T-Road and Zero Trust
Triple verification of identity, equipment, and behavior patterns, even the head of the agency.
Recently, Taiwan’s first dedicated cybersecurity administrative body, the National Institute of Cybersecurity (NICS), was officially established, adding a strong force to the Ministry of Digital Affairs. About the same time, the Ministry of the Interior also revised the Regulation for Applying for Provision of Household Registration Information and Related Information by Various Agencies.”.
These two events seem unrelated, but in fact, they mark a new chapter in the concept of “cybersecurity equals national security.”
Given that data exchange methods such as CDs and flash drives are easily replicated, lost, or untraceable, the Ministry of the Interior stopped providing household registration data to applying units through these methods since the end of last year. This means that any agency applying to access household registration data can only do so through the government’s Internet Service Network (GSN).
Based on the experience of the Ministry of the Interior, all public agencies that involve national personal information will introduce the “Interagency Data Transmission Exclusive Channel” (T-Road) within the next two years. T-Road transmission is encrypted with agency certificates and is not connected to external service, providing more stringent cybersecurity.
Based on this foundation, our next focus policy is to integrate the “Zero Trust” system with the T-Road network transmission management system and fully introduce it into public agencies with the highest level of cybersecurity.
The traditional cybersecurity framework is based on the distinction between internal and external network permissions, protected by a firewall. The most common approach is that administrators must enter the internal network and input an account password to log into the back end.
However, relying only on the firewall and password for protection is like relying on a single anti-theft door and password lock for an entire building. No matter how stringent the security measures are, if someone intends to steal, they can use the password and pass the security to enter each floor and move freely in each room, causing serious consequences.
The core concept of “Zero Trust” is “Never Trust, Continuously Verify”: anyone, anywhere, at any time, must undergo three verifications of identity, equipment, and behavior patterns when entering any room, even the head of the agency. This way, even if the attacker sneaks into the lobby, they cannot obtain other data because the three verifications at each door are not the same.
From these characteristics, it can be seen that for information systems that require a large amount of transmission and frequent interaction with other units, Zero Trust can prevent malicious actors from stealing data at both ends of the transmission. The complete identity verification trail and undeniable transmission record can more effectively detect insider theft.
T-Road provides a leak-proof secure channel, and “Zero Trust” fills in the gap of a stringent gatekeeping mechanism. Therefore, starting from the Ministry of Digital Affairs’ MyData platform, the T-Road management system will fully introduce the Zero Trust system with three verifications by the end of this year. The Cybersecurity Institute, which broadens the recruitment of cybersecurity professionals and effectively integrates industrial, academic, and research resources, is the project partner to assist various agencies in introducing Zero Trust systems.
In addition to assisting various agencies to strengthen cybersecurity measures, the NICS will also use public code to develop common systems and assist various departments in joint defense against major cybersecurity incidents. Starting from the “Never Trust, Continuously Verify” Zero Trust framework, we aim to create a “Never Stop, Continuously Improve” national digital resilience.