Mythic Monday – Orpheus
So, you all know the story of Orpheus, right?
Orpheus was the greatest musician in the world. He had a wife named Eurydice who died. He went to the underworld, played for and charmed the Lord and Lady of Death (Hades and Persephone) into letting him bring his wife back from death. The one condition was that he not look back on his journey back to the lands of the living. This being a Greek tragedy, he looked back and saw his wife following. She then faded away, and was gone forever.
While most people seem to have a general idea of what the word “trust” means, there has been considerable debate in the computer security field as to how to build it into systems. Researchers raise questions about levels of trust, webs of trust, calculating trust, and how to handle the fact that trusted relationships can change over time. These questions can be very fine grained and particular, but you’re probably not interested in the academic nature of these discussions. Instead, let’s look at a couple of examples.
Scenario 1: You partner with a large company.
Suppose you enter into a business partnership with a company that is much larger than yours. Odds are that you have to fill out a contract and commit to specific items (usually based on revenue). You are then granted access to specific resources at the large company. In IT, this is usually in the form of internal-use licenses.
In this model, you trust the company to provide you with software that doesn’t steal your data and the company trusts you not to resell your licenses to others or otherwise negatively impact their revenue. So, what happens if the trust model is violated?
Well, there are really two variants. If you break the trust relationship, you will likely be faced with, at minimum, the severing of the partnership and, at maximum, legal action. However, if it turns out that the large company is not to be trusted, what can be done? Legal action may not be much of an option, and if you terminate the partnership, how much would it hurt you versus the large company?
Is the partnership fair?
Scenario 2: Trusted people within a business.
In security discussions, the second hardest discussion is trying to convince a client that inside attacks are a real and present danger. Of course, the hardest discussion is after the trusted insider is discovered to have been embezzling money or selling private data, so it’s often worth the time to have the first discussion.
Simply put, businesses don’t function well without trusted internal people. If there are too many rules, work can’t get done. However, the more lax an organization is, the more risk it faces. In times of economic difficulty, this risk increases.
Why? When people don’t get bonuses and raises, they often take it personally. They may be in a position where valuable data (or even just money) passes through every day. They may stop and think, “gee, with all this money around, who is going to miss a little tiny bit,” and then they’ll have the bigger thought: “besides, they owe me.” Sometimes they wind up in personal difficulty, and it starts as a little “borrowing” that gets out of control.
Yeah, yeah, I know, you’re different; your people can be trusted.
Do you have any systems or procedures in place to catch this type of activity?
In the story, Hades and Orpheus had an agreement. Sure, it was an agreement with an odd condition, but that’s not exactly unusual in partnerships. In this case, who was trustworthy and who was not? Also, how were the individuals impacted?
Hades: Got to hear some lovely music.
Orpheus: Lost the love of his life TWICE.
The cost of being untrustworthy is awfully high, isn’t it?
So, what could Orpheus have done differently? Might the agreement have benefited from some additional clarity, so that his nervousness could have been alleviated? Could there have been some procedure or technology used to make it more difficult for him to violate the agreement?
Look at the trust relationships at work within your business. Consider what happens if you wind up being untrustworthy. Consider what happens if your partner isn’t trustworthy.
Is there anything in place to validate and maintain the trust?
Should there be?