The latest US Government Cyber Strategy aims to implement Zero Trust broadly across Government and critical infrastructure. Zero Trust is described as "Never trust, always verify" and is mostly seen in reference to protecting access to resources by entities, e.g. is Larry E. (Entity) allowed to access this Oracle database (Resource)? This concept applies broadly to any situation where an Entity requests access to a Resource: a trust check is performed and, if it succeeds, the Entity is allowed to access the Resource, where further authorization checks are performed.
This is the traditional concept people think of with Zero Trust.
But the digital age demands more "verifiable trust" to offset the "systemic risk" we now face from multiple cyber risks, such as malicious software, software vulnerabilities and fake articles produced using AI, in addition to the "Zero Trust Bond" trust verification typically associated with the "Zero Trust" concept described above. This raises the need for a "Trust Control Plane" in the digital age to manage, maintain and verify trust in digital objects broadly, including Zero Trust Bonds that link Entities with Resources in a trust relationship.
Trust management and verification is its own domain control plane, whose goals are trustworthiness and trust verification. This control plane implements a SCITT "Trust Registry" using a "Trust Trinity", i.e. the "SAG Trust Trinity" (TM), to enforce Trust Registry registration policies. "Trust declaration evidence" is submitted into a Trust Registry Trust Queue, where an independent Trust Registry Gatekeeper is responsible for enforcing the Registration Policies provided by a Registration Policy Owner. Those policies define what is required for a digital object of any type to be registered in the Trust Registry as a trust object, including a Zero Trust Bond object that states "This Entity is trusted to access this Resource", expressed as a unique ZTBOND object in the Trust Registry that itself needs to be verified for trustworthiness as a precursor step.
Three roles make up the SAG Trust Trinity(TM):
1. A SAG-CTR(TM) Trust Label Owner that defines transparent Registration Policies and authorizes trusted Risk Assessors to submit Trust Declarations for their Trust Label to SAG-CTR. The Label Owner is the very foundation of all trust. For example, the FCC is the Label Owner for the US Cyber Trust Mark.
2. Authorized, trusted product Risk Assessors that perform product risk assessments and submit Trust Declarations to SAG-CTR(TM) for a specific Label Type and Product Category when a product meets the Label Owner's registration policies. Risk Assessors MUST be authorized and credentialed by a Trust Label Owner.
3. The independent SAG-CTR(TM) Gatekeeper, operating as an honest broker, that enforces Label Owner Registration Policies and validates the Trust Declaration evidence data submitted by authorized Risk Assessors before placing an entry in the Product Trust Registry. The Gatekeeper ensures the integrity, trustworthiness and resilience of SAG-CTR Registry operations, data and procedures.
Each colored bubble in the figure represents an industry sector with a set of trusted parties that perform the Risk Assessor functions based on Registration Owner policies. Each object subjected to a risk assessment, per Registration Owner Policies, is identified by a Digital DNAID (ProductID) that uniquely identifies the studied object in a "Trust Registry", and the assessment produces evidence data. After completing a risk assessment, the Risk Assessor submits a "Trust Declaration" along with this evidence data into the Trust Registry "Trust Queue", where it becomes the responsibility of the Gatekeeper to evaluate the submitted data against Registration Owner registration policies, which determine whether the object is placed into the "Trust Registry" as a "Trusted Object".
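As an added illustration (not SAG-CTR code, whose internals this article does not show), here is a small Python model of the Trust Trinity flow described above: a Label Owner publishes a registration policy and credentials its Risk Assessors, assessors drop signed Trust Declarations into a Trust Queue, and the Gatekeeper registers only the declarations that pass every policy check. Assumptions: assessor credentials are modelled as HMAC keys issued by the Label Owner, a registration policy is just the set of evidence fields a declaration must carry, and all names and sample values are hypothetical.

```python
# Added example: toy model of the Trust Trinity flow (not SAG-CTR code).
# Assumption: assessor credentials are HMAC keys issued by the Label Owner;
# a registration policy is the set of evidence fields a declaration must carry.
import hashlib, hmac, json

class TrustRegistry:
    def __init__(self):
        self.policies = {}   # label -> {"required": set, "assessors": {id: key}}
        self.queue = []      # Trust Queue: declarations awaiting the Gatekeeper
        self.registry = {}   # Trust Registry: DNAID -> trusted object record

    # Role 1: Label Owner defines the policy and authorizes Risk Assessors.
    def define_policy(self, label, required_evidence, assessors):
        self.policies[label] = {"required": set(required_evidence),
                                "assessors": dict(assessors)}

    # Role 2: a Risk Assessor signs a Trust Declaration and queues it.
    def submit_declaration(self, assessor_id, key, label, dnaid, evidence):
        body = json.dumps({"assessor": assessor_id, "label": label,
                           "dnaid": dnaid, "evidence": evidence},
                          sort_keys=True).encode()
        sig = hmac.new(key, body, hashlib.sha256).hexdigest()
        self.queue.append({"body": body, "sig": sig})

    # Role 3: the Gatekeeper checks each queued declaration against the
    # Label Owner's policy and registers only those that pass every check.
    def gatekeeper_process(self):
        results = []
        while self.queue:
            item = self.queue.pop(0)
            decl = json.loads(item["body"])
            policy = self.policies.get(decl["label"])
            key = policy["assessors"].get(decl["assessor"]) if policy else None
            expected = hmac.new(key, item["body"], hashlib.sha256).hexdigest() if key else ""
            if policy is None:
                verdict = (False, "unknown label")
            elif key is None:
                verdict = (False, "assessor not authorized for label")
            elif not hmac.compare_digest(expected, item["sig"]):
                verdict = (False, "bad declaration signature")
            elif policy["required"] - set(decl["evidence"]):
                verdict = (False, "missing required evidence")
            else:
                ev = json.dumps(decl["evidence"], sort_keys=True).encode()
                self.registry[decl["dnaid"]] = {
                    "label": decl["label"], "assessor": decl["assessor"],
                    "evidence_sha256": hashlib.sha256(ev).hexdigest()}
                verdict = (True, "registered as trusted object")
            results.append((decl["dnaid"],) + verdict)
        return results
```

The Gatekeeper keeps only a digest of the evidence in the registry record, so the trusted object entry can be checked against the original evidence later without the registry having to store it.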
A Registration Policy Owner, represented by a unique "Label Icon", may choose to make the public or others aware of a newly trusted object in the Trust Registry using a QR Code or hyperlink URL (EXAMPLE ONLY: MOCK CONTENT AND QR CODE):
The "Trust Control Plane" concept described in this article has been operational since 2021 to manage and verify trusted objects for all types of "Digital DNA ID", from software applications to SBOMs, IoT devices and, of course, "Zero Trust Bonds" for Zero Trust verification:
Here is an example label display for a Zero Trust Bond record for the SAG-CTR Trust Registry (Entity DNAID) and a shared API implemented in SAG-CTR (Resource DNAID), indicating that a trust relationship (Trust Bond DNAID) exists between an EntityID and a ResourceID in a specific Zero Trust Domain:
Microsoft Copilot summarizes the importance of the "Trust Registry" and "Trust Control Plane" for the digital age: