“Trust in Computer Systems and the Cloud” (2022)
Book written by Mike Bursell
Book review by Helen Patton
Security has always been about knowing how, when, and how much to trust someone or something. It is only recently, however, that we have begun to pay more attention to how little our computer environments can be trusted, and to how our reliance on trusting the untrustworthy has led to all kinds of security incidents. So I was excited to learn that Mike Bursell has written a book that delves into the complicated topic of trust in computing. His book “Trust in Computer Systems and the Cloud” (2022, Wiley) is a tremendous book for anyone working in security or technology who wants to learn more about the elements of trust in our digital environments.
Bursell wrote his book because “…we need, as a security and IT community, to be able to talk about trust – but there is little literature or discussion of the subject aimed at our requirements and the day-to-day decisions we make...” He has written a dense book, going deeply into the definitions of trust in computer systems. He examines the human, technical and time dimensions of trust, and explores how various types of systems (blockchain, open source, cloud and edge computing) deal with trust. He explores the tools to manage trust, and the role of architects in ensuring trust is considered.
Defining trust is a difficult task, and Bursell spends time teasing out the nuances of the definition. He discusses three trust corollaries:
- Trust is always contextual
- One of the contexts for trust is always time
- Trust relationships are not symmetrical
These lead to questions about what agency and security are, and about using trust to manage risk. They in turn lead to the definition Bursell uses throughout the book:
“Trust is the assurance that one entity holds that another will perform particular actions according to a specific expectation.”
Bursell spends time reviewing the human elements of trust: how human relationships are the basis of our understanding of trust, but how that understanding doesn’t directly translate to the world of computing. He reviews game theory (the prisoner’s dilemma), reputation, and theories of institutional trust. He examines the challenges of trusting individuals, and the concept of “trust but verify.” Importantly, he observes that “one of the key sources of information about an entity is the entity itself, but we cannot trust any information that an entity provides about itself because, of course, we have no trust relationship to it to allow us to do so.”
He moves on to discussions of trust operations, and notes that “implicit trust relationships are dangerous and should always be transformed into explicit trust relationships.” He evaluates transitive trust and chains of trust, and considers alternatives to trust (e.g., legal contracts, enforcement, and verification). He then returns to trust definitions in more detail, considering the NIST 800-160, Trusted Computing Group (TCG) and Internet Engineering Task Force (IETF) Security Glossary definitions, as well as socio-philosophical and mathematical definitions of trust. I’m delighted to note that he also references Ken Thompson’s “Moral” paper:
“The moral is obvious. You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me). No amount of source-level verification or scrutiny will protect you from using untrusted code.”
Bursell then moves into a discussion about the importance of systems. He explores the design of physical and virtual stacks, and the elements of trust within systems, noting that “real systems are vastly more complex than their security models.” He explores what it means to say that one system trusts another and suggests that trust isn’t a property of a system. He explores hardware roots of trust, cryptographic hash functions, measured boot and trusted boot. He covers internet and local certificate authorities and the use of root certificates as trust pivots. He even wades into the definition of “zero trust” and notes that it is mis-named; it should be called “explicit trust.” Bursell emphasizes the need to be explicit about what is, and what is not, trusted, and to ensure these decisions are documented properly. I was pleased to see Bursell take on technologies like blockchain and cloud to further extend our understanding of trust. He covers smart contracts and permissioned and permissionless blockchains.
Within his chapter on “the importance of time,” Bursell discusses how trust decays over time and as the system lifecycle grows more complex and ages. He reviews trust anchors, trust pivots and their effect on supply chains. He spends time reviewing attestations and the problem of attestation measurement. In further chapters he examines the risks and benefits of automating trust relationships (hint: there are more risks than benefits). He covers trust and open source communities, and how they work, or don’t (“in the proprietary case, the trust relationship is much clearer and tighter”).
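The two preceding paragraphs name measured boot, cryptographic hash functions, chains of trust and attestation measurement without showing how they fit together, so here is an added illustration in Python. It is not code from the book or from Bursell; it is a simplified model of a single TPM-style measurement register, where each boot stage is hashed and folded into the register with an extend operation, and a verifier that holds its own known-good value checks the reported register and replays the event log. The component byte strings and the golden value are constructed for the example.

```python
"""Added example: a measured-boot hash chain and its verifier.

Each boot component is measured (hashed) and folded into one register the
way a TPM extends a PCR:  register = SHA-256(register || SHA-256(component)).
The register can only be extended, never set, so the final value encodes the
whole chain in order.  The verifier never asks the booted system whether it is
trustworthy; it compares the reported value against a reference it holds itself,
which is the point Bursell makes about not trusting an entity's self-description.
"""
import hashlib
import hmac
from typing import Iterable, List, Tuple

REGISTER_BYTES = 32  # SHA-256 digest size; power-on state is all zeros


def measure(component: bytes) -> bytes:
    """Hash one boot component (firmware, bootloader, kernel image ...)."""
    return hashlib.sha256(component).digest()


def extend(register: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: fold a new measurement into the existing register."""
    return hashlib.sha256(register + measurement).digest()


def measured_boot(components: Iterable[bytes]) -> Tuple[bytes, List[Tuple[str, str]]]:
    """Boot the chain; return the final register and an event log of measurements.

    The event log is what a real attester ships alongside the quoted register so
    the verifier can see *which* measurements produced the value.
    """
    register = bytes(REGISTER_BYTES)
    log: List[Tuple[str, str]] = []
    for index, component in enumerate(components):
        m = measure(component)
        register = extend(register, m)
        log.append((f"stage-{index}", m.hex()))
    return register, log


def replay_event_log(log: Iterable[Tuple[str, str]]) -> bytes:
    """Verifier side: recompute the register from the log alone."""
    register = bytes(REGISTER_BYTES)
    for _name, measurement_hex in log:
        register = extend(register, bytes.fromhex(measurement_hex))
    return register


def verify_attestation(reported: bytes, log: Iterable[Tuple[str, str]], golden: bytes) -> bool:
    """Accept only if the log reproduces the reported register AND the
    register equals the verifier's own known-good (golden) value."""
    log_consistent = hmac.compare_digest(replay_event_log(log), reported)
    matches_policy = hmac.compare_digest(reported, golden)
    return log_consistent and matches_policy


# Constructed stand-ins for real firmware/bootloader/kernel bytes (not real images).
TRUSTED_CHAIN = [b"firmware v1.0", b"bootloader v2.3", b"kernel 6.1 (signed)"]
GOLDEN_REGISTER, _ = measured_boot(TRUSTED_CHAIN)


def scenarios() -> dict:
    """Show which deviations from the trusted chain the verifier catches."""
    cases = {
        "unchanged": TRUSTED_CHAIN,
        "tampered_kernel": [b"firmware v1.0", b"bootloader v2.3", b"kernel 6.1 (patched)"],
        "reordered": [b"bootloader v2.3", b"firmware v1.0", b"kernel 6.1 (signed)"],
        "stage_skipped": [b"firmware v1.0", b"kernel 6.1 (signed)"],
    }
    results = {}
    for name, chain in cases.items():
        reported, log = measured_boot(chain)
        results[name] = verify_attestation(reported, log, GOLDEN_REGISTER)
    return results


def forged_report_detected() -> bool:
    """A system that reports the golden value but whose log does not reproduce it
    (it booted something else) is rejected by the log-replay check."""
    _reported, bad_log = measured_boot([b"firmware v1.0", b"bootloader v2.3", b"rootkit"])
    return not verify_attestation(GOLDEN_REGISTER, bad_log, GOLDEN_REGISTER)


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:16s} -> {'trusted' if ok else 'REJECTED'}")
    print("forged report rejected:", forged_report_detected())
```

Only the unchanged chain verifies; a patched kernel, a reordered chain, a skipped stage or a log that does not reproduce the reported value all fail. Note what the verifier still cannot tell from this alone: that the golden value corresponds to software that is actually secure. That judgement is the “attestation measurement” problem the review mentions, and it has to come from the verifier’s own policy, not from the attesting system.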
Bursell then discusses trust and the cloud. He talks about three types of isolation that must be in place to facilitate trust:
- Type 1 – workload from workload (in multi-tenancy deployments)
- Type 2 – host from workload
- Type 3 – workload from host: “…unless we can separate the workload and its associated agency from the host, there can be no well-defined trust relationships.”
He notes that cloud service providers cannot provide the level of assurance of trustworthiness that customers typically expect:
“tenants… are likely to have made risk assumptions based on behavioral beliefs that are not only computationally impossible to verify but also unlikely to be covered by commercial agreements.”
Bursell discusses hardware and trust, going into detail about isolation and roots of trust. He reviews the impact of physical compromise on trustworthiness, and the “confidential computing” use case. This includes a discussion of Trusted Execution Environments (TEEs), homomorphic encryption and TEE Trusted Computing Bases (TCBs).
He closes the book by writing about trust domains as a core concept. Trust domains are “sets of entities or components that can be considered to form a single unit from the point of view of a trust relationship.” He discusses trust frameworks, minimum viable governance (MVG) and management by exception. He concludes with a discussion of the role of the architect.
In sum, this book is a well-researched, well-written guide to trust in computer systems. Bursell wrote it for anyone interested in practicing trust, particularly technologists. The concepts in the book are universal; the application of the concepts is for the technical and security professional. I recommend this book as a candidate for the Cybersecurity Canon Hall of Fame.