Latest News

Exclusive Interview with NetAdmin Magazine: Integrating Software and Hardware to Develop ZTA Solutions, Balancing Compliance and Security


2024-02-05

Source: NetAdmin Magazine

CHANGING, equipped with extensive independent research and development capabilities, has been deeply immersed in identity authentication technology for 25 years. In response to the evolving landscape of modern office practices, the company has recently introduced a Zero Trust Digital Authentication System, encompassing "identity authentication" and "device authentication." This implementation aligns seamlessly with the National Institute for Cyber Security's (NICS) ongoing promotion of the Zero Trust Architecture. Additionally, the device authentication technology plays a crucial role in augmenting security across various Internet of Things (IoT) application scenarios.


Senior Manager Anddy Liu from CHANGING's Product Development Department pointed out that the concept of Zero Trust Architecture rapidly gained momentum since the issuance of the standard document SP 800-207 by the National Institute of Standards and Technology (NIST) in the United States in 2020. Not only have U.S. government agencies actively adopted it, but Taiwan's National Institute for Cyber Security (NICS) has also been promoting Zero Trust Architecture since 2022. The implementation initially prioritizes Level A agencies with responsibilities for information security. Simultaneously, this initiative aims to stimulate the development of the Zero Trust Architecture cybersecurity industry chain among domestic companies.


However, in practical interactions with clients, according to Senior Manager Anddy Liu, whether in government or enterprises, there appears to be a significant level of ambiguity in understanding the concept of Zero Trust. Throughout the entire year of 2023, CHANGING invested substantial time explaining the importance of Zero Trust to clients, revealing that there is still a need for enhanced comprehension of this concept in the market.


The core of the Zero Trust Architecture lies in preventing modern hackers from exploiting system vulnerabilities. In traditional cybersecurity incidents, the initial scrutiny often falls on the interception rules of firewalls or antivirus software. However, as long as there is a vulnerability, hackers can successfully infiltrate and propagate within the internal network. Therefore, addressing vulnerabilities in application systems has become a significant challenge in the context of the Zero Trust framework.


In recent years, with the heightened awareness of cybersecurity, network segmentation mechanisms have been considered an effective means of risk reduction. The challenge of this mechanism lies not in limiting the application scenarios within a specific range but in accurately identifying legitimate permissions. Government entities have adopted a Zero Trust approach in this regard, enhancing security through strict identity authentication and filtering mechanisms. However, this identity authentication mechanism contrasts significantly with existing application systems, requiring customization or integration to function. Fortunately, for government entities, many application systems developed under central policy initiatives are outsourced to large foreign companies, making it relatively easier to customize and integrate Zero Trust mechanisms. However, for most enterprises, the situation is more complex. As Anddy Liu explains, many enterprise operational systems rely on off-the-shelf software, making it challenging to incorporate identity authentication mechanisms. This, he notes, is a primary challenge faced by CHANGING when assisting clients in deploying Zero Trust mechanisms.


Legislation to establish cybersecurity standards and regulations


The concept of Zero Trust Security was first introduced in the cybersecurity market through Google's internal BeyondCorp project. This initiative aimed to break down traditional network boundaries between internal and external networks. Regardless of when and where access is initiated, a consistent authentication process and control policies are implemented. Access permissions are granted based on the user's role and privileges in order to enhance security.


CHANGING's Senior IoT Security Consultant, Frank Chiu, explains that within the framework of Zero Trust, not only does user login behavior require authentication, but the devices accessing resources also undergo rigorous inspection. The objective is to eliminate the possibility of hidden backdoor programs, thereby reducing concerns about sensitive data theft without detection.


In 2020, during the tenure of then-U.S. President Trump, the "IoT Cybersecurity Improvement Act" was signed, establishing standards and frameworks for the security review requirements of connected devices procured by the U.S. federal government. Following this, the National Institute of Standards and Technology (NIST) in the United States began developing the Zero Trust framework. "However, achieving implementation requires the integration of cross-departmental resources to formulate best practice examples," said Frank Chiu. The National Institute for Cyber Security, supervised by Taiwan's Ministry of Digital Development, has also referenced the best practices of NIST to develop a framework applicable to the Taiwanese context.


The Zero Trust principle, as a conceptual framework, has been adopted and promoted by various governments worldwide through NIST specifications and best practice examples. In the field of IoT security, various communication protocols and standards, such as the Open Charge Point Protocol (OCPP) for charging stations, the IEC 62443 standard in industrial control, and IEC 61850 in smart grids, play crucial roles. Frank Chiu points out that, similar to the EU's GDPR and the United States' Privacy Act, an increasing number of countries are strengthening the security of IoT devices through legislation. For example, the European Commission's proposed Radio Equipment Directive Authorization Act (RED-DA), expected to take effect in 2025, aims to enhance the security of connected devices, preventing larger-scale network attacks resulting from the widespread adoption of 5G technology.


For enterprises, especially those in export-oriented manufacturing, there is a growing focus on the management model of the Zero Trust principle. This is primarily due to the increasing demand from customers in Europe and the United States, who now require hardware devices to have robust cybersecurity mechanisms at the manufacturing stage. These mechanisms include firmware security updates, secure boot, key management, etc., aimed at mitigating cybersecurity risks.


Reverse proxy gateways assist the decision engine in authentication.


CHANGING's identity authentication product has received certifications from FIDO and OATH, enabling it to provide multi-factor authentication and device identification to meet various application requirements. According to Anddy Liu, after successfully passing the identity authentication function compliance verification proposed by the National Institute for Cyber Security, nearly twenty government agencies have been actively adopting and deploying the solution, with a few having completed the process and started its implementation.


CHANGING's Zero Trust solution comprises key components, including the access gateway, the decision engine, and identity and device authentication. Anddy Liu explained that the access gateway operates as a reverse proxy in front of the application systems and enforces the decisions of the declaration server and decision controller provided by the decision engine. It uses strong authentication methods such as FIDO to verify the user's identity and checks whether the device's TPM holds a registered device credential.


He further explained that in the implementation process of the Zero Trust principle, the main challenges encountered include the integration complexity and performance issues of application systems. The diverse architectures of each unit's application systems directly impact the degree to which the Zero Trust principle can be effectively implemented. This is especially pronounced in the case of decentralized application system deployments, where integration with authentication mechanisms must be carried out individually. This not only consumes time and resources but also requires robust technical team support. Government agencies can rely on external vendors for adjusting and modifying application systems, while enterprises tend to prefer utilizing standard protocols such as SAML or OpenID for integration with Zero Trust gateways.


The integration of TPM chips ensures the security of connected devices.


The importance of identity authentication in the current IoT application environment cannot be overlooked. In addition to user authentication, CHANGING has extended support to all types of identifiers available in the market, including biometric technologies. Device authentication for connected devices is under active development. It leverages a hardware Root of Trust (RoT) in the security chip together with a device certificate Public Key Infrastructure (PKI) management mechanism to verify the legitimacy of devices. This proactive approach helps contain the risk from firmware or operating-system vulnerabilities in IoT devices that have not received timely updates or patches.


In the photo, Senior Manager Anddy Liu (left) and Senior IoT Security Consultant Frank Chiu (right) from the Product Research & Development Division of CHANGING emphasize the company's commitment to leveraging their extensive experience in identity authentication technology over the past 25 years. Through their dedicated research and development capabilities, they are dedicated to crafting Zero Trust Architecture (ZTA) solutions for both enterprises and government organizations. These solutions aim to align with regulatory standards while elevating overall security levels.

"In the second stage of the Zero Trust Architecture promoted by the National Institute for Cyber Security — Device Authentication, CHANGING advocates implementing secure authentication using TPM chips to establish a reliable foundation. This approach concurrently enhances reliability within the IoT ecosystem." - Frank Chiu, Senior IoT Security Consultant


The recognition of connected devices typically relies on keys or certificates. If these credentials are not stored in a sufficiently secure environment, there is a risk of opportunistic theft by attackers. Therefore, to ensure the security of devices, it is imperative to establish a robust trust root. For instance, CHANGING collaborates with Infineon to integrate and deploy the Infineon OPTIGA TPM and OPTIGA Trust M security chip. These components, equipped with an independent microprocessor and storage area, provide physical isolation from the operating system running on the device. This setup ensures a highly secure environment, with core functionalities such as secure boot, access, and storage effectively resisting malicious penetration attacks.
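The gateway-side check described above (a registered TPM-held device credential verified alongside the user's authentication, with a replayed or forged device response rejected) as an added illustration that is not CHANGING's code; it assumes a hypothetical in-memory ed25519 key standing in for the TPM-protected key and a boolean standing in for a completed FIDO login:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Device holds the device credential. In a real deployment the private key never
// leaves the TPM; here (hypothetical example) it is an in-memory ed25519 key.
type Device struct {
	ID   string
	priv ed25519.PrivateKey
}

func NewDevice(id string) (*Device, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Device{ID: id, priv: priv}, err
}

func (d *Device) Pub() ed25519.PublicKey { return d.priv.Public().(ed25519.PublicKey) }

// Sign is the device answering a gateway challenge with its TPM-held key.
func (d *Device) Sign(nonce []byte) []byte { return ed25519.Sign(d.priv, nonce) }

// Gateway keeps the enrolled device public keys and one outstanding nonce per device.
type Gateway struct {
	registered map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewGateway() *Gateway {
	return &Gateway{registered: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Enroll records a device credential (the public half of the TPM-held key).
func (g *Gateway) Enroll(id string, pub ed25519.PublicKey) { g.registered[id] = pub }

// Challenge issues a fresh random nonce for an enrolled device; it is single-use.
func (g *Gateway) Challenge(id string) ([]byte, error) {
	if _, ok := g.registered[id]; !ok {
		return nil, errors.New("device not enrolled")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	g.challenges[id] = nonce
	return nonce, nil
}

// Authorize forwards a request only if the device proved possession of its registered
// key over the current nonce AND the user completed strong authentication. The nonce is
// consumed first, so a replayed signature fails even if everything else is in order.
func (g *Gateway) Authorize(userAuthenticated bool, id string, sig []byte) (bool, error) {
	pub, enrolled := g.registered[id]
	nonce, pending := g.challenges[id]
	delete(g.challenges, id)
	if !enrolled || !pending {
		return false, errors.New("device not enrolled or no outstanding challenge")
	}
	if !ed25519.Verify(pub, nonce, sig) {
		return false, errors.New("device signature invalid")
	}
	if !userAuthenticated {
		return false, errors.New("user not authenticated")
	}
	return true, nil
}

func main() {
	g, d := NewGateway(), &Device{}
	d, _ = NewDevice("sensor-01")
	g.Enroll(d.ID, d.Pub())
	n, _ := g.Challenge(d.ID)
	ok, err := g.Authorize(true, d.ID, d.Sign(n))
	fmt.Println(ok, err)
}
```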