Self-driving cars can no longer be viewed as a single system. These are cars with complex computer systems that independently make countless connections with the driver, with other vehicles, with the immediate environment and with various communication systems and networks. We want to be sure that these connected systems are reliable. As a result, IT security architects must work in a more fine-grained manner, because the interconnected networks are becoming too complex to oversee as a whole.
By decentralising the design of an IT architecture and thus dividing the design into a number of clear sub-divisions (each with its own responsibilities), an overview can be created. This provides certainty regarding the security of each sub-part, the connections which are relevant to this sub-part and how they can be protected. In this way, an organisation can get a better grip on possible attacks because they can already monitor them within a smaller sub-part. All of this is done on the basis of the Zero Trust philosophy. The foundation for Zero Trust is ‘never trust, always verify’. Whereas certain connections were always open to certain users in the past, a Zero Trust design has no prior assumptions on the degree of reliability regarding those who want access – regardless of whether this concerns organisations, users, hosts or datasets.
In the TNO Implied Trust Zones methodology, an IT architecture goes from a centralised process (with one architect at the helm) to a decentralised process with several responsible parties. The relationships and connections are clearly visualised and the system is set up through a series of separate Implied Trust Zones. As an example from the automotive industry, take a car that communicates with surrounding cars, traffic lights, road information, weather information and traffic information in order to drive safely and autonomously in as optimal a manner as possible (or: to support the driver). While this is very complex as a whole, the individual parts can remain clear with the right methodology.
Due to the decentralised design, individual components can now also be tested and validated separately. In other words, a smart traffic light can be deemed secure without the need to test all other connected systems (cars, other infrastructure) as well.
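The decomposition described above, as a toy model added here (not TNO's own tooling or the methodology's formal notation): zones that each have a responsible owner, only explicitly designed-in connections that are verified on every request, the list an owner needs in order to validate one zone on its own, and a check of which zones stay reachable if a single zone is compromised. All zone names, owners and credential types are constructed for the illustration.

```python
# Added illustration (not TNO's tooling): an architecture split into zones,
# each with a responsible owner and only explicitly designed-in links.
from collections import deque
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Connection:
    src: str            # zone that initiates the link
    dst: str            # zone that receives it
    purpose: str        # one purpose per link keeps the relationship explicit
    required_auth: str  # credential the receiving zone verifies every time

@dataclass
class Architecture:
    owners: dict                                 # zone -> responsible party
    links: set = field(default_factory=set)      # designed-in connections only

    def allow(self, src, dst, purpose, required_auth):
        for z in (src, dst):  # no link without an accountable owner on both ends
            if z not in self.owners:
                raise ValueError(f"zone {z!r} has no responsible owner")
        self.links.add(Connection(src, dst, purpose, required_auth))

    def verify(self, src, dst, purpose, presented_auth):
        """Never trust, always verify: a request passes only if this exact link
        was designed in and the caller presents the credential it requires."""
        return Connection(src, dst, purpose, presented_auth) in self.links

    def incoming(self, zone):
        """What a zone owner must validate to sign off that zone on its own."""
        return sorted((c for c in self.links if c.dst == zone),
                      key=lambda c: (c.src, c.purpose))

    def blast_radius(self, compromised):
        """Zones reachable from a compromised zone over allowed links only."""
        seen, queue = {compromised}, deque([compromised])
        while queue:
            z = queue.popleft()
            for c in self.links:
                if c.src == z and c.dst not in seen:
                    seen.add(c.dst)
                    queue.append(c.dst)
        return seen - {compromised}

def build_demo():
    """Constructed automotive case: car, traffic light, weather feed, backend."""
    a = Architecture({"car": "OEM", "traffic_light": "road_operator",
                      "weather": "met_office", "fleet_backend": "OEM"})
    a.allow("traffic_light", "car", "signal_phase", "signed_v2x_message")
    a.allow("weather", "car", "forecast", "mtls_client_cert")
    a.allow("car", "fleet_backend", "telemetry", "device_cert")
    return a
```

`incoming("car")` is exactly the set of links the car's owner has to check to validate the car zone without re-testing the traffic light or the weather service themselves, and `blast_radius` shows how far an incident in one zone can propagate over designed-in links alone.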
The method is currently being tested in the automotive industry within the SECREDAS project, and a healthcare case is being developed.
More secure and resilient: This methodology offers major advantages because the architecture becomes clear, processes remain transparent and responsibilities are straightforward. An architecture with a decentralised design conducts analyses more easily and acts faster and more effectively in the event of possible attacks. The Implied Trust Zones methodology ensures that the impact of an incident is kept to a minimum.
Better designs lead to a safer and more flexible environment: The method helps to identify and correct ‘errors’ and shortcomings in IT designs from the outset, and helps to better plan urgent measures to be taken, including where they best fit into the architecture.
The Implied Trust Zones methodology is applicable in many areas of cybersecurity:
But the methodology also quickly helps to provide answers to questions such as:
TNO has the unique expertise needed to advise you on customised solutions.
Please contact Mark Buningh