What’s in a name? Attestation vs data, claim, statement, etc
There are already so many words and concepts in information security: why do we need another one? And indeed ‘attestation’ is already used in several industry contexts with many subtly different meanings: what do we gain by overloading it?
A very common misconception in cybersecurity is that it’s possible to be 100% secure or bulletproof, and a similar misconception in information security is that it’s possible to protect information in a way that it is 100% reliable or ‘true’. This has never been the case: just as a person can lie to your face, they can also lie to you in a digitally signed and encrypted document. Just as a physical machine can develop faults and malfunction, so too can previously secure software fall to new vulnerabilities and start producing wrong data.
What cryptography does do, though, is to strongly demonstrate that the data received is the exact same data that was sent. So, whether true or not, you can be pretty sure that what you heard is exactly what was intended to be said. If you’re lucky, you’ll even get a verifiable copy to keep and prove it later if you get into a dispute.
So why is it useful to observe this difference when talking about attestation? Merriam Webster defines ‘attest’ as: “to affirm to be true or genuine, specifically to authenticate by signing as a witness”.
No matter what spin or extra promises may be applied to attestations by the various different offerings in the industry they are all simply what Merriam Webster says: signed witness statements. Or in other words they are a high-integrity record that someone said something (possibly at a particular time). Whether that something is objectively true or not… that’s a different matter.
This might make attestations seem less useful than hoped but read on: this is actually a step forward for security and trustworthiness.
Knowledge Evidence is power
Business is powered by decisions, and decisions are powered by information. In principle the more information you can access, the better quality your decision-making will be. And in the modern era when practically all of business and industry is connected and relies on the exchange of critical operational information at scale there should be plenty of data available from which to make decisions.
But there’s a problem: raw information isn’t knowledge. Because unless you’re sure that the information is genuine, how can you be confident in any decision you’re making? What if you’re being fooled? Is that signal from the fire system real, or is it a clever adversary trying to open the emergency doors? What if a previously reliable supply chain partner goes bad, or a formerly robust piece of software falls to a vulnerability? What if a simple honest mistake leads to a decision based on the wrong data, or the wrong version of an artifact?
And how do you prove to your auditors and insurance company that you acted in good faith? In the modern era when practically all of business and industry is connected and relies on the exchange of critical operating data at speed and scale, the old ways of ‘trust but verify’ don’t safely scale. For resilience now and audits in the future it’s much more robust to have a philosophy of ‘verify, then trust’.
For both of these situations we need to move beyond pure data to a position of confidence based on provable knowledge of the provenance of that data that can stand the test of time. Where did it come from? Can I rely on it? Who did what when?
Putting attestation to work
As espoused by the US National Institute for Standards and Technology (NIST): “It is no longer feasible to simply protect data and resources at the perimeter of the enterprise environment and assume that all users, devices, applications, and services within it can be trusted. ”
This crucial insight demonstrates why we need a new approach based on provenance: every perimeter eventually falls. That means you can’t implicitly trust anything inside any former boundary and must verify EVERY TIME you use data and systems. As soon as you put a file down you can’t be sure it will be the same when you pick it up again, even just a few seconds later. You need a way to check that.
One size does not fit all: when do you need evidence?
Don’t take away from this that all data needs to be attested and shared transparently all the time. While this would be ideal, and is the future we’re trying to build in RKVST, it’s not really practical. You have to pick your battles, and most of what you do can continue uninterrupted with the same systems and processes you use today. It is possible to evolve into this future state a little at a time, starting with the most important pieces of your operation.
Turning raw data into evidence is most useful when:
- There’s genuine risk associated with using the data, and/or it is a meaningful input to a critical operating decision
- You need to prove that something existed, or was done, before a certain point in time
- The data originated outside the organization relying on it
- The integrity of data relies on multiple security mechanisms or is exposed to multiple administrators
Miranda Rights for operating data
So how does any of this really help? In what is essentially a voluntary disclosure system can’t people make different statements depending on who’s asking? A crooked supplier could tell the auditors a different version of history than the version they told their customers, or simply say nothing at all and avoid scrutiny. After all we can’t possibly journal and attest everything! Can’t we create advantage with creative silence and omissions?
We’re all familiar with the idea of a Miranda Warning: the warning given by police about a suspect’s right to silence under questioning. The UK version of the Miranda Warning is usually stated as:
“You do not have to say anything. But, it may harm your defence if you do not mention when questioned something which you later rely on in court. Anything you do say may be given in evidence.”
https://www.gov.uk/arrested-your-rights
This tight mix of responsibility with accountability is what makes the whole thing work:
“Whenever a conflict arises between privacy and accountability, people demand the former for themselves and the latter for everybody else”.
David Brin, The Transparent Society
When it comes to connected systems, we must demand both qualities for everyone. All data must first be attested and posted to an evidence ledger, and then it can be considered admissible for digital operations. Asserting the right to silence means forfeiting that evidence in any dispute later.
The bottom line
You wouldn’t eat food you find on the street or run your car on gas you found in a rusty can by the side of the road, so how can business run on data of unknown provenance? Or to put it crudely in the words of young parents everywhere… “Don’t put that in your mouth: you don’t know where it’s been!”
Adjusting to an attestation-based mindset is the key to unlocking zero trust and supply chain integrity, transparency and trust. Make that move today.
The RKVST supply chain evidence management platform offers public attestation as-a-service and is low-cost and easy-to-deploy, allowing you to choose which assets are attested and automatically verified in public. Try it yourself for free!
