As you likely know by now, President Biden has signed an executive order mandating Zero Trust Architecture as the cyber-security standard for all federal agencies.
Underpinning this initiative is the Zero Trust Architecture special publication from NIST (the National Institute of Standards and Technology). The special publication is written in a way that can make it difficult to consume.
In this article, we break down the document in plain English. Our hope is that the summary below will help you understand best practices without a deep dive into the special publication itself.
Zero Trust Architecture: Breaking Down the NIST Special Publication
From a high level, NIST suggests that companies and organizations abandon the legacy “Castle and Moat” approach to IT security, as it is no longer fit for purpose. Hackers have adapted to traditional perimeter security, and this, coupled with the rise in remote work, leaves companies exposed to excessive risk.
There has been a 500% rise in organizational breaches since the beginning of the pandemic. Additionally, the cost of these breaches is steadily increasing in countries like the United States, where an average breach cost enterprises 8.64 million dollars.
It is time to accept the fact that traditional IT security measures no longer provide adequate protections – it is time to adopt a Zero Trust Architecture.
Conceptualizing Zero Trust
Understanding Zero Trust is not as complicated as it may seem at first glance. Essentially, Zero Trust is a “guilty until proven innocent” model. Any request to access company information requires an explicit check to ensure the device, user, and application are allowed access to the resource.
That’s the basic concept. Now let’s go through the seven tenets of Zero Trust Architecture according to NIST.
NIST’s Seven Tenets of Zero Trust Architecture
There are seven critical components (tenets) that NIST points to in its publication on Zero Trust Architecture. According to the executive order, these tenets will be followed by every federal government agency to ensure the highest standard of Zero Trust Architecture. Listed below are each of the tenets, broken down and simplified.
1. All data sources and computing services are considered resources
Any file, data set, or other digital asset that contains company information must be considered a resource. A resource can be something as small as an Excel file or as large as a data aggregator or an internally used SaaS application. There are no exceptions to this.

2. All communication is secured regardless of network location
This is saying to ALWAYS use encryption. The two types of encryption used in Zero Trust Architecture are:
   - Encryption at Rest, which covers stored data on device hardware, such as local, network, and cloud storage. Encryption at Rest ensures that if the storage drive of your device were physically removed and installed in another device, the data would be unreadable to anyone without the encryption key.
   - Encryption in Transit, which protects data while it is being transferred from one device to another. Examples include HTTPS (TLS/SSL).

3. Access to individual enterprise resources is granted on a per-session basis
Any time someone attempts to access a resource (file, data, or digital asset), it will be delivered only if the requester is proven to be trustworthy. Effectively, every time a user attempts to access a file or resource, access is given only to that single resource, and attempts to access other resources require their own round of explicit verification.

4. Access to resources is determined by dynamic policy—including the observable state of client identity, application/service, and the requesting asset—and may include other behavioral and environmental attributes
Before granting a user access to resources, the Zero Trust infrastructure should check the user’s device, identity, application, network, and location. While the exact set of checks varies, the idea is that multiple layers of authentication occur for each access request.
When increased risk is detected, additional checks can be made, such as requiring MFA or blocking access altogether.
Dynamic policies give administrators the ability to lock resources down based on risk by using time, location, network access, device compliance, identity, and more. For a deeper dive, refer to our earlier insight detailing identity and endpoint management as a foundation for Zero Trust.

5. The enterprise monitors and measures the integrity and security posture of all owned and associated assets
This tenet addresses the architecture continuously monitoring assets and looking for deviations from normal use. For example, if a user is copying or deleting an excessive number of files, the system can trigger alerts or temporarily block access.

6. All resource authentication and authorization are dynamic and strictly enforced before access is allowed
This one is simple: guilty until proven innocent. Your infrastructure should explicitly check, every time a user attempts to access a resource, that the user has permission to do so.

7. The enterprise collects as much information as possible about the current state of assets, network infrastructure and communications and uses it to improve its security posture
You should not only collect data but use that data to create insights and improve policy creation and enforcement. For instance, if you notice users are operating in a risky manner, you should address it through policy and/or compliance controls. In essence, your group should be continuously learning in order to improve your security settings and reduce risk.
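To make the per-session, dynamic-policy and explicit-check tenets concrete, here is a small policy decision point written for this article as an added example (it is not code from the NIST publication or from any product). The device inventory, entitlements, network ranges, risk weights and the 15-minute session lifetime are all constructed assumptions.

```python
"""Toy Zero Trust policy decision point (PDP).

Added illustration, not NIST's or a vendor's code. Every table and
threshold below is a constructed assumption for the example.
"""
from dataclasses import dataclass
from time import time

# Constructed device inventory: which devices the enterprise manages, and their compliance state.
MANAGED_DEVICES = {"laptop-42": {"compliant": True}, "byod-7": {"compliant": False}}
# Constructed entitlements: (user, application) -> set of resources that pair may reach.
ENTITLEMENTS = {("alice", "payroll-app"): {"hr-share"}, ("bob", "crm"): {"crm-db"}}
# Constructed corporate address prefixes; anything else is treated as off-network.
CORPORATE_NETWORKS = ("10.", "192.168.")
SESSION_SECONDS = 900  # assumed lifetime of a single-resource grant

@dataclass
class Request:
    user: str
    device_id: str
    application: str
    resource: str
    source_ip: str
    mfa_done: bool

def risk_score(req: Request) -> int:
    """Dynamic policy: score the observable state of the device and the network it comes from."""
    score = 0
    device = MANAGED_DEVICES.get(req.device_id)
    if device is None:
        score += 3                      # unknown device: not in inventory at all
    elif not device["compliant"]:
        score += 2                      # known device that is out of compliance
    if not req.source_ip.startswith(CORPORATE_NETWORKS):
        score += 1                      # request arrives from outside corporate networks
    return score

def decide(req: Request) -> dict:
    """Explicit check on every request; any grant is scoped to one resource and expires."""
    allowed = ENTITLEMENTS.get((req.user, req.application), set())
    if req.resource not in allowed:
        return {"decision": "deny", "reason": "no entitlement for this resource"}
    score = risk_score(req)
    if score >= 3:
        return {"decision": "deny", "reason": "risk too high"}
    if score >= 1 and not req.mfa_done:
        return {"decision": "step_up", "reason": "mfa required"}   # raised risk: add a check
    # Per-session grant: covers only this resource; another resource needs a fresh decision.
    return {"decision": "allow", "resource": req.resource, "expires": time() + SESSION_SECONDS}
```

Each call to decide() is independent, so a grant for hr-share says nothing about crm-db, and the same user on a non-compliant or unknown device gets a step-up prompt or a denial instead of the inherited trust a “Castle and Moat” network would give them.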
Moving Forward in Accordance with NIST’s Special Publication
The Zero Trust tenets the NIST special publication establishes should be taken seriously and thoughtfully considered by all IT administrators. The old “Castle and Moat” model is simply not designed to combat modern attacks. If you’re not using or building a foundation for Zero Trust right now, it’s time to get to work.