What Is Zero Trust Cybersecurity?
Zero trust, the NIST report notes, is “primarily focused on data protection but can be expanded to include all enterprise assets.”
“ZTA assumes the network is hostile and that an enterprise-owned network infrastructure is no different — or no more secure — than any non-enterprise owned network,” the report says. “In this new paradigm, an enterprise must continuously analyze and evaluate the risks to their internal assets and business functions and then enact protections to mitigate these risks.”
Zero trust involves limiting access to resources to “only those who are validated as needing access and continuously authenticating the identity and security posture of each access request.”
Zero trust is not a single network architecture or technology, but “a set of guiding principles in network infrastructure, design and operation that can be used to improve the security posture of any classification or sensitivity level,” the report says.
The NIST report notes that many agencies already have elements of zero trust in their enterprises. NIST recommends that agencies incrementally implement zero trust principles, process changes and technology solutions that protect their data assets and business functions.
The Elements of a Zero Trust Architecture
There are numerous elements of a ZTA, the NIST report notes, including a policy engine to decide whether to grant access to a resource for a given client or subject, a policy administrator to connect a user and a resource, and a policy enforcement point to enable, monitor and eventually terminate the connection between a user and a resource.
The policy engine draws on many inputs when making that decision, including Continuous Diagnostics and Mitigation systems, federal compliance adherence, threat intelligence feeds, data governance and enterprise public key infrastructure, among others.
All of these components are integral to achieving ZTA, the NIST report notes, and do not necessarily need to be unique systems. “A single system may perform the duties of multiple logical components, and likewise, a logical component may consist of multiple hardware or software elements to perform the tasks,” the report says.
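As an added illustration of how these three logical components interact (example code written for this page, not from the NIST report or this article), the following Python model shows a policy engine that evaluates identity, device posture and threat-intelligence signals on every request, with the enforcement point terminating a session when a later request no longer passes. The signal names, sensitivity levels and thresholds are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of the three logical components the NIST report names:
# the policy engine decides, the policy administrator sets up the session,
# and the policy enforcement point checks every request and can terminate it.

@dataclass
class Signals:
    """Trust signals for one access request (values are constructed here)."""
    identity_verified: bool    # credential validated, e.g. PIV plus MFA
    device_compliant: bool     # posture reported by a CDM-style feed
    source_flagged: bool       # source address seen in a threat-intel feed
    resource_sensitivity: int  # 1 (low) .. 3 (high); assumed scale

class PolicyEngine:
    def decide(self, s: Signals) -> tuple[bool, str]:
        if not s.identity_verified:
            return False, "identity not validated"
        if s.source_flagged:
            return False, "source listed in threat-intel feed"
        # a non-compliant device may only reach low-sensitivity resources
        if not s.device_compliant and s.resource_sensitivity > 1:
            return False, "device posture insufficient for resource"
        return True, "ok"

@dataclass
class PolicyAdministrator:
    engine: PolicyEngine
    sessions: dict = field(default_factory=dict)

    def open_session(self, subject: str, s: Signals) -> tuple[bool, str]:
        allowed, reason = self.engine.decide(s)
        if allowed:
            self.sessions[subject] = s
        return allowed, reason

@dataclass
class PolicyEnforcementPoint:
    """Sits in the data path; an open session is never trusted on its own."""
    admin: PolicyAdministrator

    def handle(self, subject: str, s: Signals) -> tuple[bool, str]:
        if subject not in self.admin.sessions:
            return self.admin.open_session(subject, s)
        allowed, reason = self.admin.engine.decide(s)  # re-evaluate every request
        if not allowed:
            del self.admin.sessions[subject]           # terminate on degraded posture
        return allowed, reason
```

The point of the model is the second branch of `handle`: an established session is re-decided on every request, so a device that falls out of compliance mid-session loses access rather than keeping it until logout.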
One of the many pillars of a ZTA is network security. While zero trust networks do have perimeters, the model attempts to shift the focus away from just the perimeter and examine all network aspects. Policies such as micro-segmentation and privileged access management are then implemented to follow the data and the personnel who have access to it.
Some agencies are already moving in this direction. The Defense Information Systems Agency is working with the U.S. Cyber Command to launch a zero trust pilot.
“Zero trust is the architecture or framework that we are building out for overall continued access and authentication mechanisms across the network and at all layers of the network,” Jason Martin, the vice director of the Development and Business Center at DISA, said in September, according to Federal News Network.
To do that, Martin noted, agencies must create a “foundational identity credentialing, access and authorizations solution.”
“We are leveraging existing capabilities while in turn building out things like master user records and automated provisioning that we will set with policy and push out using our third component, a global policy orchestrator,” he says.
Most agencies will operate in a hybrid mode between zero trust and legacy cybersecurity systems while they continue to invest in ongoing IT modernization initiatives and improve their business processes, NIST says.
Zero trust will require a lot of investment, and agencies won’t get there overnight, but the benefits of moving in that direction are well worth it.
This article is part of FedTech's CapITal blog series.