Enterprise Security Trends Blog | HP Blogs
Keep up with the latest cyber, consumerisation, collaboration and cloud enterprise security trends from the team of HP information security professionals.

Trust Domains project publishes initial findings

By Simon Arnell, Security Analytics Service Director


Over the last year, I've had the opportunity to engage with colleagues within HP Labs to enable the Trust Domains project to have access to select customers and to understand how we within HP Enterprise Security Services can utilize such research to shape our future services. The project has recently published an interim report of its early findings (available here).

 

How do organizations know they can trust each other, or even trust themselves? This is one of the fundamental questions that a Technology Strategy Board (TSB) funded project called Trust Domains, which HP Labs is leading with partners Perpetuity Research and Consultancy International, University of Aberdeen, University of Birmingham and University of Oxford, is attempting to answer.

 


 

Trust Domains is a three-year project, with one year now completed. The overall project goals are to:

  • Understand risk associated with information flows
  • Contribute to the set of analytic and modeling tools that help stakeholders understand risk
  • Improve understanding of risk tradeoffs associated with different security controls
  • Develop approaches for mapping from information flows to trust domains

A first deliverable is an empirical study of how organizations think about trust.  The findings make compelling reading, more so given that they draw on experiences of information security leaders from both public and private sector organizations.

So what have we learnt so far from the study?  The research focuses on fundamental questions that underpin today’s security thinking:

  • What are the main risks to organizations when engaging in information exchange
  • What constitutes trust in the context of information exchange
  • How is trust valued, and how exactly does it reinforce, or indeed undermine, security
  • How do organizations use information about each other to enhance confidence and improve interactions
  • and finally, how do organizations react when forced to share information in uncomfortable situations

 

Some of the interim findings, which have recently been published (available here), may sound familiar; others you may find quite surprising. For example, the study tells us that many of the policies that organizations rely on don’t work because they are flawed or not followed. In some cases technology does not take sufficient account of human behavior, and that undermines the effectiveness of trust (domains). In fact, evidence suggests that there are sometimes real limits to the technology being deployed, including the fact that what exists is out-dated and/or is no longer (as) fit for purpose.

The development of effective trust domains is complicated by the finding that organizations often don’t know who they are dealing with. While the need to manage trust relationships is a given, the very nature of business entails relying on trust, a contradiction that is not always well thought through. Even organizations that considered themselves risk averse often take risks with the management and exchange of data, not least because staff sometimes seek and find practical ways of circumventing rules they consider to inhibit the process of doing business.

The empirical study continues, and in Phase II specific instances of information sharing will be explored, in particular where trust underpins the effectiveness of the sharing process.

To learn more about the Trust Domains project visit the HP Labs website. 

 

About the Trust Domains project

The Trust Domains Project is funded by the Technology Strategy Board (TSB). The Project’s aim is to develop “A Framework for Modeling and Designing E-Service Infrastructures for Controlled Sharing of Information.” The Project Partners are: Hewlett-Packard Ltd (Lead Partner), Perpetuity Research and Consultancy International, University of Aberdeen, University of Birmingham and University of Oxford.


About the Technology Strategy Board

The role of the Technology Strategy Board is to stimulate technology-enabled innovation in the areas which offer the greatest scope for boosting UK growth and productivity.  The TSB advises the UK Government on how to remove barriers to innovation and accelerate the exploitation of new technologies.

Comments
TSchreider | ‎09-28-2012 03:39 PM

An excellent area of research as trust is everything in data sharing. Trusting the data flow is an important step and trusting the data that flows within is equally important. I have found that although security policies are critical, they are rarely followed and poorly constructed. At some point in time we will need to abandon security policies as folly and rely on networks designed in the manner this research suggests. Policies then become embedded within the data itself.

About the Author
  • A business first, senior executive, with over 20 years of hands on experience in defending banks, governments and corporations against cyberwarfare. My career in security started when I was employed to crack a secure system, which had locked down the boot process, whitelisting of applications and encrypted disks. I linked TeamOffice (an ICL email and collaboration system) with Microsoft Word to send an email which allowed me to do anything the person reading the email could do and send the results back to me, all without their knowledge. Having proved this vulnerability, I worked with Peter Simpson to create Defuse, a tool that blocked inappropriate actions. This successfully blocked Winword Concept, the first known malicious code in the wild. From these beginnings I have investigated all aspects of security to provide an holistic approach to security as a business enabler and currently advising organisations on the suitability of the cloud to their needs.