NIST and Zero Trust: In light of the recent hack of the Colonial Pipeline – many are turning to the concept of Zero Trust for an answer to the question of what we do to thwart the pandemic of assaults on our IT system. Zero Trust is not new – many site Google’s Beyond Corp architecture, published in 2009, for helping the industry understand how a zero trust enterprise could be enacted as did John Kindervag writing for Forrester in 2010. The idea has been popularized so much NIST has enacted a paper on it in 2020.
NIST and Zero Trust: What is SP 800-207?
In August 2020, the NIST released Special Publication 800-207, which outlines an abstract definition of zero trust architecture, deployment models, and use cases for the cybersecurity approach. The publication creates much-needed clarity for many on what zero trust truly entails.
NIST and Zero Trust
What is NIST?
Found in 1901, the National Institute of Standards and Technology (NIST), is a non-regulatory government agency intended to promote innovation. While the organization does not create regulations for industries to follow, many regulatory requirements mirror recommendations outlined in the NIST’s various standards published on topics such as cybersecurity.
What is Zero Trust?
Zero trust is the “term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.” Rather than assuming trust based on a user or device’s location or asset ownership, zero trust removes that trust. Especially as the number of remote workers rises, bringing your own device becomes more widespread, and cloud-based data storage grows, standard resource protection becomes insufficient as infrastructures become more complex.
A zero trust approach assumes that a bad actor has already made their way into a network, meaning that users in an enterprise-owned network are not to be trusted than on external networks.
Including the introduction, the NIST SP 800-207 publication is divided into seven sections:
Section 2: Defining zero trust and zero trust architecture
Section 3: Describing the building block of zero trust architecture
Section 4: Identifying potential use cases for zero trust architecture
Section 5: Discussing threats in a zero trust environment
Section 6: Identifying how zero trust complement existing federal agency guidance
Section 7: Discussing the starting point for the transition to zero trust
While any organization can implement zero trust principles, NIST sees the most immediate use in organizations with geographically distributed employees or a highly mobile workforce. The example the publication uses is an enterprise with a headquarters and multiple satellite offices and facilities that are not joined by a single, enterprise-owned network. Additionally, companies using multiple cloud vendors, contracted services, with public-facing services, and facilitating cross-boundary collaboration should also consider switching to zero trust architecture to improve their security.
When making the transition to zero trust, the NIST publication recommends that it is “a journey, rather than a wholesale replacement of infrastructure or processes.” The transition will be defined by the organization’s current cybersecurity posture, the publication also suggests. It will also be likely for organizations to operate a hybrid of zero trust and perimeter-based cybersecurity indefinitely while continuing to invest in IT modernization. However, before the transition even begins, organizations need to assess assets, users, and processes to build a foundation and a plan that leads to success in zero trust implementation.
With the SP 800-207, the NIST continues to be a leading, neutral advisor on what zero trust means. Zero trust is more than a buzzword, it is a principle that will transform information security and establish new considerations for security data, resources, and assets from the malicious activities of hackers and insider threats.
YouAttest and Zero Trust
YouAttest is the only cloud-based IGA platform that deploys in minutes to conduct access reviews. YouAttest has a dedicated AD attestation and can be used in conjunction w/ Guardicore, an advanced and award winning micro-segmentation solution which can derive its authorization from active directory to enact a zero trust network environment for the enterprise.
YouAttest enables an enterprise to ensure the privileges are applied correctly to the enterprise to implement the zero trust architecture.
YouAttest is the only cloud-based IGA platform that deploys in minutes to conduct access reviews. YouAttest has a dedicated AD attestation and can be used in conjunction w/ Guardicore in a Zero Trust environment. Register for the YouAttest/Guardicore webinar, Micro-Segmentation for Zero Trust Security and Compliance.
Also please feel free to write back to us if you found this NIST and Zero Trust article informative or if you feel like we have missed important aspects of NIST and Zero Trust so we can update our article as well. We will make sure that any suggestions and recommendations we receive will be added to the current NIST and Zero Trust article.