The new security challenges, between cyberwar and cloud

Cyberwar, but also the transition of the Public Administration to the cloud and the need for a "zero trust" model: the opinions of the major Italian representatives of cybersecurity compared on the hot topics of 2022.

Published on 30 March 2022 by Elena Vaciago

The Russian-Ukrainian conflict is having significant repercussions on cybersecurity, as shown by the numerous episodes that have filled the news over the last month, including hacking, ransomware, DDoS attacks and phishing campaigns linked to the theme of war. The topic was also discussed on March 9 and 10, during the tenth edition of the Cybersecurity Summit organized by The Innovation Group in Milan. The alert level is high, because of a protracted situation in which cyber attacks continue to grow and because of the risk of spillover, that is, of general contamination starting from the actions of the cyber armies of Russia and Ukraine. In this scenario, several parties stress the need to rethink the foundations of the cybersecurity paradigm so that it can respond to the challenges of today and tomorrow.

According to Ivano Gabrielli, director of the Postal Police and Communications service, the moment is very critical and there is evidence of intense attacks, which actually began even before the conflict. "Beyond what we read about lines of acronyms already known, there is an undeclared situation that produces substantial damage and that is requiring a very careful response from those involved in security," said Gabrielli. "It is no coincidence that there are daily awareness bulletins published by the main intelligence agencies. It will then be necessary to carry out an in-depth analysis to better understand a scenario that was only theorized in the past and which we now see under the test of facts. A scenario characterized by the fact that it has little public limelight and that it focuses more on substance than on proclamations."

Ivano Gabrielli, director of the Postal Police and Communications service

"We live in times of war, and cyber domination is extremely topical," said Giorgio Mulè, undersecretary with responsibility for security at the Ministry of Defense. "There is a parallel war, which is being fought not at the borders but within countries, with attacks that travel in all directions, with groups that are on the side of the Russians, the Ukrainians or who define themselves as neutral. They are attacks as serious as the physical ones, which feed on fake news and which have harmful effects comparable to those of normal tools."

The scenario of the Public Administration

The need for greater security of the data and services of the Italian Public Administration, however, predates the events of the ongoing cyberwarfare. The National Recovery and Resilience Plan provides for the creation of an innovative infrastructure to enable and accelerate the migration to the cloud of the services and data of central and local Public Administration, the so-called National Strategic Pole (PSN). The PSN therefore aims to support administrations in a transformative process, qualifying as an operator capable of offering the highest security standards for the processing of critical and strategic data and services for the country.

"Digital transformation in public administration is one of the main objectives of the NRP," explained Mulè. "The first mission of the plan aims to accompany administrations in this transition towards cloud solutions, as defined in the Cloud Italy strategy. Today we have three major challenges ahead of us. The first is to ensure technological autonomy, a resilient and technological sovereignty that must act as a perimeter to what constitutes the state, that is, territory, people and sovereignty. The second aspect is the guarantee on data control, the third is the increase in the resilience of digital services. In line with these objectives, the PNRR makes 623 million euros available for cybersecurity in the Public Administration, and is aimed at 75% of PAs that must migrate to cloud environments, within which everyone's data can be safely stored."

Giorgio Mulè, undersecretary with responsibility for security of the Ministry of Defense

Cybersecurity is a common good that belongs to everyone; it is universal, so it must be the state that guarantees its integrity, while private parties can help build the value of this strategic asset, which will then also be available for their daily use. What we are learning in these days of conflict is also that we need to pay more attention to suppliers, especially foreign ones, something that has not been done enough in the past. "We need value partners," continued the undersecretary, "who have the same values in which we recognize ourselves. The trust that must be created with these private suppliers cannot ignore an overlapping of values that represent the constituency of the companies themselves."

Unfortunately, cyber attacks cannot be eliminated entirely, so we must have the courage to recognize where there is a delay and take action. There are no impenetrable networks: our task is therefore to make life difficult for those who attack us. "One word is paradigmatic with respect to everything: competence," said Mulè, "an aspect on which we have a guilty delay. Therefore, the funds must be used to build this expertise which is still lacking."

"The funds of the PNRR risk being a drop in the sea of what is needed in the Public Administration," underlined Giovanni Ciminari, head of cyber defense of Sogei, "but in reality they could help to start programs of great value: the first calls to use these funds and like Sogei we see a strong interest in the PA."

Giovanni Ciminari, Sogei's head of cyber defense

The risk, however, is that we move in no particular order, without creating the synergies needed to obtain greater effectiveness. Although the threats and the complexity of cybersecurity are similar in the public and private sectors, the PA has its own peculiarities from the point of view of risk, because public bodies manage a great deal of citizens' data: personal, tax and health data. This is very critical information, which should be protected with particularly high security standards. Furthermore, PAs have the task of making the best use of public resources, and therefore face constraints in purchasing procedures that the private world does not know. These restrictions mean very long lead times for investments in cybersecurity, which becomes a problem when cyber defense measures require quick reactions.

