NIST Issues Final Guidance on 'Zero Trust' Architecture
Guidelines Describe Deployment Scenarios
The National Institute of Standards and Technology has released the final version of its "zero trust" architecture guidelines that provide a road map for using the architecture in security programs.
NIST Special Publication 800-207 is designed to help CISOs, security professionals and network administrators gain a better understanding of the zero trust concept.
By adopting a zero trust strategy, organizations can help prevent data breaches and limit attackers' lateral movement, the NIST guidance states.
"Perimeter-based network security has also been shown to be insufficient, since once attackers breach the perimeter, further lateral movement is unhindered," the guidance notes.
The publication discusses the components of a zero trust architecture and possible deployment scenarios. "It also presents a general road map for organizations wishing to migrate to a zero trust design approach and discusses relevant federal policies that may impact or influence a zero trust architecture," NIST says.
Scott Rose, a NIST computer scientist who helped draft the document, notes that the guidelines were designed to be descriptive rather than prescriptive, allowing users to delve into the concept of zero trust without laying out specifics of what organizations must do to implement it.
"We tried to ... say these are the foundations of zero trust and that organizations know best about what their risks are and then they can go ahead and build their architectures based on these principles," Rose tells Information Security Media Group.
Understanding Zero Trust
NIST notes that zero trust is not a stand-alone architecture that can be implemented all at once. Instead, it's an evolving concept that cuts across all aspects of IT.
"Zero trust is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets and resources," according to the guidelines document. "Transitioning to [zero trust architecture] is a journey concerning how an organization evaluates risk in its mission and cannot simply be accomplished with a wholesale replacement of technology."
Rose notes that to implement zero trust, organizations need to delve deeper into workflows and ask such questions as: How are systems used? Who can access them? Why are they accessing them? Under what circumstances are they accessing them?
"You're building a security architecture and a set of policies by bringing in more sources of information about how to design those policies. ... It's a more holistic approach to security," Rose says.
Because the zero trust concept is relatively new, NIST is not offering a list of best practices, Rose says. Organizations that want to adopt this concept should start with a risk-based analysis, he stresses. "You want to do a risk analysis of those workflows and what are the risks associated with them and then start developing policies based on those," he says.
Who Can Deploy Zero Trust?
The publication states that any organization in the private sector or the government can adopt the zero trust guidelines. In fact, most organizations already have some elements of zero trust in their enterprise infrastructure, NIST notes.
But enterprises that are geographically dispersed or have a large mobile workforce are more likely to benefit from deploying the latest zero trust guidance. These include enterprises with satellite facilities, those using multi-cloud or cloud-to-cloud approaches, organizations that rely on contracted services and enterprises with public- or customer-facing services.
Zero Trust Challenges
NIST warns of challenges that can arise during implementation of a zero trust architecture, including:
- Subversion of the zero trust decision process: Because enterprise administrators play a key role in implementation, they could make unapproved changes and provide unapproved access to certain resources. The only way to mitigate this threat is by auditing monitoring tools and configuration changes.
- Denial-of-service or network disruptions: An attacker could disrupt or deny access to security tools through DoS attacks or router hijacking. This threat can be mitigated by having the security analysis tools reside in a properly secured cloud environment or by replicating these tools in several locations.
- Stolen credentials or insider threat: Attackers could use phishing or social engineering to target accounts that have access to enterprise resources.
Making a Business Case
While the notion of zero trust has gained in popularity over the years as organizations look to improve their defenses, some believe that a stronger business case needs to be made before adopting the concept and incorporating it into security plans.
"The latest NIST Publication on Zero Trust is a great guideline that enhances security and reduces the risks of user privileges being compromised. However, as with most security strategies and architectures, we continue to have a failure to focus on the business value and how Zero Trust improves business efficiency or helps employees do their job," Joseph Carson, Advisory CISO at security firm Thycotic, tells ISMG. "How Zero Trust makes a positive security impact is the big question. As always, we need to have security that is usable and makes the employees' job better."
Managing Editor Scott Ferguson contributed to this report.