
NIST Publishes Final Guidance on Establishing Zero Trust Architecture to Improve Cybersecurity Defenses

NIST has published the final version of its zero trust architecture guidance document (SP 800-207) to help private sector organizations apply this cybersecurity concept to improve their security posture.

Zero trust is a concept that shifts defenses away from static, network-based perimeters to focus on users, assets, and resources. With zero trust, assets and user accounts are not implicitly trusted based on their physical or network location or on asset ownership. Under the zero trust approach, authentication and authorization are discrete functions that are performed for subjects and devices before a session is established with an enterprise resource.

The use of credentials for gaining access to resources has been an effective security measure to prevent unauthorized access; however, credential theft – through phishing campaigns for instance – is now commonplace, so cybersecurity defenses need to evolve to better protect assets, services, workflows, and network accounts from these attacks.

All too often, credentials are stolen and used by threat actors to gain access to enterprise networks undetected. Threat actors often have access to networks for days, weeks, or even months before an attack is detected, during which time they are free to move laterally and compromise an entire network. The increase in remote working, bring-your-own-device initiatives, and the use of cloud-based assets that are not located within the traditional network boundary has made the traditional perimeter-based approach to network security less effective.


A zero trust architecture helps to solve these issues and improve cybersecurity defenses. According to NIST, “zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.”

The guidance document provides an abstract definition of zero trust architecture (ZTA), covers the zero trust basics and logical components of zero trust architecture, and includes general deployment models and use cases where the zero trust approach can improve an organization’s information technology security posture.

In the guidance document NIST explains how the zero trust model can be combined with the NIST Risk Management Framework, NIST Privacy Framework, and other existing federal guidance and outlines how organizations can migrate to zero trust architecture.

Initially, organizations should focus on restricting access to resources to the individuals who require it to perform their work duties, and on granting only the minimal privileges needed, such as read, write, or delete. In many organizations with perimeter-based defenses, individuals tend to be given access to a much broader range of resources once they have been authenticated and logged in to an internal network. The problem with this approach is that unauthorized lateral movement is too easy, whether by internal actors or by external actors using stolen credentials.

The zero trust security model assumes an attacker is already present within the environment, so there is no implicit trust: enterprise networks are treated the same as non-enterprise networks. Under the zero trust approach, organizations continually analyze and evaluate risks to assets and business functions and then enact protections to mitigate those risks.
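To make the contrast between the two preceding paragraphs concrete, here is an added example (not code from NIST SP 800-207 or from the article) of a toy policy decision point: the perimeter model trusts any request coming from the internal network, while the zero trust decision ignores network location and authorizes each request against the subject's minimal privilege set and the device's posture. The subjects, resources, and policy table are constructed for illustration.

```python
"""Toy policy decision point contrasting perimeter-based implicit trust
with a per-request zero trust decision. All names and data are constructed."""
from dataclasses import dataclass


@dataclass
class Request:
    """One access request as seen by the policy decision point."""
    subject: str            # authenticated identity presenting the request
    device_compliant: bool  # device posture check passed (patched, managed, etc.)
    from_internal_net: bool # request originates inside the corporate network
    resource: str           # enterprise resource being accessed
    action: str             # "read", "write" or "delete"


# Constructed least-privilege policy: (subject, resource) -> permitted actions.
POLICY = {
    ("alice", "ehr-db"): {"read", "write"},
    ("bob", "ehr-db"): {"read"},
    ("bob", "billing"): {"read", "write", "delete"},
}


def perimeter_decision(req: Request) -> bool:
    """Perimeter model: a subject on the internal network is trusted broadly,
    so any resource and action is allowed once inside. This is what makes
    lateral movement with stolen credentials easy."""
    return req.from_internal_net


def zero_trust_decision(req: Request) -> bool:
    """Zero trust model: network location grants nothing. The request is
    allowed only if the device passes its posture check and the action is
    within the minimal privilege set granted to this subject on this resource."""
    if not req.device_compliant:
        return False
    allowed = POLICY.get((req.subject, req.resource), set())
    return req.action in allowed


def compare(req: Request) -> tuple[bool, bool]:
    """Return (perimeter decision, zero trust decision) for the same request."""
    return perimeter_decision(req), zero_trust_decision(req)


if __name__ == "__main__":
    # Stolen credentials used from inside the network on an unmanaged device.
    lateral = Request("bob", False, True, "ehr-db", "delete")
    # Legitimate remote user on a compliant device, within granted privileges.
    remote = Request("bob", True, False, "ehr-db", "read")
    print("lateral movement attempt:", compare(lateral))  # (True, False)
    print("legitimate remote access:", compare(remote))   # (False, True)
```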

Migrating to zero trust is not about the wholesale replacement of infrastructure or processes, rather it is a journey that involves incrementally introducing zero trust principles, processes, technology solutions, and workflows, starting with protecting the highest value assets. Most organizations will remain in a hybrid zero trust and perimeter-based environment for some time while they implement their IT modernization plan and fully transition to zero trust architecture.

The guidance document is the result of collaboration with several federal agencies and was overseen by the Federal CIO Council. The document was developed for enterprise security architects, but is also a useful resource for cybersecurity managers, network administrators, and managers to gain a better understanding of zero trust.

The publication can be downloaded from NIST on this link.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
