
In An Increasingly Virtualised World, How Can It Be Secured In The Context Of 5G?

by Qinthara Fasya | October 31, 2022

Government platforms are employed in Singapore to link everything for its citizens. This includes essential infrastructure like smart meters that communicate energy use, and possibly also communicate whether families are using solar panels to feed electricity into the grid, which is a relatively new phenomenon, so networks must be able to handle that. Energy grids used to function in a fashion where everyone consumed energy, with the exception of certain central power generation. However, this is completely changing now that power generation is decentralized, and in order to keep the network balanced and secure, you need this type of infrastructure. And this is something that Utimaco also sees as a global use case.

GovWare Conference and Exhibition, Asia Pacific’s premier cybersecurity event, returned in person on 18-20 October 2022 at Sands Expo and Convention Centre, Singapore, where Utimaco shared some major insights on the priorities of the latest cybersecurity issues and trends, tech and policy developments, strategies and best practices. CIO World Asia spoke with Nils Gerhardt, CTO of Utimaco, to find out more about hardware security modules, solutions for key management, data protection and identity management, and data intelligence solutions for regulated critical infrastructures discussed during his panel discussion.

Cybersecurity is at the forefront of many companies’ priorities today

A lot of what we do today is based on data and that data is available in the company itself whereas traditionally, we used to have it on-site. But now that we add the cloud to it, it’s kind of moving around, and this is why companies need to think more and more about security as they have the possibility to block everything that’s going into your company. Companies had some technologies to air-gap their production, but this is not possible anymore. If you want to use modern technology and the data in the right way, you have to open up to the cloud.

The first thing is to understand what data you own and what protection is needed around that data. The classification phase is important because if you don’t understand how long you need to protect your data, you can’t find the right measure to do that. The other thing is as IT teams have so many things floating around like keys, key material, certificates and so on, similar to password managers as well. Everyone would come across a password manager before, just like how our phones inform us when we’re using the same password across different sites. And it’s similar to what you do on a key and the certificate side. You need to understand the expiration dates when you need to renew things – getting this out of control would be one of the big priorities going forward.

What is crucial for data security as data interacts between traditional banks and Fintechs + digital-only banks

It depends a little bit on the nature of the setup, so if you look at banks, there are a lot of regulations, compliance and security that you have on-premise traditionally. That is a field that is working relatively well and relatively secure.

In fintech, however, you face the challenge of wanting to build a greater user experience. At the same time, you also want to get the security right, and you must be careful to focus not only on features and things that you know people can use but also on security at the same time. Looking back at some of the hacks, such as the Nomad Hack for example, we see that the feature was initially meant in a good way where some functionality has been built into the software to make it easier to use. Suddenly, it turns out that an attacker was able to exploit it and these are basically some of the things we need to address to some extent using services.

For instance, if you have a service that takes care of all the transaction security, you can sign up for that. It’s already certified and it comes free of charge – by this of course we mean that it is something that you don’t have to build on your own, but you’d still have to pay for the service accordingly. Providing secure and highly available host connections to two of the top HSM manufacturers in the world (Utimaco Atalla AT1000 and Thales payShield 10K), MYHSM is the only multi-vendor, fully managed Payment HSM service provider.

The MYHSM service offers a distinctive and universally accessible service offering to the whole payment ecosystem and is cross-cloud compatible with all significant payment apps. To secure processes like PIN protection and validation, transaction processing, issuing mobile and payment cards, and key management, connect effortlessly to a group of Payment HSMs of your choosing.

How can a virtualized environment be secured with the availability of 5G?

In general, we currently depend on virtualization in many cases to provide specialized services – whether in the cloud or 5G. If you have the devices that connect and the communication properties they expect and require from the network, then for instance they are the IoT devices. They come in the billions where they have low data rates and don’t necessarily need the massive broadband bent type of data. However, if we talk about cars, it’s a different story totally. They also need to transmit the big data and have higher data rates, including critical infrastructure, for instance, or emergency services that might want to enjoy priority on the network.

So how does one go about doing that? Hardware that has been individually installed cannot genuinely fall apart. Since this is not practicable, virtualization is used. Naturally, the risk increases, particularly if someone, for example, poses as an emergency service or an IoT device and then essentially receives specific communication. This is the key area where virtualization in general and 5G security, in particular, needs this kind of root of trust.

The confluence of IT-OT-IoT is required for Singapore’s SMART city aspiration. Is end-to-end protection feasible in this convergence?

It is definitely feasible, but is it necessarily feasible in all setups and legacy devices that could get connected? Probably not. This is something that, going forward is a must. If you look at these kinds of setups you might go down to the sensor, a very small device with very little computing power to do much authentication. And then you walk all the way over to the machine to the gateway, to the cloud and you know the possibilities that you must protect your data, become bigger and bigger. There are solutions individually for each step but putting those together is challenging.

Costs will undoubtedly be included during the planning process, right? How much are you investing in these legacy machines? If they can’t offer the necessary level of security, you’ll need a system in front to ensure that machine is somehow secured, given that it was likely not created with security in mind when it was originally built, perhaps ten years ago. You require this because the attack surface would be very large without it. It’s really about identifying what you need – and then putting these technologies together to work seamlessly hand in hand.

If you think about a smart city and all the different digitalization cases that you may see there, you might have fast communication using 5G, and then you have critical infrastructure that gets connected. You also have the IT & OT convergence of factories being connected to the cloud and removing the air gapping. There’s one thing that all these digitalization cases have in common:

And that is that they need the root of trust, and the root of trust is really something that is at the base. Like with a building for example, it has to be solid and secure, and that’s something Utimaco provides, a hardware root of trust for all your key materials. And then of course it also has applications around that to support companies in building the digital services required.