According to the Digital Agency’s guidelines (“Concepts for Applying Zero Trust to Government Information Systems”), GCAS/GSS (Government Solution Services) are positioned as the foundation of the Zero Trust Architecture (ZTA). The introduction of the principle of “verifying all access” marks a significant step forward in Japan’s digital transformation.

However, the current GCAS model emphasizes integrated security controls within cloud environments and is structured on the premise of “no external trust.” As a result, while aligned with the philosophy of Zero Trust, its implementation resembles “cloud perimeter-based security.” This leads to structural limitations in connecting with systems outside the Government Cloud, such as those of local governments or independent administrative agencies, thereby hindering interoperability and distributed collaboration of administrative data. In such cases, the burden of managing authentication credentials is high, making it unsuitable for inter-agency connections or distributed systems. Moreover, the model heavily relies on specific services and functions provided by major cloud vendors, raising concerns about technological neutrality and vendor lock-in.

(1) Differences Between Japan and Estonia

Security Measures for Government Cloud Systems | GCAS Guide

GCAS’s approach of “managing authentication credentials confidentially” is based on a shared responsibility model between cloud service providers (CSPs) and user organizations. This design assumes that the application and data layers reside within the same cloud, prioritizing internal cloud control over external connectivity or interoperability. Thus, Japan’s Government Cloud design philosophy can be described as an “internal trust + confidential management” model.

In contrast, Estonia’s X-Road conducts all data exchanges through encryption, digital signatures, and mutual authentication (bi-directional TLS + e-Seal), treating authentication credentials not as “confidential assets” but as “publicly verifiable trust proofs.” Estonia’s Zero Trust does not mean “trust no one,” but rather “verify all trust through signatures.”

This mechanism is not only compatible with X-Road but also aligns technically with the EU’s internal data infrastructure such as the “European Data Space” and the “Once Only Technical System (OOTS),” indicating that Estonia’s design philosophy has influenced EU-wide interoperability standards.

X-Road uses mutual authentication via server certificates, e-Seals, and digital signatures (PKI-based), enabling complete mutual authentication and traceability in system-to-system communication. Since each organization holds its own private key, even if leaked, risks can be minimized by invalidating the certificate. This allows for consistent security levels across both on-premises and cloud environments. The open-source nature of X-Road also mitigates issues of technological dependence and vendor lock-in, although implementation and PKI management (including certificate lifecycle management) remain complex.

(2) Estonia’s Design Philosophy: “Mutual Trust + Signature Verification” Model

While Japan’s Government Cloud design is based on an “internal trust + confidential management” model, which leans toward “cloud perimeter defense” rather than true Zero Trust, Estonia’s design follows a “mutual trust + signature verification” model, which is closer to the original concept of Zero Trust. Estonia’s Zero Trust is risk-based, technologically and environmentally neutral, and encompasses on-premises environments, legacy systems, and critical infrastructures such as energy, finance, and transportation.

Estonia’s Zero Trust, based on the “mutual trust + signature verification” model, is supported by the establishment of a “Trust Framework” under the EU’s eIDAS regulation. Interestingly, the Zero Trust model came first in Estonia, followed by the institutionalization of the Trust Framework. Estonia has significantly contributed to elevating its domestically established trust system to an EU-wide framework.

Estonia’s strength lies in its realization of “Trust-by-Design,” legally backed and not merely a technical implementation — a fundamental difference from Japan. Thanks to the Trust Framework established under the EU’s eIDAS regulation, the legal validity of electronic signatures and e-Seals is clearly defined, allowing not only government agencies but also private entities—such as banks and healthcare institutions—to confidently adopt PKI-based mutual authentication.

(3) From “Cloud-by-Default” to “Hybrid-by-Default”

The trend of modernizing public sector information systems and databases by transitioning from legacy systems to government clouds is seen in many leading digital governments worldwide. However, the actual migration is fraught with challenges, making “Hybrid-by-Default” a more realistic approach than “Cloud-by-Default.”

Considering legal frameworks, data sovereignty, and security requirements, it is difficult to unify all systems under the cloud. Even in Estonia and Finland, operations combine “cloud + on-premises + ministry-specific environments.” The journey begins with the idealistic slogan of “Cloud-by-Default” and ends with the pragmatic reality of “Hybrid-by-Default.”

Another critical advantage of adopting “Hybrid-by-Default” is its compatibility with PQC (Post-Quantum Cryptography). In anticipation of the quantum computing era, “Hybrid-by-Default” is not just a practical compromise but a technical necessity.

Implementing PQC algorithms requires a complete overhaul of key management, certificate issuance, and verification systems across both cloud and on-premises environments. Given the current state of PQC adoption in cloud services, a short- to mid-term realistic approach would be “PQC implementation in on-premises or domestic cloud environments + hybrid connectivity with cloud services.” A hybrid setup allows for dual operation during the transition period, using both traditional PKI and PQC keys (hybrid signatures). Estonia also anticipates such dual operation during its transition.

For Japan, adopting a “Hybrid-by-Default” strategy with PQC readiness is a rational path forward. To move closer to true Zero Trust, Japan must establish a “trust-neutral” connection infrastructure based on mutual authentication and signature verification. This is not merely a technical choice but a reconstruction of national trust architecture. As the foundation for Japan’s future digital governance, a triad of technology, legal frameworks, and operational design is essential.