Zero-trust becomes accepted protection method for information security and value-added digital assets of enterprises

Sandy Du, DIGITIMES Asia, Taipei

Nai-Wei Lo (left) and Shi-Cho Cha (right). Credit: DIGITIMES

Driven by the lure of financial gain, hacker groups have continued to expand their attacks during the pandemic. According to Check Point's latest Cyber Security Report, the number of cyberattacks hitting enterprise networks each week in 2021 rose by more than 50% compared with 2020. The information security challenges enterprises face today fall roughly into three categories: first, attacks that specifically target an enterprise or organization; second, the change in access patterns brought about by remote and mobile work, which enlarges the attack surface that malware can reach; and finally, a large number of incidents that are not financially motivated, such as collecting the personal information of political figures or paralyzing critical infrastructure.

The pandemic has not only accelerated the digital transformation of enterprises but has also changed the way people live and work. Take the hybrid work model as an example: most employees have none of the physical and network security controls of the office at home, leaving them wide open to the phishing emails that hackers aim at home workers. Such attacks can serve as a springboard into the enterprise the person works for. If that enterprise lacks suitable protection mechanisms, the eventual result is the theft of confidential corporate information and ransomware infection.

Shi-Cho Cha, director of the Taiwan Information Security Center (TWISC) at National Taiwan University of Science and Technology (NTUST), said that remote and mobile work have become routine in the post-pandemic era, so companies need to take their information security protection mechanisms back to the drawing board. This is where zero-trust architecture comes in; it is seen as one of the best countermeasures against increasingly varied attack patterns. The zero-trust approach relies on unified identity management, encryption of network traffic, and classification and protection of data according to its importance, thereby reducing both the probability of an intrusion and the likelihood that large amounts of data are stolen once one occurs.

Zero-trust architecture subjects every access request to the same rigorous verification regardless of where it originates, which helps uncover hidden malicious activity. This has led to widespread adoption by enterprises and governments. In January 2022, the US Office of Management and Budget (OMB) issued a memorandum (M-22-09) requiring federal agencies to meet specific zero-trust goals for identity, devices, networks, applications and data by the end of fiscal year 2024. On identity, the strategy requires agencies to use enterprise-managed identity tools to protect staff from sophisticated online attacks: a single sign-on mechanism that spans applications, phishing-resistant multi-factor authentication, password policies aligned with current guidance (no forced periodic rotation or special-character rules), and checking passwords against known breach lists.
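As an added example (not code from the article, TWISC or NTUST), here are two of the mechanisms named above in Python: a per-request access check that treats network location as a logged attribute rather than a trust signal, and a breached-password check done with the k-anonymity range-query pattern, where only the first five hex characters of the SHA-1 hash leave the client. The policy table, the request fields, the function names and the tiny breach corpus are all assumptions made for the example.

```python
# Added example, not code from the article or from TWISC/NTUST.
# A per-request zero-trust policy check plus a breached-password lookup.
# All names, fields, policy thresholds and sample data are assumptions.
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Constructed breach corpus (not real breach data): SHA-1 hashes of a few
# weak passwords, stored as uppercase hex the way range-query services do.
_BREACHED_HASHES = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein")
}


def range_query(prefix: str) -> set[str]:
    """Stand-in for a k-anonymity range API: the client sends only the first
    5 hex characters of the SHA-1 hash and gets back the suffixes of every
    breached hash with that prefix, so the lookup service never learns the
    full hash, let alone the password."""
    assert len(prefix) == 5
    return {h[5:] for h in _BREACHED_HASHES if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    """Hash locally, query by prefix, match the suffix locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in range_query(prefix)


@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool      # phishing-resistant MFA completed for this session
    device_managed: bool    # enrolled in the enterprise device inventory
    device_compliant: bool  # patch level / disk encryption checks passed
    source_ip: str          # logged for audit, deliberately NOT a trust signal
    resource: str
    classification: str     # "public" | "internal" | "confidential"


# Minimum requirements by data classification (assumed policy table).
_POLICY = {
    "public":       {"mfa": False, "managed": False, "compliant": False},
    "internal":     {"mfa": True,  "managed": True,  "compliant": False},
    "confidential": {"mfa": True,  "managed": True,  "compliant": True},
}


def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). Every request is evaluated the same way
    whether it arrives from the office LAN or a home connection, and an
    unknown classification is denied rather than treated as public."""
    if req.classification not in _POLICY:
        return False, ["unknown data classification: deny by default"]
    rules = _POLICY[req.classification]
    reasons: list[str] = []
    if rules["mfa"] and not req.mfa_verified:
        reasons.append("mfa required")
    if rules["managed"] and not req.device_managed:
        reasons.append("unmanaged device")
    if rules["compliant"] and not req.device_compliant:
        reasons.append("device out of compliance")
    return (not reasons), reasons


if __name__ == "__main__":
    # An office IP with no MFA is denied; a remote, healthy, MFA'd session passes.
    lan = AccessRequest("alice", False, True, True, "10.0.5.17", "hr-db", "confidential")
    home = AccessRequest("alice", True, True, True, "203.0.113.9", "hr-db", "confidential")
    print(evaluate(lan))    # (False, ['mfa required'])
    print(evaluate(home))   # (True, [])
    print(is_breached("password"), is_breached("Tr0ub4dor&3 x7!"))  # True False
```

The point of `evaluate` is what it does not look at: `source_ip` is carried for logging but never consulted, so a request from inside the corporate network with no MFA is refused exactly as one from a coffee shop would be. In `is_breached`, the only value that would cross the network in a real deployment is the five-character prefix, which matches a few hundred thousand possible hashes and so reveals nothing useful about the password.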

Beyond zero-trust architecture, enterprise information security governance also matters. Information security is not one person's responsibility but everyone's. If overall security awareness improves, the probability of a successful intrusion falls. The role of the information security unit is to help everyone fulfil that responsibility so that the defense mechanisms work as intended. Shi-Cho Cha explained that information security professionals are in short supply worldwide, so enterprises struggle to hire enough skilled staff. Besides cultivating such professionals from within the company, companies must also guard against security burnout and create meaningful work in order to retain existing security team members and thus protect the enterprise's digital assets.

Nai-Wei Lo, dean of the NTUST School of Management and a professor in the Department of Information Management, pointed out that when companies promote information security governance they should cover four major aspects: establishing information security systems, regular risk assessment, appropriate investment in information security, and a secure corporate environment. Only when all four are present can information security be robust overall. The business community has a strong demand for information security professionals. Noting that demand, NTUST is investing in the cultivation of such professionals along three tracks: an information security extension-education credit program (scheduled to begin in September), an in-service master's program in information security (in preparation), and an information security group within the Department of Information Management's master's program together with a bachelor's program in information security (in preparation). These programs are meant to produce a range of information security professionals for the public and private sectors.

NTUST also hosts the Taiwan Information Security Center (TWISC). Its research, oriented towards artificial intelligence and data science, covers security technologies such as intelligent security analysis, defense and forensics, as well as smart-living and other emerging applications, and its results are shared with industry and academia.
