Mon, Mar 16

A Trust Control Plane for the Digital Age

The latest US Government Cyber Strategy aims to implement Zero Trust broadly across Government and critical infrastructure. Zero Trust is described as "Never trust, always verify" and is mostly seen in the context of protecting access to Resources by Entities, i.e. is Larry E (Entity) allowed to access this Oracle database (Resource)? The concept applies broadly to any situation where an Entity requests access to a Resource: a trust verification check is performed and, if it succeeds, the Entity is allowed to access the Resource, where further authorization checks are performed.

This is the traditional concept people think of with a Zero Trust control plane, following NIST SP 800-207, Zero Trust Architecture.

But the digital age demands more "verifiable trust" to offset the "systemic risk" we now face from multiple cyber risks, such as malicious software, software vulnerabilities and fake items produced using AI, in addition to the "Zero Trust Bond" trust verification typically associated with the "Zero Trust" concept described above. Trust verification is mission critical across cyberspace in the digital age. This raises the need for a "Trust Control Plane" to manage, maintain and verify trust in digital objects (Trusted Object Types) as a core, mission critical business function. Those objects include software applications, IoT products, digital artifacts, resources, entities, and Zero Trust Bonds linking Entities with Resources in a trust relationship. NIST describes the Zero Trust Control Plane requirements in SP 800-207.

We are rapidly approaching the point where everyone and everything will have an assigned "Cyber Identity" (Business Cyber Guardian calls this a "Digital DNA ID") that must be presented and verified in all cyber interactions, human and non-human. This is where an IETF SCITT Trust Registry fills the need to "always verify" in Zero Trust implementations, as SAG-CTR provides today. Think of this as "Okta on steroids", able to verify trust broadly using the Digital DNA ID concept and the SAG-CTR Trust Trinity across an entire cyber ecosystem, even on older legacy platforms that lack any knowledge of Zero Trust principles or concepts.

Why do we need a whole new identity for the cyber ecosystem; can't we just use our existing IAM credentials? NO; see https://www.linkedin.com/posts/richard-dick-brooks-8078241_a-trust-control-plane-for-the-digital-age-activity-7445119007797522432-DE95?utm_source=share&utm_medium=member_desktop&rcm=ACoAAABMsYcB3I6zhtjaqBqVcePEOQqxsZNzj5E

Zero Trust concepts and the "Never trust, always verify" philosophy extend well beyond the traditional Entity/Resource Zero Trust concept to include the verification of trust in digital objects across all of cyberspace. Verifiable Trust is universal and essential to avoid bad situations that disrupt a comfortable life at home and at work.

Trust management and verification has its own domain control plane, operating as a core, mission critical business function. Verifiable trustworthiness and trust verification are the goals of this control plane, which implements the IETF SCITT "Trust Registry" concept using a "Trust Trinity", i.e. the "SAG Trust Trinity" (TM), to govern and enforce Trust Registry registration policies and to verify trust in cyber ecosystem objects.

A "Trust Control Plane" is a critical component and key enabler within "Enterprise Cyber Risk Management" (ECRM) implementations. It enables entities to answer the question "Is this trusted?", where "this" can be any type of digital object capable of producing a Digital DNA ID using SHA256, preventing risky situations from occurring. The time has arrived to assign a Digital DNA ID to every employee and digital object in the enterprise that needs to be trusted, such as applications, servers and other digital functions, in order to verify trust. The Digital DNA ID is then used to verify trust in the broader range of situations that demand trust within a cyber ecosystem: everyone and everything that is part of the ecosystem presents its Digital DNA ID so that trust can be verified before proceeding.

Three roles make up the SAG Trust Trinity(TM) within the Trust Control Plane:

1. A SAG-CTR(TM) Trust Label Owner (Registration Policy Owner) that defines transparent Registration Policies and the criteria for something to become a "Trusted Object" in the Trust Registry, and authorizes trusted Risk Assessors to submit Trust Declarations for their Trust Label to SAG-CTR. The Trust Label Owner is the very foundation of all Trust in the Trust Control Plane. For example, the FCC is the Label Owner for the US Cyber Trust Mark. Registration Policies define which digital objects (Trusted Object Types), i.e. products/artifacts/ZTBOND, are in scope, along with the registration criteria.

2. Authorized, Trusted Risk Assessors that perform risk assessments and submit "Trust Declarations" to SAG-CTR(TM) for a specific Label Type and Product Category (Trusted Object Type) when a digital object meets the Label Owner's Registration Policies; a ZTBOND is one of many unique Product Categories (Trusted Object Types) in SAG-CTR(TM). Risk Assessors MUST be authorized and credentialed by a Trust Label Owner.

3. The independent SAG-CTR(TM) Gatekeeper, operating as an honest broker, that enforces Trust Label Owner Registration Policies and validates the evidence in Trust Declarations submitted by authorized Risk Assessors for a Trusted Object Type (Product Category) before placing an entry in the Product Trust Registry. The Gatekeeper ensures the integrity, trustworthiness and resilience of SAG-CTR Registry operations, data and procedures.

Each colored bubble represents an industry sector with a set of trusted parties that perform the Risk Assessor functions, based on Registration Policy Owner policies. Each object that is subjected to a risk assessment, per Registration Policy Owner policies, is identified with a Digital DNA ID (ProductID) that uniquely identifies the studied object in a "Trust Registry"; the assessment produces evidence data. After completing a risk assessment, the Risk Assessor submits a "Trust Declaration" along with this evidence data into the Trust Registry "Trust Queue", where it becomes the responsibility of the Gatekeeper to evaluate the submitted data against the Registration Policy Owner's registration policies, which determine whether the object is placed into the "Trust Registry" as a "Trusted Object".

A Registration Policy owner, represented by a unique "Label Icon" may choose to make the public or others aware of the newly trusted object in the Trust Registry using a QR Code or hyperlink URL (EXAMPLE ONLY MOCK CONTENT AND QR CODE):

https://softwareassuranceguardian.com/labellink/getUSCTMLabel?ProductID=A98DDCAA3A5087AFC55A199C6F02E19B89271A1C7347CF2EE128C4403218A1D3

The "Trust Control Plane" concept described in this article, SAG-CTR, has been operational since 2021 to manage and verify trusted objects for all types of "Digital DNA ID", from software applications to SBOMs, IoT devices and, of course, "Zero Trust Bonds" for Zero Trust verification:

NOTE: A prototype ZTBouncer Gateway for the Postgres database has been implemented by BCG in our test environment and is functioning as expected, checking trust with SAG-CTR before allowing access to a Postgres database. Entity connection testing and trust verification was conducted using the pgAdmin and psql tools against a local ZTBouncer7 instance accessing a remote AWS Postgres database running under RDS in the cloud. The ZTBouncer Gateway for Postgres product is provided free of charge to existing SAG-PM(TM) and SAG-CTR(TM) customers. The ZTBouncer Gateway for Postgres can be installed and running Zero Trust checks on a production Postgres database in a few hours on a Windows platform!

NIST provides additional implementation guidance for Zero Trust in this document. Here is an example label display for a Zero Trust Bond record linking the SAG-CTR Trust Registry (Entity DNAID) and a shared API implemented in SAG-CTR (Resource DNAID), indicating that a trust relationship (Trust Bond DNAID) exists between an EntityID and a ResourceID in a specific Zero Trust Domain:

https://softwareassuranceguardian.com/labellink/getZTLabel?ProductID=78DFFF6D931F542A5425EC5DA487EBE2A74FB8629D859C2CD0BCAF62854C91F7&html=1
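The Trust Trinity flow described above (Label Owner policy, Risk Assessor declaration, Gatekeeper check before registry entry) and the Zero Trust Bond check a ZTBouncer-style gateway performs can be modelled in a few dozen lines. This is an added illustration, not SAG-CTR's own code or API: the class and function names, the policy fields, and the way the Trust Bond DNAID is derived from the Entity and Resource IDs are all assumptions.

```python
import hashlib
from dataclasses import dataclass

def digital_dna_id(obj: bytes) -> str:
    """Digital DNA ID: uppercase hex SHA-256 of the object's bytes (same form as the ProductID in the label links)."""
    return hashlib.sha256(obj).hexdigest().upper()

@dataclass(frozen=True)
class RegistrationPolicy:
    """Set by the Trust Label Owner: in-scope object types, authorized assessors, evidence the declaration must carry."""
    label: str
    object_types: frozenset
    authorized_assessors: frozenset
    required_evidence: frozenset

@dataclass(frozen=True)
class TrustDeclaration:
    """Placed in the Trust Queue by a Risk Assessor after an assessment (field set is a modelling assumption)."""
    label: str
    assessor: str
    object_type: str
    product_id: str
    evidence: tuple   # names of the evidence items supplied with the declaration

class Gatekeeper:
    """Honest broker: enforces the Label Owner's policy before anything enters the Trust Registry."""
    def __init__(self, policies):
        self.policies = {p.label: p for p in policies}
        self.registry = set()          # (label, product_id) pairs that are Trusted Objects
    def process(self, decl: TrustDeclaration) -> str:
        policy = self.policies.get(decl.label)
        if policy is None:
            return "rejected: unknown label"
        if decl.assessor not in policy.authorized_assessors:
            return "rejected: assessor not authorized by label owner"
        if decl.object_type not in policy.object_types:
            return "rejected: object type not in scope"
        missing = policy.required_evidence - set(decl.evidence)
        if missing:
            return "rejected: missing evidence " + ",".join(sorted(missing))
        self.registry.add((decl.label, decl.product_id))
        return "registered"
    def is_trusted(self, label: str, product_id: str) -> bool:
        return (label, product_id) in self.registry

def zt_bond_id(entity_id: str, resource_id: str, domain: str) -> str:
    """Trust Bond DNAID over the (domain, entity, resource) triple; this canonical form is an assumption."""
    return digital_dna_id("\n".join([domain, entity_id, resource_id]).encode())

def gateway_allows(gk: Gatekeeper, label: str, entity: bytes, resource: bytes, domain: str) -> bool:
    """What a ZTBouncer-style gateway asks before passing a connection on: is this bond a registered Trusted Object?"""
    return gk.is_trusted(label, zt_bond_id(digital_dna_id(entity), digital_dna_id(resource), domain))
```

A bond registered for one Zero Trust Domain does not satisfy a check in another, because the domain is part of the Trust Bond DNAID.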

Always remember "Risk always exists, but trust does not always exist". That is why verifiable trust is essential for the digital age.

Microsoft CoPilot summarizes the importance of the "Trust Registry" and "Trust Control Plane" for the digital age:

https://copilot.microsoft.com/shares/BZzLnwww4H7sr5CLAzs1z
