Trust in Computer Systems and the Cloud by Mike Bursell, CEO and co-founder of Profian, takes on a subject of monumental importance in cybersecurity that most of us tend to overlook it on a daily basis. Trust, functioning as a noun and verb, is the root of almost every control and countermeasure in the world of security. Yet, trust is poorly—or at least incompletely—understood by most security and computing professionals. Bursell’s book sets out to address this imbalance.
As Bursell notes, trust is one of those concepts that most of us understand intuitively, even if we cannot accurately express its meaning. Indeed, that’s part of the problem. The issue of trust is so deeply wired into the human brain that we may have difficulty accessing it in a productive, conscious way. We might speak about trust using our own definition, but the person we’re speaking with hears a different definition.
The book set me thinking that what we call trust is probably a brain stem function that predates the existence of modern homo sapiens. If two animals encounter each other in the wild, they are wired to either trust, or distrust each other. Survival depends on a fast, accurate trust reflex. So it goes in modern human society and computing, as well.
Bursell has his work cut out for him. He does an admirable job of breaking down trust into elements the reader can understand and apply to computing and security tasks. He draws on sociology and philosophy to offer a basic definition of trust, which is “the assurance that one entity holds that another will perform particular actions according to a specific expectation.”
However, as he quickly adds, things can get a lot more complicated in a computing context. In computing, we have at a minimum trust between user and system, from system to system, and entity to entity. Plus, as Bursell points out, trust is always contextual, and one of the contexts is always time. Nor are trust relationships symmetrical. Your device may trust data coming from Amazon Web Services. But that does not mean that AWS trusts your device.
Bursell offers a relatable example. You might trust your brother. Do you trust your brother to perform brain surgery on you, though? You trust your brain surgeon to perform surgery, but what if your surgeon operated on you 20 years ago. Now, he’s 80 years old. Do you still trust him to perform surgery? That’s the time context. AWS might trust your device for the next 10 minutes, but not next year, if it has not re-authenticated it.
The book then takes these fundamental precepts of trust and applies to the wide and messy world of computing and the cloud. He explores trust in the context of computer and network security, looking at the complexities of trust in system design and the challenges of implementing system-to-system trust. The book looks at the concept of Zero Trust (ZT), which is one of today’s most prominent applications of trust principles in cybersecurity.
Later chapters deal with trust in Blockchains, open source software, hardware and the cloud. He discusses trust domains and communities of practice for trust inside organizations. For hardware, Bursell focuses on the “root of trust,” which is a critical enabling factor in systems that depend on trusted hardware to function securely. Bursell is thorough and pragmatic throughout. This book is a great resource for anyone who needs to understand trust and its many manifestations across the worlds of computing, cybersecurity and business.