We build zero trust networks to provide security that solves these problems.
The zero trust approach is predicated on the principle that nothing is trusted by default: every network element and every flow of traffic is verified and monitored. For information systems, and even control systems, the perimeter defense security measures used in the past, which were based on trust, are reaching their limits. If these systems are hit by cyber-attacks, they must have effective mechanisms for minimizing the impact of the attacks and rapidly returning to their normal states. For these reasons, from the perspective of cyber resilience, we believe that zero trust networks are the optimal solution.
* Cyber resilience is described in detail in the first article.
In order to deal with today’s increasingly sophisticated and diverse attacks, we not only adopt a zero trust approach, but have also defined the security management policies of “risk-based security management,” which prioritizes the handling of risks with high incidence frequencies (likelihoods) and impacts (losses), and “customer zero,” in which we are our own first customers and provide customers with solutions they can trust, based on our knowledge and first-hand experience. We use these three policies to create internal zero trust networks.
The usage environment surrounding internal network infrastructure is changing. In the past, solid security barriers were erected to completely separate internal and external networks. The software development systems used by employees and the information assets used in development were managed within internal networks, whose safety was assured. However, we now engage in innovation activities with partners and external consultants, and increasingly collaborate with customers. The use of telework has become commonplace in order to combat the spread of COVID-19. It is now vital that people have environments that allow them to access internal networks from home, while on the move, and at other locations. The future will see even greater use of cloud services and Bring Your Own Device (BYOD) approaches.
Because of this, security measures are applied uniformly to all access, through internet security gateways and authentication services. This makes it possible to use various networks and cloud services safely, without distinguishing between internal and external access.
Our zero trust networks are built on three concepts: “a fundamental design that does not trust any networks but is focused on access control and monitoring,” “making it possible to safely connect to networks any time, from anywhere, by any means,” and “user IDs and devices, location monitoring and management, and application control.”
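The three concepts above describe a policy decision that is made per request from the user's identity, device state, location and target application, with the originating network deliberately left out of the trust calculation. The following is an added illustrative example, not code from the original article or from the network described in it: a minimal policy decision point in Python that evaluates such requests, logs every decision for monitoring, and reports users accumulating denials. The policy values (allowed countries, application list, sensitivity levels) and the request fields are constructed assumptions for the demonstration.

```python
"""
Added example (not the article's own code): a minimal zero trust policy
decision point. Each access request is judged on verified identity (MFA),
device management/compliance state, location and the target application.
The network a request arrives from is recorded but never used as a reason
to trust it, so an office LAN request is treated like one from a cafe.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up"   # session must complete additional authentication first


@dataclass
class AccessRequest:
    user_id: str
    mfa_verified: bool
    device_id: str
    device_managed: bool      # enrolled in device management (BYOD may be unmanaged)
    device_compliant: bool    # patched, disk encrypted, endpoint agent running
    source_network: str       # informational only: "corp-lan", "home", "cafe-wifi", ...
    country: str
    application: str


@dataclass
class Policy:
    allowed_countries: Set[str]
    app_sensitivity: Dict[str, str]   # application allowlist -> "high" | "normal"


@dataclass
class AuditEvent:
    user_id: str
    device_id: str
    source_network: str
    application: str
    decision: Decision
    reasons: List[str] = field(default_factory=list)


class PolicyEngine:
    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self.audit_log: List[AuditEvent] = []

    def evaluate(self, req: AccessRequest) -> Decision:
        """Evaluate one request. Deny reasons win over step-up reasons."""
        deny: List[str] = []
        step_up: List[str] = []

        # Application control: anything not on the allowlist is refused outright.
        sensitivity = self.policy.app_sensitivity.get(req.application)
        if sensitivity is None:
            deny.append("application not on allowlist")

        # Location control.
        if req.country not in self.policy.allowed_countries:
            deny.append(f"location {req.country} not permitted")

        # Device control: high-sensitivity apps need a managed, compliant device.
        if sensitivity == "high":
            if not req.device_managed:
                deny.append("unmanaged device may not reach high-sensitivity app")
            elif not req.device_compliant:
                deny.append("managed device is out of compliance")

        # Identity control: every session must be MFA-verified, regardless of network.
        if not req.mfa_verified:
            step_up.append("MFA not verified for this session")

        if deny:
            decision = Decision.DENY
        elif step_up:
            decision = Decision.STEP_UP
        else:
            decision = Decision.ALLOW

        # Monitoring: every decision is recorded, allows included.
        self.audit_log.append(AuditEvent(req.user_id, req.device_id, req.source_network,
                                         req.application, decision, deny + step_up))
        return decision

    def denied_users(self, min_denies: int) -> List[str]:
        """Users with at least `min_denies` denials in the log, for follow-up."""
        counts: Dict[str, int] = {}
        for ev in self.audit_log:
            if ev.decision is Decision.DENY:
                counts[ev.user_id] = counts.get(ev.user_id, 0) + 1
        return sorted(u for u, n in counts.items() if n >= min_denies)


def build_demo_engine() -> PolicyEngine:
    """Constructed demo policy; values are assumptions, not the article's."""
    return PolicyEngine(Policy(
        allowed_countries={"JP", "US"},
        app_sensitivity={"source-repo": "high", "ci-server": "high", "wiki": "normal"},
    ))


def run_demo() -> List[Decision]:
    """Constructed requests covering the cases the concepts above call out."""
    engine = build_demo_engine()
    requests = [
        AccessRequest("alice", True, "lt-01", True, True, "corp-lan", "JP", "source-repo"),
        AccessRequest("alice", False, "lt-01", True, True, "corp-lan", "JP", "source-repo"),
        AccessRequest("alice", True, "lt-01", True, True, "home", "JP", "source-repo"),
        AccessRequest("bob", True, "byod-phone", False, False, "cafe-wifi", "JP", "wiki"),
        AccessRequest("bob", True, "byod-phone", False, False, "cafe-wifi", "JP", "source-repo"),
        AccessRequest("mallory", True, "lt-02", True, True, "home", "XX", "wiki"),
        AccessRequest("mallory", True, "lt-02", True, True, "home", "JP", "unknown-app"),
    ]
    return [engine.evaluate(r) for r in requests]
```

In `run_demo`, the second request shows the core point: a session on the office LAN without MFA is sent to step-up authentication exactly as a remote one would be, while the third shows that a compliant managed device at home is allowed. The unmanaged BYOD device can reach the normal-sensitivity wiki but not the source repository, and `denied_users` turns the audit log into a simple monitoring signal.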
We first deployed a zero trust network in our internal development environment for developing social infrastructure and mission-critical systems (new development network). This network is now in the test operation phase (Fig. 2).