to operating expenditures,” said Joanne Correia, managing vice-president at Gartner. “Because of this, vendors offering software as a service (SaaS), IT asset management, virtualization capabilities, and that have a good open-source strategy will continue to benefit. We also see mobile-device support or applications, as well as cloud services driving new opportunities.” [1]

Preempting trust in this area may not seem a high priority, but how much will it cost in the future when regulatory mandates force you to comply or your ability to scale your infrastructures is constrained?

“The value of trust initiated is far greater and monetarily cheaper than trust complied with.” – Kenneth R. Dean

Definition and axioms

  • Authentic Information – information that contains evidentiary facts (self-evident) and is portable (self-identifying). Of undisputed origin or authorship; genuine [2]; accurate in representation of facts; trustworthy; reliable [2]; duly executed, any necessary legal formalities having been complied with [2].
  • Coarse-grained trust model – trust established and confined to a single logical layer (e.g., network).
  • Fine-grained trust model – trust established at one logical layer that propagates to others (e.g., data, application, network).
  • Individuals who are knowingly legally accountable for information that they attest to provide more accurate information and are less likely to repudiate it.

The Problem

In his book ‘The Speed of Trust’, Stephen M. R. Covey outlines the economics of trust in a simple formula:

More TRUST = More SPEED & Less COSTS

In IT, the lack of trust can be felt in two areas: business agility and legal departments.

Since trust doesn’t live in a vacuum, only the pervasive nature of trust can be measured. The quantified value of business agility can be measured by its speed, nimbleness and intelligence. Legally, it’s measured by reducing the exposure of liabilities or the ability to counteract claims.

An agile business is one that can “sense environmental change and respond efficiently and effectively to that change” (Gartner).

Let’s examine each in turn.

Business Agility

Conducting business on open systems, like the Internet, offers high efficiency, low cost and agility. However, these less-secured systems involve risk relating to the sharing and authenticity of information that passes through them. A deficiency of trust can affect the speed of business transactions and restrict the expansion of business systems.

  • Business automation – Human intervention impedes automation. Manually reviewing or handling information for verification, routing, approvals and data entry purposes interrupts business workflows and can potentially introduce errors. Automated business algorithms require concrete information on which to operate. Missing or questionable information is intellectually unsound and limits business logic’s real-time decision-making capabilities. Many organizations lack the capability to electronically verify digital information that is legally attested to, which eliminates its participation in automation or requires it to be handled manually.
  • Case in point: a large government contractor may process hundreds, if not thousands, of contracts annually. Contracts with partners, suppliers and vendors are generated, scanned, emailed out, hand signed, scanned again, emailed back, copied and processed. What is the expense of processing a single contract in terms of man hours and resources? Are there any mistakes that have been overlooked, and what if either party repudiates the contract? What are the evidential facts in support of either party? What’s the audit trail? Without an original copy, how can the handwritten signature be evaluated and verified? How secure are both parties’ email systems? So many questions, so many costly answers. But there’s a better way.
  • Business systems – Today, business networks that interact with outside entities (customers, partners and vendors) are coupled by security, making them exclusive to one another and limiting their reuse. This coarse-grained security model offers good trust since these systems are tailor-made for each other and all transactions are ‘known’ to originate from a trusted source. However, trust ends at the endpoints and post-endpoint services lack fine-grained processing capabilities.

Not scaling trust past the network layer constricts business infrastructures.

Legal

  • Legal – Information that isn’t legally binding tends to be less accurate and is more susceptible to legal challenges. Mistakes in information can potentially jeopardize lives, as in the case of a medical misdiagnosis, prescription errors and criminal court documents. This increases the exposure to lawsuits, insurance premium hikes, non-compliance penalties and/or the monetary price tag associated with a diminished reputation. In litigation, taking a defensive posture is more labor-intensive and expensive.

The Solution

Since coarse-grained trust is confined to and terminates at the network’s endpoints, its pervasiveness ends there and trust becomes assumed. This is highly risky in distributed computing.

Points to ponder:

  1. Just because you trust someone to enter your home, doesn’t mean you trust them to have free rein.
  2. A package was delivered by a trusted carrier, but there’s no return information on it. Do you open it?

Item #2 is the best analogy to the way information is received by businesses today. Most businesses today wouldn’t accept a package without some kind of credentials (return address, certified). So why is information accepted this way?

The solution is to attach attestation to information; this is the main ingredient in authentic information which makes it self-evident and portable. Employing a fine-grained trust model can make something happen that otherwise would not.

The emanation of a fine-grained trust model occurs when authentic information is synergistically woven into business systems. Its portability characteristics make these systems more fluid, and its self-identifying characteristics enhance business intelligence, resulting in greater scalability, flexibility and processing power. Legally, self-evident information provides greater protections and counter claims.
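What attaching attestation to information can look like at a post-endpoint service, as an added example that is not part of the original article: the record carries its signer and a signature, so it can be checked wherever it lands instead of being trusted because of the channel it arrived on. The Envelope type, the Attest and Verify functions, the choice of Ed25519 signatures and the "supplier-a" sample data are all assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Envelope is a hypothetical "authentic information" record (names assumed).
type Envelope struct {
	Signer    string // self-identifying: who attests to the payload
	Payload   []byte
	Signature []byte // self-evident: Ed25519 signature over signer and payload
}

// signedBytes length-prefixes the signer so identity and payload stay bound.
func signedBytes(signer string, payload []byte) []byte {
	return append([]byte(fmt.Sprintf("%d:%s", len(signer), signer)), payload...)
}

// Attest wraps payload in an envelope that stays checkable on any transport.
func Attest(signer string, key ed25519.PrivateKey, payload []byte) Envelope {
	return Envelope{signer, payload, ed25519.Sign(key, signedBytes(signer, payload))}
}

// Verify trusts the attestation carried by the data, not the delivery channel.
func Verify(e Envelope, enrolled map[string]ed25519.PublicKey) error {
	pub, ok := enrolled[e.Signer]
	if !ok {
		return errors.New("signer not enrolled")
	}
	if !ed25519.Verify(pub, signedBytes(e.Signer, e.Payload), e.Signature) {
		return errors.New("attestation missing or does not match signer and payload")
	}
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	enrolled := map[string]ed25519.PublicKey{"supplier-a": pub} // constructed sample
	env := Attest("supplier-a", priv, []byte("contract 17: net 30 days"))
	fmt.Println("as sent:", Verify(env, enrolled))
	env.Payload = []byte("contract 17: net 90 days")
	fmt.Println("altered:", Verify(env, enrolled))
}
```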

Business agility

With technological advancements in distributed computing such as Software as a Service (SaaS), Service-Oriented Architecture (SOA) and Cloud initiatives, organizations are experiencing ways to enhance agility by expanding business automation and infrastructures.

Industry adoption of standards and technologies has removed many of the obstacles in the creation of authentic information. This information can be readily available for real-time access and verification. It adds to, but doesn’t impede existing business strategies.

  • Business systems – Business infrastructures are the backbone of automated business processes; the greater the reach, the more these processes can evolve. Making trust fine-grained allows business infrastructure to be oblivious to the portability, self-identifying and self-evident characteristics of information that flows through it, facilitating expansion and reducing the coupling between disparate business systems.
  • Business automation processes – Distributed computing removes many of the barriers imposed by monolithic applications and frameworks. Applications are no longer pricey all-in-one solutions, but an aggregation of loosely coupled services composed to perform a specific business task. A fine-grained trust model facilitates quicker composition of new services, and its enhanced business intelligence allows related algorithms to be more efficient. New services aren’t built, but wired together.

Existing business strategies that don’t rely on distributed computing can also benefit from a fine-grained model. Bolstering business intelligence is always advantageous and nimble systems simplify future migration strategies.

Legal

The self-evident characteristic and improved accuracy of authentic information reduce the exposure to lawsuits. Evidential information is abundant and is legally recognized. Authentic information generated in conjunction with a state commissioned electronic notary allows for greater legal protections. In the unfortunate event of a lawsuit, the proprietorship of evidential information shifts the burden of proof onto the opposing party, requiring this party to pick up the lion’s share of the litigation costs.

Time, money and system interruptions are major concerns with any strategy to upgrade business systems. If any one of these concerns is deemed to be excessive, the endeavor will not be a viable one. The most auspicious strategy for achieving a fine-grained trust model is to incorporate a non-repudiation framework that works in harmony with business systems.

This framework would encompass the following characteristics:

  • Un-intrusiveness – Operates alongside, as opposed to in-line, with business processes.
  • Flexibility – Seamless integration with new or existing infrastructures (business, security and data management).
  • Scalable – Receptive to custom components and configuration.
  • Affordability – An infrastructure that acts more like a service than an application.
  • Adaptability – Quickly responds to changes in compliance, business workflows and infrastructure.
  • Vendor agnostic – Ability to interface with diverse systems including legacy and proprietary solutions.
  • Accessibility – Fast retrieval and verification of authentic information.
  • Retention – Storage and retrieval of evidential facts.
  • Compliant – Adherence to stringent industry standards and regulations.
