Interesting and worrisome views of the European public digital infrastructure

Digital sovereignty is currently the order of the day. It seems European leaders suddenly opened their eyes and realized they were living in a fairy tale.

Many practitioners and organizations have been warning about this need for years (decades?). They were ignored.

Nevertheless, this is not the topic of this post, even though it could help us visualize the extent of our dependency.

Recently I became aware of a few very interesting projects that map the providers and security settings of the digital infrastructure of many public institutions.

The project publishes maps of the email providers used by public institutions in each country, and many other maps can be found in the original project readme file.

The overall picture is not good (pretty bleak, actually) for something that should already be a “commodity.” Of the countries I was able to take a look at, Portugal is not one of the worst; it is still far from the one in the best shape (France), but not the worst. However, in this land, some people just don’t learn.

Another project, announced here, focuses on a different area: not on the providers, but on the configuration and security best practices of that infrastructure. Essentially, it monitors and evaluates the security settings of many websites and platforms of European governments. The results can be found at:

https://securitybaseline.eu

Even though I disagree with some criteria for evaluating the risk of a few settings, looking at Madeira and Portugal, the picture isn’t pretty either: insecure ciphers on HTTPS, FTP servers without encryption, no DKIM signatures for email, and so on.
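To make the kind of findings listed above concrete, here is a small baseline checker written for this post. It is an added example, not code from securitybaseline.eu, and the thresholds it applies (which cipher-suite names count as weak, a 2048-bit minimum for DKIM RSA keys, DMARC `p=none` treated as a finding, FTP without `AUTH TLS` treated as clear text) are this example's own assumptions, not the project's criteria. The sample observation at the bottom is constructed for a fictional host; the `live_observation` helper shows what the standard library can collect over the network, with DNS TXT lookups left to a resolver library.

```python
"""Baseline checks in the spirit of securitybaseline.eu (added example, not the project's code)."""
from __future__ import annotations

import base64
import ftplib
import socket
import ssl

# Markers in OpenSSL cipher-suite names treated here as insecure: broken or weak
# primitives and anonymous key exchange. This list is an assumption of the example.
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")


def cipher_findings(suite: str) -> list[str]:
    """Return the problems with one cipher suite (empty list when acceptable)."""
    name = suite.upper()
    findings = [f"weak primitive: {m}" for m in WEAK_MARKERS if m in name]
    # TLS 1.3 suites always use ephemeral key exchange; for TLS 1.2 require (EC)DHE.
    tls13 = name.startswith(("TLS_AES_", "TLS_CHACHA20_"))
    if not tls13 and not name.startswith(("ECDHE-", "DHE-")):
        findings.append("no forward secrecy")
    return findings


def parse_tags(record: str) -> dict[str, str]:
    """Parse a DKIM (RFC 6376) or DMARC (RFC 7489) TXT record: ';'-separated tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dkim_findings(record: str | None) -> list[str]:
    """Check the DKIM key record published for one selector (None = no record found)."""
    if record is None:
        return ["no DKIM key record for the selector"]
    tags = parse_tags(record)
    if tags.get("v", "DKIM1") != "DKIM1":  # v= is optional and defaults to DKIM1
        return ["unexpected DKIM version"]
    pub = tags.get("p", "")
    if not pub:
        return ["empty public key: the selector is revoked, so mail cannot be verified"]
    if tags.get("k", "rsa").lower() == "rsa":
        # p= is a base64 DER SubjectPublicKeyInfo: 162 bytes for RSA-1024, 294 for RSA-2048.
        # The 250-byte cut-off is this example's assumption for "shorter than 2048 bits".
        der = base64.b64decode(pub + "=" * (-len(pub) % 4))
        if len(der) < 250:
            return ["RSA key shorter than 2048 bits"]
    return []


def dmarc_findings(record: str | None) -> list[str]:
    """Check the _dmarc TXT record (None = no record found)."""
    if record is None:
        return ["no DMARC record"]
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return ["malformed DMARC record (v=DMARC1 and p= are required)"]
    if tags["p"].lower() == "none":
        return ["DMARC policy is none: spoofed mail is reported but not rejected"]
    return []


def ftp_findings(features: list[str]) -> list[str]:
    """Check an FTP server's FEAT list (RFC 2389) for explicit TLS (RFC 4217)."""
    if not any(f.strip().upper().startswith("AUTH") and "TLS" in f.upper() for f in features):
        return ["no AUTH TLS: logins and file transfers travel in clear text"]
    return []


def evaluate(obs: dict) -> dict[str, list[str]]:
    """Run every check over one observation and group the findings by area."""
    return {
        "tls": [f"{s}: {f}" for s in obs["ciphers"] for f in cipher_findings(s)],
        "dkim": dkim_findings(obs.get("dkim_txt")),
        "dmarc": dmarc_findings(obs.get("dmarc_txt")),
        "ftp": ftp_findings(obs.get("ftp_features", [])),
    }


def live_observation(host: str) -> dict:
    """Collect what the standard library alone can observe (needs network access).
    The TLS part only sees the suite this client negotiates; listing every suite the
    server accepts needs a scanner that offers them one by one (sslscan, testssl.sh).
    DNS TXT lookups need a resolver library such as dnspython
    (dns.resolver.resolve(name, "TXT")), so DKIM/DMARC are left as None here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, 443), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            negotiated = tls.cipher()[0]
    try:
        ftp = ftplib.FTP(host, timeout=10)
        features = ftp.sendcmd("FEAT").splitlines()[1:-1]  # drop "211-Features" / "211 End"
        ftp.quit()
    except (OSError, ftplib.Error):
        features = []
    return {"host": host, "ciphers": [negotiated], "dkim_txt": None,
            "dmarc_txt": None, "ftp_features": features}


# Constructed observation for a fictional host; not data from securitybaseline.eu.
SAMPLE_OBSERVATION = {
    "host": "example.gov.invalid",
    "ciphers": ["TLS_AES_256_GCM_SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
                "AES128-SHA", "DES-CBC3-SHA"],
    "dkim_txt": "v=DKIM1; k=rsa; p=",                         # revoked selector
    "dmarc_txt": "v=DMARC1; p=none; rua=mailto:dmarc@example.gov.invalid",
    "ftp_features": ["UTF8", "PASV", "SIZE"],                 # no AUTH TLS advertised
}

if __name__ == "__main__":
    for area, findings in evaluate(SAMPLE_OBSERVATION).items():
        print(area, findings or "ok")
```

Two caveats a practitioner will run into: a DKIM check is only as good as the selector list you query (selectors are not enumerable from DNS, so they come from observed mail headers or a wordlist), and a single negotiated TLS suite says nothing about the weak suites a server would still accept from an older client.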

There is a lot of room for improvement on basic and essential things. It reinforces the idea that security is not a first-class citizen, and I’m always skeptical when I hear/read that some institution was the target of a “sophisticated” cyber attack.

Nevertheless, visualizing things helps us know where to focus and track progress. That’s why I found these projects interesting and worth sharing. With this in mind, here are a few other things I would like to see tracked:

  • The technologies and providers behind those platforms
  • Where and how the code is managed
  • Where and how the data are hosted
  • The official file and data formats used by these public institutions