Zero Trust is a security strategy that assumes no user or device can be trusted until clear authentication is achieved. It is based on the principle of "Never Trust, Always Verify." It assumes that network security is always vulnerable to both internal and external threats.
![[News Terms] Trust No One! 'Zero Trust'](https://cphoto.asiae.co.kr/listimglink/1/2024080812543579531_1723089275.jpg)
The government has initiated improvements to the current public network separation system, which will change in 2018. The public network separation system is a security policy that separates the external internet network from the internal work network. Major administrative agencies have been using separate PCs for work and internet access. As remote work increased due to the COVID-19 pandemic, controversies arose over the effectiveness of this system, prompting the government to make adjustments. The improvement plan for the public network separation system is scheduled to be announced in early September.
The security model strongly considered is the 'Zero Trust' approach. Zero Trust is a concept first introduced in 2010 by John Kindervag of Forrester Research. The term was first used in the report titled "No More Chewy Centers: Introducing The Zero Trust Model of Information Security." He emphasized the need to adopt the Zero Trust model as a new security model, stating that "well-organized cybercriminals have developed new attack methods that can easily bypass current security."
Most companies protect their information assets by adopting a 'perimeter security model.' The firewall system is a representative example. It blocks intrusions from outside through a 'solid wall.' The perimeter security model draws boundaries inside and outside the corporate network, distinguishing safe zones from unsafe zones, and grants absolute trust credentials and high privileges to insiders.
![[News Terms] Trust No One! 'Zero Trust'](https://cphoto.asiae.co.kr/listimglink/1/2024080812560379533_1723089363.jpg)
This security model requires no additional authentication once identity is verified. A single authentication grants access to critical corporate data. The problem arises when external intruders steal the identity information of internal employees and receive absolute trust credentials. This increases the risk of important corporate data leaking outside. John Kindervag stated, "The vulnerability in security lies in trust."
In contrast, the Zero Trust model does not distinguish between internal and external corporate networks. This model repeatedly verifies and authenticates identity from data access to viewing. Even if an external intruder successfully accesses the internal network by stealing an insider’s ID and password, they are continuously required to authenticate through additional methods such as one-time passwords (OTP) or fingerprint verification. Even after completing authentication, only minimal privileges are granted. Although this is a more robust security model, it has drawbacks. The repetitive authentication increases fatigue, and the model reduces data accessibility and flexibility, which are challenges that Zero Trust must address.
Leading countries are implementing the Zero Trust model at the national level. In May 2021, U.S. President Joe Biden formalized the adoption of Zero Trust in the federal government through the "Executive Order on Improving the Nation’s Cybersecurity." In July of the same year, the United Kingdom announced the "Zero Trust Architecture Design Principles 1.0." Japan announced its "Zero Trust Architecture Application Policy" in June 2022.
© The Asia Business Daily(www.asiae.co.kr). All rights reserved.
