What "state of the art" means in IT security today

State-of-the-art is an expression used frequently but what does it mean? It is intended to express that current technology is being used but this implicitly excludes visionary technology. Often the term is used to as a line of defense to show compliance with standards: "I protected the system according to the state of the art, it's not my fault that something happened." So far so good, but we still have a number of questions to answer. Is a firewall based on iptables just as state of the art as a Next Generation Firewall provided by a large manufacturer? Are passwords with eight characters in length state-of-the-art? Are passwords still state-of-the-art at all? Many of these questions need to be pursued individually and will often provoke intense debate.

For some time now, two laws have been in force in Germany that require IT security to be based on the "state-of-the-art", but leave unanswered what this means in detail. Firstly, there is the EU General Data Protection Regulation (GDPR), which has placed high demands on technical and organizational measures since May 2018. Secondly, there is the IT Security Act  (ITSiG) which has been in force in Germany for some time, since July 25, 2015. Both the GDPR and ITSiG, demand state-of-the-art and recently the industry association TeleTrust has been trying to support users, integration specialists and manufacturers with this question. Expert groups at TeleTrust have developed a publication on the state-of-the-art with regard to technical and organizational measures. It is available in German and English ; the English version was published in cooperation with the European Network and Information Security Agency (ENISA).

What does the state-of-the-art in IT security document cover? First and foremost, it provides advice. The guidance is not binding, but at least provides a basis for discussion and a standard that many experts consider to be correct. Even though state-of-the-art is hard to pin down – the authors offer the definition as "the best performance of a subject available on the market to achieve an object" – the document contains useful advice for contractual agreements, tender procedures and also for classifying implemented security measures. Although, it does not replace advice and assessment for individual cases, the document is still recommended reading for users or integration specialists. It deals with a significantly broad range of security measures and describes the criteria necessary for a measure to classified as "sufficient".

The 70-page PDF document describes the most important security measures, ranging from server hardening and password strength to encryption, VPN, cloud storage, remote access as well as web and browser security. Even purely organizational topics such as scope, risk management and secure software development are briefly mentioned. The brief overview is mostly helpful for users in determining whether their supplier or integration specialist complies with the most important organizational requirements of standards and procedures, for example by ensuring the necessary roles are defined and assigned.

As most topics are covered on a single page, this document is not a detailed textbook. It does not, for example, explain what a web application firewall (WAF) is, but lists a consensus what needs to be done to achieve state-of-the-art in IT security at the moment. Key phrase: "At the moment". It remains to be seen how TeleTrust will approach the constant changes and innovations in technology. Nevertheless, thanks to the support of ENISA and its European scope, the document provides a basis for discussion and defines a minimum framework for users and integration specialists.