News

Zero-Defect-Security – review of a collection of articles

IT services obviously have to meet security requirements: sensitive data needs to be kept confidential, systems and data must not be tampered with and everything should be kept available. This sounds straightforward in principle, but the reality is more complex. The continuation of business strongly depends on good security. Criminals and fraudsters are focusing on IT. A lack of security endangers human lives by threatening those same IT services which support our society, such as our health care and road networks, among others. IT security governs safety in manufacturing and power plants. User organizations need secure IT services for meeting legal and industry requirements. They need information about IT security to convince auditors, customers and business partners. IT service providers must honor their security promises and fulfill the contracts they have signed. A combined lack of security policies, improper implementation and violations can bring serious harm to society as a whole.

In many areas, the risks due to faulty IT security is increasing exponentially. This is simply the result of IT services becoming the basis for a rise of applications in society. Our IT security management capabilities have not kept up with IT industry developments or their uses. This situation calls for the introduction of new, best practices within IT security: The IT industry must be able to ensure quality of IT services and of IT security. The focus here is quality which needs to reflect more than simply control and correction. Quality does not come from requirements and motivation alone. What we need are methods and tools that help to ensure that IT security is a genuine result of what people do. Relating to IT production, we call this concept Zero-Defect-Security. Quality means making everything right or providing the best results with minimal total costs.

Several of our experts have produced articles that address Zero-Defect-Security which were recently published in the July issue of ‘Datenschutz und Datensicherheit (DuD)’. These articles analyze trends and identify developments for possible solutions. ‘Necessity’, really is ‘the mother of all invention’ and with this the following matters were studied in detail: Digitization is paving the way for the arrival of new IT architectures (like the Internet-of-Things). The division of labor is increasing in the IT industry (supply chains are now more complex). Artificial intelligence is changing the game. Security and safety are merging, security is determining safety and vice versa. Simultaneously, corporations and authorities are becoming more dependent on qualified personnel (competencies instead of know-how). Idea and concept of this collection of articles have been developed by the author of this article.

Below are the brief synopsizes of those aforementioned articles:

Michael Mayr, Global Service Manager at Hitachi Vantara and Member of Board of Directors at Zero Outage Industry Standard, wrote about “Competencies: People Decide on Success” and provided a “model for often underestimated factors which affect the operational and IT security”. Competencies are underestimated. The Zero Outage Competency Model describes functional, methodological and interpersonal competencies. They are the basis for quality in IT and better IT security.

Angelika Steinacker, CTO Identity & Access Management at IBM Security Europe, wrote about “Architectures: Security in the Internet-of-Things (IoT)”. She emphasized that “secure IoT requires a new way of thinking”. IoT systems are more and more part of daily life. The article details requirements for IoT systems and summarizes approaches for secure IoT systems.

Eberhard von Faber, Chief Security Advisor, IT Services at T-Systems and Workstream Lead Security at Zero Outage Industry Standard, wrote about “Methods: ‘Secured by Definition’ and the Implementation of Principles from Quality Management”, e.g. by seamlessly integrating IT security with the IT production processes. In all stages of the value chain, people must follow pre-defined rules to produce reliable, high-quality results. This requires an arsenal of measures. The article brings together IT security and experience from quality management practices.

“Criticality: How Security Becomes Responsible for Safety” is the topic of Ivo Keller and Friedrich Holl from Security Management (master’s degree course) at Brandenburg Applied University. They show that threat modelling is essential, and defects can cause large disasters.

Frank Damm, Senior Manager, Cyber Security, and Hans-Peter Fischer, Partner, Cyber Security, both working at KPMG AG Wirtschaftsprüfungsgesellschaft, wrote about “Supply chain: How Cyber Security Depends on Adequate Cooperation”. Zero-Defect-Security can only be achieved through a very good cooperation in the IT supply chain. They emphasis that the chain is actually a very complex network with rapidly changing links. Many corporations are involved making Zero-Defect-Security a real challenge.

Eberhard von Faber, Chief Security Advisor, IT Services at T-Systems, and Arndt Kohler, Head of Internet of Things Security at IBM Europe are both also working in the Workstream Security at Zero Outage Industry Standard. They wrote about “The Gap: Information Security in Systems with Artificial Intelligence”. The subtitle is “How algorithms and artificial intelligence start endangering IT security”. They analyze foundations of IT security and problems coming up due to the use of machine learning and artificial intelligence.

Discover more at: https://www.springerprofessional.de/datenschutz-und-datensicherheit-dud-7-2019/16803194 or follow us on LinkedIn. The original articles (43 pages in total) are published in German.