IT & Cyber Security Outlook 2020: It's time for Zero Trust
- Created by TUEV TRUST IT TUEV AUSTRIA GMBH
In 2020, not only will the IT Security Act 2.0 significantly change the requirements for critical infrastructures, but other urgent issues will also come to the fore. According to trend statements by Detlev Henze, CEO of TÜV TRUST IT TÜV AUSTRIA, this includes the zero-trust approach as well as agile ISMS. In addition, demand for the IEC 62443 standard in OT will increase and the aspect of usable security will also become more important.
1) The question of trust will arise:
Although it has not yet been widely adopted in business practice, zero trust is the approach that is becoming ever more relevant. It means that nothing is trusted by default, not even a company's own devices and networks. The consequence is that monitoring and auditing of a company's own assets must receive additional attention.
While effective perimeter protection and network segmentation remain as important as ever, authentication, authorization and auditing must no longer be performed only centrally; they must be tested and practiced throughout the entire IT network.
2) Agile Information Security Management Systems (ISMSs) are emerging:
Companies are increasingly transforming into agile organizations in order to become more flexible and faster. This began in software development and is also reflected in DevOps methods, but there is a need for action as far as information security is concerned as well. However, it is not enough to integrate security aspects into agile software development; rather, an ISMS is needed that fits into agile organizational environments.
At the same time, it is important to ensure that the ISMS itself satisfies agile requirements and that IT operations are supported by SecDevOps in an agile manner. With these objectives in mind, the questions to be answered are what methods must be used and what existing standards have to be used or modified. This goes hand in hand with the need for training of personnel.
3) eIDAS and PSD2 remain on course for growth:
The eIDAS Regulation has governed electronic identification and trust services within the European Economic Area since 2016. As a result, legally binding signatures and the transmission of, for example, contract documents are now possible for the first time across borders in a continuous online process, without any media discontinuity and with legal certainty. This has already led to a significant increase in qualified trust services in Europe, especially as service providers also benefit from it.
As a result of digitalization, their use will continue to grow very dynamically, also because, for example, the European Banking Authority (EBA) has made the use of qualified trust services according to eIDAS mandatory for implementing the new Payment Services Directive 2 (PSD2) in order to secure payment transaction data.
4) The IT Security Act 2.0 comes with significant changes:
The first IT Security Act revealed a considerable need for improvement. Legislation is now pursuing significant changes with IT-SiG 2.0, which so far exists only as a draft bill. These include, for example, an extension of the powers of the BSI [German Federal Office for Information Security] and higher requirements for protecting critical infrastructures, such as an obligation to set up attack detection systems (SIEMs [Security Information and Event Management]), as well as a shift of focus towards a comprehensive perspective in the future.
Also new are the introduction of a security identifier and the role of public authorities as consumer protectors. At the same time, fines will rise drastically from the current 100,000 euros to as much as 20 million or four percent of annual global sales.
5) AI will be involved in security strategies to a greater extent:
Preventive measures for cyber protection make the use of artificial intelligence mandatory. AI solutions need to take on the task of identifying threats and classifying forms of attack, for example by learning to understand malware and cyber-attacks. This enables more targeted defense and prevention measures.
It is also important to let AI algorithms automatically perform tasks that have previously been carried out manually.
6) Demand for the IEC 62443 standard in OT is increasing significantly:
IT and OT are still largely siloed from one another. The degree of connectivity of industrial plants continues to rise very rapidly, and with it the risks in OT-related information security. For this reason, much attention will be given to the IEC 62443 standard in 2020.
This background makes it important for the rifts between IT and OT not to become deeper. An additional task in 2020 will be to achieve a mutual understanding of the situation, of possible threats and of effective measures in each particular context.
7) Growing constraints on security by design:
It is important to take security aspects into account right from the early planning stage of software solutions and apps. However, this requires a change of mentality in software development by incorporating defined protection goals and reorientation towards application-related threat models.
Concrete security requirements must be explicitly identified in the requirements process. Testing methods will also change as a result, as will the selection of testing tools under security aspects.
8) Usable security is also shifting into focus:
Security problems are often caused by uncertainty in dealing with IT and telecommunications equipment as well as processes on account of insufficient usability. In the smartphone space, useful approaches already exist with regard to usable security, but there are still significant deficits in other areas.
As a result, this range of issues is set to become significantly more important in 2020. In combination, the basic features of ISO 27001 and ISO 9241 can provide a useful foundation for this.
TÜV TRUST IT TÜV AUSTRIA GMBH
TÜV AUSTRIA-Platz 1
A-2345 Brunn am Gebirge
Tel.: +43 (0) 5 0454 - 1000
Fax: +43 (0) 5 0454 - 76245