zero trust

Zero trust, the new cybersecurity buzzword

Any device or network architecture can be breached, so we shouldn’t trust any user or system. This simple but trenchant assumption is feeding ‘zero trust’, a new hype concept in cybersecurity and a ‘very fashionable term’ in the tech world, as the UK's National Cyber Security Centre defined it.

Widespread digitalization, new hybrid workforces and collaboration models, and the growing sophistication of cybercrime created the conditions for a more restrictive vision of data and infrastructure protection. While the EU is shaping its Cybersecurity Strategy, the US is already approaching zero trust after President Biden's "Executive Order on Improving the Nation's Cybersecurity." Released last May, the order basically pushes federal agencies to implement zero trust architectures and prepare for future enhancements. Updated guidance was released last week and agencies are given specific security goals to be achieved by September 2024.

If asked to summarize what zero trust is about, we might say “Never trust, always verify”. The idea is to remove inherent trust from the network and not to trust devices by default just because they are inside the perimeter of a firewall or VPN. A zero-trust architecture should verify everyone and everything, using granular techniques to permit only necessary network access and transactions.

The migration to this network design could be expensive and somewhat disruptive for most organizations, and it could take years to complete due to the extent of the changes to be implemented.

Zero trust supporters highlight that this strict model allows an organization to minimize cyberattack risks, define stronger authentication and authorization policies, reduce network overhead, and react more quickly if something gets compromised.

However, we need to remember that 100 percent cybersecurity is an impossible goal, unless we fully give up on innovation and digital transformation. So zero trust architectures or solutions can’t be taken as the ‘silver bullet’ that solves everything.

Some analysts recommend a pragmatic approach, starting with an accurate assessment of actual vulnerabilities. Which network elements actually require zero trust protection? Which data, transactions, or applications need to be locked down with the utmost level of security? This kind of analysis could lead to the decision to shift to zero trust only for the most critical assets, while enacting more proactive and systematic cybersecurity measures without adding unnecessary complexity.

 

What’s your approach to cybersecurity? Is zero trust applicable to your network? Contact our cybersecurity experts to share thoughts and insights!


survivorship bias

Cybersecurity in Smart Cities: don’t be trapped in the survivorship bias

During World War II, a team of researchers at Columbia University was asked to examine the damage done to aircraft that had returned from missions and recommended adding armor to the areas that showed the most damage. This sounded pretty logical, but the statistician Abraham Wald contradicted the US military's conclusions by pointing out that only the aircraft that had survived had been considered. Since the bullet holes in the returning aircraft identify areas where a bomber could take damage and still fly well enough to come back safely to base, Wald proposed to reinforce areas where the returning aircraft were unscathed.

The ‘survivorship bias’ – that is, the logical error of concentrating on people or things that passed some selection process and overlooking those that did not – can lead to false conclusions in several different ways, and it is a pitfall for cybersecurity too.

In 2020 the Center for Long-Term Cybersecurity at UC Berkeley surveyed 76 cybersecurity experts and ranked different technologies according to underlying technical vulnerabilities, their attractiveness to potential attackers, and the potential impact of a successful serious cyberattack. According to this study, not all Smart City technologies pose equal risks: emergency alerts, street video surveillance, and smart traffic signals stand out as the most vulnerable, while smart waste systems and satellite water leak detection are considered among the safest.

City officials should therefore consider, on a case-by-case basis, whether cyber-risks outweigh the potential gains of technology adoption, and invest more in technologies that are both vulnerable in technical terms and attractive targets for capable potential attackers because the impacts of an attack are likely to be great. Again, this sounds like a logical recommendation – but let us beware the survivorship bias.

Achieving 100% cybersecurity is an impossible goal unless we fully give up on innovation and digital transformation. However, cities should be 100% conscious that any urban network infrastructure and application should be properly designed and implemented with security built in from the outset. Even potentially unattractive systems – such as streetlights – might become interesting for criminals, and the human element is often the weak link that turns a vulnerability into an actual leak.

Many governments around the world are raising cybersecurity consciousness and starting dedicated programs to protect critical systems and resources. Last May, President Joe Biden signed an executive order aimed at strengthening US cybersecurity defenses, a move that follows a series of sweeping cyberattacks on private companies and federal government networks over the past year. The order seeks to move the federal government toward more modern and safer digital infrastructure, and sets stricter rules for IT service providers working with public bodies.

Italy is set to create a national agency responsible for fighting cyberattacks and creating a unified cloud infrastructure to increase security for public administration data storage. Most European countries are boosting their efforts to counter cyber risks, seen as a threat to their security and competitiveness in an increasingly networked world.

While we head for improved systems and data protection, we shouldn’t forget that it is possible to balance the value of innovative technology with the lowest possible risks. At Paradox Engineering, we strike this balance through our ‘security by design’ approach: this means injecting cybersecurity into IoT technologies from their very inception, and combining different methods (blockchain, dedicated hardware security modules on devices, ultra-reliable encryption, and other features) to ensure urban infrastructures are intrinsically secure.

Securing cities is an ongoing challenge that requires an overarching approach and strategy (let us avoid the survivorship bias!), together with constant monitoring, learning and collaboration, especially as hackers tap advanced technologies such as AI to become more effective and cybersecurity insurance costs soar.