The Toshiba Group is implementing various measures in order to reform work styles. One of those is the introduction of telework. Furthermore, we expect to see an ongoing rise in the use of collaboration tools and cloud services.
However, current security measures cannot provide sufficient protection for company information assets when using these flexible work styles. This causes numerous issues, such as the need for strict limitations on device and service usage and time-consuming usage procedures. To tackle these issues, Toshiba Digital Solutions has formulated a new information security management policy and, based on it, is creating a zero trust network, a new network security model.
This article introduces the zero trust network we are creating.
The continually growing threat of cyber-attacks
Toshiba Digital Solutions promotes the autonomy and initiative of each and every employee and is implementing the work style reform in order to improve both company engagement and work motivation. One of the measures we are using to accomplish this is telework, in which employees work from their own homes or from satellite offices.
Roughly half of our employees are already using telework, and we are working to make work styles even more flexible and efficient.
Furthermore, through efforts such as our open community activities, it is becoming even more common for employees to coordinate and co-create with people from outside the company.
- As of April 2020, in response to the COVID-19 situation, the Toshiba Group has instituted telework (working from home) for all employees, as a general rule, with exceptions made only for employees who must come to the workplace due to the specific nature of their work.
However, there is no end to the news of cyber-attack damage in the world. According to a report from the National Institute of Information and Communications Technology released in February 2020, monitoring of packets sent to unused IP addresses (darknet monitoring) found that the amount of traffic used in cyber-attacks is growing year-by-year. The amount of cyber-attack-related traffic in 2019 grew 1.5-fold in comparison to 2018 (source: National Institute of Information and Communications Technology NICTER Observation Report 2019). Advances in digital technologies and the greater adoption of IoT devices will, inevitably, bring with them a rise in the threat posed by cyber-attacks.
A new security policy created to promote the work style reform while ensuring information security
However, placing limitations and restrictions on the use of convenient services and locking down usage policies in order to enhance security can impede business activities, lower work efficiency, and block the progress of the work style reform. It is vital that measures take into consideration the balance of these factors. What is required are security measures that allow business to expand safely and operational efficiency to improve, for example by identifying signs of cyber-attacks in advance and taking countermeasures, and by minimizing damage during incidents. This is why we have created our own network and revised our basic security policy to shift its focus from "prevention and restriction" to "access control and ongoing monitoring" (Fig. 1).
Based on this shift, we have created three new security management policies: Risk-based Security Management, Zero Trust, and Customer Zero.
The first, Risk-based Security Management, does not consist of uniform measures, but instead uses an approach that prioritizes the response to high-frequency (likelihood), high-impact (damage) risks. The second, Zero Trust, is based on the "evil theory": no access, whether from inside or outside the company, is trusted. Therefore, authentication and monitoring are executed for all access to applications and data. In other words, this policy manages trust by using authentication and monitoring on internal access, just as on external access, to prevent unauthorized use. The last, Customer Zero, is based on the concept that we ourselves are the first customers of our own products, and we provide the service and the added value to customers after building up our knowledge and experience.
Previous problems of our network infrastructure
There are many software development systems and development information assets in our company's internal network.
In the past, we protected their safety by completely separating the internal network from the outside world with a strict security border.
However, innovation activities involving partners and external consultants, and collaborations with customers, are currently increasing. The reality is that we can no longer restrict access to necessary information to employees alone.
Furthermore, employees do not only access this information from the office. They also use telework to access information from various places outside the office -- their homes, satellite offices, while on the move, and other locations. There is also an increasing need to access information from devices other than personal computers, and to use cloud services. In the future, we expect BYOD* to become mainstream, and employees will do work from their own personal devices, not company-supplied devices.
It will not be possible to use fixed security borders as in the past. From now on, realizing the policy of “applying the optimum security border based on individual demands depending on customer and employee situations and conditions” will be an important issue.
- BYOD: Bring Your Own Device
What are zero trust networks?
How can companies balance the work style reform with security measures and tackle the aforementioned issues?
We took note of Gartner's SASE* concept that “security functions should be accessible from anywhere via the internet”, and we are currently working to build a new network security model, the “zero trust network”.
- SASE: Secure Access Service Edge
This network will implement security measures and encryption measures using Internet-based gateways and authentication services, not only for internal access, but for all access, including access by employees, customers, and partners via public networks and from mobile environments. This will make it possible to use the cloud services needed for system development operations and business collaboration (Fig. 2). We will be able to monitor all information transactions and user conditions for access from both inside and outside the company.
Zero trust networks are based on the following three concepts.
(1) The fundamental design that distrusts all networks and emphasizes access control and monitoring
(2) The ability to safely access networks at any time, from anywhere, by any method
(3) The monitoring and management of user ID, device, and location together with application control
The core of zero trust networks, monitoring, is performed 24/7 at the Security Operation Center (SOC). In our SOC, we have taken measures to improve operation accuracy and efficiency, such as introducing an AI model for the first stage of classification to prevent issues from being overlooked in monitoring. We believe that this approach will be tremendously effective in our zero trust network as the number of devices and users monitored, and the amount of logging data generated, grow.
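As an added illustration of the three concepts and the monitoring described above (this is not Toshiba's implementation; the policy table, user names, device names and field names are constructed assumptions), the following Python example evaluates every request on user ID, device, location and application, never grants access because a request came from the internal network, and records each decision for monitoring.

```python
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class AccessRequest:
    user_id: str
    authenticated: bool   # outcome of the authentication service for this request
    device_id: str
    device_managed: bool  # device is enrolled with the organization
    location: str         # "office", "home", "satellite", "mobile"
    network: str          # "internal" or "external": logged, never used to grant
    application: str

# Constructed per-application rules (application control).
POLICY = {
    "source-repo": {"users": {"alice", "bob"},
                    "locations": {"office", "home", "satellite"},
                    "managed_only": True},
    "collab-board": {"users": {"alice", "partner-01"},
                     "locations": {"office", "home", "satellite", "mobile"},
                     "managed_only": False},
}

AUDIT_LOG = []  # stands in for the event stream a SOC monitors


def decide(req: AccessRequest) -> tuple[str, str]:
    """Evaluate one request; identical checks for internal and external origin."""
    rule = POLICY.get(req.application)
    if rule is None:
        verdict = ("deny", "unknown application")
    elif not req.authenticated:
        verdict = ("deny", "not authenticated")
    elif req.user_id not in rule["users"]:
        verdict = ("deny", "user not entitled to application")
    elif rule["managed_only"] and not req.device_managed:
        verdict = ("deny", "unmanaged device")
    elif req.location not in rule["locations"]:
        verdict = ("deny", "location not permitted")
    else:
        verdict = ("allow", "policy satisfied")
    # Every decision, allow or deny, is recorded for monitoring.
    AUDIT_LOG.append({**asdict(req), "verdict": verdict[0], "reason": verdict[1]})
    return verdict


if __name__ == "__main__":
    # Constructed requests: same user and device, both from the internal network.
    office = AccessRequest("alice", True, "pc-17", True, "office", "internal", "source-repo")
    stale = AccessRequest("alice", False, "pc-17", True, "office", "internal", "source-repo")
    for r in (office, stale):
        print(r.network, r.application, decide(r))
```
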
Creating this kind of environment makes it possible to produce a cloud environment with a high level of freedom and internal infrastructure with robust security. It provides protection from security risks such as privacy violations, information leakage, and tampering when anyone, be they an employee, an affiliate, or a customer or partner with whom we are engaged in co-creation, accesses the network from anywhere, using any device. Currently, we are conducting a PoC* in related departments, but in fiscal year 2020, we will start deployment in development departments and gradually extend it throughout the company.
- PoC: Proof of Concept
This zero trust network will comply with the Cyber/Physical Security Framework (CPSF) formulated by the Ministry of Economy, Trade and Industry and the ATT&CK* concept from U.S.-based MITRE, so it will be possible to expand it to be used for co-creation business with customers and partners, as well.
- ATT&CK: Adversarial Tactics, Techniques, and Common Knowledge
Reviewing and revising device security measures
We are also reviewing and revising the security measures that apply to personal computers (devices) used by employees to do their work. In 2014, we deployed a thin client environment throughout the company, providing security by not storing data on individual devices. Roughly 70% of our employees now use the thin client environment on a full-time basis, and over 80% use it when working from home. However, one of the longstanding drawbacks of this security approach is that it is not suited to doing work while on public transportation or in environments where there is no network access. This is why, in parallel with our zero trust network, we are also considering next-generation workspaces that can be used from offline environments, as well. We plan to prepare a foundation that will allow departments and employees to make risk-based decisions on their own regarding which environment, the thin client environment or the hybrid online/offline environment, is safe and optimally suited for the work styles of employees and the characteristics of the customers they deal with.
The zero trust network ensures security while implementing the work style reform. This is an initiative that is being advanced by our company, which has many software engineers in the Toshiba Group. We are actively deploying the security measure knowledge and expertise that we have developed, not only within the Toshiba Group, but with our customers, as well. This is because we do not think of security as a competitive field, but as a collaborative area.
We will continue to draw together knowledge, both from inside and outside our company, and tackle a wide range of cyber risks.
- The corporate names, organization names, job titles and other names and titles appearing in this article are those as of April 2020.