[DigitalToday] "Regulatory changes and advances in AI technology are changing the security paradigm, and zero trust and zero CVE (Common Vulnerabilities and Exposures) are becoming increasingly important. To achieve zero trust and zero CVE, organisations need zero ops capabilities."

Seong Hee-kyung (성희경), a director at Red Hat Korea, pointed to zero trust and zero CVE as security keywords for the AI era.

Seong shared the background behind the growing importance of zero trust and zero CVE in the changed security environment, and Red Hat's strategy to support them, at Red Hat Ansible Automate 2026 hosted by Red Hat Korea at Lotte World Tower in Jamsil on the afternoon of May 28.

According to him, the security paradigm in the financial sector is shifting sharply after the government asked financial firms in March to abolish installed software such as keyboard security programmes.

He emphasised that this does not simply mean a few programmes disappearing, but that security responsibility and the paradigm have moved from consumer devices to financial firms' servers. He said that while the past relied on installing security modules on consumer devices and distributing responsibility, regulatory direction is now shifting to a risk-based security framework. He said the essence of security will be to continuously verify vulnerabilities on financial firms' servers and operate them through an automation-based intelligent server management system.

For financial firms, he said, the key task will be how to operate servers securely.

He presented zero trust and zero CVE as the two pillars of the new security system. On zero trust, he said the existing security model treated the area inside the network perimeter as a trusted zone, leaving it helpless against so-called lateral movement attacks in which an intruder who gained privileges could move freely between internal servers and data. He said the core philosophy of zero trust is to "never trust, always verify."

He cited four core principles of zero trust: deny and verify all access; apply security regardless of network location, including the network itself; strictly control resource access at the micro-segment level; and apply user-based real-time security policies.

On zero CVE, he stressed it is a security operations strategy that minimises the time vulnerabilities are exposed.

Citing a Linux kernel vulnerability disclosed in early May, he said that in the past it took months after a vulnerability was disclosed for it to lead to actual attacks, but the spread of AI-based tools is shortening that gap to days or hours. He said that even if access is controlled through zero trust, OS-level privileges can be stolen if kernel-level vulnerabilities exist, so a separate system for continuous vulnerability response is needed. According to him, the most realistic approach for companies to embed zero trust and zero CVE as security strategies is a "zero ops" operating strategy.

Seong said both zero trust and zero CVE strategies underscore the need for sustained operations. He said it is becoming increasingly difficult to maintain them through repetitive manual work alone, making policy-based security automation necessary. He said zero ops does not mean excluding people, but shifting operators' roles from repetitive manual work to high-value tasks such as policy design, verification and exception decisions.

Seong cited JPMorgan, a global financial firm, as an example of running zero ops effectively.

According to him, JPMorgan declared a shift to a zero trust-based architecture after a major security incident in 2014. It strengthened multi-factor authentication, refined access privileges, expanded AI-based real-time detection and scaled up security operations automation. Using Red Hat Ansible Automation Platform (AAP), it standardised more than 380,000 operating automations and also strengthened audit and compliance response systems. Seong said this shows that an enterprise automation platform that can automate policies and responses is needed to maintain continuity in real operating environments.

The AAP-based zero ops operating model presented by Red Hat consists of three stages: observation, AI-based decision-making, and controlled execution. In the observation stage, it collects logs, events and alerts in real time across customers' infrastructure and security systems. In the decision stage, AI analyses risk levels and action priorities, and automatically generates job plans and Ansible playbooks.

Seong said the financial sector finds it difficult to use public AI services because network separation is required under security policy. He said reviews have recently expanded into building internal large language models or closed AI platforms for use together in operating environments.

In the execution stage, actions are carried out in a controlled manner, including AAP-based role-based access control, control of account credentials, approval procedures and audit trails of execution history.

Seong recommended a phased approach to adopting zero ops. He said it is realistic to start by standardising regulatory responses by automating repetitive tasks such as CVE checks and result reporting and linking event-based alerts, then expand AAP's operating scope to strengthen AI-based operations automation, and in the long term broaden it into a zero ops operating system in which continuous threat detection and verification are repeated. He emphasised that the key is not how much has been automated, but how trustworthy and controllable an operating system can be built. He said zero ops is not a destination achieved once and completed, but an ongoing change in operating methods.
