This document outlines security measures for digital transformation (DX). It discusses how security impacts management and market capitalization. It compares the traditional "perimeter defense" method to the more effective and efficient "zero trust" method. Zero trust greatly improves defenses against both internal and external threats while lowering costs. The document also examines a case study of security issues at Zoom, and provides designs for implementing zero trust, including monitoring employees and restricting access. Multi-layered defenses are proposed to securely protect service sites from external attacks.
1. Security as the foundation of DX
1. The impact of security on management
2. Security measures for DX
3. Expected effects of Zero Trust
a. Security Requirements in the Context of Business Trends
b. Case study zoom
c. Measure
c-1 "Perimeter Protection" and "Zero Trust" methods compared
c-2 Design
Appendix
Masaaki Murakami
masaaki-murakami@funaisoken.co.jp
Funai Soken Holdings Inc.
2020/12
2. 1. The impact of security on management
a) Security is involved in all business activities
[Diagram: "In-House Business" and "Digitized Business" are linked through the "Cloud", with "security" at every linkage. Information shown: customer-owned information; in-house information and employee information; site for customers; company-internal information.]
In a digitized business world
a) Security is involved in all business activities
b) Impact of security on management = market capitalization of the company
The cloud underpins both "internal operations" and the "digitized business." Attackers can
exploit the cloud to leak information, misuse the employee, internal, and customer information
held in the cloud, and hold that information hostage to demand money and goods.
Protect customer-owned information
Protecting employee and company information
3. b) Impact of security on management = market capitalization of the company
The "market capitalization" of digital businesses is sensitive to security troubles.
The most important factors are "rumors" and the "reputation among security experts".
The "rumors" lower the market cap.
What returns market capitalization to its original trend is the "cyber-security experts'
evaluation".
[Chart: market capitalization; horizontal axis Feb., Mar., Apr., May, Jun.]
Jan. 2: 1.5 trillion yen
March 23: 3.5 trillion yen
April 8: 2.6 trillion yen
Apr. 23: 3.7 trillion yen
Jun. 3: 4.9 trillion yen
Market capitalization down by 25%: The zoom bomb led to accusations about security in the media and SNS. (Mostly speculation and misrepresentation of facts)
Back to the trend before the trouble: zoom solves encryption technology problems pointed out by security experts.
Market capitalization will return in the short term, but will go down again: zoom fixes features that lead to speculation and factual errors.
<Analysis of the zoom case study>
③ Protecting market capitalization
4. 2. Security measures for DX
① Protecting employee and company information
Because the conventional "perimeter defense" method is "ineffective" and has "very low
investment efficiency," change to the "zero trust" method, which is "highly effective" and has
"high investment efficiency."
[Chart: "perimeter defense" vs. "zero trust", with the remote work rate at 70%. Amounts shown: Approx. XXXXX yen/year for each method. Effectiveness against threats (Threat Coverage *1): 18% and 90%. Investment efficiency = cost per 10% threat coverage.]
Cost: XX% Down
Coverage ratio: 500% Up
Investment efficiency: increased by X times
① Protecting employee and company information: zero trust
② Protect customer-owned information: multi-layered protection of service sites
③ Protecting market capitalization: use industry-known curatorial services and integrators.
*1: Calculated using Bayesian statistics based on IPA's “10 Major Security Threats 2020”.
https://www.ipa.go.jp/files/000084114.pdf
5. ② Protecting customer-owned information
"Cloud services that handle sensitive personal and employee information of customers"
require a higher level of security than general cloud services ⇒ "Multi-layered defense".
[Diagram: multi-layered defense (IdaaS, WAF, IPS, FW). Threats: spoofing; attacks that exploit weaknesses; infection that turned our company into a cluster. Damage: spoofing, using our company as a springboard; damage to customers' personal information on our website; damage to personal and internal information on customers' and partners' sites.]
③ Protecting market capitalization
Use "security services" and "integrators" that security experts agree on.
Security services >>> Use the services of the world's top security companies
Integrators >>> Top-level security integrator in Japan
6. 3. Expected effects of Zero Trust
① Protecting employee and company information
The risk of internal information leaks (risk of misuse of the cloud) and the risk
of external attacks can both be reduced to close to zero.
② Protect customer-owned information
The risks in this area are expected to increase.
With hacking tools circulating in the underworld, multi-layered defenses are capable
of handling the latest attacks.
③ Protecting market capitalization
① ② is highly effective against a variety of risks that become rumor.
is directly related to the company's credibility and is highly effective in reducing
the risk of a decline in market capitalization.
7. [Charts: anticipated risks from 2019 to 2023, untreated vs. treated]
Risk of internal information leakage (risk of misuse of the cloud)
Anticipated risks: The risk of internal information leaks increases in proportion to the number of employees.
Effectiveness (IdaaS+CASB): Almost no risk of internal information leaks by misusing the cloud.
External attack risk
Anticipated risks: Conventional defenses currently in use will be even less effective in the future.
Effectiveness (MDR): Almost no risk from external attacks on terminals.
8. a. Security Requirements in the Context of Business Trends
b. Case study zoom
c. Measure
c-1 "Perimeter Protection" and "Zero Trust" methods compared
c-2 Design
Appendix
9. a. Security Requirements in the Context of Business Trends
[Table: business trends by area (Economic Trends, Labour, Logistics, manufacture, distribution, ICT) across three periods: Before-Corona trend; What happened with the Corona disaster; post-corona. Entries as they appear on the slide:]
- subscription
- Expansion of online shopping
- Further expansion of online shopping
- No parts, no production
- National and regional bloc policies
- Logistics over-optimized for individual supply chains
- Decline in productive population
- Even if the product exists, it is not distributed.
- Layoffs and labor shortages
- Currency is not circulating in the market.
- remote work
- Work style reform
- foreign worker
- Foreign workers are not allowed to enter the country.
- Cloudification
- Rapid expansion of SaaS
- blocking
- A lot of currency was dropped into the market.
- Money out of circulation
- Expectations for Digital
- A New Economic Balance
- Growth generated by complexity of industrial structure
- Next Generation Supply Chains
- New forms of work
- E-commerce
- Return to domestic production
- Flexible Logistics
- Collaborated SaaS
- remote work
10. Requirements for the Cloud
- Know-how to use the cloud
- Cloud integration for the supply chain
- Security for cloud computing with peace of mind
Expectations of the society
DX = A pump to channel stagnant money under the new economic order
The technology that is the engine of the pump is Cloud AI
[Diagram labels: Economic Trends; Next Generation Supply Chains; Site for customers; company-internal information]
Requirements for security
- Prevent leakage of internal information
- Securely share employee information between clouds
- Preventing threats and exploitation by external attacks on PCs and clouds
- Prevent external attacks from harming customers and collaborating partners.
11. Market capitalization was about 1.5 trillion yen on January 2, but rose to about 3.5 trillion yen on March 23,
thanks to Corona's tailwind.
In the wake of the zoom bomb, rumors of security problems spread, and the market capitalization fell to about
2.6 trillion yen on April 8.
Various security issues were pointed out, but the only real trouble was the zoom bomb. The zoom bomb was
also not a vulnerability in zoom, but a standard feature that was exploited by users.
Most of the problems were the result of misinterpretations and misunderstandings of facts that spread through
the media and social networking sites.
The first round of countermeasures paid off, and a month later, on April 23, the market capitalization returned
to the level of a month earlier.
The first round of measures focuses on counteracting rumors and zoom bombs.
Due to the effect of the second round of measures, the market capitalization rose to about 4.9 trillion yen on
June 2, about two months later.
The second measure is a countermeasure to the encryption problem pointed out by security experts.
b. zoom case study
12. [Timeline, March to June: what was said about zoom, zoom's measures, and market capitalization]
Sources: security expert; mass media, social networking sites; U.S. Government
Labels: rumor; actual trouble; "No real trouble, but problems pointed out."; legend: items with factual errors / fact
Actual trouble:
- zoom bombing
Statements shown on the timeline:
- zoom is being bugged by the Chinese government.
- Meeting in zoom will be hijacked by hackers.
- zoom is a Chinese service
- zoom is a Chinese company
- zoom is lying about its security.
- Personal information has been leaked from zoom.
- Zoom's end-to-end encryption is not end-to-end encryption by security experts' definition
- Government officials banned from using zoom for some of their official duties.
- zoom security is vulnerable
Action / Measure:
- 90-day security plan
- Sequential implementation of measures for -
- Corporate takeover for
- Change all distributed apps to prevent
Market capitalization (in Japanese yen):
- Dec. 8, 9 trillion yen
- Jan. 2, 1.5 trillion yen
- March 23, 3.5 trillion yen
- April 8, 2.57 trillion yen
- Apr. 23, 3.7 trillion yen
- Jun. 3, 4.9 trillion yen
13. c. Measure
c-1 "Perimeter Protection" and "Zero Trust" methods compared
Changing to Zero Trust would "greatly improve our defenses" and "lower our costs".
perimeter defense
- Build a wall to protect the "people", "systems", and "PCs" inside.
- We're safe inside.
- Unprotected against internal information leaks
Zero Trust
- Management of "people", "systems", and "PCs and smartphones" as a means of information leakage
- Protect against internal information leaks
- Effectiveness against threats: 500% increase in coverage
- Annual cost: XX% Down
- Investment efficiency: up X times
[Diagram labels: people; systems; PCs; information leak, information loss; manage directly]
14. [Chart: perimeter defense vs. Zero Trust, if the remote work rate is 30%; vertical axis 0 to 5,000. Panels: Cost; Effects on threats (Threat Coverage): 18% and 90%; Investment efficiency (cost per 10% threat coverage). Amounts shown: Approx. XXXX million yen/year (twice); Approx. YYY million yen/year (twice).]
Annual Cost: XX% Down
Threat Coverage: 500% Up
Investment efficiency: increased by X times
15. C-2 Design
i. Zero Trust / "Countermeasures against internal information leaks"
Basic design
Intensive monitoring, regulation, and warning of (former) employees
with high risk of internal information leakage
[Diagram, IdaaS + CASB: "Most employees who contribute to business performance" are alerted to a change in action. "(Former) employees at high risk of internal information leakage ≒ retired person" receive centralized monitoring, regulation, and warning. Regulation & leave evidence of fraud.]
16. Operation
Stage1 ; Employees are notified that this policy is being implemented. (only black sites are restricted)
Stage2 ; Regulate sites with low trust levels.
Stage3 ; Use only whitelisted sites.
For most employees who contribute to business performance, use Stage 1 as
the normal operation and raise or lower the level depending on the situation.
Security measures are disclosed to employees.
Reference: Conventional general security measures (regulations for all employees)
[Diagram labels: Most employees who contribute to business performance; Strict regulation; (Former) employees at high risk of internal information leakage]
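The staged operation above, as an added example that is not part of the original slides. It reads the stages as: Stage 1 restricts only blacklisted sites, Stage 2 also regulates low-trust sites, Stage 3 permits only whitelisted sites. The names, the 0-100 trust score, its threshold, treating "regulate" as "block", and the rule for raising the stage are all assumptions.

```python
from dataclasses import dataclass
from enum import IntEnum

class Stage(IntEnum):
    BLACKLIST_ONLY = 1   # Stage 1: only black sites are restricted
    LOW_TRUST = 2        # Stage 2: sites with low trust levels are regulated too
    WHITELIST_ONLY = 3   # Stage 3: only whitelisted sites may be used

@dataclass(frozen=True)
class Site:
    host: str
    trust: int                 # constructed 0-100 score (assumed scale)
    blacklisted: bool = False
    whitelisted: bool = False

LOW_TRUST_BELOW = 50           # assumed threshold, not from the slides

def stage_for(high_risk: bool, open_alerts: int) -> Stage:
    """Stage 1 is normal operation; raise it for risk, lower it once alerts clear."""
    if high_risk:              # assumed flag for the high-risk group
        return Stage.WHITELIST_ONLY
    return Stage.LOW_TRUST if open_alerts > 0 else Stage.BLACKLIST_ONLY

def decide(stage: Stage, site: Site) -> tuple[str, str]:
    """Return (decision, reason). The blacklist wins over every other list."""
    if site.blacklisted:
        return "block", "blacklisted"
    if stage is Stage.WHITELIST_ONLY:
        return ("allow", "whitelisted") if site.whitelisted else ("block", "not on whitelist")
    if stage is Stage.LOW_TRUST and site.trust < LOW_TRUST_BELOW and not site.whitelisted:
        return "block", "low trust"
    return "allow", "permitted at this stage"

def audit(user: str, high_risk: bool, open_alerts: int, site: Site) -> dict:
    """One evidence record per request, kept whether it is allowed or blocked."""
    stage = stage_for(high_risk, open_alerts)
    decision, reason = decide(stage, site)
    return {"user": user, "stage": int(stage), "host": site.host,
            "decision": decision, "reason": reason}

# Constructed sample sites (not real services).
SANCTIONED = Site("crm.example.com", trust=90, whitelisted=True)
PERSONAL = Site("files.example.net", trust=30)
KNOWN_BAD = Site("bad.example.org", trust=5, blacklisted=True)

if __name__ == "__main__":
    for risk, alerts in ((False, 0), (False, 2), (True, 0)):
        print(audit("emp-001", risk, alerts, PERSONAL))
```

The same low-trust personal storage site is allowed at Stage 1 and blocked at Stages 2 and 3, and every request leaves a record either way.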
17. Functional design
Technical Requirements
❶ Minimize the risk of personal information and ID/PW leaks from the cloud you use.
❷ Steadily identify, analyze, and take measures against employee misconduct
❸ Restrict access to sites that you do not want our employees to use.
Design
❶ Minimize the risk of personal information and ID/PW leaks from the cloud you use.
❷-1 Analysis and alerting of suspicious employee use
❷-2 Automatically take action when an employee uses the system in a suspicious manner.
❷-3 Evidence of legal action against misuse by employees
❸ Restrict access to sites that you don't want our employees to use.
[Diagram labels: CASB; IdaaS; Web site; Cloud; In-house systems; Cloud in the world; Log storage; UEBA; Standard; Adaptive; Standard]
18. [Diagram: employees reach the in-house system, clouds and web sites through IdaaS and CASB; items lettered a to d on the slide]
IdaaS
- Control employee "login" to the cloud
- Cloud computing as an internal system
CASB
- Control what employees can use in the cloud.
- Analyze employee site access behavior.
- Block employee access to the site.
UEBA
- Analyze employee behavior and score their trust level.
- Dedicated employee credit information DB for our company
CCI (SaaS Credit Information DB)
- Approximately 30,000 to 40,000 security evaluated clouds
- Number of newly evaluated clouds: several thousand per year
- Cloud version of Teikoku Databank
List of Dangerous Sites
[Diagram labels: In-house; Cloud; Web site; In-house system; Non-Certified Clouds; Personal Cloud; Web site]
19. ii. Zero Trust / Countermeasures against external attacks (ransom, exploitation, etc.)
for PC, smartphone
Technical Requirements
❹ Protect all PCs and smartphones from attacks.
Design
MDR = EPP + EDR + SOC
❹-1 Waterfront measures
Note: Not effective against non-malware attacks,
which account for more than half of all attacks.
❹-2 Measures to prevent pathogens from
slipping past waterfront measures
Effective against most attacks because it detects
symptoms after the onset of the disease.
[Diagram labels: PC, smartphone; MDR; EPP; EDR/SOC]
20. Infection and extermination
[Diagram: entry routes Cloud, Web site, Mail, USB. Stages: water's edge; attack (disease); isolation; extermination. Attack types: conventional attacks (attacks by conventional viruses, etc.) and new type of attack (new type of fileless attack). Percentages shown for 2018 and 2019: 60%, 40%, 49%, 51%. Compared: traditional anti-virus protection (with an "Undetectable" label) and MDR (EPP, EDR/SOC), with the extermination area marked.]
21. iii. Multi-layered protection for service sites / Countermeasures against external attacks
(ransom, exploitation, etc.) for Service website
Technical Requirements
❺ To prevent all attacks from outside
Design
❺-1 Measures against unauthorized access by
parties other than customers
❺-2 Preventing direct attacks on a site
[Diagram labels: Service website; IdaaS; WAF; IPS; FW; MDR = EPP + EDR + SOC]
22. [Diagram: multi-layered defense. "Our Web site" and "customers' and partners' sites" each consist of: applications developed for each site; OS, middleware; network. Defenses: IdaaS, WAF, IPS, FW. Threats: spoofing; attacks that exploit weaknesses (vulnerability); infection that turned our company into a cluster. Damage: spoofing, using our company as a springboard; damage to customers' personal information on our website; damage to personal and internal information on customers' and partners' sites.]