Home / Blogs

.trust Technical Policy Launch

Whenever I examine the technical elements of the various Internet security certifications and standards that organisations are clamouring to achieve compliance against, I can’t help but feel that in too many cases those businesses are prioritising the wrong things and wasting valuable resources.

They may as well be following a WWI field guide on how to keep cavalry horses nourished and bayonets polished in a world of stealth aircraft and dirty bombs.

The current generation of security compliance requirements (at their very best) encapsulates principles that were designed to battle the unsophisticated threats of a decade ago.

The threat spectrum has evolved and so too has the way in which customers and business partners interact with organisations.


In a world filled with weekly mega-breach announcements, reconfirming some arbitrary compliance standard or placing a third-party tick-mark logo on a website are about as comforting and reassuring as lifting up a horse’s tail, slapping down a “new car smell” scented air-freshener and calling it a sports utility vehicle.

There are many problems with the growing ensemble of security standards and certifications that businesses are increasingly being held accountable against—not least the fact that the majority of the technical elements they contain are closer to recommendations than requirements; resulting in confusion and the pursuit of compliance against the lowest bar.

But the biggest failure in my opinion is that many of the most important and widely adopted security standards exist to limit a company’s liability, rather than actively secure the business and trust of those they transact with.

Time for change

It’s time to change the compliance game. Customers and business partners deserve better.

To that end, I’m very happy to announce the publication and general availability of the .trust Technical Policy (or “.trust policy” for short).

The .trust policy is a technical security policy crafted by Internet security experts and industry luminaries to capture the best practices in securing Internet systems and online communications with an organisation’s customers, clients and business partners.

It contains practical security requirements that reflect current thoughts and agreement on best practices capable of thwarting today’s spectrum of cyber threats and reducing the surface of attack.


A core tenet of the .trust policy is transparency and with that, compliance with the security requirements should be externally verifiable—e.g. no more self-accredited checkboxes.

Businesses that follow the .trust policy (or are on a progressive path towards full adoption of the .trust policy) can be externally measured and rated against the compliance criteria.

Such transparency in compliance—against a security policy that constantly reflects current best practices in the industry—is designed to let customers, clients and business partners know that real and measurable steps have been taken by an organisation to secure and protect both their transactions and personal information.

In essence, that they can trust that organisation to be doing their very best (hence the “dot trust” name).

Technical scope

The technical scope of the .trust policy is divided in to Network, Web Application, Email, DNS and Abuse sections—solidly emphasising an Internet and online security focus.

While some antiquated (yet currently enforced) Internet security standards and certifications may only go as deep as providing a checkbox to confirm that a firewall is installed, even the most basic .trust policy criteria include measurable details on how a firewall should be configured and what needs to be blocked.

I could write pages and pages extolling the virtues of the .trust policy, I am perhaps most happy to see that DNS is finally being addressed in a public security policy.

DNS is the hidden power that, quite literally, makes the Internet work; yet it is so rarely covered in security discussions, let alone mandated in a policy to secure a business.

Given the breadth of threats and abuse that target DNS and DNS-reliant services and how damaging they are to business over (and trust of) the Internet, adherence to a handful of best practices in secure configuration and utilisation can reap tremendous gains in combating threats ranging from domain hijacking through to the receipt of spam email.


The .trust policy is designed to be a live reflection on best practices in security. This means that the .trust policy will evolve and strengthen further over time.

Industry luminaries, Internet security experts and subject matter experts play a key role in defining what the .trust policy includes and reflects the practical reality of what is technical feasible for businesses to adopt and address.

As businesses adopt the .trust policy and strengthen their online security in accordance with its guidance, it is my hope that not only will customers, clients and business partners once again begin to trust those organisations they interact online with, but that we’ll also slowly regain a corner of the Internet and make it secure to do business again.

The sooner organisations step-up from liability-mitigation standards (that may as well be “new security” scented air-fresheners hung in a server farm) the safer we’ll all be.

By Gunter Ollmann, CTO, Security (Cloud and Enterprise) at Microsoft

Filed Under


Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

Co-designer of the TCP/IP Protocols & the Architecture of the Internet



Domain Names

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global

New TLDs

Sponsored byRadix

Brand Protection

Sponsored byCSC


Sponsored byVerisign