Gaps and Challenges: Key Takeaways

Authors:

Marco Anisetti, Università degli studi di Milano

Claudio Ardagna, Università degli studi di Milano

Marco Cremonini, Università degli studi di Milano

Ernesto Damiani, Università degli studi di Milano

Jadran Sessa, Università degli studi di Milano

---

The following list briefly highlights the most important findings, i.e. key takeaways, that emerged from the H2020 CONCORDIA gap analysis.

• Extended attack surface. Despite the advent of the innovative security platform, technologies, and organizational and regulatory initiatives, the attack surface continued expanding. The emergence of new technologies, including 5G, IoT, and smart working has put security departments under constant pressure to prevent or mitigate the related threats.
• COVID-19 as an amplifier of threats and attacks. The increasing number of scams, spam, ransomware, and disinformation during the pandemic highlighted the importance of performing security prevention and operations effectively. Promising solutions include automation of current processes investigation regarding the application of AI algorithms, as well as training and education.
• Security management. Even with the availability of proper security tools and protocols, fully documented standards and procedures, and skilled security experts, organizations are still struggling when it comes to the management of security processes. The reason is lying in the impacts on other processes, system operations, and legacy systems. Possible solutions include deployment of context automation and AI/ML for enhancing the correctness and reducing complexities, as well as the adoption of novel ways for addressing hardening/patching of processes for reducing operation impacts.
• Interoperable Data Protection. It is necessary to design and implement new data approaches for addressing the peculiarities related to varying components of hybrid systems, ranging from loud/edge nodes to smart devices, and thus extend data protection to hybrid and complex distributed systems. On top of that, a rising number of regulations and policies for modeling conflicting requirements have to be addressed.
• Data (Un)Trustworthiness. The ever-increasing migration from code to data in application areas has made the role of data essential. Simultaneously, the increasing development of autonomic and adaptive systems represent strong requirements on the quality of data, whereas data trustworthiness embodies a critical challenge for increasing the precision of modern system behavior.
• ML/AI Verification. Nowadays, traditional software systems based on deterministic algorithms are increasingly being replaced by ML-based systems which utilize data for finding solutions to individual problems. However, such systems are often perceived as black boxes since automated decisions based on inference are often unpredictable. Hence, to ensure certified ML-based behavior trustworthy system and services, it is essential to verify the non-functional properties of ML models, including fairness and privacy.
• Complexity. In the case when applications are managed by complex orchestration platforms, security management represents a challenge, owing to the fact that it requires authentication, authorization, and securing network communication. In addition, supply-chain security is another important aspect because vulnerabilities can surface from one of the constituting system parts (hardware, library, etc.).
• Long-standing issues. There are still several persisting issues in omnipresent microservice-based architectures. Despite the recent advances of programming languages and tools for supporting programmers, security and safety by default are yet to be accomplished. Issues such as exploitable memory bugs and poor security and coding practices are still present.
• Management of Human Errors. The persistent lack of reliable users’ behavior still jeopardizes the ability to understand, predict, and diminish human errors.
• Limited Knowledge. The persistent lack of high-quality data and information regarding the current security threats affects the quality of analysis and decreases knowledge sharing.
• Professionals Shortage. There are many uncertainties about the expertise of security personnel, including the definition of specific curricula and education programs.
• Skills and education. Handling complex applications and advanced threats requires skilled professionals and solutions based on security processes. Moreover, evading potential attacks and yielding full benefits from the new technologies during the peak usage of digital technologies calls for educating all of the users.
• User Negligence and Misconfiguration. To diminish cybersecurity risks, remote workers should be educated on security topics including phishing, password guidance, device hardening, working with confidential materials, and securing physical computing assets, with a special focus on cloud services configuration and control management.
• Logistic Challenges Resulting From the Service Overload. Ever-increasing usage of cloud and streaming services brought difficulties for maintaining the availability of network services and obsolete hardware. To mitigate this problem and prevent possible security vulnerabilities, cloud service providers have to improve the infrastructure and prevent large chunks of cloud server traffic by systematically checking, absorbing, and scattering DDoS attacks.
• Lack of standards. To ensure compatibility between independent systems, cloud environment services have to adopt universal standards on interoperability and cloud transparency in SLAs. Concurrently, to avoid potential fines, end-users should investigate which cloud service providers meet the required industry standards.
• Cloud Transition Requirements. Data storage and security requirements should be met to perform the secure data transition. To enable successful empowerment of security, integrity, stability, and data runtime appropriate control planes should be deployed. Finally, since cloud services’ security depends on the user interfaces and APIs, they have to be designed with security as a default.
• Careful adoption of new technologies. Even though new technologies introduce a range of positive effects on system security, their incorrect adoption can cause an even larger number of side effects. To safeguard the system from the potential negative implications in terms of integration and interoperability, solutions that incorporate new technologies should not be rushed. Moreover, only competent and skilled personnel should be in charge of deploying such technologies. Unfortunately, the unexpected advent of COVID-19 and the necessity for fast reaction hindered the provision of required training and education for operating with the new devices, thus exposing systems to severe security threats.
• Reinforce diagnosis and remote management. The majority of the IoT-related problems trace back to the lack of secure and fully functional remote management procedures that enable configuration checking and IoT devices’ behavior assurance without having to physically operate them. Such procedures can introduce secure boot functionalities, thus removing the need for weak authentication and authorization procedures.