An early example of 'trust' - inside the wall is good, outside are the Mongol Hordes lining up...

Hello, World!

Shouldn’t all new blogs from people with any networking background start this way?  I always thought so.  I suppose we could use other languages as well – përshëndetje, sveiki, ciao, or здравствуйте.  I’ve had about a six-year hiatus from corporate blogging, so I figured it was high time to get back in the game and start sharing a little bit about what we are building here at Skyport Systems.

First, we’re really focused on building the right team and culture, because when you look back ten or twenty years, that is what lasts and pervades an organization.  We want to build and be a part of a company where all roles are respected for the value they bring to the whole, where making our customers incredibly happy is the default in every decision, where we are not afraid to make the hard decisions but make the right up-front decisions to avoid many pitfalls.  More than anything we want to work with really smart people who inspire us to work harder, challenge our assumptions, and in the end make an indelible mark on our industry.

Until we launch I am going to use this blogging platform to bounce a few ideas off the community, track and chronicle the journey of building an enterprise systems security company from scratch, and probably make a few comments on our industry as a whole in the process.  We will have the occasional guest blogger, share this platform with other employees and friends, and link to things we really like.  Speaking of that…

Did you ever wonder how we trust a system in IT?  It used to be pretty simple – if it was on my network with an IP address from my assigned block it was ‘good’.  Over the next decade or two we added a few other checks: it had to be behind the firewall, be checked with an anti-virus, have its traffic routed through an IDS/IPS system, have a series of IT-required agents loaded onto it, and check in with reputation services, and on, and on, and on…

Steve Bellovin has a very nice piece on the concept of Trust in IT systems that I picked up by reading a post from Bruce Schneier on the Equation Group.   Both are really good reads.  The key paragraph for me is this one:

For more than 50 years, all computer security has been based on the separation between the trusted portion and the untrusted portion of the system. Once it was “kernel” (or “supervisor”) versus “user” mode, on a single computer. The Orange Book recognized that the concept had to be broader, since there were all sorts of files executed or relied on by privileged portions of the system. Their newer, larger category was dubbed the “Trusted Computing Base” (TCB). When networking came along, we adopted firewalls; the TCB still existed on single computers, but we trusted “inside” computers and networks more than external ones.

If we hold this to be true and an accurate statement, it elicits the following questions:  How can we re-establish trust in IT systems?  How can they be ‘known good’ and used to build a chain of trust?

Thoughts?

dg

P.S. Unlike some corporate blogs, we are a pretty open and thick-skinned group of folks.  We are happy to have constructive posting from about any source.  However, we will happily moderate away anything insulting, inflammatory, or just plain lame.