Throughout 2011, trust in a number of technological protocols, devices and companies came under attack.
We saw hacking collectives boast about their exploits on Twitter, high-profile companies suffer severe data thefts and entire governments come under attack from hackers. None of these security threats was new in itself, but public awareness of them reached an all-time high, and the trust and confidence of users became increasingly fragile commodities.
2012 looks set to continue to test trust – and companies are going to have to work very hard to rebuild and retain the user confidence that is crucial for them to function.
Trust in the security and authenticity of the internet is paramount, both for individuals trusting that the sites they visit are genuine and for organisations trusting the reliability of the certificate authorities that vouch for those sites.
This trust came under particular attack in 2011, with weaknesses demonstrated in the secure sockets layer (SSL) protocol as it is widely deployed, and the website certification industry hit repeatedly.
Both DigiNotar and Comodo were hit by malicious hackers, KPN Corporate Market discovered a security breach that may go back four years, and Microsoft revoked trust in DigiCert Sdn. Bhd on the basis of poor security practices. A single compromised or careless CA can issue certificates for any site, and every browser will accept them; this shows that the system as it stands is untenable.
Quite rightly, authorities are already looking for stricter governance of this system, with the CA/Browser Forum approving baseline requirements for SSL/TLS certificates. Subjects including verification of identity, certificate content and profiles, certificate authority (CA) security, liability, privacy and confidentiality will be subject to best practice baselines, with a July deadline for implementation.
But the intractable issue is that there is no organisation sitting above the many CAs that are, ultimately, dealing in trust and confidence. There are more than 1,500 of them, the arrangement is complicated and convoluted, and there is no overriding standard of security or quality.
Ultimately, it is far too easy for an organisation to become a CA. So what value is being placed on trust? Far greater transparency and clarity are required, with the security standards that CAs attain made public. If providers want to be trusted they need not only to unite, agreeing standards of security and scrutiny, but also to undergo rigorous external audits and publish the results.
Greater clarity also needs to be provided for end-users, who run the risk of their data being silently decrypted where earlier versions of TLS are still in use, or of unknowingly visiting websites presenting fraudulently issued certificates. If diversity online is to be maintained, the confidence of those end-users is crucial.
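The two risks above are things a client can partly defend against itself. The following is an added example, not code from the article or from NCC Group, showing how a client built on Python's standard library refuses the older protocol versions and applies a second-line check on the issuer of the certificate it is shown. The distrust list, the sample certificate dictionaries and all function names are constructed for illustration; the authoritative control against a compromised CA remains removing its root from the trust store, which this check supplements rather than replaces.

```python
"""Hardened TLS client settings plus an issuer distrust check (added example)."""
import socket
import ssl

# Illustrative distrust list, constructed for this example: organisations
# whose certificates this client will refuse even if a trust store still
# contains their root.
DISTRUSTED_ISSUER_ORGS = frozenset({"Example Distrusted CA"})


def hardened_client_context(ca_bundle_path=None):
    """Return an SSLContext that refuses SSL 3.0, TLS 1.0 and TLS 1.1 and
    requires a chain-validated certificate matching the hostname.

    ca_bundle_path=None uses the platform's default trust store.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle_path)
    # TLS 1.0 CBC modes are what the 2011 "silent decryption" attacks exploited;
    # setting a floor of TLS 1.2 removes those versions from the negotiation.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True               # subject must match the host we asked for
    ctx.verify_mode = ssl.CERT_REQUIRED     # never accept an unauthenticated peer
    return ctx


def rdn_to_dict(name):
    """Flatten the tuple-of-RDNs form used by SSLSocket.getpeercert()
    (e.g. ((('countryName', 'XX'),), (('organizationName', 'Foo'),))) into
    {attribute: value}."""
    out = {}
    for rdn in name:
        for attr, value in rdn:
            out[attr] = value
    return out


def issuer_is_distrusted(peercert, distrusted=DISTRUSTED_ISSUER_ORGS):
    """True when the certificate's issuer organisation is on the distrust list."""
    issuer = rdn_to_dict(peercert.get("issuer", ()))
    return issuer.get("organizationName") in distrusted


def check_peer(tls_sock, distrusted=DISTRUSTED_ISSUER_ORGS):
    """Post-handshake check: the context has already validated the chain and
    hostname; additionally refuse issuers we have decided not to trust."""
    cert = tls_sock.getpeercert()
    if issuer_is_distrusted(cert, distrusted):
        issuer = rdn_to_dict(cert.get("issuer", ()))
        raise ssl.SSLError("refusing certificate from distrusted issuer %r"
                           % issuer.get("organizationName"))
    return cert


def connect(host, port=443, timeout=10):
    """Open a hardened TLS connection and return the validated peer certificate."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return check_peer(tls)


# Constructed sample certificates in the shape getpeercert() returns.
SAMPLE_CERT_DISTRUSTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "XX"),),
               (("organizationName", "Example Distrusted CA"),),
               (("commonName", "Example Distrusted CA Root"),)),
}
SAMPLE_CERT_OK = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "XX"),),
               (("organizationName", "Example Trusted CA"),),
               (("commonName", "Example Trusted CA Root"),)),
}

if __name__ == "__main__":
    print("distrusted sample flagged:", issuer_is_distrusted(SAMPLE_CERT_DISTRUSTED))
    print("trusted sample flagged:", issuer_is_distrusted(SAMPLE_CERT_OK))
```

Raising the protocol floor is the one change that protects the end-user without any help from the CA ecosystem; the issuer check only helps after a CA has been publicly discredited, so it is a stopgap until trust stores and the CA/Browser Forum baseline catch up.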
What certificate authorities, websites and mobile device manufacturers have in common is that, for most businesses, they are third-party suppliers: companies whose goods or services connect directly into other organisations' systems, but whose security procedures lie outside those organisations' control.
It is not sufficient for organisations to strengthen their own security procedures and policies. If they do not also validate the security of suppliers who may hold, or provide easy access to, contact details or sensitive data, then a back door is being left open.
It is the fragility of third-party security that, ultimately, means that generating and sustaining trust is going to be vital in 2012. Whether manufacturers or service providers, businesses or governments, all organisations must not merely be secure, but be seen to be secure.
Rob Cotton is CEO of NCC Group