Due to the influence of the new coronavirus, it can be said that we have entered a semi-forced full-fledged remote work era. Along with this, the use of cloud services is progressing, and an environment is being established in which the necessary information can be accessed from any location. According to the Ministry of Internal Affairs and Communications ” Communication Usage Trend Survey Report 2018 (Corporate Edition) “, about 60% of all companies use cloud services, even if only partly. Compared to 2016, The number of companies that answered “Yes” increased by 18.7%.
There is a new way of thinking about security that is needed in the era of telework, including telecommuting and remote work, and the era of cloud services. That is the security concept called ” Zero Trust Network (Zero Trust) “. This time, I will explain the basics of this zero trust.
What is Zero Trust?
Zero Trust, the word means “zero (no) trust”. Conventional security measures were based on the basic idea that “internal networks are safe”, and security measures were implemented centering on border measures. be said that the internal network is always safe. Zero Trust, on the other hand, means “no trust,” meaning that security measures are implemented without trusting any factor. So why has that basic concept changed now?
The security measures that have been built and operated over a long period of time are called “perimeter security”. products such as firewalls on the boundary line, and block cyber attacks at the boundary line.
Perimeter security is a measure that can be called trust security which trusts the devices on the internal network and the users who use them.
On the other hand, it is also true that the limits have gradually become apparent. The environment surrounding business has changed dramatically, such as the development of mobile technology, progress in digital technology, changes in work styles, and changes in the ecosystem.
This is because the premise of perimeter security is that “information assets to be protected are inside the perimeter,” “users work inside the perimeter,” and “safety can be secured inside the perimeter.” because it is about to crumble.
Why do we want Zero Trust?
Where are the company’s information assets now? Perimeter security assumes that data is stored in on-premises file servers and databases. However, due to the spread of cloud services, there are many cases where not only email but also file servers and core systems are migrated to the cloud, and there are many situations where important information assets are hardly managed within boundaries.
Big changes are also coming to where employees work. With the promotion of work style reforms and faster communication lines, it has become possible for some industries to work without going to the office, and an increasing number of companies are adopting remote work. Especially in recent years, due to the influence of the new coronavirus, more companies than ever before are working remotely. Among the venture companies established in recent years, there are an increasing number of cases that do not have their own bases in the first place.
And the biggest reason why perimeter security, which was thought to be “safe only inside the perimeter”, has collapsed is the diversification of cyberattacks. The name tends to give an image of “attacks carried out in cyber (Internet) space”, but attacks from cyberspace are only the first step, and there is a good chance that they have already penetrated inside the perimeter. I have.
Furthermore, recent cyber-attacks sometimes combine attacks in real space as necessary, and sometimes they pretend to be a visitor and physically infiltrate and launch some kind of attack.
An interesting study was conducted by the British security firm Sophos in the past. A survey conducted by the company revealed that about 2/3 of the USB memory devices left behind on the train were infected with malware.
At the global security conference “Blackhat USA 2016”, almost all dropped USB memory sticks were picked up by someone, and about 45% of them found that they inserted them into their personal computers and clicked on the files. doing. A cyber attack that exploits this is “USB drop”, and it is an attack method that is repeated in reality.
Today’s cyberattacks are trying to achieve their goals using every means possible, and it is no longer possible to say “safe inside the perimeter”. That’s why we need Zero Trust, where everything is questioned and even inside the perimeter is monitored.
How zero trust works
With no information assets to protect and no employees in the office, it no longer makes sense to secure internal networks with traditional security measures. Therefore, zero trust is strongly required. By the way, Zero Trust was proposed in 2010 by Mr. Kinderberg, a researcher at Forrester Research, a US research company.
The difference between perimeter security and zero trust
| perimeter security | zero trust | |
| Assumed storage location for information assets | inside the corporate network | Anywhere, including the cloud |
| employee work style | Company physical location (office) | Telework, home, cafes, working spaces, trains, customer sites, airports, airplanes, etc. |
| Corporate network security | Assuming it can be secured | Assuming it cannot be guaranteed |
The basics of Zero Trust, as mentioned above, are to abandon the premise that “the internal network is reliable and secure” and inspect all access to the internal network and all traffic that occurs inside the internal network.
Specifically, “Is the access source terminal permitted to access?”, “Are the access source terminal security measures appropriate?”
Access to servers, access to information assets, anyway, all access is confirmed, and by examining whether they are communicating with appropriate authority, security that is not bound by conventional perimeter security is realized.
In order to support the work style required in the post-corona era, for DX, we need a new way of thinking about security in order to deal with the frequent cyber-attacks and expanding damage in recent years. security, but the concept of Zero Trust is required now. Why don’t you take this opportunity to consider and realize an IT environment based on Zero Trust?
