Data room


  • Writer: Administration
  • Date: 2024-04-24
  • Views: 3

The buzzword in the cyber security industry these days is Zero Trust. As traditional perimeter security has reached its limits, Zero Trust has emerged as the next security paradigm. Major governments are preemptively implementing Zero-Trust security schemes in their government agencies, and global enterprises are racing to capture the Zero-Trust market. It's time to get ahead of the curve.
 

Traditional perimeter security is often compared to a castle. It's an intuitive security system that builds high walls and digs a deep moat around the perimeter to keep the outside world out. It's simple and clear, easy to operate, and efficiently provides stability in traditional work environments.

But times have changed. The proliferation of mobile, the Internet of Things (IoT), and the cloud has created a remote work environment, and the COVID-19 pandemic has accelerated a contactless society, requiring changes to traditional security systems. Digital transformation (DX) has diversified the location of resources and made it harder to predict when and where access will be required. In particular, the recent rise in insider collusion and privilege theft attack methods has cracked the implicit trust policy of perimeter security. Those already inside the castle must be scrutinized as well.
 

A complementary concept to traditional perimeter security, Zero Trust is based on the core philosophy of "Never trust, Always verify." Unlike perimeter-based security, which allows users to roam anywhere on the internal network once they gain access, the key is to assume that the internal network environment is insecure, grant the least privilege necessary for ongoing access to various computing resources, and use dynamic authentication to grant that access. The three key principles for implementing Zero Trust are: strong authentication, micro-segmentation, and software-defined perimeter.
 

Major countries around the world, including the U.S., U.K., Japan, and China, are moving quickly. The U.S. is the most advanced among them. 

Zero Trust is not a new concept. It's a security methodology that was proposed in 2010 by John Kindervag, a principal analyst at Forrester Research. One of the things that drew the U.S. federal government's attention to Zero Trust was the massive data breach at the U.S. Office of Personnel Management (OPM) in 2014-2015. In September 2016, the U.S. House of Representatives Committee on Oversight and Government Reform released a report on the breach, and the second of 13 security strategies it recommended to the federal government to prevent a recurrence was the adoption of a Zero Trust architecture model at the federal level.
 

The U.S. federal government has been working on a Zero Trust security model in earnest, with the National Institute of Standards and Technology (NIST) launching the Zero Trust Architecture Project in 2019 and releasing Zero Trust Architecture (NIST SP 800-207) in 2020.

The Biden administration's May 2021 Executive Order to Improve National Cybersecurity also mandated that the federal government adopt Zero Trust best practices and directed agency heads to develop plans to adopt Zero Trust architectures within 60 days. In January 2022, the White House Office of Management and Budget (OMB) issued a memorandum to agency heads titled "Moving the U.S. Federal Government Toward Zero Trust Cybersecurity Principles," which calls for agencies to: achieve agency-specific Zero Trust security goals by the end of 2024; submit adoption plans and budget estimates for 2022-2024; and designate a lead for implementing a Zero Trust strategy to strengthen national cybersecurity.
 

The UK's National Cyber Security Center (NCSC) has been making efforts to establish Zero Trust in the country since November 2019, when it mentioned the design principles of Zero Trust architecture on its official website. Japan, which has shown interest since 2020, also included Zero Trust terminology in its revised Cybersecurity Management Guidelines Version 3.0 in March of last year.
 

The South Korean government is also accelerating its implementation of Korean (K)-Zero Trust. The Ministry of Science, ICT and Future Planning launched the Korea Zero Trust Forum in October 2022, conducted a Zero Trust demonstration project last year, and released the Zero Trust Guidelines 1.0 in July. This year, it will continue the Zero Trust demonstration project and establish Guideline 2.0. While 1.0 was aimed at improving the understanding of Zero Trust, 2.0 aims to present various use cases for reference in the field.

The NIS (National Intelligence Service) also established the Cybersecurity Public-Private Cooperative Council in July 2022 with security experts from industry, academia, and research to discuss Zero Trust. Especially with the announcement that all national and public organizations will be subject to Zero Trust from 2026, it is more important than ever for the industry to support this effort.

 

Source: Etnews, Feb. 28, 2024
