Main menu


The basics of "zero trust" that I can't hear anymore


The basics of "zero trust" that I can't hear anymore

The basics of "zero trust" that I can't hear anymore

1. What is the "zero trust" that you often hear in recent years?

In recent years, the term "zero trust" has come to be heard frequently in the security world. Currently, security vendors all claim their products as "zero trust compatible", and media articles almost always put the keyword "zero trust" in the foreground when taking up security topics.

On the other hand, even with the spread of the word zero trust, many people still do not understand its exact meaning. Some may take it diagonally, "I wonder if it's a new buzzword set up by the IT industry anyway." However, zero trusts are by no means a transient buzzword, but a concept that gives very valuable suggestions when considering the ideal state of ICT in the coming "With Corona" and "New Normal" eras.

If you take the word zero trust literally, it means "no trust", that is, "do not trust anything". "Trust" here means "whether or not to unconditionally trust a user's access to the system."

The conventional information security model completely separates the internal network from the Internet that extends outside, and places security products such as firewalls and proxies on the boundary to create cyber attacks from the outside and information from the inside. It was based on the idea of ​​shutting out leaks. Such a security model is called "boundary defense" and has long been the basic idea of ​​information security.

In this perimeter defense, the corporate network protected from external threats should be basically secure, so access to the servers and PCs located there is also basically considered "reliable" and necessary. I've been happy with only the minimum measures.

2. Why is a zero trust needed now?

However, there are more and more cases where the conventional method of borderline defense does not work. Behind this is the rapid proliferation of cloud services and mobile devices.

Cloud services are now not limited to consumer services, but business cloud services such as Microsoft 365,, and Google Workspace have become widespread and are now used by many companies as a matter of course. This poses a major challenge to corporate systems and their security measures.

As I mentioned earlier, traditional business applications were located in a corporate network protected by perimeter defenses from threats on the Internet, so only the minimum required security measures were sufficient. However, when this becomes a cloud service, important information assets are placed on the Internet and directly exposed to external threats, which greatly increases the security risk.

In addition, smartphones and tablet terminals have become widespread, and their use in the business scene has become quite commonplace. Nowadays, when using business applications, not only PC terminals located in the internal network but also smartphones and tablet terminals from the external environment There are more and more occasions to access applications using. In some cases, you will be accessing cloud services directly from an external environment via the Internet, and this makes the perimeter defenses you have relied on completely meaningless.

Of course, even when accessing cloud services from outside the company, a certain level of security can be guaranteed by making sure to connect to the company network once with a VPN and then go out to the Internet again via perimeter defense. In fact, many companies adopt such a network configuration, but if the number of accesses to the internal network from outside the company increases rapidly, the performance of the VPN device will be insufficient, and the access speed will decrease or the connection will become unstable. Will occur.

In fact, many companies that have rushed to deploy telework to deal with the Korona-ka faced this challenge. When most of the employees moved to the telecommuting system at once and accessed the internal network from home via VPN, the processing load of the VPN device reached the limit in a blink of an eye, and the speed and stability of the network. There were a number of cases in which the number dropped significantly. In addition, as the use of VPNs has increased rapidly all over the world, cyber attacks that exploited the vulnerabilities have occurred frequently, leading to a situation in which a lot of damage actually occurs.

Once you pass the VPN connection authentication, you gain access to a wide range of resources on your corporate network. Therefore, if a cyber criminal impersonates a legitimate user and breaks into the corporate network via a VPN, it can cause great damage. Even if you are a legitimate user, you will be able to access business systems that you should not be able to use unless you have appropriate access rights, which may lead to internal crimes. Therefore, it has become necessary to manage not only external cloud services but also access rights to internal systems in a new way.

3. What do you need to achieve a zero trust?

As a result, the idea of ​​borderline defense, which divides the network into "inside and outside," is gradually becoming less effective. Instead, what is needed is a measure that can protect the company's information assets from the threat of cyber attacks and internal crimes in an "open and flat network" that is neither inside nor outside. The zero trust introduced at the beginning is considered to be effective in thinking about this.

Since there is no mechanism such as borderline defense between the company's information assets placed in the cloud service and the Internet, and it is directly exposed to access from the Internet, these accesses are taken into consideration. I can't trust it. Rather, it is necessary to not trust all access at all (zero trust), perform strict authentication to verify the validity of each access, and finely control access. As for the authentication method, sufficient security cannot be ensured only by the conventional user ID / password authentication. Therefore, a multi-factor authentication mechanism using biometric authentication, device authentication, one-time password, etc. is required.

In this way, it is necessary to strengthen authentication and access to applications, and at the same time, strengthen security measures for client terminals. Since client terminals are directly connected to the open Internet environment, the risk of being directly exposed to the threat of cyber attacks is significantly higher than in environments protected by perimeter defense. Therefore, not only conventional anti-virus measures but also strong endpoint security measures using the latest technology are required.

Also, in a telework environment, employees will be scattered in physically separated places such as homes, so IT governance will be less effective than before the introduction of telework. Therefore, it will be necessary to take measures to prevent or prevent unauthorized information from being taken out from the terminal, and to take measures against "shadow IT" that uses unauthorized IT services without permission.

4. Summary

As we have seen above, the concept of zero trust itself is extremely simple, but when it comes to implementing it concretely, in all areas of information security such as authentication, access control, encryption, endpoint security, and log management. New efforts are needed. However, even if you try to introduce them all at once, it will take a lot of time and cost, and it will be difficult to set up an operation system. Therefore, it is recommended that you first visualize the current state of your company's security measures and the risks you are facing, prioritize them, and then take steps to achieve zero trust.