“Never trust; always verify” is the slogan behind the Zero Trust concept.
Zero Trust is the topic of a report released by the National Institute of Standards and Technology (NIST), in collaboration with the Federal CIO Council’s architecture subgroup.
The report covers the architectures, use cases, and deployment models in which zero trust can improve cybersecurity. The report, released Monday, is a “technology-neutral set of terms, definitions, and logical components of network infrastructure using a [zero-trust] strategy.”
A typical enterprise’s network infrastructure has grown increasingly complex. A single enterprise may operate several internal networks, remote offices with their own local infrastructure, remote and/or mobile individuals, and cloud services. This complexity has outstripped traditional methods of perimeter-based network security as there is no single, easily identified perimeter for the enterprise.
This complexity has led to a new way to plan enterprise network security known as Zero Trust Architecture (ZTA). A ZTA approach is primarily focused on data protection but can be expanded to include all enterprise assets. ZTA assumes the network is hostile and that an enterprise-owned network infrastructure is no different, and no more secure, than any non-enterprise-owned network. In this new paradigm, an enterprise must continuously analyze and evaluate the risks to its internal assets and business functions and then enact protections to mitigate those risks. In ZTA, these protections usually involve minimizing access to resources to only those who are validated as needing access, and continuously authenticating the identity and security posture of each access request.
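The paragraph above describes the core ZTA mechanism: every access request is evaluated on its own merits (who is asking, from what device, in what state, for which resource), the network it arrives from carries no trust, and grants are short-lived and re-evaluated. The following Python sketch is an added illustration of such a per-request policy decision, not code from the NIST report or any product. All class names, field names, the `evaluate` and `check_session` functions, and the sample users, devices and resources are hypothetical and constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Subject:
    user: str
    authenticated: bool
    mfa_satisfied: bool
    roles: List[str] = field(default_factory=list)


@dataclass
class Device:
    device_id: str
    enterprise_managed: bool
    posture_compliant: bool   # assumed feed from an endpoint-management agent
    patch_age_days: int


@dataclass
class Resource:
    name: str
    required_roles: List[str]
    max_patch_age_days: int = 30


@dataclass
class AccessRequest:
    subject: Subject
    device: Device
    resource: Resource
    source_network: str       # recorded for audit only; never a trust input


@dataclass
class Decision:
    allow: bool
    reasons: List[str]
    session_ttl_seconds: int = 0


def evaluate(req: AccessRequest) -> Decision:
    """Policy decision for one request. Every check must pass; the network
    the request came from is deliberately absent from the checks."""
    reasons: List[str] = []
    if not req.subject.authenticated:
        reasons.append("subject not authenticated")
    if not req.subject.mfa_satisfied:
        reasons.append("multi-factor authentication not satisfied")
    if not req.device.enterprise_managed:
        reasons.append("device not enterprise-managed")
    if not req.device.posture_compliant:
        reasons.append("device posture non-compliant")
    if req.device.patch_age_days > req.resource.max_patch_age_days:
        reasons.append("device patch level older than resource allows")
    if not set(req.resource.required_roles) & set(req.subject.roles):
        reasons.append("subject lacks a role required for the resource")
    if reasons:
        return Decision(allow=False, reasons=reasons)
    # Short-lived grant: the request is evaluated again when the TTL expires
    return Decision(allow=True, reasons=["all checks passed"], session_ttl_seconds=300)


def check_session(req: AccessRequest, granted_at: int, now: int, ttl: int) -> Decision:
    """Continuous evaluation: once the grant's TTL has elapsed the request is
    evaluated again with current identity and posture data, so a device that
    drifted out of compliance loses access even though it was allowed earlier."""
    elapsed = now - granted_at
    if elapsed < ttl:
        return Decision(allow=True, reasons=["grant still within TTL"],
                        session_ttl_seconds=ttl - elapsed)
    return evaluate(req)


def sample_requests() -> Dict[str, AccessRequest]:
    """Constructed sample input for the demonstration (not from the report)."""
    payroll = Resource("payroll-db", required_roles=["finance"], max_patch_age_days=14)
    alice = Subject("alice", authenticated=True, mfa_satisfied=True, roles=["finance"])
    managed_ok = Device("lt-0042", enterprise_managed=True, posture_compliant=True, patch_age_days=3)
    managed_stale = Device("lt-0042", enterprise_managed=True, posture_compliant=True, patch_age_days=40)
    byod = Device("phone-77", enterprise_managed=False, posture_compliant=False, patch_age_days=3)
    return {
        "inside_ok": AccessRequest(alice, managed_ok, payroll, source_network="corporate"),
        "outside_ok": AccessRequest(alice, managed_ok, payroll, source_network="internet"),
        "inside_byod": AccessRequest(alice, byod, payroll, source_network="corporate"),
        "inside_stale": AccessRequest(alice, managed_stale, payroll, source_network="corporate"),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        d = evaluate(req)
        print(f"{name:13s} allow={d.allow}  {'; '.join(d.reasons)}")
```

Two design points are worth noting. The request from the corporate network and the one from the internet receive identical decisions because `source_network` is never consulted, which is the "enterprise network is no more secure than any other" assumption made concrete. And `check_session` shows why grants carry a TTL: the device whose patch level has aged past the resource's limit keeps its access only until the TTL runs out, after which the re-evaluation denies it.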
This publication provides a definition of ZTA, its logical components, possible deployment scenarios, and threats. It also presents a general roadmap for organizations wishing to migrate to a ZTA-centered network infrastructure and discusses relevant federal policies that may impact or influence a zero trust architecture.
ZTA is not a single network architecture but a set of guiding principles for network infrastructure design and operation that can be used to improve the security posture of any classification or sensitivity level. Transitioning to ZTA is a journey and cannot be accomplished without a wholesale replacement of technology. That said, many organizations already have elements of a ZTA in their enterprise infrastructure today. Organizations should seek to incrementally implement zero trust principles, process changes, and technology solutions that protect their data assets and business functions. Most enterprise infrastructures will operate in a hybrid Zero Trust/Legacy mode during this time while continuing to invest in ongoing IT modernization initiatives and improving organizational business processes.
Organizations need to implement effective information security and resiliency practices for zero trust to be effective. When complemented with existing cybersecurity policies and guidance, identity and access management, continuous monitoring, and general cybersecurity hygiene, ZTA can reinforce an organization’s security posture through a managed-risk approach and protect against common threats.
The comment period for the draft report runs from September 23 to November 22.