Do You Know About Zero Trust?
'Trust No One'
This phrase might sound like a line from a movie, but it frequently appears in discussions about current IT security issues. It embodies the fundamental principle of not trusting, and instead verifying, even users who have already accessed the intranet. This new approach to cyber security, predicated on the premise of 'trusting nothing and no one,' is referred to as 'Zero Trust.' It is a concept introduced over a decade ago by cyber security expert John Kindervag. He highlighted that the seemingly trustworthy word 'trust' itself could be the most vulnerable in IT security issues. So, what should we not trust? The junior colleague I have coffee with every morning? The senior from another department I trusted like a brother? The Zero Trust concept assumes that nothing and no one is safe, be it a multitude of systems, commonly used intranets, or networks. Even if someone has access privileges, it demands mandatory authentication and identity verification, while minimizing the range of access to drastically reduce risks.
In the post-COVID-19 world, transformed drastically into a non-face-to-face paradigm, our lives have changed significantly. We had to wear masks and maintain distance from others. Moreover, the pandemic underscored the importance of not only epidemiological measures against the coronavirus but also network security, with the rise of video conferencing, remote work, and online education. As technology evolves rapidly, so does the threat posed by hackers and hacking groups, especially in this era of digital transformation. The emergence of various devices beyond smartphones and tablets has pushed the limits of our security systems. Organizations that need to access specific resources from any device, anywhere, especially with the proliferation of cloud computing, the Internet of Things, and artificial intelligence, require a flawless security system. Zero Trust, as designed by John Kindervag, is a cyber security model effectively addressing these needs. Its architecture mandates identity verification as a fundamental aspect. It focuses on ensuring safety by verifying accessible devices before granting access privileges and maintaining minimal access range even after permissions are granted.
The Necessity of Zero Trust and Considerations
Zero Trust is unanimously touted as the premier model in current cyber security issues. Irrespective of location, it mutually authenticates all users, devices, and applications while granting minimal permissions, thus minimizing security risks. All requests for data access are dynamically authenticated, and resources are accessed with minimal permissions, enhancing the protection of data. Zero Trust policies can be applied based on the infrastructure environment, from the nature of the data to who the accessing user is. The revolutionary idea of Zero Trust places its value on integrity. In large organizations with numerous users, it may require a complex architecture. Is Zero Trust not applicable to small startups or enterprises? On the contrary, the larger the organization, the greater the risk. Furthermore, in the era of digital transformation, the areas that big tech companies need to focus on are substantial. Implementing Zero Trust necessitates manpower and system costs, and productivity and efficiency should also be carefully evaluated. Typically, organizations collaborate with security providers specializing in Zero Trust. This collaboration is effective regardless of the organization's scale, allowing dynamic control of access, enhancing IT security, and even reducing costs. While the expense of setting up such a solution might seem daunting, when considering the costs of recovering a compromised system, it represents a reasonable investment.
Technologies for Zero Trust
Companies both domestic and international that are building Zero Trust solutions often mention various security technology cases. These include passwordless control models and biometric recognition systems, which aim to simplify the user experience while pursuing perfect security. Cyber tech company SSenStone, for instance, has proposed a technology called OTAC as a solution for Zero Trust. OTAC stands for One-Time Authentication Code, a unidirectional random unique identification authentication technology. It generates a one-time authentication method in a non-communication environment, where each real-time generated code is unique and does not overlap with others. A code that can be used only once, does not duplicate, and is time-limited, inherently blocks hacker access. Even if an account (ID/PW) is stolen or accessed with stolen information, authentication with such a code is impossible. Thus, it rigorously adheres to the Zero Trust principle of 'trusting no one,' while verifying and identifying authenticated users. Particularly, code generation is possible even in systems that completely block networks or do not allow Wi-Fi, causing no inconvenience to the user. It’s a technology that simultaneously supports user and device identification and authentication.
Some companies use an ID and password, along with OTP (One-Time Password), for intranet access. Although it seems cumbersome, using the OTP installed on smartphones is mandatory for intranet access through PCs. Even for simple tasks like checking emails, these security procedures must be followed. While accessing emails on common platforms like Naver or Daum, one can easily check spam, but sometimes an OTP is required. It may be just for an unseen spam email, but it maintains strict security. While the security model may show limitations, Zero Trust, abstract as it may be, is a stark reality in our current situation. It’s essential to reduce uncertainties to zero, covering the security of potentially vulnerable devices, intelligent threats that can bypass existing security systems, authorization security regarding where and what to connect and access, and access security controlling minimal permissions.
I once visited an IT company. Before entry, they checked the serial number on my laptop and placed a sticker over the camera lens on my smartphone after a preliminary verification, reminiscent of airport security. Once past this checkpoint, my activities were not particularly restricted. Within the principles of Zero Trust, frequent verification and monitoring of my actions are necessary. SSenStone’s security technology OTAC authenticates device connections through one-time authentication codes and verifies their proper functioning. It’s a lightweight spec and can be applied without environmental restrictions. Technology continues to evolve even at this moment, and our surrounding environment changes accordingly. From the devices in our hands to the systems in the many spaces where we operate, all are undergoing transformation. No matter how advanced artificial intelligence technology becomes, there's always a human element involved. Although these changes enhance our quality of life, any gaps can become threats. In this sense, Zero Trust seems to be a task we must attend to for the sake of maintaining the right value of technology in our lives.