Implementation of access control for management communication with zero trust
Block unauthorized access targeting vulnerabilities
Mr. Yohei Mizutani, Toray Industries, Inc.
We have been integrating the group's information systems into a common service, and network integration has continued to progress since 2018. In Japan, the system has been integrated into one group network, and international group companies and bases can access the domestic core system through the group network.
Mr. Yohei Mizutani
Senior Staff
Information Systems Platform Department
Toray Industries, Inc.
Mr. Yasushi Oka, Toray Systems Center, Inc.
The disparity in each company's degree of security measures was an issue with international group companies. During this period, an incident occurred in which a server in Japan was actually infiltrated from the remote access environment of an international group company via the group network. Fortunately, there was no actual damage, but we still needed to reassess the access method for the group network. The server can also be accessed for maintenance purposes using management protocols such as SSH and RDP. Since the server can be controlled freely if accessed via SSH or RDP, a mechanism was needed to prevent these operations from being executed via the group network.
Mr. Koji Oka
Senior Staff
Security Service Group, ICT Infrastructure Service Dept.
Toray Industries, Inc.
Mr. Mizutani
I work in the Information Systems Platform Department, which serves as the group's headquarters to oversee security for domestic and international affiliate companies. The group network serves as the basis for services and communication, but we felt it was necessary to improve the security level by providing infrastructure services, including security functions, to affiliated companies. We decided to use the Toray Systems Center to provide unified security measures rather than having each organization handle remote access control separately.
Mr. Oka
How can we defend the server against SSH and RDP accesses that result in rewriting? That's when we thought of implementing a privileged ID management system with privileged accounts that grant each server access via SSH and RDP. However, a large number of servers needed to be made secure both domestically and internationally. When we considered implementing a privileged ID management solution to numerous servers, concerns arose about the cost and installation time.
Therefore, we also considered a gateway system that physically controls communication over the network. With this approach, a single jump server is installed, and multi-factor authentication is applied when the jump server is accessed. However, we had not considered running on-premises access control software due to the operational load.
Mr. Mizutani
We were searching for a service and thought that if there was no suitable service, we would need to have a vendor create and provide a service configuration with authentication and management requirements.
Mr. Oka
We were soliciting bids from multiple vendors for gateway-based access control solutions with privileged ID management systems when IIJ proposed a cloud service that worked well with the gateway system. IIJ Safous ZTA is a service that enables remote access control. I had no idea that such a solution existed, so I found it quite intriguing. IIJ explained that IIJ Safous ZTA could coexist with existing environments, such as multi-factor authentication during remote access and Zero Trust Network Access (ZTNA), both of which were listed as requirements. After confirming that it was functionally compatible with our company's vision, we comprehensively considered the cost and implementation period and concluded that Safous ZTA was our only option. That's how well the service met our needs.
Mr. Atsushi Kataoka, Sysco, Inc.
I was in charge of setting up the system at Sysco, a subsidiary of Toray Systems Center. Initially, we envisioned a method of setting up a physical server, but since Safous ZTA is a cloud service, it can be tested immediately after purchasing the license. We decided to try it first.
Mr. Atsushi Kataoka
Engineer
Network Service Department NS1 Group
Sysco, Inc.
Mr. Oka
We started interviewing various vendors around May 2022, and around that summer we received information about Safous ZTA from IIJ. Actual operation as a test environment began in November, and because everything was going smoothly, we completed the environment preparation by the end of March 2023. In 2023, we moved SSH and RDP access to Safous ZTA.
Mr. Oka
Access is controlled via Safous ZTA for SSH and RDP communications necessary for managing IaaS infrastructure, physical servers, and cloud services. The system administrator is the user. Starting in fiscal 2023, we blocked SSH and RDP communications to the group network with a firewall and allowed access only through Safous ZTA. We have a system in place to block access from an attacker, even if they attempt to do so over SSH or RDP communication.
Mr. Kataoka
There were no examples of linking between Microsoft Entra ID (formerly Azure Active Directory) and Safous ZTA, so there were some problems before we could actually link them. With the help of IIJ engineers, who thought about our problem and made suggestions, we were able to resolve the issues. I think it was because of IIJ that we were able to successfully implement Safous ZTA.
Mr. Oka
Although it is difficult to measure the impact of security solutions, we think that Safous ZTA's success is demonstrated by the fact that, in the more than a year that we have been using it, we have not experienced a single unauthorized attack against servers using administrative communication. Although overseas group companies have logged incidents of cyberattacks or unauthorized accesses, the fact that our servers have not been accessed by unwanted parties is evidence that Safous ZTA is operating as intended.
Mr. Mizutani
At the moment, we have just finished successfully setting up Safous ZTA's access control for system administrator communication. As the use of digital data and cloud services increases, we are considering using Safous ZTA for access control, including Operational Technology (OT). We are confident that we can successfully develop these initiatives by taking advantage of the ease of deployment that we have experienced using Safous ZTA.
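The firewall change Mr. Oka describes (SSH and RDP toward the managed servers reachable only through the Safous ZTA path, every other attempt from the group network blocked) is a default-deny rule for the management ports with a single allowed source. The nftables fragment below is an editor's added example, not configuration from Toray, IIJ or the Safous product; the group-network range 10.0.0.0/8, the server subnet 10.20.0.0/16 and the connector address 10.20.255.10 are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not from the page. All addresses below are assumptions.
define group_net     = 10.0.0.0/8        # assumed group-wide network range
define server_net    = 10.20.0.0/16      # assumed subnet of the managed servers
define zta_connector = { 10.20.255.10 }  # assumed address of the ZTA connector host
define mgmt_ports    = { 22, 3389 }      # SSH and RDP

table inet mgmt_filter {
    chain forward {
        type filter hook forward priority filter; policy accept;

        # 1. Only the ZTA connector may open SSH/RDP sessions to the servers.
        ip saddr $zta_connector ip daddr $server_net tcp dport $mgmt_ports ct state new counter accept comment "SSH/RDP via ZTNA path only"

        # 2. Any other SSH/RDP attempt from the group network is logged and dropped,
        #    so a compromised remote-access environment at an affiliate cannot reach
        #    the management ports directly, even with valid server credentials.
        ip saddr $group_net ip daddr $server_net tcp dport $mgmt_ports ct state new counter log prefix "MGMT-DENY " drop
    }
}
```

Load it with `nft -f <file>` on the gateway between the group network and the server segment, then confirm from an affiliate-side host that `ssh` to a server times out while a session through the ZTA portal still completes; the `counter` on rule 2 (visible in `nft list ruleset`) shows how many direct attempts were blocked, which is the measurable evidence the interview notes is otherwise hard to obtain. Two caveats a practitioner would add: the connector host itself must be hardened and reachable only by the ZTA service, since it is now the single trusted source for those ports, and the same rule should be mirrored in each server's host firewall so that traffic originating inside the server segment is not exempt.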
User Profile
Toray Industries, Inc.
Head office: Nihonbashi Mitsui Tower, 2-1-1 Nihonbashi-Muromachi, Chuo-ku, Tokyo
Founded: January 1926
Capital: JPY 147,873,030,771
Number of employees: 6,995 (as of March 31, 2024)
Toray Industries, Inc. is one of Japan's leading basic materials manufacturers. Originally established as a rayon fiber production company, it now also produces resins, chemicals, films, carbon fiber composite materials, electronic information materials, pharmaceuticals and medical devices, and products for water treatment and environmental issues. With its corporate slogan, "Innovation by Chemistry", the company is developing many advanced materials and high value-added products around the world.
* This article is based on an interview given in August 2024. The data, organization names, titles, etc. in the article were correct as of the date of the interview.