
With the spread of telework and cloud services, many companies are likely feeling uneasy about traditional security measures. Zero Trust is gaining attention as an information security concept that supports the new normal, but some may be hesitant to decide whether to implement it in their own company.
Therefore, this article will explain Zero Trust. We will also explain the methods for achieving it and the points to keep in mind when implementing it, so please use it as a reference for reviewing your security measures.
Table of Contents
- What is Zero Trust?
- The Mechanism of Zero Trust Security
- Differences from Traditional Models
- Background to the Growing Interest in Zero Trust
- 5 Methods to Achieve Zero Trust
- User Authentication
- Endpoint Security
- Network Security
- Cloud Security
- Security Monitoring
- Points to Consider When Implementing Zero Trust Security
- Summary
1. What is Zero Trust?
Zero Trust means “do not trust,” and is a security concept premised on not trusting any communication or access by default. It was proposed in the United States in 2010, so it is not a new idea, but it is attracting attention as an approach that fits today’s diversified environment.
1-1. The Mechanism of Zero Trust Security
Zero Trust security is an approach that treats every access as suspect, not only access from outside the company but also access from within the internal network. Therefore, in addition to access from outside the company, Zero Trust security also verifies the traffic (the data flowing on the network) inside the internal network.
Because nothing is trusted by default, internal verification is never less strict than external verification. Measures covering networks, devices, authentication, and workflows are applied to all access and all traffic.
1-2. Differences from Traditional Models
Traditional models, called boundary-based models or perimeter security, assume that there is a boundary separating the internal network from the outside and place their defenses at that boundary. Because the inside is presumed to be safe, only threats from the outside are handled, at the boundary. The weakness of the boundary type is therefore that it cannot cope with threats that have already crossed the boundary, for example by exploiting a security vulnerability.
Zero Trust, by contrast, has no concept of a boundary. By abandoning the premise that the inside is safe, it can deal with threats that the boundary type cannot defend against.
1-3. Background to the Growing Interest in Zero Trust
The background to the recent interest in Zero Trust is the spread of telework and the cloud.
In the past, VPNs (virtual private networks) were mainly used to connect to the internal network from outside. However, VPNs are not designed for a large number of people to connect at once, so if an unexpected volume of access is concentrated on them, communication speed may drop and hinder work.
As telework became more widespread, it became necessary to break away from VPNs and access internal data and information assets such as servers directly from outside the office. Therefore, the concept of Zero Trust, which does not rely on the idea of a boundary, became necessary.
2. Five Methods to Achieve Zero Trust
In order to suspect all access, multi-layered measures are required. Therefore, in order to realize Zero Trust, it is necessary to combine methods according to the purpose and the company’s system environment.
Here are five methods that are particularly important for achieving Zero Trust.
2-1. User Authentication
User authentication determines, when a user accesses data or a server, whether the operation is being performed by a user who is authorized to access it. The best-known method uses an ID and password.
When performing user authentication based on Zero Trust, the authentication must be verified for each access. In addition, to improve security, multi-factor authentication on top of ID and password is increasingly required. However, the more strictly authentication is performed, the more the burden on users grows, in terms of reduced communication speed and ID management. One of the challenges of Zero Trust is how to keep the burden on users low while making authentication internally more rigorous.
IDaaS (Identity as a Service) is one way to balance the complexity of authentication with a reduced operational burden. IDaaS automatically issues tickets called assertions and exchanges authentication internally, so that users are spared the trouble of logging in repeatedly.
2-2. Endpoint Security
An endpoint refers to a terminal that accesses data and servers. Endpoint security detects and blocks threats that enter the endpoint. Typical examples of endpoint security include anti-virus and anti-malware software.
With the spread of remote work and cloud services, the endpoint environment has also diversified. Therefore, endpoint security is implemented by combining multiple security measures. For example, measures must be taken for each type of endpoint, such as PCs, smartphones, and tablets, and each device’s endpoint protection must be linked with network security.
2-3. Network Security
While endpoint security shuts out threats that enter the terminal, network security keeps watch over traffic on the network. In the case of Zero Trust, all traffic must be monitored, even inside the internal network, in the same way as communication over the Internet.
In addition, security can be strengthened by measures such as logging connections and restricting connections from terminals and networks with a low security level.
2-4. Cloud Security
Cloud security consists of measures against risks in the cloud environment, such as unauthorized access and cyber attacks. The need for it is growing as the use of cloud services increases. Cloud services store and access data outside the company; since there is no concept of a boundary, they fall squarely within the realm of Zero Trust.
Cloud security is put in place by the service provider and cannot be introduced by the user. When using the cloud, it is therefore necessary to select a service with a high level of security. If it is difficult to judge the level of security objectively, one approach is to use the cloud security certifications each service has obtained as a criterion. Cloud security certifications include “ISO27001/ISO27017” and “CS Mark.”
2-5. Security Monitoring
Monitoring access logs is said to be an essential method in Zero Trust. In Zero Trust, the safety of each access is confirmed based on a “trust score” obtained by monitoring and analyzing a huge volume of access logs. A trust score is a numerical evaluation, using AI, of the user’s behavior, authentication results, and similar factors.
By detecting more accurately whether an access is legitimate or fraudulent based on the trust score, security measures can be applied strictly while limiting the operational burden and the loss of efficiency. The logs that feed the trust score are enormous, so it is important to consolidate them in order to monitor and analyze them properly.
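As an added illustration (not code from the article or from EXO Security) of the per-access verification described in 2-1 and the log-derived trust score described in 2-5, the following Python sketch evaluates every request against a constructed access-log history. The simple rule-based scoring stands in for the AI-based scoring the article mentions; all user names, devices, addresses and thresholds are assumptions.

```python
from dataclasses import dataclass

# Constructed access-log history (sample data, not from the article).
# Format per line: user,device,source_ip,result
ACCESS_LOG = """\
alice,laptop-01,10.0.0.12,success
alice,laptop-01,10.0.0.12,success
alice,laptop-01,203.0.113.9,failure
alice,laptop-01,203.0.113.9,failure
alice,laptop-01,203.0.113.9,failure
bob,phone-07,10.0.0.40,success
""".splitlines()

FIELDS = ("user", "device", "source_ip", "result")


@dataclass
class Request:
    user: str
    device: str
    source_ip: str
    mfa_passed: bool


def parse_log(lines):
    """Turn the consolidated log lines into dicts keyed by FIELDS."""
    return [dict(zip(FIELDS, line.split(","))) for line in lines if line]


HISTORY = parse_log(ACCESS_LOG)


def trust_score(req, history):
    """Rule-based stand-in for the AI-derived trust score (0 = no trust, 100 = full trust)."""
    mine = [e for e in history if e["user"] == req.user]
    score = 100
    if not any(e["device"] == req.device for e in mine):
        score -= 40                      # device never seen for this user
    if not any(e["source_ip"] == req.source_ip for e in mine):
        score -= 20                      # source address never seen for this user
    failures = sum(1 for e in mine if e["result"] == "failure")
    score -= min(30, 10 * failures)      # recent authentication failures, capped
    if not req.mfa_passed:
        score -= 35                      # no second factor presented on this access
    return max(score, 0)


def decide(req, history, allow_at=70, stepup_at=40):
    """Evaluated on every access, inside or outside the internal network."""
    score = trust_score(req, history)
    if score >= allow_at:
        return "allow", score
    if score >= stepup_at:
        return "step-up", score          # require an additional factor before granting access
    return "deny", score
```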
3. Points to Consider When Implementing Zero Trust Security
A multifaceted perspective is required to implement Zero Trust. When implementing Zero Trust, keep the following points in mind.
- Manage IDs appropriately
IDs must be strictly managed even in Zero Trust. If employees are managing multiple IDs, unifying IDs is one way to prevent ID management from becoming complicated.
- Manage access rights appropriately
Grant access rights only to the minimum necessary. If an information leak is discovered, this also makes it easier to identify the user who caused it.
- Acquire access logs
Access logs are a visualization of all access. Security measures are based on access logs, so be sure to prepare a means to acquire access logs and connect it to the implementation of prompt security measures.
Summary
Although there are various methods for realizing Zero Trust, none of them is effective on its own. Measures from various aspects must be combined on the premise of “do not trust anything.”
In particular, endpoint environments are diversifying, and every terminal must be protected to a consistent level of security, which makes endpoint security one of the most difficult measures in Zero Trust. EXO Security supports the construction of highly reliable endpoint security with simple operations from 5,000 yen per month. If you are considering implementing Zero Trust, please contact EXO Security.
Please contact globalsupport@jiran.com for further assistance.