How do you use IT if you trust no one, i.e. if you take zero trust seriously? You have to define chains of trust. These cover your own and external personnel, suppliers, subcontractors, service providers and every ICT component.
The result is a small number of trustworthy chains of action and processes, and a core of particularly sensitive activities. Every ICT component, however, exists to process data or to establish communication relationships for transmitting data. The processes and the people involved must therefore be trustworthy "enough" wherever they have access to the plaintext information. So what is trustworthy "enough" for which data? The human resources department, for example, works with sensitive data that is subject to regulation, but which the company should also protect in its own interest, to guard against poaching of its staff.
HR's daily routine consists not only of managing and developing existing staff but also of recruiting. Applications arrive via portals or databases with a variety of access methods (LinkedIn and the like). Application profiles contain links to companies and objects created by the applicants themselves, i.e. data of unknown, untrustworthy origin. At the same time, HR staff need to be able to verify profiles on the Internet, so access to social media and occasionally to dubious domains is also legitimately required.
Data of differing trustworthiness thus evidently meet at a single workplace. A look at the company's security guidelines shows that staff are not supposed to click on anything that seems problematic. That is impossible in this example, and there are many comparable cases with an even greater gap between the trust levels: M&A, patents, IoT, OT, strategy, internal and external security, defence suppliers and so on.
It is therefore important to master at least two disciplines:
1. The exchange of data between structures of different trustworthiness
2. Where security requirements are higher, managing the supply chains of the components in use.
For secure data exchange under 1., several facets of "security" have to be verified, and the direction of transfer decides which ones. If data comes from an untrusted environment, its content must be checked for executable code (macros, scripts, embedded binaries) before it is admitted. This process is known here as data laundering; the comparable commercial term is content disarm and reconstruction (CDR). If data is to move from a trusted area into a less trusted one, several disciplines are needed at once: encrypting with company keys for confidentiality, logging for provability, signing for integrity, and evaluating the content itself to decide whether the data may be transported into that environment at all.
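The two directions described above as an added example; this is illustrative code written for this page, not the article's own tooling or any product. The inbound check scans for executable content (native executable magic numbers, shebang scripts, VBA macro containers and executable members inside OOXML/zip files); the outbound gate checks a classification label, attaches an HMAC-SHA256 integrity tag and writes every decision to an audit log. The labels, the policy set ALLOWED_OUTBOUND, the key and the sample documents are all constructed for the example, and HMAC stands in for the company signing key.

```python
"""Two-direction transfer guard between zones of different trust.

Added example for this article; it is not the article's or any product's code.
Inbound (untrusted -> trusted): reject content that carries executable code.
Outbound (trusted -> untrusted): check the classification label, sign for
integrity and log every decision for provability.
All sample documents, labels and the key below are constructed inline.
"""
import hashlib
import hmac
import io
import time
import zipfile
from typing import Dict, List, Optional

# Leading bytes of common native executable formats and scripts (real magic numbers).
EXECUTABLE_MAGIC = (
    (b"MZ", "PE/DOS executable"),
    (b"\x7fELF", "ELF executable"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit"),
    (b"\xce\xfa\xed\xfe", "Mach-O 32-bit"),
    (b"#!", "script with shebang"),
)
# Member names that must never ride along inside an office document or archive.
RISKY_MEMBER_SUFFIXES = (".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".hta")

# Constructed policy: only these labels may leave the trusted zone.
ALLOWED_OUTBOUND = {"public", "internal"}


def find_executable_content(data: bytes) -> List[str]:
    """Reasons why `data` must not be admitted into the trusted zone (empty = clean)."""
    reasons = [name for magic, name in EXECUTABLE_MAGIC if data.startswith(magic)]
    # OOXML (docx/xlsx/pptx) is a zip; VBA macros live in a vbaProject.bin member.
    if data.startswith(b"PK"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for member in zf.namelist():
                    low = member.lower()
                    if low.endswith("vbaproject.bin"):
                        reasons.append(f"VBA macro container {member}")
                    elif low.endswith(RISKY_MEMBER_SUFFIXES):
                        reasons.append(f"embedded executable {member}")
        except zipfile.BadZipFile:
            # Claims to be a zip but cannot be parsed: no benefit of the doubt.
            reasons.append("malformed zip container")
    return reasons


def admit_inbound(data: bytes, log: List[Dict]) -> bool:
    """Gate for untrusted -> trusted. Logs the decision, returns True if admitted."""
    reasons = find_executable_content(data)
    log.append({"ts": time.time(), "direction": "in",
                "sha256": hashlib.sha256(data).hexdigest(),
                "decision": "rejected" if reasons else "admitted", "reasons": reasons})
    return not reasons


def release_outbound(data: bytes, label: str, key: bytes, log: List[Dict]) -> Optional[Dict]:
    """Gate for trusted -> untrusted. Returns the release record or None if blocked.

    HMAC-SHA256 stands in for the company signing key; a production guard keeps
    the key in an HSM and uses an asymmetric signature so recipients cannot forge it.
    """
    digest = hashlib.sha256(data).hexdigest()
    entry = {"ts": time.time(), "direction": "out", "sha256": digest, "label": label}
    if label not in ALLOWED_OUTBOUND:
        entry["decision"] = "blocked"
        log.append(entry)
        return None
    tag = hmac.new(key, data, hashlib.sha256).hexdigest()
    entry.update(decision="released", tag=tag)
    log.append(entry)
    return {"sha256": digest, "tag": tag}


def verify_release(data: bytes, tag: str, key: bytes) -> bool:
    """Receiving side: check the integrity tag in constant time."""
    return hmac.compare_digest(hmac.new(key, data, hashlib.sha256).hexdigest(), tag)


def make_ooxml(with_macro: bool) -> bytes:
    """Constructed sample: a minimal zip shaped like a Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 constructed macro blob")
    return buf.getvalue()


if __name__ == "__main__":
    audit: List[Dict] = []
    key = b"constructed-demo-key"  # never hard-code a real key
    for name, blob in [("cv.txt", b"Jane Doe, 10 years in payroll\n"),
                       ("cv.docx", make_ooxml(with_macro=False)),
                       ("cv_macro.docx", make_ooxml(with_macro=True)),
                       ("tool", b"\x7fELF\x02\x01\x01" + b"\0" * 9)]:
        print(name, "admitted" if admit_inbound(blob, audit) else "rejected", audit[-1]["reasons"])
    salary = b"salary table Q3"
    print("hr-personal out:", release_outbound(salary, "hr-personal", key, audit))
    rec = release_outbound(b"press release", "public", key, audit)
    print("public out:", rec and verify_release(b"press release", rec["tag"], key))
```

The inbound side deliberately rejects rather than repairs: a real CDR product would rebuild the document without the macro, but a guard that only admits or refuses is easier to reason about and to audit. Note that the check is by content, not by file extension, because the extension is under the applicant's control.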
Under 2., one finds that the BSI's warning against the use of Kaspersky products, for example, is not a statement about the quality of the product available at the time of the warning; it reflects the fact that the update channel for patches, signature patterns and the like could be used to deliver malicious code. According to studies, well-made malicious code is often only found after more than 200 days. By then it is usually too late, and a great deal of important data has already been transmitted to the attackers. The first step is therefore to know exactly which ICT components are in use (SBOM, Software Bill of Materials), including hardware and firmware, the companies involved and their supply chains. These possibilities are being investigated in a project at the University of the Bundeswehr and, in abstract terms, make digital sovereignty manageable as part of risk management with tools that can actually be applied. To understand the term digital sovereignty in practice, look at the Pegasus papers and note that a mobile phone, even one that appears to be switched off, can be used to eavesdrop on the room it is in. The owner of the phone is not informed of this and is therefore not digitally sovereign.
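An added example of the inventory step: a supplier and origin check over a CycloneDX-style SBOM. This is illustrative code written for this page; it is not the tooling of the Bundeswehr project, which the article does not describe. The SBOM, the watchlist and the supplier names are constructed, and the fictitious "Vendor X" stands for any supplier a warning such as the BSI's says to avoid. Beyond the single case in the text it also reports components with no supplier at all and dependencies the SBOM names but never describes, since an inventory that is incomplete cannot support a sovereignty decision.

```python
"""Supplier and origin check over a CycloneDX-style SBOM.

Added example for this article, not the tooling of the project mentioned above.
It walks the dependency graph from the product down, reports components whose
supplier is on a watchlist, unknown, or not described at all, and for every
finding lists what else in the product is transitively exposed to it.
The SBOM and the watchlist are constructed; the supplier names are fictitious.
"""
import json
from collections import deque
from typing import Dict, List, Set

SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {"component": {"bom-ref": "app", "name": "hr-portal", "version": "3.2.0"}},
  "components": [
    {"bom-ref": "lib-a", "name": "resume-parser", "version": "1.4.1",
     "supplier": {"name": "ACME Tools GmbH"}},
    {"bom-ref": "lib-b", "name": "av-engine", "version": "21.3",
     "supplier": {"name": "Vendor X"}},
    {"bom-ref": "lib-c", "name": "pdf-render", "version": "0.9"},
    {"bom-ref": "fw-1", "name": "nic-firmware", "version": "2.1",
     "supplier": {"name": "Board Maker Ltd"}}
  ],
  "dependencies": [
    {"ref": "app",   "dependsOn": ["lib-a", "lib-b", "fw-1"]},
    {"ref": "lib-a", "dependsOn": ["lib-c"]},
    {"ref": "lib-b", "dependsOn": ["lib-c"]},
    {"ref": "lib-c", "dependsOn": ["lib-d"]}
  ]
}"""

# Constructed policy input: suppliers that a warning (e.g. from a national CERT) says to avoid.
SUPPLIER_WATCHLIST = {"vendor x"}


def load_sbom(text: str):
    """Return (root ref, components by ref, dependency edges by ref)."""
    bom = json.loads(text)
    root = bom["metadata"]["component"]
    comps = {c["bom-ref"]: c for c in bom.get("components", [])}
    comps[root["bom-ref"]] = root
    deps = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    return root["bom-ref"], comps, deps


def dependents(deps: Dict[str, List[str]], ref: str) -> Set[str]:
    """Everything that transitively depends on `ref` (what you would have to re-examine)."""
    reverse: Dict[str, Set[str]] = {}
    for parent, children in deps.items():
        for child in children:
            reverse.setdefault(child, set()).add(parent)
    out: Set[str] = set()
    queue = deque([ref])
    while queue:
        cur = queue.popleft()
        for parent in reverse.get(cur, ()):
            if parent not in out:
                out.add(parent)
                queue.append(parent)
    return out


def assess(text: str, watchlist: Set[str]) -> Dict[str, Dict]:
    """Breadth-first walk from the product; one finding per problematic ref."""
    root, comps, deps = load_sbom(text)
    findings: Dict[str, Dict] = {}
    seen: Set[str] = set()
    queue = deque([(root, [root])])
    while queue:
        ref, path = queue.popleft()
        if ref in seen:
            continue
        seen.add(ref)
        comp = comps.get(ref)
        if comp is None:
            # The SBOM names a dependency it never describes: the inventory is incomplete.
            findings[ref] = {"issue": "undescribed-component", "path": path}
        elif ref != root:
            supplier = (comp.get("supplier") or {}).get("name")
            if supplier is None:
                findings[ref] = {"issue": "unknown-supplier", "path": path}
            elif supplier.lower() in watchlist:
                findings[ref] = {"issue": "watchlisted-supplier", "supplier": supplier, "path": path}
        for child in deps.get(ref, []):
            queue.append((child, path + [child]))
    for ref, finding in findings.items():
        finding["exposes"] = sorted(dependents(deps, ref))
    return findings


if __name__ == "__main__":
    for ref, f in assess(SBOM_JSON, SUPPLIER_WATCHLIST).items():
        print(ref, f["issue"], "via", " -> ".join(f["path"]), "| exposes:", f["exposes"])
```

The "exposes" list is the practical output: it tells you which parts of the product inherit the supplier risk and would have to be re-evaluated or replaced if the watchlisted component is removed, which is the risk-management view the article asks for rather than a plain list of package names.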