National Institute of Standards and Technology releases draft practice guide “Implementing a Zero Trust Architecture.”
June 4, 2022
The National Institute of Standards and Technology (“NIST”) has released Volume A of a preliminary draft practice guide titled “Implementing a Zero Trust Architecture”. The guide shows how commercially available technology is being used to build interoperable, open standards-based ZTA example implementations that align with the principles of Zero Trust Architecture.
The Abstract provides:
The proliferation of cloud computing, mobile device use, and the Internet of Things has dissolved conventional network boundaries. The workforce is more distributed, with remote workers who need access to resources anytime, anywhere, and on any device, to support the mission. Enterprises must evolve to provide secure access to company resources from any location and asset, protect interactions with business partners, and shield client-server as well as inter-server communications.
A zero trust cybersecurity approach removes the assumption of trust typically given to devices, subjects (i.e., the people and things that request information from resources), and networks. It focuses on accessing resources in a secure manner, regardless of network location, subject, and asset, and enforcing risk-based access controls while continually inspecting, monitoring, and logging interactions. This requires device health attestation, data-level protections, a robust identity architecture, and strategic micro-segmentation to create granular trust zones around an organization’s digital resources. Zero trust evaluates access requests and communication behaviors in real time over the length of open connections, while continually and consistently recalibrating access to the organization’s resources. Designing for zero trust enables enterprises to securely accommodate the complexity of a diverse set of business cases by informing virtually all access decisions and interactions between systems and resources.
This NCCoE project will show a standards-based implementation of a zero trust architecture (ZTA). Publication of this project description begins a process that will further identify project requirements and scope, as well as the hardware and software components to develop demonstrations. The NCCoE will build a modular, end-to-end example ZTA(s) using commercially available technology that will address a set of cybersecurity challenges aligned to the NIST Cybersecurity Framework. This project will result in a freely available NIST Cybersecurity Practice Guide.
Some of the insights from the guide include:
- Conventional network security has focused on perimeter defenses. A zero trust architecture (ZTA) addresses this trend by focusing on protecting resources, not network perimeters, as the network location is no longer viewed as the prime component to the security posture necessary for a resource.
- Zero trust is a set of cybersecurity principles used to create a strategy that focuses on moving network defenses from wide, static network perimeters to focusing more narrowly on subjects, enterprise assets, and individual or small groups of resources.
- ZTA uses zero trust principles to plan and protect an enterprise infrastructure and workflows.
- A ZTA environment embraces the notion of no implicit trust toward assets and subjects, regardless of their physical or network locations. It never grants access to resources until a subject, asset, or workload is verified by reliable authentication and authorization.
- The focus is on behaviors of enterprise employees, contractors, and guests accessing enterprise resources while connected from the corporate (or enterprise headquarters) network, a branch office, or the public internet.
Current challenges to implementing a ZTA include:
- Maturity of vendor products to support a ZTA.
- Organization’s ability/willingness to migrate to a ZTA because of:
  - heavy investment in other (legacy) technologies
  - absence of, or deficiency in, identity governance
  - lack of ability/resources to develop a transition plan, pilot, or proof of concept
- Security concerns such as:
  - compromise of the zero trust control plane
  - ability to recognize attacks and detect malicious insiders
- Interoperability considerations of ZTA products/solutions with legacy technologies such as:
  - standard versus proprietary interfaces
  - ability to interact with enterprise and cloud services
- User experience. To date, there has been no detailed examination of how a ZTA would or could affect end-user experience and behavior. The goal of a ZTA should be to enhance security in a way that is transparent to the end
The technical components required of the ZTA solution(s) include:
Core Components:
- The policy engine handles the ultimate decision to grant, deny, or revoke access to a resource for a given subject. The policy engine calculates the trust scores/confidence levels and ultimate access
- The policy administrator is responsible for establishing/terminating the transaction between a subject and a resource. It generates any session-specific authentication and authorization token or credential used by a client to access an enterprise resource. It is closely tied to the policy engine and relies on its decision to ultimately allow or deny a
- The policy enforcement point handles enabling, monitoring, and eventually terminating connections between a subject and an enterprise
Functional Components:
- The data security component includes all the data access policies and rules that an enterprise develops to secure its information, and the means to protect data at rest and in
- The endpoint security component encompasses the strategy, technology, and governance to protect endpoints (e.g., servers, desktops, mobile phones, IoT devices) from threats and attacks, as well as protect the enterprise from threats from managed and unmanaged
- The identity and access management component includes the strategy, technology, and governance for creating, storing, and managing enterprise user (i.e., subject) accounts and identity records and their access to enterprise resources.
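To make the division of labour between the three core components concrete, the following is an added illustrative model (not code from NIST or the NCCoE project) of a policy engine scoring a request from identity and device-attestation signals, a policy administrator issuing and revoking the session credential, and a policy enforcement point gating every access and dropping the connection when trust is recalibrated mid-session. Resource thresholds, scoring weights and the `Context` fields are constructed for the example.

```python
"""Hypothetical PE / PA / PEP model of the ZTA core components (illustration only)."""
import secrets
from dataclasses import dataclass


@dataclass
class Context:
    """Signals the policy engine evaluates. Network location is deliberately absent:
    under zero trust it confers no implicit trust."""
    mfa_verified: bool      # from the identity and access management component
    device_attested: bool   # device health attestation from endpoint security
    identity_risk: float    # 0.0 (clean) .. 1.0 (anomalous), from monitoring/analytics


# Constructed per-resource confidence requirements; more sensitive data needs a higher score.
RESOURCE_THRESHOLD = {"payroll-db": 0.85, "wiki": 0.5}


class PolicyEngine:
    """Calculates the trust score and makes the grant/deny/revoke decision."""
    def trust_score(self, ctx: Context) -> float:
        score = 0.5 if ctx.mfa_verified else 0.1      # weak authentication earns little credit
        score += 0.4 if ctx.device_attested else 0.0
        score -= 0.5 * ctx.identity_risk               # risk signals pull the score down
        return round(max(0.0, min(1.0, score)), 3)

    def decide(self, resource: str, ctx: Context) -> bool:
        return self.trust_score(ctx) >= RESOURCE_THRESHOLD[resource]


class PolicyAdministrator:
    """Establishes/terminates the session and owns the session-specific credential."""
    def __init__(self, pe: PolicyEngine):
        self.pe, self.sessions = pe, {}                # token -> (subject, resource)

    def establish(self, subject: str, resource: str, ctx: Context):
        if not self.pe.decide(resource, ctx):
            return None                                # PE denied: no credential is minted
        token = secrets.token_hex(16)
        self.sessions[token] = (subject, resource)
        return token

    def reevaluate(self, token: str, ctx: Context) -> bool:
        """Run continually over the open connection; revokes the credential when trust drops."""
        _, resource = self.sessions[token]
        if not self.pe.decide(resource, ctx):
            del self.sessions[token]
            return False
        return True


class PolicyEnforcementPoint:
    """Forwards a request only while the PA still holds a live session for that resource."""
    def __init__(self, pa: PolicyAdministrator):
        self.pa = pa

    def forward(self, token: str, resource: str) -> bool:
        session = self.pa.sessions.get(token)
        return session is not None and session[1] == resource
```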