Ask yourself a simple question. Are you connected to more people now than you would have been without social networking websites (Facebook, MySpace, Apple Ping and Orkut), micro-blogging websites (Twitter), professional networks (LinkedIn) and blogs on Blogger, WordPress, LiveJournal and the like? Now ask yourself whether the number of people you trust has gone up in the same proportion.
If there is one word that captures everything that is right, and also wrong, with the Internet it is 'trust'. Time was, people decided on another person's trustworthiness based on face-to-face interaction (in those days it was called a 'meeting') or on a recommendation passed on by word of mouth. People knew their neighbours, met their bankers regularly and struck up friendships with the folks they bought groceries and supplies from. Now one has to work out who one is connecting with, what they are watching, and whether the person who says who they are is really who they claim to be.
What happens when people have to give up the way they have been interacting with each other for thousands of years and switch over to a new way in the space of just one generation? What do people do when everything around them (think online gaming, social networks, blogs and micro-blogs, coupled with devices like super-phones, smart-phones, tablets and laptops) is built with the single-minded goal of making it easier to get to know more people? What about trusting those people that you now 'know' and are connected to? How can we scale our mechanism for earning and according trust at the same velocity as the mechanism for getting to know people? We can't meet every person who sends us an email or a text message before deciding. And it would serve no purpose if we knew a thousand people but only trusted those we had met personally on multiple occasions. That would render our connections (once upon a time we called them acquaintances) useless. The only way to restore the balance between our acquaintances and our trusted connections is to outsource how we trust. That's right, outsource trust. And soon, when malware prevention, and the management of spyware, adware and even shareware, is handled not by the operating system but by the chip itself, Moore's Law comes into play as well.
In fact, we do this every day and just like making the decision on our own we trust different people to different degrees. I, for one, trust my connections on LinkedIn a lot more than the people I 'know' on MySpace or the PlayStation network. Our decision on whom to trust, and how much, now boils down to the arbiter, the person or organization we have outsourced this decision to. We don't own or control the algorithms, networks and servers at LinkedIn, MySpace or eBay but they still 'process' trust for us. Trust, ladies and gentlemen, has moved into the cloud.
This is different from expecting people to have confidence in the website of the bank they deposit their money in. Banks have not been able to position themselves as arbiters of trust the way social networking websites have. Ironically, we trust the banks with our money, only as long as the government promises to bail them out, but place more faith in websites that allow us to swap videos, jokes and trade non-existent produce from imaginary vegetable gardens. Then there is Mobile Commerce finally coming into our lives.
The downside of outsourcing trust is that it is now more fragile than ever. Breaking this trust, or the implicit promise that everyone you connect to via an arbiter like LinkedIn or Facebook is legitimate and really who they claim to be, carries the very real possibility of losing users in droves and therefore going out of business. Websites and on-line businesses, on the other hand, have to be sure that people transacting on them or posting comments are really who they claim to be. They too have outsourced the process of establishing trust to the likes of Facebook Connect, Google Checkout, PayPal and OpenID.
The entire edifice of transacting trust for, and between, different parties is built upon knowing definitively who the parties are, what they are entitled to, and having the means to reconstruct, in an irrevocable manner, every step of the process should a dispute arise.
Knowing who is who as people traverse continents, jobs and access points (iPad, Android phones, Internet-enabled refrigerators etc.) is at the centre of the process of being a trust arbiter. Doing so without fail, irrespective of the number of parties seeking this service at any given time, is the key to being perceived as reliable. A timed-out authentication request to Google Checkout as a person tries to purchase a pair of running shoes online means loss of revenue for the seller and frustration for everyone involved. This has to happen right every time, all the time. Not all identity management applications can deliver on such a scale with the required level of reliability. For those who still think cloud is just a buzzword, here is an example of a situation that cannot be serviced by something originally built for enterprises with 'only' a few hundred thousand users.
Just as every person who has access to Fort Meade does not get to enter basement level 33 (I challenge you to tell me there isn't a basement level 33!), every person flagged through by a trust arbiter does not get access to every nook and cranny of the online retailer they might be visiting. Identities are meaningless unless they are matched to privileges and access rights. Just as the identity management application must scale, so should the access management piece. Where one hands off, the other should take over seamlessly, with the handshake succeeding every time regardless of how many times it has been done before. The most important transaction is the one happening right now and it MUST succeed!
For everything that has gone right millions of times there will be an instance when someone thinks an error was made or a fraud committed. On such occasions it is imperative to be able to build a trail from start to finish with no unexplained gaps. Such situations apart, it is good practice to monitor for unusual activity or anything out of the ordinary. This holds true for any business irrespective of size. It just becomes more critical as the size of the business increases or the function is critical enough to demand real-time monitoring.
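To make the three pieces concrete (identity matched to privileges, an access decision that follows authentication, and a trail that can be reconstructed with no unexplained gaps), here is an added Python example that is not from the original article or from any CA Technologies product: a small entitlement table, a hash-chained audit trail recording each authentication and authorization step, and a verifier that reports gaps or tampered entries. User and resource names are constructed for the example.

```python
import hashlib
import json

# Constructed entitlements: identity -> set of (resource, action) rights it may exercise.
ENTITLEMENTS = {
    "alice": {("catalog", "read"), ("checkout", "pay")},
    "bob": {("catalog", "read")},
}


def authorize(user, resource, action):
    """Access decision: an identity only reaches what it has been granted."""
    return (resource, action) in ENTITLEMENTS.get(user, set())


def _digest(entry):
    """Hash of the fields that are chained; the stored 'hash' itself is excluded."""
    payload = json.dumps({k: entry[k] for k in ("seq", "prev_hash", "event")}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def append_event(trail, event):
    """Append one event; each entry binds the hash of its predecessor."""
    prev_hash = trail[-1]["hash"] if trail else "0" * 64
    entry = {"seq": len(trail), "prev_hash": prev_hash, "event": event}
    entry["hash"] = _digest(entry)
    trail.append(entry)
    return entry


def verify_trail(trail):
    """Return (ok, problems): sequence must be contiguous and every link must hold."""
    problems = []
    expected_prev = "0" * 64
    for i, entry in enumerate(trail):
        if entry["seq"] != i:
            problems.append("gap before seq %d" % entry["seq"])
        if entry["prev_hash"] != expected_prev:
            problems.append("broken link at seq %d" % entry["seq"])
        if _digest(entry) != entry["hash"]:
            problems.append("tampered entry at seq %d" % entry["seq"])
        expected_prev = entry["hash"]
    return (not problems, problems)


def record_access(trail, user, resource, action):
    """Log the (assumed successful) authentication, then the access decision, in order."""
    append_event(trail, {"type": "authn", "user": user, "result": "ok"})
    allowed = authorize(user, resource, action)
    append_event(trail, {"type": "authz", "user": user, "resource": resource,
                         "action": action, "result": "allow" if allowed else "deny"})
    return allowed
```

Deleting or editing any entry after the fact breaks the chain, so a dispute can be answered from the trail only while `verify_trail` still returns ok.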
Having only one, or a few, of these capabilities is not an option. Any arbiter of trust that wishes to be in business has to have all these. Trust must be demonstrably proven before it can be provided as a service.
Vic Mankotia is Vice President of Security Sales for Asia Pacific and Japan, CA Technologies.