
I don’t want you to misunderstand Zero Trust – the correct definition explained by its proponent – ZDNET Japan


“Zero Trust” is a recent cybersecurity trend. John Kindervag, a well-known advocate, warns that it is “misunderstood.” He explained the original definition of zero trust.

John Kindervag, who advocated “zero trust” security. He currently serves as Illumio’s chief evangelist.

Zero Trust was proposed by Kindervag in 2010 at Forrester Research, where he worked at the time. The concept is “never trust, always verify,” and he describes the original definition of zero trust as “a strategy for protecting assets (data, information, etc.) that should be protected from being compromised by threats.” Almost 15 years have passed since it was proposed, and “it has now been recognized as an important ‘strategy’ at the government level in various countries, including being promoted by a presidential order in the United States.”

In the current cybersecurity market, various products and services that claim to be Zero Trust have appeared, and there are many messages such as “If you implement Zero Trust security, you will be safe.” Other opinions include “ID security = zero trust” and “zero trust is complicated.”

Kindervag says, “Certainly there are products needed to embody Zero Trust, but Zero Trust itself is a strategy, not a product.” The above-mentioned statements about Zero Trust seem to contain some misunderstandings, although they are not completely wrong.

He came to advocate Zero Trust in response to the emergence of “targeted cyberattacks” as a new threat, and to concerns about the effectiveness of traditional “perimeter defense” security measures. Perimeter defense is the idea of placing controls such as firewalls at the boundary (gateway) between the environment outside the organization, such as the Internet, and the IT environment inside the organization, so that the inside of the organization is kept safe. Around 2010, the increasing sophistication of cyberattack techniques led to an increase in incidents in which attackers penetrated perimeter defenses and got inside organizations, compromising systems and data.

For this reason, he established the strategy called “Zero Trust”: clearly define the assets that an organization must protect, such as systems and data; minimize the locations where those assets reside (data centers, endpoints, cloud); establish policies that set out the legitimate reasons for accessing and using the assets; and constantly monitor, verify, and confirm access to the assets based on those policies.

In other words, the idea of “always monitoring, verifying, and confirming” is “zero trust,” and the security standard is based on the “identity” of the person or device attempting to access the protected assets. However, there is also the threat of cyber attackers and criminals impersonating legitimate users and devices, so zero trust requires constant monitoring, verification, and confirmation of identity and access to assets.

Actions and signs that do not comply with the policies, or are suspected of not complying, are always monitored with the possibility of threats or risks in mind, and are verified and confirmed as truly legitimate where necessary (control). To this end, the area in which the protected assets are located must be minimized so that it can be controlled efficiently and appropriately. If access is deemed safe, access to and use of the assets is “permitted,” but a one-time permission is not allowed to remain in effect: monitoring, verification, confirmation, and control are carried out continuously, always assuming threats and risks.

Kindervag showed that “zero trust is the only cybersecurity strategy that will stop intrusions and breaches.”

About 10 years after he proposed the Zero Trust strategy, it has finally become recognized by organizations around the world. It took so long because it is not easy for organizations to change the perimeter defense measures they have continued to build up since computer viruses and worms became widespread in the 1990s.

Still, he points to the 2013 cyberattack on retail giant Target, where air-conditioning systems were the entry point, and the 2015 massive personal data breach at the federal Office of Personnel Management. He states that the need for zero trust has gradually become recognized as attackers have repeatedly carried out breaches over a long period of time.

As mentioned above, governments around the world are now positioning zero trust as an important strategy in their cybersecurity policies. “Zero Trust is rapidly spreading. Zero Trust will guide security in the future, and in areas like cyber insurance, having Zero Trust security measures in place will become an important requirement.” (Mr. Kindervag)

Kindervag currently serves as chief evangelist at Illumio, a micro-segmentation security solution company. He joined the company because it provides a concrete mechanism for protecting assets within the minimum area, as Zero Trust requires.

Andrew Rubin, Co-Founder and CEO of Illumio

Andrew Rubin, co-founder and CEO of Illumio, who attended the briefing with Kindervag, said that he spent 10 years trying to persuade Kindervag to join the company.

Mr. Rubin came to Japan in December 2023 to announce the collaboration with Macnica, and said, “Until a year ago, we had barely been able to demonstrate our presence in the Japanese market. Currently, we have more than 10 people working in Japan, and our partnership has expanded to the point where we are now being hired by many Japanese organizations that want to protect their important assets.” On this occasion he is visiting major countries in the Asia-Pacific region, including Japan, and said, “In other countries, we stay for one day, but in Japan we stay for a week. I want you to know that we are doing it.”
