The rollout of the National Cybersecurity Basic Guidelines has introduced the National Network Security Framework (N2SF), keeping security companies busy. The expectation is that new security demand will open up.

With N2SF, public agencies can move away from a uniform network separation structure. Information deemed less important can be made public online. The framework classifies data by importance into C (Classified), S (Sensitive) and O (Open). Open-grade data can be published on the internet. There are expectations that, while it will vary by agency, open-grade data could account for more than 80 percent at public agencies that provide services to the public.

This is not mandatory, but the National Intelligence Service, which carries significant influence in the public security market, uses it as a guideline. The government is also encouraging public agencies to apply N2SF. The security industry expects this to open a new market that did not exist before. Some say it remains to be seen whether a large new market will emerge or whether it will encroach on the existing market. Still, there appears to be no disagreement that N2SF is a change the domestic security market cannot ignore.

Reflecting that, many security firms across fields such as network security and authentication have already entered the N2SF race, each with their own rationale and grounds. Companies that have targeted the zero trust security market are also increasing spending while stressing their fit with N2SF.

FasooAI, which specialises in data security, has also made a strong push into the N2SF market. It set a goal of providing a solution that can help organisations take the first step in responding to N2SF.

Kang Bong-ho (강봉호), an executive director at FasooAI, said the key to N2SF is a shift toward data importance. He said building a framework to classify data should come first. He stressed that FasooAI has provided its Fasoo Data Radar (FDR) to support identifying and classifying data since about 10 years before N2SF was introduced.

He said there were already many providers of personal information protection solutions. But he said FasooAI has developed FDR for 10 years with a focus on data identification and classification, accumulating significant experience and know-how.

The industry says it is harder than expected for public agencies to classify various data into C, S and O.

Public agencies must include items 1 through 8 of non-disclosure categories under the Information Disclosure Act when drafting documents, meaning some data classification is already reflected in drafted documents. It is different on systems or PCs. In many cases data is not classified. As AI makes the environment more complex, many officials find it difficult to be confident that their PCs contain only information that can be made public.

It is also not acceptable for a system to contain both disclosable and non-disclosable information together. If they are together, guidelines require prioritising the highest grade, so the entire system becomes bound as non-disclosable. With so much to manage, automatic classification would be best from the perspective of public agencies, but it is not easy. Personal information is easier to find because patterns are similar, but other sensitive information is often ambiguous, making it hard to automate. Raising the level of partial automation is a realistic solution.

Kang said the most difficult and demanding part is classifying systems and data. He said it is important to simplify as much as possible the process of finding and classifying non-disclosure items 1 through 8. He repeatedly highlighted that FasooAI is well prepared in this area.

He said the company has focused for more than 10 years on data discovery and response beyond personal information protection solutions. He said it has handled significant amounts of non-disclosable data under the Information Disclosure Act through public projects such as the Onnara system. He said providing digital rights management (DRM) solutions has also strengthened capabilities to distinguish what should and should not have encryption applied. He said FDR is not at the level of automatic classification, but the company continues to advance it.

FasooAI updates its FDR solution to support N2SF classification

Practicality is another point Kang emphasises about FDR. He said C, S and O classification should be done as much as possible within systems. He said doing it at the network level creates a heavy load. He said it is enough to classify in advance at the system level and conduct post-verification when linking networks.

Kang also stressed the need to consider agents in an N2SF environment. As data transfers via AI agents increase, he said attention is also needed for AI data security. Kang said FasooAI has focused on the data security business for the past 26 years. He said the security paradigm is changing and public data is increasingly seen as important at home and abroad. He said he wants to support public institutions in responding effectively to N2SF, achieve results, and use that as a chance to expand overseas.