The 2022 agenda of the cybersecurity manager

What will be the priorities of chief security officers this year? From the discussions at the Cybersecurity Summit 2022, the importance of "creating a system" emerged, in order to raise a resilience that today can no longer be limited to a single organization but must necessarily be common. "Cybersecurity cannot be an end in itself, of the individual organization," said Simone Pezzoli, group CISO of Autostrade per l'Italia. "There is no single entity that can solve all problems. Instead, there is an ecosystem of interactions and partnerships, with vendors and third-party companies, with other Italian CISOs, with public bodies, which helps to set up virtuous mechanisms for the exchange of information that are increasingly timely, essential for a correct posture of security especially at times like this characterized by a very critical geopolitical situation."

Simone Pezzoli, group CISO of Autostrade per l'Italia

For companies, the real differentiating factor is therefore becoming the ability to obtain the correct information very quickly. Corradino Corradi, head of ICT security & fraud management at Vodafone, reiterated: "Today we need system initiatives to raise common resilience: with the Postal Police we actively collaborate to combat and prevent computer crimes that affect networks and information systems."

Corradino Corradi, head of ICT security & fraud management at Vodafone

The second imperative today (for cybersecurity managers but also for all of us) is to raise the culture of security in Italy. "Today it is essential to bridge a very strong digital divide in our country," said Petra Chistè, Volksbank's head of IT security & data protection. "We are not worrying enough to point out, even in the education of our children, what the risks of cyber security are. We as a bank have launched the Capture the flag initiative, a competition open to children between 12 and 20 years of age, aimed at spreading knowledge on the subject of digital identities."

Petra Chistè, Volksbank IT security & data protection manager

The debate on cloud security remains relevant; indeed, it is more topical than ever. "The paradigm has changed today, multi-cloud has entered the life of all companies," said Nicla Diomede, CISO of the University of Milan. "Services must be much more dynamic and security must necessarily be able to keep up. The main challenge today is therefore to govern the complexity and fluidity of environments: various solutions help to identify problems related to bad configurations or problems at the host or network level, and to verify compliance with best practices and standards. However, in the face of complexity, it is also necessary to succeed in simplifying the life of those who work in security."

Nicla Diomede, CISO of the University of Milan

A design effort is therefore needed to bring the management of cloud and on-premise environments together, from a single control room. Simplification is obtained through an upfront design effort: redefining architectures, standardizing and automating.

"Zero trust" architectures

A model that is beginning to gather consensus in the cybersecurity field is the one called "zero trust", in which greater controls are applied and trust is no longer granted by default. But where do you start? "The model starts from the principle that individual assets must be defended, as it is no longer possible to raise an external defensive wall," explained Daniele Catteddu, chief technology officer of Cloud Security Alliance. "It also refers to the fact that no user or component can be trusted anymore." It is also fundamental, in this approach, to use a model of contextualization and continuous risk analysis, which must be fed with continuous monitoring, with information from different sources and with an assessment of the context (place, device, moment in which the user asks to log in). In the logic of "trust but verify", typical of zero trust, you need to be able to define who can do something, and what exactly they can do in a given moment and context.

Daniele Catteddu, chief technology officer of Cloud Security Alliance

A fundamental element of zero trust is risk management, which culturally does not belong to us much, but which we should learn. "Zero trust aims to reduce the attack surface through a very strong segmentation model," continued Catteddu, "to reduce problems such as escalation of privileges and lateral movements. It is essential to adopt an approach of this type also for compliance: in fact, the model refers to rules and scope limitations."

"Switching to Zero Trust is a complex challenge," added Marcello Fausti, cybersecurity manager at Italiaonline. "You understand this from the fact that you hear a lot about it but then you see few realizations. It should be emphasized, however, that zero trust is not reached with the purchase of a technology, it is one of the cases in which a lot of work is needed on the part of the CISO and it is not enough to contact an external supplier. We are also experiencing a period of transition, all companies are migrating to the cloud, hybrid models are often adopted and this complicates the situation a lot."

Marcello Fausti, cybersecurity manager of Italiaonline

The fact that digital identity has become the new IT "perimeter" of companies has consequences. First of all, a zero trust approach cannot be adopted without an internal infrastructure that can adequately manage the transition to this model. Other fundamental elements are the Directory Service and the Identity and Access Management system, which governs the life cycle of identities and, above all, user roles and access permissions. In addition, a Privileged Access Management solution is necessary, because privileged users in particular have become a coveted target for attackers. "Setting out on a path of this type is equivalent to carrying out large digital hygiene projects," underlined Fausti, "complex projects that affect the whole company across the board, starting from HR up to the lines of the business. Security can guide but without the collaboration of all you cannot proceed. They are also projects that take time, because for each step it is necessary to test the effects on the basis of the users, otherwise the risks of inefficiencies are just around the corner."