with azbil
A to ZLearn with A to Z and everything will be clear! Keywords
- NEW
Zero Trust
A security approach that always verifies and monitors legitimacy of access and operations involving information systems and work data. Unlike the conventional approach of protecting the boundary between the trusted internal portion and untrusted external portion, this approach assumes that all access and operations are untrusted and develops a variety of security countermeasures based on that assumption.
© Hiroyuki Hayashi
Why the state of security has changed
In recent years, news stories related to computer viruses and cyber-attacks have become more and more frequent. The methods used are growing in complexity, and there are many cases in which a user receives an email pretending to be business communication and logs in from a link in that email, leading to damage before they are even aware of it. It’s amid this situation that the approach to corporate information security was reconsidered.
Conventionally, many companies have adopted a boundary line defense, in which safety is ensured by differentiating between external (internet) and internal (internal systems) and protecting the barrier between those two. Mechanisms that prevent unauthorized external access by establishing a boundary with firewalls*1 and VPN*2 connections would fall under this, for example. In principle, while external access was strictly checked, the action of anyone who was able to get over that boundary to access internal systems was not being checked. To make an analogy using an office building, it was similar to a situation in which visitors are checked at the entrance, but then allowed to freely walk around the office, able to go anywhere.
However, the environment surrounding information security has changed dramatically, making it now difficult to operate under the assumption that those on the inside can be trusted. Behind this is a blurring of the boundary between what is external and what is internal through expanded use of remote work and cloud services. Furthermore, cases such as people posing as legitimate users by using IDs and passwords stolen in external cyber-attacks, fraud conducted by internal parties, and risks of malware*3 infection through operations that have no ill intent have made it difficult to say that conventional boundary line defense is sufficient as a security countermeasure.
This is why the new information security “Zero Trust” approach has been garnering attention. The Zero Trust approach does not naively assume external access is suspicious and internal access is safe. Rather, the legitimacy of operations like logins to information systems and viewing business data and files is constantly monitored, and access is allowed only after strict verification processes.
The idea of Zero Trust was conceived in 2010 in the US, taking shape largely in US government institutions after that. In 2022 in Japan, the Digital Agency announced that it would be using a “Zero Trust Architecture Application Policy*4” for government information systems, positioning it as an important security countermeasure not just for public institutions, but for private companies as well.
Security design for information that should be protected
Zero Trust isn’t simply a stance meant to show a lack of trust. What’s important is establishing security that is appropriate for the information assets and details of business that a company should protect based on that assumption of Zero Trust. There are dramatic differences in the information that companies and organizations handle and the importance of that information. This is why security countermeasures based on a Zero Trust approach aren’t the same for all companies. What’s needed are appropriate countermeasures that have an understanding of what needs to be protected and to what extent it needs to be protected.
For example, conventional boundary line defense allowed access to the internal system if a correct user password was entered. However, there is a possibility that the password in question had been stolen by a third party and is being misused. Zero Trust assumes this sort of risk, relying not simply on passwords but rigorously checking to see who is accessing through multi-factor authentication using biometric data, authentication applications, and other such means.
Additionally, an issue with boundary line defense was that, once someone had access to internal systems approved, they were able to freely access a variety of data and systems. Zero Trust, on the other hand, grants access permission on a per user basis, with the scope of access coextensive with what is required for each user in carrying out their tasks. In some systems that incorporate a single sign-on*5 authentication platform, user access is determined automatically without requiring authentication each time, realizing protection in which the user doesn’t even have to think about it. However, stricter checks are implemented for particularly important systems and data for which reauthentication is required. These mechanisms help minimize damage even in the event of unauthorized access or information leaks.
Safe and secure business environments are supported by individual awareness and action
The information security we need must ensure that all users and all access are authenticated, regardless of whether that access originates from internal or external networks. Zero Trust is designed to maintain an environment where each and every employee can engage in their work with peace of mind by following the company’s established rules and mechanisms. Companies are seeking to maintain a stable environment that enables smooth daily operations.
That environment isn’t going to be realized just with a security system, though, as the awareness of each and every employee is important. Many companies are engaging in awareness raising through continual security education and awareness raising activities that assume Zero Trust. Employees are warned about security risks in daily activities, like phishing emails and unauthorized website access, carelessly downloading free software, connecting to free Wi-Fi at travel destinations, the usage of shared passwords, etc. Scams in recent years have used generative AI to create fraudulent emails and websites that look exactly like the real thing, with a level of sophistication that can even deceive careful people. You may think you won’t fall for these sorts of tricks, but changes in your physical state or situation in general can lower your guard and might lead to an error in judgement. This is why it’s important to properly understand the mechanisms that are based on the established rules and systems of the company and to adopt a stance of always checking.
There are many cases in which cyber-attacks were started by first targeting individuals, and from there moved on to attempt to gain access to company systems. Not only during working hours, but also in your daily life, make it a habit to always check. This will support an environment that allows you to engage in work with peace of mind, helping to protect not just corporate information assets but also your personal safety.
- *1: Firewall
Positioned on the boundary between internal and external networks, a firewall is a security system that prevents unauthorized access and attacks from external sources. - *2: VPN
VPNs create virtual private circuits on the internet and encrypt communication details. They are a security technology that has mechanisms to allow safe access to internal systems from external sources, preventing information leaks and tampering. - *3: Malware
Malware is malicious software that has the ability to steal information or destroy systems. Computers can be infected with malware through email attachments and unauthorized websites. - *4: Zero Trust Architecture Application Policy
A fundamental policy showing the manner in which the Zero Trust approach will be applied in government information systems in response to a business environment that assumes expansions to cloud service utilization and remote work. - *5: Single Sign-On
Single Sign-On is a mechanism in which a single instance of authorization grants access to multiple systems and applications based on that authorization information (via ID or password entry). - *This article is a translation of a Japanese version that was published on May 13, 2026.