
“Trust” in the Digital World
Author: Ioannis Solomakos, CSO at Huawei, South Balkans
As you read these lines, thousands of companies ranging from small startups to big conglomerates strive to bring to the market information and communication technologies, solutions, products and services. These companies work hard towards their vision and mission which among others entail the development and supply of those technological achievements that allow us to live the era of digital and intelligent transformation, with ICT products, services and solutions that ultimately will bring the digital technology to every individual, home and organization across the world.
However, all these companies operate at the heart of the smart digital world under constant pressure to safeguard the entities involved, while at the same time trying to provide products and services that bring people digitally closer within an environment that is overshadowed by ever-growing threats, blurred borders between the various networks and technologies, and the endless exchange of valuable data. And when we talk about continuously growing threats, we talk about serious risks with a significant impact on the practical functioning of society, risks that we should not take lightly or underestimate. The examples are many and painful: many entities have become victims of ransomware and have either lost their data and infrastructure or paid significant amounts of money in order to get them back.
In particular, due to the pandemic of recent years, coupled with the correlated trends of growing online presence, the transition from traditional networks to the cloud, the increase of advanced and complex connections, the development of artificial intelligence and the shift towards the hybrid workplace, we have observed that cyber threats in the European Union have increased in number, complexity and impact, and have become more multilayered and innovative while adapting to the new trends of our society. The truth is that the cyber threat landscape has changed quite a bit with the pandemic. Over the past two years we have seen attacks related to ransomware and attacks aimed at government agencies reach the top of the threat pyramid, we have seen profit-driven and cryptocurrency-related digital scams rise to record levels, and we have also seen the increase in IoT devices used worldwide lead Distributed Denial-of-Service attacks to evolve into something more persistent and multidimensional than ever before.
So given these facts the following reasonable question comes to mind: Can we really trust the digital world? The answer to this question is clearly neither simple nor unique. The only thing that can be immediately answered with certainty is that confidence in the digital world can no longer be based on subjective criteria and assumptions but only on objective multidimensional security policies and best practices that involve no sentiment whatsoever. Hence, the rise of the concept of Zero Trust… a concept that allows the application of relevant cyber security practices from the design of a product or service until its withdrawal from the market. Under the concept of zero trust, traditional notions such as the “network perimeter”, “trusted users”, or “internal network” cease to exist as the progression of cloud computing, IoT devices, and the ever-increasing remote access, create new doctrines where products, services, software, and accessibility are continuously subjected to security questioning and multi-dimensional controls throughout their network interaction, from the design stage to the withdrawal stage.
To achieve a Zero Trust environment with the least possible interaction and disruption towards the end user, we need to redesign the way we approach the security of data and our wider ICT infrastructure, so that the individual components that make up the ICT ecosystem are not treated as isolated ones but as interconnected parts of the same collective: a collective that is governed by complex and resilient systemic security policies throughout the interaction with each user, device, and interface. However, implementing a zero-trust environment is not a single straightforward process, and it can be achieved in many different ways. In any case, it is fairly common for implementers to focus on the technical aspects of the issue in a network and forget about the non-technical factors that surround us in these efforts, factors that play an equally important role and turn out to be significant tools in our hands.
One of these factors is the international standards of the industry in question, which, when based on objective criteria that are commonly accepted by the industry players, become powerful platforms of trust in the digital world. The same principle applies to the corresponding certification mechanisms surrounding international standards: mechanisms that help us build trust around products and services, that facilitate and substantiate decisions on security procedures and policies in a zero-trust environment, and that take out of the equation (to a certain extent) the subjectivity and bias that human interfaces introduce into the decision-making process.
Another equally important pillar in the implementation of a zero-trust environment is the proper and proportionate sharing of responsibilities and obligations for security precautions and related matters among all the participants involved throughout the production and supply chain, from concept design to end customer delivery and installation. In other words, overall assurance should not be a unilateral obligation of the end provider or recipient but should be shared proportionally and according to technically acceptable criteria among all the participants in the design, production, and supply of a final product or service, irrespective of which part of the chain they serve.
And while all the aforementioned sound great and create a certain feeling of complacency in our respective micro universe, we need to understand that in order for all of these to work towards a positive direction it is vital to become completely transparent and outward looking when it comes to security ecosystem efforts and implementations in general, so as to enable all stakeholders to observe, scrutinize, and why not challenge us, so that through this process mutual trust can be built on a more solid foundation.
Certainly, in any attempt towards change and implementation of modernized concepts there are always the relevant myths that can indirectly influence adversely the related implementation decisions. This is why it is imperative to clear up the illusions surrounding the project early on in any attempt to implement a zero-trust ecosystem, so that only the real facts prevail. And in the case of Zero Trust, the associated positive aspects are substantial and strengthen the security around infrastructures and the data these contain, while simplifying the secure integration of new users or devices into the ICT ecosystem. And although this is not always as easy as it sounds, I emphatically believe that implementing a zero-trust logic from the initial design stage that is based on transparency, continuous audits, best security practices, protective policies, shared responsibilities, international standards and certifications, is perhaps the only viable strategy for securing and protecting data and cyber infrastructures and the only way to create real and solid trust among stakeholders on all levels.
About the Author

Ioannis Solomakos is a security professional with more than 20 years of experience in positions of increasing responsibility in the international corporate arena. Having served as the Chief Security Officer and a Security Executive for a number of top international organizations (OTE Group of Companies, SNF Stavros Niarchos Foundation, Praxia Bank, Ericsson, Ingersoll Rand, Intrasoft International), he is now serving as the CSO at Huawei for the South Balkans.

