White Paper Nov 21, 2023 Steps to introducing zero trust for global companies

Many people may be concerned about security measures for overseas offices. This white paper summarises the characteristics of Zero Trust and the steps to implementing it in an easy-to-understand way.


As vicious cyberattacks continue to threaten businesses, many companies are fortifying their defenses to protect themselves, but blind spots remain.

One such blind spot is their foreign sites. Many Japanese companies have expanded overseas, and this expands the security scope that needs to be covered. Many of them people may be wondering what kind of countermeasures should be taken for security at their overseas sites.

As a means of defense, the concept of "zero trust security" is garnering attention. As the name implies, zero trust literally means to "trust nothing" in an IT network and validate the legitimacy of all access, both inside and outside the company, scrutinizing access rights. Zero trust, which allows managing with the same security policy across multiple sites, is said to be an effective security measure for places like overseas sites where the security situation is difficult to grasp.

However, when introducing zero trust, it may not be clear what steps to take. This whitepaper has compiled the characteristics of zero trust and the steps to its introduction in an easily understandable way, not only for IT personnel but also for all readers. Furthermore, we have received advice on security measures from Nobuo Miwa, the CEO of S&J Corporation, a provider of security services.

Table of Contents

1.What is zero trust security?
2. Japanese corporations’ zero trust security is still to come
3. Zero trust security misconceptions
4. Points for the security of overseas sites
5. How can enterprises achieve zero trust security?
6.When overseas sites take the first steps

Overseas Locations of Japanese Companies – The Targets of Cyber Attacks

As vicious cyberattacks continue to threaten businesses, many companies are fortifying their defenses to protect themselves, but blind spots remain. One such blind spot is their foreign sites. According to a survey by Teikoku Databank*1, as of 2023, 28.1% of Japan companies had expanded overseas. It's important to remember that having more locations means the scope of security coverage likewise grows. 

It is very dangerous to underestimate the risk and think that “It is ok, they don’t have as important information as the headquarters”. Malicious attackers infiltrate from the most vulnerable points and launch critical attacks on important locations through the internal network. Any security incident would be considered a company-wide issue, risking significant damage such as loss of opportunities, stock price decline, and loss of trust from customers. It is crucial to properly consider beforehand security measures not just for the domestic headquarters but also for overseas locations.

“Survey on the Actual Production and Sales Situation at Overseas Locations of Expanding Companies (2023)” 
https://www.tdb.co.jp/report/watching/press/p230716.html

In the conventional "perimeter defense" model, based on the general principle of "safe inside and dangerous outside," defensive measures are used to stop attackers from entering the corporate network from the outside.  However, when it becomes commonplace to use an external cloud or to connect to an internal network from outside the company, such as from home, it becomes difficult to completely prevent intrusions at the perimeter. Once an intrusion has been allowed, without internal defense measures there is a risk that internal resources could be freely accessed by the intruder.

 On the other hand, with zero trust, where you literally "trust nothing," every access is suspected as potentially being from an attacker. Regardless of whether it is from inside or outside the company, based on information such as the ID of the employee who accessed the site and the MAC address of the computer used, careful examination is done to determine whether access shall be allowed. The decision is made whether to allow use (authentication) and how much access is allowed (authorization). Even allowed usage by regular employees is granted the minimum level of authority needed. 

*The information contained in the news releases is current at the time of publication.
*Products, service fees,service content and specifications, contact information, and other details are subject to change without notice.

Related Services

SD-WAN services
Security
Corporate networks that can adapt to the varied challenges of the cloud era
KDDI Cloud Inventory
Security
A unified cloud management service for device security
FireEye with KDDI
Security
The highly advanced solution against cyber attacks

What is the best solution for your problem?
Please consult a KDDI consultant.

Office Hours:9:00~18:00
(Closed Saturdays, Sundays, and National Holidays)