TCM -- The Trust Capability Model
by CBDi Forum
The industry has various models for assessing the integrity of processes and, by inference, of the organizations that rely on them. Many IT organizations use ISO9000 and its variants to demonstrate their internal disciplines to their customers. However, ISO9000-based practices and audits are largely focused on traceability, providing documentary evidence that good practice was complied with. My own experience is that they can be, and sadly are, abused.
The Software Engineering Institute provides a comprehensive Capability Maturity Model (CMM), which is well respected. It is specifically focused on IT organizations, but it is primarily about the repeatability of the IT process, rather than the repeatability and consistency of the service provided.
Microsoft's Trustworthy Computing initiative
Early last year, Microsoft announced its Trustworthy Computing initiative and, in the face of widespread cynicism, has clearly, at least to some extent, embraced the trust issue in its products, services and practices. But the key question is "to what extent?" Microsoft continues to be embarrassed by its own security and trust related failures, most recently with the Slammer virus, when it had to admit failure to keep its own patches current. Is this sufficient evidence that Microsoft is failing to meet its own goal of becoming a trusted vendor? Probably not. It is an embarrassing but isolated incident. For example, Microsoft has instituted processes for keeping its users up to date with patches: just this morning I, and many of us, will have received the latest Security Bulletin and upgraded our systems automatically to close a newly discovered security loophole. So how can we make a balanced measurement of trusted status and of progress toward improvement?
It's not just Microsoft that needs to be measured
More interesting is the idea that it is not just Microsoft that we need to measure. Microsoft just happens to be the most high-profile company, and the media love to expose its weaknesses. But the reality is that every company, enterprises and vendors alike, has trust issues that it needs to manage right now. And as we all know, to manage something you need information, and we have no systems that allow us to measure and assess the trustworthiness of our own capabilities or those of our suppliers and partners.
As we move progressively towards virtualized business, and Web services allow seamless interoperability between companies and business processes, the requirement for some measure of trustworthiness is going to become absolutely vital.
Today many are saying that they will not use Web services until there is good security, and they are looking at security protocols, particularly WS-Security, to address this. But the real requirement is not just secure messages; it is trusted transactions. So it is not just about WS protocols, which only protect the message in transmission across the net. Equally important is the trust that I can place in the recipient of the message: what they will do with it once they receive it. If I am going to make my business processes dependent on a third-party Web service, the risk is not simply in the transmission of the message but in the possibility that the third party may not be trustworthy. We need a mechanism to measure what level of trust may reasonably be placed in ourselves and in others.
The CBDI Trust Capability Model
CBDI has developed a capability model for measuring trust capabilities. The purposes of the capability model are threefold:
1. Measure & manage progress against the objectives of trustworthy computing. This will apply not just to Microsoft, but also to its partners, customers, competitors – indeed, potentially to the whole industry.
2. Create benchmarks for comparison between organizations and for comparison against requirements.
3. Define a roadmap for planning local and global improvement.
The model defines a series of enablers and a series of achievements. The enablers are the things that are done as part of a trust program; the achievements are the results of the program. The enablers are justified because they are expected to produce the achievements. The outline model is as follows:
Level 1: Ad hoc - No systematic capability.
Level 2: Defined - Adequate set of policies defined. Program to implement and embed policies in organization.
Level 3: Controlled - Broad implementation of policies, fully embedded in organization. Program yielding significant and tangible results.
Level 4: Managed - Ability to attribute specific results to specific enablers.
Level 5: Optimizing
Pretty much everyone accepts today that trust is a major priority. However, there is little guidance on how to address what is an amazingly complex issue, or on how to measure progress and results. We are of the opinion that this needs addressing in a formalized manner, and that there is a need for independent audit and certifying agencies to perform a role similar to the one already available for the ISO and SEI/CMM models.
First we need to establish a more detailed understanding of the extent of the risk we are entering into, because it is not just about making the Internet safe. It is equally about how much trust you can place in others. How do you trust the recipient of your requests? What are they doing with that information? Just because it is behind the firewall, can it be held unencrypted? What needs to be protected?
We need a systematic approach to assessing our trust capability and relationships that then allows us to decide, for example, between one intermediary and another. Today we place too much emphasis on price and performance; trust models are essential to allow us to make similarly informed decisions on whether a service provider is trustworthy. These are questions that need better answers than we are accustomed to give and get.
We welcome feedback to firstname.lastname@example.org
Copyright CBDi Forum Limited 2003. The CBDi Forum is an analysis firm and think tank, providing insight on component and web service technologies, processes and practices for the software industry and its customers.