NIST Publishes Guidance on Implementing Zero Trust Architectures
The National Institute of Standards and Technology (NIST) has published new guidance on implementing zero trust architecture (ZTA) to help organizations overcome some of the challenges of adopting this new cybersecurity approach.
The traditional approach to security involves securing a perimeter, akin to a castle and moat. Perimeter defenses such as firewalls prevent malicious actors from gaining access to internal resources, and antivirus software, intrusion detection systems (IDS), and other security measures provide additional protection should the network perimeter be breached. Generally speaking, with this approach, anything inside the network perimeter is trusted.
Zero trust assumes that a malicious actor has already breached the defenses; therefore, no user or device is implicitly trusted, and every user and device must be verified through authentication on each access, even when it has been previously verified. The principle of least privilege is applied so that, in the event of a security breach, damage is limited, and all activities and behaviors are continuously monitored. Further, zero trust works equally well against insider threats and external threat actors.
The traditional approach has served organizations well, but this approach breaks down when the network perimeter has to be extended to cover SaaS apps, mobile devices, remote working, and third-party access. Further, the growing sophistication of cyber threats makes breaches of the network perimeter more likely, and traditional approaches make the prevention of lateral movement challenging.
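As an added illustration, not part of NIST's guidance or of this article, the Python sketch below contrasts the two models described above: a perimeter check that trusts any request arriving from the internal address range, and a zero-trust policy decision that evaluates every request on its own against authentication freshness, device posture and a least-privilege role policy, recording each decision for monitoring. All users, networks and policies are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed example values; none of these come from the article or from NIST.
CORP_NET = ip_network("10.0.0.0/8")
MAX_TOKEN_AGE_S = 300  # re-verify authentication if it is older than this
# Least privilege: each role may perform only the listed actions on the listed resources.
ROLE_POLICY = {"analyst": {"reports": {"read"}}, "admin": {"reports": {"read", "write"}}}
USER_ROLES = {"alice": "analyst", "bob": "admin"}


@dataclass
class Request:
    user: str
    client_ip: str
    resource: str
    action: str
    token_age_s: int        # seconds since the user last authenticated
    device_compliant: bool  # result of the endpoint posture check


def perimeter_allows(req: Request) -> bool:
    """Castle-and-moat model: anything inside the network perimeter is trusted."""
    return ip_address(req.client_ip) in CORP_NET


@dataclass
class PolicyEngine:
    audit_log: list = field(default_factory=list)

    def decide(self, req: Request) -> bool:
        """Zero-trust model: network location grants nothing; every request is checked
        for fresh authentication, device compliance and role permission, and logged."""
        reasons = []
        if req.token_age_s > MAX_TOKEN_AGE_S:
            reasons.append("stale authentication")
        if not req.device_compliant:
            reasons.append("non-compliant device")
        permitted = ROLE_POLICY.get(USER_ROLES.get(req.user), {}).get(req.resource, set())
        if req.action not in permitted:
            reasons.append("action not permitted for role")
        allowed = not reasons
        # Continuous monitoring: every decision, allow or deny, leaves an audit record.
        self.audit_log.append((req.user, req.client_ip, req.resource, req.action, allowed, reasons))
        return allowed


if __name__ == "__main__":
    engine = PolicyEngine()
    insider = Request("alice", "10.1.2.3", "reports", "read", token_age_s=3600, device_compliant=True)
    print("perimeter:", perimeter_allows(insider), "zero trust:", engine.decide(insider))
```

An insider on the corporate network with a stale session is allowed by the perimeter check but denied by the policy engine, while a remote, compliant analyst with a fresh login is denied by the perimeter check and allowed to read reports.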
NIST previously released a conceptual ZTA framework in 2020 (NIST Special Publication 800-207), introducing the concept of zero trust. The latest publication provides practical guidance on implementing ZTA using commercially available technologies. The new publication includes 19 real-world implementation models, along with technical configurations, best practices, and valuable starting points for building your own ZTA. The guidance was developed through a 4-year project with the NIST National Cybersecurity Center of Excellence (NCCoE) and 24 industry partners.
“Switching from traditional protection to zero trust requires a lot of changes. You have to understand who’s accessing what resources and why,” said Alper Kerman, NIST computer scientist and co-author of the guidance. “Also, everyone’s network environments are different, so every ZTA is a custom build. It’s not always easy to find ZTA experts who can get you there.”
The guidance is based on real-world situations that large organizations typically confront. It simulates the complexity of modern network environments, with multiple internal networks, guest Wi-Fi networks, cloud platforms, SaaS apps, and multiple locations across the country; offers different approaches to address implementation challenges; and maps the solutions to cybersecurity frameworks.
“The examples the guidance provides are demonstrations,” explained Kerman. “They can help organizations understand some of the capabilities they have to have on board to deploy a ZTA.”