Web Reliability
21. Trust reduces resistance
Mitchell Kimbrough
Founder & CEO
Trust as a currency Trust allows a wide variety of people in a community to creatively interact with one another. Trust is a convenience. It is a medium of communication (where communication refers to making something common). Trust allows one person to safely assume a broad range of positive and benevolent things about another. If I lose my wife in a train station I trust that she will make the right decisions to make sure we have reunited again and with the least possible inconvenience. On a team, trust allows me to assume that my teammates will meet their obligations and deadlines just the same way that they always did. If they fail to, I trust that it will be for good reason. When I trust my team I don't have to monitor every detail. This vastly reduces overall friction. Lack of trust not only creates friction but arguably blocks up the system so much that it can't even function.
Once my company had been in business for a while and once we had been operating in a specific community with a known specialty, we began to notice that trust was making things much easier. New clients would come to us and provide server credentials without a second thought. These were production credentials to sensitive systems. They handed over the keys with 100% trust because over time we had earned the community trust and had avoided doing anything to lose it. It was easier to win new business because clients were coming in with an already set feeling of trust in our honesty and abilities. Our ability to help others was greatly enhanced by the presence of trust around what we did and who we were. Friction had been reduced and we prospered as our ability to help others had been increased.
Trust, but verify It is ultimately humans that we trust. We may trust the banks they build, the security systems that they install, the airplanes they manufacture, but it is always ultimately the underlying humans in which our trust is placed.
Humans are fallible. They are frail. They are weak. They are imperfect. Those in whom we place our trust do not necessarily break our trust intentionally. Even when they do, it comes from a place of frailty and weakness. Even then as we embrace trust as a conduit for the smooth flowing of our teamwork, we must also embrace verifying our trust.
'Trust, but verify' comes from a Russian proverb. It was made famous by Ronald Reagan during his efforts to bring about nuclear disarmament. The phrase embraces the idea that humans can only achieve things through trusting one another. But those achievements can be thwarted by naively ignoring the fact that those whom we trust are merely human.
President Reagan thought, with a project as large as nuclear disarmament, that he could trust Russian General Secretary Gorbachev. But he also knew that the apparatus in which Gorbachev operated was vast, complex, and full of flawed humans. One would be foolish to take the word of one man as gospel and representative of the will of an entire country. One needed to trust, but also verify that words were being met with actions.
Security In the context of web development, trust but verify refers to security. As a team, we develop systems that embrace our trust of one another, but also verify that trust through security measures.
When a team of developers will need to access a production server, for example, an optimally secure system will have each developer accessing the system from a VPN. Each person will have separate credentials. Each person will have an account on the server(s) with a level of permission appropriate to their level of responsibility, no more no less. Each person will have individual accounts that can be turned off in the event that someone goes rogue.
Humans are frail. A perfectly trustworthy and well functioning member of a team may suffer from gambling addiction. It's not unheard of for such a person to rationalize their way into embezzling funds from a website. A perfectly trustworthy and well functioning member of a team can be angered and injured by a perceived insult. In their rage, they can lash out and deface a web property or disable its core functions. Trust but verify, aka security, means having the ability to block unexpected human behavior or mitigate its damage.
A secure team is one that embraces the power of trust but also embraces the fact that it is humans that we trust. As humans are frail and imperfect, they can also be trusted to make mistakes that harm themselves and others. Security means we protect the trust of the team and system as a whole from the frailties of the individual.
Trust reduces resistance. Security, as the mode of the 'trust, but verify' maxim, enables that trust.
