From The Desk | NIST Zero Trust Architecture Released

From the desk of Andrew Deer, CISSP CISM CISA QSA PCIP

Who do you trust? It’s a question that can have a significant bearing on securing information. If, like Ed Rooney in Ferris Bueller’s Day Off, you don’t trust anyone further than you can throw them, then you’re well on the way to meeting the zero trust ideals of NIST’s newly published Zero Trust Architecture (ZTA).

The concept behind this architecture is that no implicit trust is granted to assets or user accounts based solely on their physical or network location. This means that all assets are treated equally, with an equal level of distrust. Each interaction with a resource must be authenticated and authorised. Compare this to current methods of implied trustworthiness, where once the subject has met a base authentication level (e.g., logging into an asset), all subsequent resource requests are assumed to be equally valid.

Put simply, once you’ve been given initial access to a file server, no further authentication takes place. This implied trust is one of the primary means of lateral movement through an enterprise exploited by attackers.

The ZTA concept can effectively dissolve the perimeter of an organisation and help secure remote users, BYOD, cloud services, and other off-premises hardware. The zero trust model focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as network location is no longer seen as the prime component of a resource’s security posture.

By adopting this approach it becomes possible to secure distributed enterprises – particularly relevant in this COVID time of working from home and BYOD scenarios.

NIST’s architecture is based on a series of tenets. Not all tenets may be fully implemented for a given strategy:

● All data sources and computing services are considered resources
● All communication is secured regardless of network location
● Access to individual enterprise resources is granted on a per-session basis
● Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioural and environmental attributes
● The enterprise monitors and measures the integrity and security posture of all owned and associated assets
● All resource authentication and authorisation is dynamic and strictly enforced before access is allowed
● The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications, and uses it to improve its security posture
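To make the contrast between implied trust and per-session, dynamic authorisation concrete, here is an added example of a minimal policy decision point. It is illustrative code written for this column, not NIST’s or any vendor’s implementation; the resource names, policy attributes, device-posture fields and sample requests are all constructed. `perimeter_decide` models the “logged in, therefore trusted” behaviour described above, while `zta_decide` re-evaluates identity, group membership, device posture and session age on every request, and denies by default for any resource the policy does not know.

```python
"""Minimal per-request policy decision point (PDP) illustrating the ZTA tenets.
Added example, not NIST's or the author's code; all resource names, policy
attributes, posture fields and sample requests are constructed for illustration."""
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset   # enterprise group memberships
    mfa: bool           # strong authentication completed in this session


@dataclass(frozen=True)
class Device:
    managed: bool       # enrolled in enterprise management (posture can be measured)
    patched: bool       # current patch level meets policy
    edr_healthy: bool   # endpoint agent reporting and healthy


@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    resource: str       # every data source or service is a resource
    action: str         # e.g. "read" or "write"
    session_age_s: int  # seconds since access to this resource was last granted


# Constructed policy table: one rule per resource (dynamic policy per resource).
POLICY = {
    "hr-records":    {"groups": {"hr"},      "mfa": True,  "managed": True,  "max_session_s": 900},
    "finance-share": {"groups": {"finance"}, "mfa": True,  "managed": True,  "max_session_s": 900},
    "wiki":          {"groups": set(),       "mfa": False, "managed": False, "max_session_s": 28800},
}


def perimeter_decide(logged_in: bool) -> Tuple[bool, str]:
    """Implied-trust model: once a subject is logged in, every later request is allowed."""
    if logged_in:
        return True, "allow: implicit trust after initial login"
    return False, "deny: not logged in"


def zta_decide(req: Request) -> Tuple[bool, str]:
    """Evaluate ONE request against the resource policy and the live posture."""
    rule = POLICY.get(req.resource)
    if rule is None:
        # No resource is inherently trusted: unknown resources are denied.
        return False, f"deny: no policy for resource {req.resource!r}"
    if rule["mfa"] and not req.subject.mfa:
        return False, "deny: MFA required for this resource"
    if rule["groups"] and not (rule["groups"] & req.subject.groups):
        return False, "deny: subject not in a required group"
    if rule["managed"] and not req.device.managed:
        return False, "deny: resource requires an enterprise-managed device"
    # Posture is re-checked on every request, not only at login.
    if req.device.managed and not (req.device.patched and req.device.edr_healthy):
        return False, "deny: device posture check failed"
    # Access is granted per session; an aged session must re-authenticate.
    if req.session_age_s > rule["max_session_s"]:
        return False, "deny: session expired, re-authentication required"
    if req.action == "write" and not req.subject.mfa:
        return False, "deny: write actions require MFA"
    return True, "allow"


if __name__ == "__main__":
    # Constructed scenario: the same logged-in user, same resource, drifting posture.
    alice = Subject("alice", frozenset({"finance"}), mfa=True)
    healthy = Device(managed=True, patched=True, edr_healthy=True)
    drifted = Device(managed=True, patched=False, edr_healthy=True)
    for label, req in [
        ("fresh session, healthy device", Request(alice, healthy, "finance-share", "read", 60)),
        ("same session, patch level dropped", Request(alice, drifted, "finance-share", "read", 120)),
        ("same user, resource outside her groups", Request(alice, healthy, "hr-records", "read", 60)),
        ("stale session", Request(alice, healthy, "finance-share", "read", 5000)),
    ]:
        print(f"{label:40s} perimeter={perimeter_decide(True)[0]!s:5s} zta={zta_decide(req)}")
```

Run it and the perimeter column stays `True` for every row, while the ZTA column allows only the first request and names the tenet that blocked each of the others. In a real deployment the posture fields would come from the enterprise’s device management and monitoring feeds rather than being passed in by the caller, which is exactly the “collect as much information as possible and use it” tenet above.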

NIST also describes some basic assumptions for network connectivity for any organisation that utilises ZTA in network planning and deployment. These assumptions are used to direct the formation of a ZTA:

● The entire enterprise private network is not considered an implicit trust zone
● Devices on the network may not be owned or configurable by the enterprise
● No resource is inherently trusted
● Not all enterprise resources are on enterprise-owned infrastructure
● Remote enterprise subjects and assets cannot fully trust their local network connection
● Assets and workflows moving between enterprise and non-enterprise infrastructure should have a consistent security policy and posture

Armed with this framework, it becomes possible to gradually introduce systems that move the enterprise towards a ZTA.

Most security technology companies now have solutions that may assist in moving towards a Zero Trust Architecture. If you’re interested in learning more about this robust security model, you can read more here:

NIST https://www.nist.gov/publications/zero-trust-architecture
Cisco https://www.cisco.com/c/en/us/products/security/zero-trust.html
Microsoft https://www.microsoft.com/security/blog/2020/08/27/zero-trust-deployment-guide-microsoft-applications/
Crowdstrike https://www.crowdstrike.com/epp-101/zero-trust-security/