Trust Is For Suckers: Lessons From the RSA Breach

wiredmikey writes "Andrew Jaquith has written a great analysis of lessons learned from the recent RSA Cyber Attack, from a customer's perspective. According to Jaquith, in the security industry, 'trust' is a somewhat slippery concept, defined in terms ranging from the cryptographic to the contractual. Bob Blakley, a Gartner analyst and former chief scientist of Tivoli, once infamously wrote that 'Trust is for Suckers.' What he meant is that trust is an emotional thing, a fragile bond whose value transcends prime number multiplication, tokens, drug tests or signatures — and that it is foolish to rely too much on it. Jaquith observed three things about the RSA incident: (1) even the most trusted technologies fail; (2) the incident illustrates what 'risk management' is all about; and (3) customers should always come first."

Re:Trust is required

[hedwards]

No, what it means is that you don't blindly trust anybody, but you do verify periodically that the trust hasn't been abused. It's like granting a business the right to take money out of your checking account to cover expenses, like say a CC company. You trust them not to put things on the bill which you didn't authorized. And you verify at least once a month that everything that's on the bill was authorized by you.

Same thing here, the problem with RSA was that people trusted them, but there was no particular manner of verifying that the trust was well placed.